| 1 | +struts_dmi_rest_exec is a module that exploits Apache Struts's REST plugin with Dynamic Method |
| 2 | +Invocation, and it supports Windows and Linux platforms. |
| 3 | + |
| 4 | +## Vulnerable Application |
| 5 | + |
| 6 | +Apache Struts versions between 2.3.20 and 2.3.28 are vulnerable, except 2.3.20.2 and 2.3.24.2. |
| 7 | +The application's struts.xml also needs set ```struts.enable.DynamicMethodInvocation``` to true, |
| 8 | +and ```struts.devMode``` to false. |
| 9 | + |
| 10 | +For testing purposes, here is how you would set up the vulnerable machine: |
| 11 | + |
| 12 | +1. Download Apache Tomcat |
| 13 | +2. Download Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded. |
| 14 | +3. Download the vulnerable [Apache Struts application](https://github.com/rapid7/metasploit-framework/files/300762/struts2-rest-showcase.tar.gz). |
| 15 | +4. Install Java first. Make sure you have the JAVA_HOME environment variable. |
| 16 | +5. Extract Apache Tomcat. |
| 17 | +6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor. |
| 18 | +7. In tomcat-users.xml, add the ```manager-gui``` role. |
| 19 | +8. In tomcat-users.xml, add the ```manager-gui``` role to a user. |
| 20 | +9. Remove other users. |
| 21 | +10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080. |
| 22 | +11. Extract the vulnerable struts app: ```tar -xf struts2-rest-showcase.tar.gz``` |
| 23 | +12. Navigate to the Apache Tomcat server with a browser on port 8080. |
| 24 | +13. Click on Manager App |
| 25 | +14. In the WAR file to deploy section, deploy struts2-rest-showcase.war |
| 26 | +15. Stop struts2-blank in the manager app. |
| 27 | +16. On the server, ```cd``` to ```apache-tomcat-[version]/webapps/struts2-rest-showcase/WEB-INF/classes```, open struts.xml with a text editor. |
| 28 | +17. In the XML file, make sure ```struts.enable.DynamicMethodInvocation``` is true |
| 29 | +18. In the XML file, make sure ```struts.devMode``` is false. |
| 30 | +19. Back to Apache Tomcat's manager app. Start the struts2-rest-showcase again. |
| 31 | + |
| 32 | +And now you have a vulnerable server. |
| 33 | + |
| 34 | + |
| 35 | +## Options |
| 36 | + |
| 37 | +**TMPPATH** |
| 38 | + |
| 39 | +By default, the struts_dmi_rest_exec exploit should be ready to go without much configuration. However, |
| 40 | +in case you need to change where the payload should be uploaded to, make sure to set the correct |
| 41 | +target, and then change the TMPPATH datastore option. |
| 42 | + |
| 43 | +## Scenarios |
| 44 | + |
| 45 | +struts_dmi_rest_exec supports three platforms: Windows, Linux, and Java. By default, it uses Java, |
| 46 | +so you don't need to worry about configuring this. Running the module can be as simple as the usage |
| 47 | +explained in the Overview section. |
| 48 | + |
| 49 | +However, native payload do have their benefits (for example: Windows Meterpreter has better |
| 50 | +support than Java), so if you decide to switch to a different platform, here is what you do: |
| 51 | + |
| 52 | +1. Do ```show targets```, and see which one you should be using |
| 53 | +2. Do ```set target [id]``` |
| 54 | +3. Do ```show payloads```, which shows you a list of compatible payloads for that target. |
| 55 | +4. Do: ```set payload [payload name]``` |
| 56 | +5. Do: ```exploit``` |
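Review bot: the Scenarios section tells readers that running the module "can be as simple as the usage explained in the Overview section", but this file has no Overview section, so the reference dangles; either add the missing section (module docs in this repository normally carry a "## Verification Steps" list ahead of "## Options") or reword the sentence to describe the default run in place. Two smaller points in the same hunk: "native payload do have their benefits" should read "native payloads do have their benefits", and the requirement in Vulnerable Application reads "also needs set struts.enable.DynamicMethodInvocation to true", which would be clearer as "the application's struts.xml must also set `struts.enable.DynamicMethodInvocation` to true and `struts.devMode` to false" so that a reader checking whether their own deployment is exposed can match both settings directly.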