struts2_rest_xstream is a module that exploits Apache Struts 2's REST plugin, using the XStream handler to deserialise XML requests perform arbitrary code execution.
Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12
You can download these versions here with any version of Apache Tomcat:
You will also need to install a Struts 2 showcase application, which can be found here:
The path to a struts application action
The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.
The Check Command
struts2_rest_xstream module comes with a check command that can effectively check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following:
set VERBOSE true set RHOST [IP] set TARGETURI [path to the Struts app with an action]
When the module is in verbose mode, the
check command will try to tell you the OS information, and whether or not the machine is vulnerable. Like this:
msf exploit(struts2_rest_xstream) > check [+] 10.1.11.11:8080 The target appears to be vulnerable.
Exploiting the Host
After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS.