
Add Apache Struts 2 REST Plugin XStream RCE #8924

Merged
merged 3 commits into from Sep 8, 2017

@wvu-r7
Contributor

wvu-r7 commented Sep 6, 2017

msf exploit(struts2_rest_xstream) > info 

       Name: Apache Struts 2 REST Plugin XStream RCE
     Module: exploit/multi/http/struts2_rest_xstream
   Platform: Unix, Python, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-09-05

Provided by:
  Man Yue Mo
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Unix (In-Memory)
  1   Python (In-Memory)
  2   Linux (Dropper)
  3   Windows (Dropper)

Basic options:
  Name       Current Setting                  Required  Description
  ----       ---------------                  --------  -----------
  Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                                       yes       The target address
  RPORT      8080                             yes       The target port (TCP)
  SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080                             yes       The local port to listen on.
  SSL        false                            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts action
  URIPATH                                     no        The URI to use for this exploit (default is random)
  VHOST                                       no        HTTP server virtual host

Payload information:

Description:
  Apache Struts versions 2.5 through 2.5.12 using the REST plugin are 
  vulnerable to a Java deserialization attack in the XStream library.

References:
  https://cvedetails.com/cve/CVE-2017-9805/
  https://struts.apache.org/docs/s2-052.html
  https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
  https://github.com/mbechler/marshalsec

msf exploit(struts2_rest_xstream) > 
@a4j4123

a4j4123 commented Sep 7, 2017

I did not test successfully!
test

@wvu-r7
Contributor

wvu-r7 commented Sep 7, 2017

@a4j4123: You have provided zero details while testing a WIP exploit.

@singletrackseeker
singletrackseeker commented Sep 7, 2017

Regarding the image above: Does the line "Command Stager progress - 100.00% done" indicate that the target is vulnerable?

@wvu-r7
Contributor

wvu-r7 commented Sep 7, 2017

Nope, just that it tried to stage the entire payload. Probably worth checking the response in execute_command.

@busterb busterb self-assigned this Sep 7, 2017

@afbach
afbach commented Sep 7, 2017

Newbie here, but I couldn't get this to work until I created a documentation file struts2_rest_xstream.md, and you've got it called a plugin, but it's really a module?

@wvu-r7 wrote:
The vulnerable software is the REST plugin in Struts. This is a module, not a Metasploit plugin.

Ah, now I get it. But as for needing to add a
.../documentation/modules/exploit/multi/http/struts2_rest_xstream.md

should that be in there somewhere? Didn't seem to be usable without it.

@lnxg33k
lnxg33k commented Sep 7, 2017

Tried both Unix (In-Memory) and Python (In-Memory), and they are working perfectly 👍
[two screenshots attached: 2017-09-08 01 29 37 and 2017-09-08 01 30 05]

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

@afbach: The vulnerable software is the REST plugin in Struts. This is a module, not a Metasploit plugin.

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

@lnxg33k: The Windows targets aren't working right now, unfortunately. Windows dropper was functioning earlier, but I might have introduced a regression. PSH still not functional. Sorry. Thanks for testing the Unix-based targets.

@a4j4123
a4j4123 commented Sep 8, 2017

s2-053 is coming too fast

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

Nevermind, Windows Defender enabled itself again. -_-

So the Windows dropper is working properly. That's 4/5 working targets. Hopefully PSH works soon...

@todb-r7 todb-r7 added the hotness label Sep 8, 2017

Comment out PSH target and explain why
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.

@wvu-r7 wvu-r7 removed the delayed label Sep 8, 2017

@busterb busterb merged commit 978fdb0 into rapid7:master Sep 8, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

busterb pushed a commit that referenced this pull request Sep 8, 2017

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

🍰

@busterb
Contributor

busterb commented Sep 8, 2017

added 54a6297 - feel free to append test runs to the module docs

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/struts branch Sep 8, 2017

@busterb
Contributor

busterb commented Sep 8, 2017

Release Notes

The Apache Struts 2 REST Plugin XStream RCE module has been added to the framework. It targets Apache Struts versions 2.1.2-2.3.33 and Struts 2.5-2.5.12 that abuse the REST plugin's XStream handler to deserialise XML requests to perform arbitrary code execution.
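The release notes above give two inclusive version ranges. The following is an added example, not code from this PR or from the Metasploit module, showing how a defender can turn those ranges into an inventory triage check: it parses Struts versions out of free-form strings (bare versions or artifact names such as struts2-core-2.5.10.1.jar, an assumed input format) and reports whether each host falls inside 2.1.2-2.3.33 or 2.5-2.5.12. The sample inventory is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) ranges copied from the release notes on this page:
# Struts 2.1.2 - 2.3.33 and Struts 2.5 - 2.5.12 (S2-052 / CVE-2017-9805).
AFFECTED_RANGES = (
    ((2, 1, 2), (2, 3, 33)),
    ((2, 5, 0), (2, 5, 12)),
)


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from a free-form string.

    Accepts bare versions ('2.5.12', '2.5') as well as artifact names such as
    'struts2-core-2.5.10.1.jar'; returns None when no dotted number is present
    (the lone '2' in 'struts2' is not followed by '.digits', so it is skipped).
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so '2.5' compares as 2.5.0 against the 3-part bounds."""
    return v + (0,) * max(0, width - len(v))


def is_affected(text: str) -> bool:
    """True when the version found in `text` lies inside an affected range.

    Tuple comparison handles four-part releases naturally: 2.5.10.1 sorts
    between 2.5.10 and 2.5.11 and is therefore inside 2.5 - 2.5.12, while
    2.3.34 or 2.5.13 sort above their range's upper bound and are not flagged.
    Raises ValueError when no version can be parsed, so callers cannot
    mistake "unknown" for "not affected".
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    v = _padded(v)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Classify inventory lines of the (assumed) form '<host> <artifact-or-version>'.

    Returns (host, raw, affected) triples; affected is None when no version
    could be parsed, so such hosts are reported rather than silently dropped.
    Blank lines and '#' comments are ignored.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        host, raw = parts[0], (parts[1] if len(parts) > 1 else "")
        try:
            results.append((host, raw, is_affected(raw)))
        except ValueError:
            results.append((host, raw, None))
    return results


# Constructed sample inventory for this example; not taken from any real scan.
SAMPLE_INVENTORY = [
    "# host   struts artifact",
    "web01    struts2-core-2.5.10.1.jar",
    "web02    struts2-core-2.5.13.jar",
    "web03    struts2-core-2.3.33.jar",
    "web04    struts2-core-2.3.34.jar",
    "legacy1  struts2-core-2.0.14.jar",
    "unknown1 struts2-core.jar",
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "outside range", None: "version unknown"}
    for host, raw, affected in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:9} {raw:30} {labels[affected]}")
```

Because the check is a plain range comparison on the reported version, it says nothing about whether the REST plugin is actually deployed on a host or whether a vendor backport changed the version string; treat an AFFECTED result as a prompt to confirm, and an unknown result as a gap in the inventory rather than a clean bill of health.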

@AgoraSecurity
Contributor

AgoraSecurity commented Sep 8, 2017

This RCE is a blind RCE, right?

I'm using the payload cmd/unix/generic (also trying the exploit manually with Burp) and I can't get a valid web output (anyhow, if I use > /tmp/test or similar, I can see the output of the command).

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

@AgoraSecurity: It is blind, which is why I'm using a random string as the command in the check method.

@AgoraSecurity
Contributor

AgoraSecurity commented Sep 8, 2017

@wvu-r7
Contributor

wvu-r7 commented Sep 8, 2017

@AgoraSecurity:

  1. XML elements that break the deserialization on Windows. I generated the payload with marshalsec and then modified it to work on both platforms.
  2. I'd like to leave the functional code alone until I can fix it. The PSH target is already commented out, so that code path is inaccessible to the user.

Thanks!

@mazen160
mazen160 commented Sep 9, 2017

I wrote a lightweight tool for testing and exploiting the Apache Struts CVE-2017-9805

https://github.com/mazen160/struts-pwn_CVE-2017-9805

@wvu-r7
Contributor

wvu-r7 commented Sep 9, 2017

Very nice work, @mazen160. I may also do a time-based check, since I don't think we can rely on the 500 error.

@mazen160
mazen160 commented Sep 10, 2017

@wvu-r7 Thanks!
I waited till I have a stable detection mechanism for the vulnerability.

Best,
Mazin

@wvu-r7
Contributor

wvu-r7 commented Sep 11, 2017

@afbach: @busterb added the module doc when he landed this PR. You should have it now.

@AgoraSecurity
Contributor

AgoraSecurity commented Sep 11, 2017

I understand that this should work in any web server. I've had success in Tomcat (Windows and Linux), anyhow I can't make it work in JBoss (Windows).
Should it work in JBoss?

@wvu-r7
Contributor

wvu-r7 commented Sep 18, 2017

I did not test with JBoss, but I can definitely do that.

@jcmoreno
jcmoreno commented Sep 18, 2017

Hi, great job btw. Can support for custom headers or cookies be added? This would enable post-auth testing.

@wvu-r7
Contributor

wvu-r7 commented Aug 28, 2018

I've reenabled the PowerShell target. It appears to be working fine. Chances are Defender reenabled itself between my tests. FML. AV evasion is left as an exercise to the reader.

@wvu-r7 wvu-r7 referenced this pull request Aug 28, 2018

Merged

Add Windows ARCH_CMD target to struts2_rest_xstream #10543

@wvu-r7
Contributor

wvu-r7 commented Aug 28, 2018

Windows ARCH_CMD target added. All targets retested and working.
