Add Apache Struts 2 REST Plugin XStream RCE #8924

Merged
merged 3 commits into from Sep 8, 2017

Conversation

@wvu-r7 (Member) commented Sep 6, 2017

msf exploit(struts2_rest_xstream) > info 

       Name: Apache Struts 2 REST Plugin XStream RCE
     Module: exploit/multi/http/struts2_rest_xstream
   Platform: Unix, Python, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-09-05

Provided by:
  Man Yue Mo
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Unix (In-Memory)
  1   Python (In-Memory)
  2   Linux (Dropper)
  3   Windows (Dropper)

Basic options:
  Name       Current Setting                  Required  Description
  ----       ---------------                  --------  -----------
  Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                                       yes       The target address
  RPORT      8080                             yes       The target port (TCP)
  SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080                             yes       The local port to listen on.
  SSL        false                            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts action
  URIPATH                                     no        The URI to use for this exploit (default is random)
  VHOST                                       no        HTTP server virtual host

Payload information:

Description:
  Apache Struts versions 2.5 through 2.5.12 using the REST plugin are 
  vulnerable to a Java deserialization attack in the XStream library.

References:
  https://cvedetails.com/cve/CVE-2017-9805/
  https://struts.apache.org/docs/s2-052.html
  https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
  https://github.com/mbechler/marshalsec

msf exploit(struts2_rest_xstream) > 
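The module's check and exploitation are blind (later in this thread the author notes that the HTTP response, including a 500 error, is not a reliable signal), so detection on the defending side is better done on the request than on the response. The following Python is an added example written for this page; it is not part of the Metasploit module or of this PR. It scans constructed HTTP request records (not captured traffic) for XML bodies sent to a Struts REST action path, the case in which the REST plugin hands the body to XStream, and flags bodies whose root element is not one the application expects or which name fully-qualified JDK classes. The path prefix /struts2-rest-showcase/ and the expected root element `order` are assumptions derived from the showcase TARGETURI above; the class-name pattern and the sample bodies are constructed for the example.

```python
"""Request-side detector for XStream deserialization attempts against Struts
REST action endpoints (the CVE-2017-9805 / S2-052 class of issue).

Added example for this page, not code from the Metasploit module or this PR.
All request records below are constructed; they are not captured traffic.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str


# Assumption: the application's REST actions live under this prefix and its
# legitimate XML payloads use only these root elements (from the showcase
# TARGETURI /struts2-rest-showcase/orders/3 in the module info above).
REST_PATH_PREFIX = "/struts2-rest-showcase/"
EXPECTED_ROOT_ELEMENTS = {"order"}

# Content types for which the Struts REST plugin selects its XStream handler.
XML_CONTENT_TYPES = ("application/xml", "text/xml")

# Fully-qualified JDK class names used as element names or in class=""
# attributes; a payload describing an order has no reason to carry them.
JDK_CLASS_REF = re.compile(r"""(?:<|class=["'])((?:java|javax|jdk|sun|com\.sun)\.[\w.$]+)""")
ROOT_ELEMENT = re.compile(r"<([A-Za-z_][\w.\-]*)")


def content_type(req):
    """Media type of the request, without charset or other parameters."""
    return req.headers.get("Content-Type", "").split(";")[0].strip().lower()


def flag_request(req):
    """Return a list of reasons the request looks like a deserialization
    attempt; an empty list means nothing suspicious was found."""
    reasons = []
    if not req.path.startswith(REST_PATH_PREFIX):
        return reasons
    if content_type(req) not in XML_CONTENT_TYPES:
        return reasons  # XStream is only engaged for XML bodies
    body = req.body.lstrip()
    if body.startswith("<?xml"):  # skip the XML declaration, if present
        body = body[body.find("?>") + 2:].lstrip()
    root = ROOT_ELEMENT.match(body)
    if root and root.group(1) not in EXPECTED_ROOT_ELEMENTS:
        reasons.append(f"unexpected root element <{root.group(1)}>")
    classes = sorted(set(JDK_CLASS_REF.findall(req.body)))
    if classes:
        reasons.append("JDK class references in XML body: " + ", ".join(classes))
    return reasons


def scan(requests):
    """Return (index, reasons) for every flagged request."""
    findings = []
    for index, req in enumerate(requests):
        reasons = flag_request(req)
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample traffic: one legitimate XML update, one XML body that
# describes JDK objects instead of an order, one JSON body, and one XML body
# sent to a path outside the REST application.
SAMPLE_REQUESTS = [
    HttpRequest("PUT", "/struts2-rest-showcase/orders/3",
                {"Content-Type": "application/xml; charset=UTF-8"},
                "<order><clientName>Alice</clientName><amount>12</amount></order>"),
    HttpRequest("POST", "/struts2-rest-showcase/orders/3",
                {"Content-Type": "application/xml"},
                '<?xml version="1.0"?>\n'
                "<map><entry><java.lang.String>x</java.lang.String></entry></map>"),
    HttpRequest("POST", "/struts2-rest-showcase/orders/3",
                {"Content-Type": "application/json"},
                '{"clientName": "Alice", "amount": 12}'),
    HttpRequest("POST", "/other-app/upload",
                {"Content-Type": "text/xml"},
                "<map><entry><java.lang.String>x</java.lang.String></entry></map>"),
]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        req = SAMPLE_REQUESTS[index]
        print(f"request {index}: {req.method} {req.path}")
        for reason in reasons:
            print("  -", reason)
```

Only the second sample is flagged, on both counts. Tuning the root-element allowlist to the application's real model types is what keeps the false-positive rate down; the JDK class-name rule is the more general signal, since a REST body that has to spell out JDK types is describing object graphs rather than application data.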
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch 8 times, most recently from 179eec1 to 43d10ad Sep 6, 2017
@wvu-r7 wvu-r7 added the delayed label Sep 7, 2017
@a4j4123 commented Sep 7, 2017

I did not test successfully!
test

@wvu-r7 (Member, Author) commented Sep 7, 2017

@a4j4123: You have provided zero details while testing a WIP exploit.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch from 43d10ad to dae6eda Sep 7, 2017
@singletrackseeker commented Sep 7, 2017

Regarding the image above: Does the line "Command Stager progress - 100.00% done" indicate that the target is vulnerable?

@wvu-r7 (Member, Author) commented Sep 7, 2017

Nope, just that it tried to stage the entire payload. Probably worth checking the response in execute_command.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch from dae6eda to 2dfb1d4 Sep 7, 2017
@busterb busterb self-assigned this Sep 7, 2017
@afbach commented Sep 7, 2017

Newbie here, but I couldn't get this to work until I created a documentation file, struts2_rest_xstream.md. Also, you've got it called a plugin, but it's really a module?

@wvu-r7 wrote:
The vulnerable software is the REST plugin in Struts. This is a module, not a Metasploit plugin.

Ah, now I get it. But as for needing to add a
.../documentation/modules/exploit/multi/http/struts2_rest_xstream.md

should that be in there somewhere? It didn't seem to be usable without it.

@lnxg33k commented Sep 7, 2017

Tried both Unix (In-Memory) and Python (In-Memory), and they are working perfectly 👍

@wvu-r7 (Member, Author) commented Sep 8, 2017

@afbach: The vulnerable software is the REST plugin in Struts. This is a module, not a Metasploit plugin.

@wvu-r7 (Member, Author) commented Sep 8, 2017

@lnxg33k: The Windows targets aren't working right now, unfortunately. Windows dropper was functioning earlier, but I might have introduced a regression. PSH still not functional. Sorry. Thanks for testing the Unix-based targets.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch from 2e4b1ab to 7dd1681 Sep 8, 2017
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch 2 times, most recently from a28d8f5 to c296f72 Sep 8, 2017
Hat tip @acammack-r7. Forgot about that first syntax!
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/struts branch from c296f72 to a9a3075 Sep 8, 2017
@a4j4123 commented Sep 8, 2017

s2-053 is coming too fast

@wvu-r7 (Member, Author) commented Sep 8, 2017

Never mind, Windows Defender enabled itself again. -_-

So the Windows dropper is working properly. That's 4/5 working targets. Hopefully PSH works soon...

@todb-r7 todb-r7 added the hotness label Sep 8, 2017
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
@wvu-r7 wvu-r7 removed the delayed label Sep 8, 2017
@busterb busterb merged commit 978fdb0 into rapid7:master Sep 8, 2017
1 check passed: continuous-integration/travis-ci/pr The Travis CI build passed
busterb pushed a commit that referenced this pull request Sep 8, 2017
@wvu-r7 (Member, Author) commented Sep 8, 2017

🍰

@busterb (Member) commented Sep 8, 2017

added 54a6297 - feel free to append test runs to the module docs

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/struts branch Sep 8, 2017
@busterb (Member) commented Sep 8, 2017

Release Notes

The Apache Struts 2 REST Plugin XStream RCE module has been added to the framework. It targets Apache Struts versions 2.1.2-2.3.33 and Struts 2.5-2.5.12, abusing the REST plugin's XStream handler, which deserialises XML requests, to perform arbitrary code execution.

@AgoraSecurity (Contributor) commented Sep 8, 2017

This RCE is a blind RCE, right?

I'm using the payload cmd/unix/generic (also trying the exploit manually with Burp) and I can't get valid web output (although if I use > /tmp/test or similar, I can see the output of the command).

@wvu-r7 (Member, Author) commented Sep 8, 2017

@AgoraSecurity: It is blind, which is why I'm using a random string as the command in the check method.

@AgoraSecurity (Contributor) commented Sep 8, 2017

@wvu-r7 (Member, Author) commented Sep 8, 2017

@AgoraSecurity:

  1. XML elements that break the deserialization on Windows. I generated the payload with marshalsec and then modified it to work on both platforms.
  2. I'd like to leave the functional code alone until I can fix it. The PSH target is already commented out, so that code path is inaccessible to the user.

Thanks!

@mazen160 commented Sep 9, 2017

I wrote a lightweight tool for testing and exploiting the Apache Struts CVE-2017-9805

https://github.com/mazen160/struts-pwn_CVE-2017-9805

@wvu-r7 (Member, Author) commented Sep 9, 2017

Very nice work, @mazen160. I may also do a time-based check, since I don't think we can rely on the 500 error.

@mazen160 commented Sep 10, 2017

@wvu-r7 Thanks!
I waited till I had a stable detection mechanism for the vulnerability.

Best,
Mazin

@wvu-r7 (Member, Author) commented Sep 11, 2017

@afbach: @busterb added the module doc when he landed this PR. You should have it now.

@AgoraSecurity (Contributor) commented Sep 11, 2017

I understand that this should work in any web server. I've had success in Tomcat (Windows and Linux); however, I can't make it work in JBoss (Windows).
Should it work in JBoss?

@wvu-r7 (Member, Author) commented Sep 18, 2017

I did not test with JBoss, but I can definitely do that.

@jcmoreno commented Sep 18, 2017

Hi, great job btw. Can support for custom headers or cookies be added? This would enable post-auth testing.

@wvu-r7 (Member, Author) commented Aug 28, 2018

I've reenabled the PowerShell target. It appears to be working fine. Chances are Defender reenabled itself between my tests. FML. AV evasion is left as an exercise to the reader.

@wvu-r7 wvu-r7 mentioned this pull request Aug 28, 2018
@wvu-r7 (Member, Author) commented Aug 28, 2018

Windows ARCH_CMD target added. All targets retested and working.
