Exploiting Remote Code Execution in Apache Struts2 (CVE-2017-9805)
Apache Struts is a very popular open source web application framework used to develop Java-based web applications. On September 05, 2017, a critical remote code execution vulnerability was identified in the framework which allowed any remote attacker to execute system commands on any server running an application built with the Apache Struts framework and the very popular REST plugin. The flaw is an insecure deserialization vulnerability at its root, and that deserialization is what leads to remote code execution.
Cause Of The Vulnerability?
The vulnerability lies in the REST plugin used with the Apache Struts framework. The REST plugin uses the XStream handler to deserialize XML requests without any type filtering, so a specially crafted XML POST request containing system commands, sent with the ‘Content-Type’ header set to ‘application/xml’, triggers this vulnerability. If you want a proper understanding and a step-by-step walkthrough of how the vulnerability is actually triggered, please go through this excellent blog.
The affected versions are 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13.
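Because the REST plugin hands any XML-typed request body to XStream, the defensive check that matters is whether such a body names Java classes at all: a request for an application DTO uses plain element names, while an XStream payload that abuses unfiltered deserialization has to reference JDK or library classes. The detector below is an added example written for this article, not code from the Struts project or the original post; it scans constructed request records (hypothetical fields method, path, content_type, body) and flags XML bodies that reference classes outside an allow-list, which is the same idea the 2.5.13 fix applied on the server side.

```python
import re
import xml.etree.ElementTree as ET

XML_TYPES = ("application/xml", "text/xml")
# Tag names or class="..." values shaped like a fully qualified Java class name.
# A REST-plugin request for an application DTO uses plain element names such as
# <order><clientName>; a deserialization payload must name real classes instead.
_FQCN = re.compile(r"^[a-z][\w]*(\.[A-Za-z_][\w]*)+$")

def class_references(body):
    """All Java-class-looking names in an XML body (empty set if unparseable)."""
    refs = set()
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return refs
    for el in root.iter():
        for name in (el.tag, el.get("class", "")):
            if _FQCN.match(name):
                refs.add(name)
    return refs

def check_request(req, allowed=frozenset()):
    """Findings for one captured request; an empty list means nothing suspicious."""
    ctype = req.get("content_type", "").split(";")[0].strip().lower()
    if req.get("method") not in ("POST", "PUT") or ctype not in XML_TYPES:
        return []  # XStream is only reached for XML-typed request bodies
    unexpected = class_references(req.get("body", "")) - allowed
    if not unexpected:
        return []
    return ["xml body names classes not on allow-list: " + ", ".join(sorted(unexpected))]

def scan(requests):
    """Return (index, findings) for every request that produced a finding."""
    results = []
    for i, req in enumerate(requests):
        findings = check_request(req)
        if findings:
            results.append((i, findings))
    return results

# Constructed sample requests (not real traffic). The second only mimics the
# shape of an XStream body that names arbitrary classes; it is not a payload.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/orders/3", "content_type": "application/xml",
     "body": "<order><clientName>acme</clientName><quantity>2</quantity></order>"},
    {"method": "POST", "path": "/orders/3", "content_type": "application/xml; charset=UTF-8",
     "body": "<map><entry><com.example.internal.UnexpectedType/>"
             "<order class=\"java.util.HashMap\"/></entry></map>"},
    {"method": "GET", "path": "/orders/3", "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        print(f"request {i} {SAMPLE_REQUESTS[i]['path']}: {'; '.join(findings)}")
```

The allow-list argument is where an application would list the DTO classes its own REST resources legitimately accept; everything else in an XML body is treated as a finding.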
Enough of the introduction, let’s start with our demo.
To start with, we first need a vulnerable server or machine running an affected Struts version. A server specially made for this purpose is already available from PentesterLab. I will be using this particular box as the victim in the demo. The setup is very simple: just download it, deploy the ISO file in VMware (for some reason port 80 of that box wasn’t working in VirtualBox, so I switched to VMware) and you are good to go. You can download the box from here.
The Metasploitable 3 box is also vulnerable to this, so you can carry out the exploit there as well. There is also the option of preparing your own vulnerable server; you can follow this blog here in case you want to set up your own server and then exploit it.
For the attacking machine I’ll be using Kali. You can use any distribution of your choice, as long as Metasploit is installed.
Let’s check the IP address of the Struts box:
And the IP address of our attacker machine (Kali):
Now, to exploit the box/server we can use either the Python exploit released on Exploit-DB or the Metasploit module. I generally prefer Metasploit, so I will be using the XStream Struts module of Metasploit. You could also use a lightweight working Python script for testing and exploiting Struts; the script can be found here.
First we need to set up the Metasploit module.
- Go to this link and copy the script
- Save this as struts2_rest_xstream.rb
- Now copy that Ruby file to the directory /usr/share/metasploit-framework/modules/exploits/multi/http/ by typing the following command: cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
Then start the Metasploit framework by typing msfconsole in your terminal.
Then select the module we want to use. In our case it is exploits/multi/http/struts2_rest_xstream.rb
So type in: use exploits/multi/http/struts2_rest_xstream.rb
Next, we need to set our remote host (IP address of the victim box) and remote port (port on which Apache Struts is running), so type in the following commands:
set RHOST 192.168.0.101
set RPORT 80
Next set the target to 2, which is the Linux target, as our victim box is Linux based, and along with that set the TARGETURI to /orders/3. So type in the following commands:
set TARGET 2
set TARGETURI /orders/3
Now type in: show options to verify that no parameter has been left unset.
So now as all seems to be well set, let’s hit exploit and Boom!!!
We now have a Meterpreter session open; type in sysinfo or ls to verify.
So that’s for now. See you next time. Goodbye
You can also have a look at my previous article on hacking Windows Server. Here is the link to the article.