Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts //

Unauthenticated Remote Code Execution is a hacker's best friend, and that is exactly what CVE-2017-5638 in Apache Struts gives you. Working exploit code is here: https://github.com/rapid7/metasploit-framework/issues/8064

Save the exploit code to a file and execute it with Python, passing two command line arguments. The first argument is the URL to run the attack against. The URL should point to a Struts "action" page, which you can find with a Google search like "site:example.com inurl:action".

The second argument is the OS command that you want to run on the exploited system. A complete example is given below:

python exploit.py https://example.com/some/example.action "ls -l"

Perhaps you are a defender who wants to confirm that all of your systems have been patched, but you have several web servers behind one domain name. In that case you will want to run the exploit against each specific IP address, as shown below.

python exploit.py https://specific.ip.addr.here/some/example.action "ls -l"

The Proof-of-Concept code will likely throw an SSL certificate error in this case, because the server's certificate is issued for the domain name, not for the IP address you are connecting to. Two modifications support this use case: disable certificate verification for the request, and send the original domain name in a Host header so the request still reaches the right application.

The Host header may not be required, depending on your web server configuration (it matters when the Struts application is served from a name-based virtual host).
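The helper below is an added example for this post, not the rapid7 Proof-of-Concept or any code from it. It shows the two modifications in stdlib Python: rewriting the action URL to a specific IP while remembering the original hostname, building a TLS context that skips certificate validation, and forcing the Host header to the original name. The function names are my own, and the exploit's Content-Type payload is not included; pass it in as an extra header when you wire this into the PoC.

```python
"""Point an HTTP request at one specific server behind a shared hostname.

Added example (not the rapid7 PoC). Function names and the 10.0.0.5 address
used in the usage comments are assumptions for illustration.
"""
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def target_by_ip(action_url, ip_addr):
    """Rewrite the hostname in action_url to ip_addr.

    Returns (ip_url, original_host): the URL to actually connect to, and
    the hostname the server expects in the Host header.
    """
    parts = urlsplit(action_url)
    original_host = parts.hostname
    netloc = ip_addr if parts.port is None else f"{ip_addr}:{parts.port}"
    ip_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return ip_url, original_host


def unverified_context():
    """TLS context that skips certificate validation.

    Needed because the certificate for the domain name will not match the
    raw IP address. Only acceptable for self-assessment of hosts you own.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(ip_url, original_host, extra_headers=None):
    """Build the request with Host forced to the original domain name.

    urllib honours a caller-supplied Host header instead of deriving one from
    the URL, so a name-based virtual host still routes to the Struts app.
    extra_headers is where the PoC's Content-Type payload would go.
    """
    headers = {"Host": original_host}
    if extra_headers:
        headers.update(extra_headers)
    return urllib.request.Request(ip_url, headers=headers)


def send(req, timeout=10):
    """Send the request with certificate verification disabled; return the body."""
    with urllib.request.urlopen(req, context=unverified_context(), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    import sys
    # usage: python target_by_ip.py https://example.com/some/example.action 10.0.0.5
    url, ip = sys.argv[1], sys.argv[2]
    ip_url, host = target_by_ip(url, ip)
    print(send(build_request(ip_url, host)))
```

Run it once per back-end address from your inventory rather than once per DNS name; a load balancer will otherwise only ever show you whichever node it happens to pick.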

Good luck, and get this fixed . . . yesterday! (Struts 2.3.32 and 2.5.10.1 are the releases that carry the fix.)