Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here:

Save the exploit code to a file and execute with Python passing two command line arguments. The first command line argument is the URL to execute the attack against. The URL should point to a Struts “action” page which you can find with a Google search like “ inurl:action”

And the second command line parameter is the OS command that you want to run against the exploited system. A complete example is given below:

python “ls -l”

Perhaps you are a defender and want to ensure all your systems have been patched but you have multiple web servers behind your domain name. In this case, you will want to run the exploit against specific IP addresses as shown below.

python “ls -l”

The Proof-of-Concept code will likely throw an SSL certificate error in this case. Make the following modifications (highlighted in yellow) to support this use case.

The inclusion of the Host header may not be required depending on your web server configuration.

Good Luck, and get this fixed . . . yesterday!

You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!