Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here: https://github.com/rapid7/metasploit-framework/issues/8064

Save the exploit code to a file and execute with Python passing two command line arguments. The first command line argument is the URL to execute the attack against. The URL should point to a Struts “action” page which you can find with a Google search like “site:example.com inurl:action”

And the second command line parameter is the OS command that you want to run against the exploited system. A complete example is given below:

python exploit.py https://example.com/some/example.action “ls -l”

Perhaps you are a defender and want to ensure all your systems have been patched but you have multiple web servers behind your domain name. In this case, you will want to run the exploit against specific IP addresses as shown below.

python exploit.py https://specific.ip.addr.here/some/example.action “ls -l”

The Proof-of-Concept code will likely throw an SSL certificate error in this case. Make the following modifications (highlighted in yellow) to support this use case.

The inclusion of the Host header may not be required depending on your web server configuration.

Good Luck, and get this fixed . . . yesterday!


Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.

Join 2,166 other subscribers