Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts //

Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 in Apache Struts, with working exploit code here:

Save the exploit code to a file and execute it with Python, passing two command-line arguments. The first command-line argument is the URL to execute the attack against. The URL should point to a Struts “action” page, which you can find with a Google search like “ inurl:action”

And the second command line parameter is the OS command that you want to run against the exploited system. A complete example is given below:

python “ls -l”

Perhaps you are a defender and want to ensure all your systems have been patched, but you have multiple web servers behind your domain name. In this case, you will want to run the exploit against specific IP addresses, as shown below.

python “ls -l”

The Proof-of-Concept code will likely throw an SSL certificate error in this case. Make the following modifications (highlighted in yellow) to support this use case.

The inclusion of the Host header may not be required depending on your web server configuration.
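One way to reach each backend by IP address without the certificate error, as an added example that is not the proof-of-concept code or part of the original post: dial the IP, but use the site name for TLS (SNI and certificate check) and for the Host header, so verification stays enabled. The function names are hypothetical, and the IP addresses, hostname and path are constructed placeholders; the request sent is an ordinary GET.

```python
import socket
import ssl

def build_request(hostname: str, path: str = "/") -> bytes:
    """HTTP/1.1 GET whose Host header names the site, not the IP we dial."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hostname}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")

def tls_context() -> ssl.SSLContext:
    """Default context: certificate chain and hostname are both verified."""
    return ssl.create_default_context()

def parse_status(response: bytes) -> int:
    """Return the status code from the first line of a raw HTTP response."""
    status_line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def probe_backend(ip: str, hostname: str, path: str = "/",
                  port: int = 443, timeout: float = 5.0) -> int:
    """Connect to one backend by IP; TLS and the Host header use the hostname."""
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate is checked
        # against, so dialing an IP does not cause a name mismatch.
        with tls_context().wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_request(hostname, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))

if __name__ == "__main__":
    # Constructed placeholders: documentation-range IPs and an example hostname.
    for ip in ("192.0.2.10", "192.0.2.11"):
        try:
            print(ip, probe_backend(ip, "www.example.com", "/index.action"))
        except (OSError, ValueError) as exc:
            print(ip, "error:", exc)
```

A backend that answers with a certificate not valid for the hostname raises `ssl.SSLCertVerificationError`, which is itself worth recording when inventorying the servers behind a name.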

Good Luck, and get this fixed . . . yesterday!