Skip to content

Commit

Permalink
Add mod doc for struts_dmi_rest_exec and update struts_dmi_exec.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@wchen-r7
wchen-r7 committed Jun 9, 2016
1 parent e4c55f9 commit dff60d9
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 2 deletions.
4 changes: 2 additions & 2 deletions documentation/modules/exploit/multi/http/struts_dmi_exec.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ For testing purposes, here is how you would set up the vulnerable machine:
4. Install Java first. Make sure you have the JAVA_HOME environment variable.
5. Extract Apache Tomcat.
6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor.
7. In tomcat-users.xml, add this role: ```<role rolename="manager-gui"/>```
8. In tomcat-users.xml, add this role to user tomcat: ```<user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>```
7. In tomcat-users.xml, add the ```manager-gui``` role
8. In tomcat-users.xml, add the ```manager-gui``` role to a user.
9. Remove other users.
10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080.
11. Extract the vulnerable struts app: ```tar -xf struts2-blank.tar.gz```
Expand Down
56 changes: 56 additions & 0 deletions documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
struts_dmi_rest_exec is a module that exploits Apache Struts's REST plugin with Dynamic Method
Invocation, and it supports Windows and Linux platforms.

## Vulnerable Application

Apache Struts versions between 2.3.20 and 2.3.28 are vulnerable, except 2.3.20.2 and 2.3.24.2.
The application's struts.xml also needs set ```struts.enable.DynamicMethodInvocation``` to true,
and ```struts.devMode``` to false.

For testing purposes, here is how you would set up the vulnerable machine:

1. Download Apache Tomcat
2. Download Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
3. Download the vulnerable [Apache Struts application](https://github.com/rapid7/metasploit-framework/files/300762/struts2-rest-showcase.tar.gz).
4. Install Java first. Make sure you have the JAVA_HOME environment variable.
5. Extract Apache Tomcat.
6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor.
7. In tomcat-users.xml, add the ```manager-gui``` role.
8. In tomcat-users.xml, add the ```manager-gui``` role to a user.
9. Remove other users.
10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080.
11. Extract the vulnerable struts app: ```tar -xf struts2-rest-showcase.tar.gz```
12. Navigate to the Apache Tomcat server with a browser on port 8080.
13. Click on Manager App
14. In the WAR file to deploy section, deploy struts2-rest-showcase.war
15. Stop struts2-blank in the manager app.
16. On the server, ```cd``` to ```apache-tomcat-[version]/webapps/struts2-rest-showcase/WEB-INF/classes```, open struts.xml with a text editor.
17. In the XML file, make sure ```struts.enable.DynamicMethodInvocation``` is true
18. In the XML file, make sure ```struts.devMode``` is false.
19. Back to Apache Tomcat's manager app. Start the struts2-rest-showcase again.

And now you have a vulnerable server.


## Options

**TMPPATH**

By default, the struts_dmi_rest_exec exploit should be ready to go without much configuration. However,
in case you need to change where the payload should be uploaded to, make sure to set the correct
target, and then change the TMPPATH datastore option.

## Scenarios

struts_dmi_rest_exec supports three platforms: Windows, Linux, and Java. By default, it uses Java,
so you don't need to worry about configuring this. Running the module can be as simple as the usage
explained in the Overview section.

However, native payload do have their benefits (for example: Windows Meterpreter has better
support than Java), so if you decide to switch to a different platform, here is what you do:

1. Do ```show targets```, and see which one you should be using
2. Do ```set target [id]```
3. Do ```show payloads```, which shows you a list of compatible payloads for that target.
4. Do: ```set payload [payload name]```
5. Do: ```exploit```

0 comments on commit dff60d9

Please sign in to comment.