This is only for research purposes and MUST NOT be used for malicious purposes.

The purpose of this project is to make it possible to research the Remote Code Execution vulnerability in the Spring Framework (CVE-2022-22965, "Spring4Shell"). While the full impact of this vulnerability is unknown at this stage, part of the purpose of this project is to help others research and experiment with the vulnerability in order to test its impact and scope.
- Run the script `build.sh` to build the app and Docker image
- Start the webapp by running the script `run-webapp.sh` (hit Ctrl + C to stop the webapp)
- With the webapp running, run the script `run-poc.sh` to run the exploit PoC
- Also with the webapp running, you can run the script `run-poc-rest.sh` to run the exploit PoC against the REST interface
The `build.sh` script builds both the source code and the Docker image. By default it uses the file `Dockerfile` to build the Docker image. You can specify a custom Dockerfile by passing its file name as an argument to the script. For example:

```
./build.sh Dockerfile-jetty
```

This uses the `Dockerfile-jetty` Docker file to build the webapp within a Jetty app server.
The scripts `run-poc.sh` and `run-poc-rest.sh` accept a custom command as an argument:

```
./run-poc.sh "<command-goes-here>"
```

So for example:

```
./run-poc.sh "cat /etc/passwd"
```
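As an added defender-side example (not part of this repository), the workaround that the Spring announcement linked under the sources below recommends for applications that cannot upgrade immediately: a global `@ControllerAdvice` that stops request parameters from being bound into the `class` property graph of model objects. The class name, `@Order` value and field patterns follow that post.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global data-binding restriction from the Spring early announcement for
// CVE-2022-22965. Every WebDataBinder created for a controller method passes
// through this @InitBinder, so request parameters such as class.module.classLoader.*
// can no longer reach the ClassLoader through bean property traversal.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Patterns are case-sensitive, so both "class" and "Class" are listed,
        // and the "*." forms cover nested properties of the bound object.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Add it to a package scanned by the webapp, rebuild, and rerun `run-poc.sh` to confirm the PoC no longer succeeds; note that the announcement describes this only as a workaround (controllers with their own `@InitBinder` that set disallowed fields locally override it), and that upgrading to a patched Spring Framework release is the actual fix.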
The following sources have been helpful in developing this:
- Rapid7 blog - Spring4Shell: Zero-Day Vulnerability in Spring Framework - helped with creating the PoC
- Spring - Serving Web Content with Spring MVC - helped provide information for creating an MVC app from scratch
- Retrospected GitHub - spring-rce-poc - helped provide an improved exploit script as well as Docker images
- Spring blog post announcing the vulnerability - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- CVE-2022-22965 (VMware)
- CVE-2022-22965 (MITRE)
- CVE-2022-22965 (NVD)