| 1 | + | description = [[ |
| 2 | + | Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability |
| 3 | + | |
| 4 | + | This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE |
| 5 | + | uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request |
| 6 | + | looking (400) code as response (NON INTRUSIVE) |
| 7 | + | |
| 8 | + | Inspired by: |
| 9 | + | |
| 10 | + | @Twitter thread |
| 11 | + | https://twitter.com/RandoriAttack/status/1509298490106593283 |
| 12 | + | |
| 13 | + | @ZAP Scan Rule |
| 14 | + | https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/ |
| 15 | + | |
| 16 | + | Manual inspection: |
| 17 | + | |
| 18 | + | # curl -i -s -k -X $'GET' |
| 19 | + | -H $'Host: <target>' |
| 20 | + | -H $'User-Agent: alex666' |
| 21 | + | -H $'Connection: close' |
| 22 | + | $'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400 |
| 23 | + | |
| 24 | + | # curl -i -s -k -X $'GET' |
| 25 | + | -H $'Host: <target>' |
| 26 | + | -H $'User-Agent: alex666' |
| 27 | + | -H $'Connection: close' |
| 28 | + | $'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400 |
| 29 | + | |
| 30 | + | References: |
| 31 | + | https://github.com/alt3kx/CVE-2022-22965 |
| 32 | + | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965 |
| 33 | + | https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities |
| 34 | + | https://github.com/BobTheShoplifter/Spring4Shell-POC |
| 35 | + | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement |
| 36 | + | https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework |
| 37 | + | ]] |
| 38 | + | |
| 39 | + | --- |
| 40 | + | -- @usage |
| 41 | + | -- nmap -p <port> --script=./CVE-2022-22965.nse <target> |
| 42 | + | -- |
| 43 | + | -- @examples: |
| 44 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn |
| 45 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn |
| 46 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn |
| 47 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace | more |
| 48 | + | -- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt |
| 49 | + | -- |
| 50 | + | -- @output |
| 51 | + | -- PORT STATE SERVICE |
| 52 | + | -- 443/tcp open https |
| 53 | + | -- | CVE-2022-22965: |
| 54 | + | -- | VULNERABLE: |
| 55 | + | -- | Spring Framework 5.2.x 5.3.x RCE |
| 56 | + | -- | State: VULNERABLE (Exploitable) |
| 57 | + | -- | IDs: CVE:CVE-2022-22965 |
| 58 | + | -- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable |
| 59 | + | -- | to remote code execution (RCE) via data binding. |
| 60 | + | -- | Disclosure date: 2022-03-31 |
| 61 | + | -- | References: |
| 62 | + | -- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965 |
| 63 | + | |
| 64 | + | |
| 65 | + | author = "Alex Hernandez aka alt3kx <[email protected]>" |
| 66 | + | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" |
| 67 | + | categories = {"vuln", "exploit"} |
| 68 | + | |
| 69 | + | local shortport = require "shortport" |
| 70 | + | local http = require "http" |
| 71 | + | local stdnse = require "stdnse" |
| 72 | + | local string = require "string" |
| 73 | + | local vulns = require "vulns" |
| 74 | + | |
| 75 | + | portrule = shortport.http |
| 76 | + | |
| 77 | + | local S4S1 = "Tomcat" |
| 78 | + | local S4S2 = "springframework" |
| 79 | + | local S4S3 = "Tomcat" |
| 80 | + | local S4S4 = "Tomcat" |
| 81 | + | |
| 82 | + | --Payloads: |
| 83 | + | --GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense" |
| 84 | + | --GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0" |
| 85 | + | local S4S_CHECKER_URI = "/?class.module.classLoader.URLs%5B0%5D=0" |
| 86 | + | |
| 87 | + | action = function(host, port) |
| 88 | + | |
| 89 | + | local vuln = { |
| 90 | + | title = "Spring Framework 5.2.x 5.3.x RCE", |
| 91 | + | state = vulns.STATE.NOT_VULN, |
| 92 | + | IDS = { CVE = 'CVE-2022-22965' }, |
| 93 | + | description = [[ |
| 94 | + | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable |
| 95 | + | to remote code execution (RCE) via data binding.]], |
| 96 | + | |
| 97 | + | references = { |
| 98 | + | 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965' |
| 99 | + | }, |
| 100 | + | dates = { |
| 101 | + | disclosure = {year = '2022', month = '03', day = '31'}, |
| 102 | + | }, |
| 103 | + | |
| 104 | + | } |
| 105 | + | |
| 106 | + | local report = vulns.Report:new(SCRIPT_NAME, host, port) |
| 107 | + | |
| 108 | + | uri = stdnse.get_script_args("CVE-2022-22965.uri") or S4S_CHECKER_URI |
| 109 | + | evil_uri = uri..S4S_CHECKER_URI |
| 110 | + | |
| 111 | + | local options = {header={}} |
| 112 | + | |
| 113 | + | options['header']['User-Agent'] = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0" |
| 114 | + | |
| 115 | + | local response = http.get(host, port, evil_uri, { header = { ["Content-Type"] = "application/x-www-form-urlencoded"}}) |
| 116 | + | |
| 117 | + | if response.status and response.body then |
| 118 | + | |
| 119 | + | if response.status == 400 and string.find(response.body, S4S1) ~= nil then |
| 120 | + | stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 400") |
| 121 | + | vuln.state = vulns.STATE.EXPLOIT |
| 122 | + | end |
| 123 | + | --500 Internal Server Error , Spring Framework 5.2.x / 5.3.x Exceptions |
| 124 | + | if response.status == 500 and string.find(response.body, S4S2) ~= nil then |
| 125 | + | stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 500") |
| 126 | + | vuln.state = vulns.STATE.EXPLOIT |
| 127 | + | end |
| 128 | + | |
| 129 | + | if response.status == 200 and string.find(response.body, S4S3) ~= nil then |
| 130 | + | |
| 131 | + | stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 200") |
| 132 | + | vuln.state = vulns.STATE.NOT_VULN |
| 133 | + | end |
| 134 | + | |
| 135 | + | if response.status == 404 and string.find(response.body, S4S4) ~= nil then |
| 136 | + | |
| 137 | + | stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 404") |
| 138 | + | vuln.state = vulns.STATE.NOT_VULN |
| 139 | + | end |
| 140 | + | |
| 141 | + | else |
| 142 | + | stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned unknow response.") |
| 143 | + | vuln.state = vulns.STATE.UNKNOWN |
| 144 | + | end |
| 145 | + | return report:make_output (vuln) |
| 146 | + | end |
| 147 | + | |
| 148 | + | |
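Review bot: The fallback at line 108 uses the payload itself as the default `uri`, so with no script argument line 109 builds `evil_uri` as the checker query string concatenated with itself (`/?class…=0/?class…=0`) — the default should be the web root, `"/"`. `uri` and `evil_uri` are also assigned without `local` (accidental globals, which NSE's strict script environment may reject at runtime), and the `options` table carrying the User-Agent built at lines 111–113 is never passed to `http.get` at line 115, which sends its own header table instead. Separately, a 400 whose body mentions "Tomcat" (line 119) or a 500 mentioning "springframework" (line 124) is a fingerprint of an error page, not proof of exploitation, so reporting `vulns.STATE.EXPLOIT` overstates the result; `vulns.STATE.LIKELY_VULN`, ideally after comparing against a control request to the same path without the payload, fits a heuristic the script itself describes as non-intrusive — and for the same reason the `"exploit"` category on line 67 is misleading. The rewritten request setup follows; the status handling is unchanged apart from the state constants.
```lua
  -- Default to the web root: the checker query string is appended below, so the
  -- fallback must be a path, not the payload itself (otherwise it is sent twice).
  local uri = stdnse.get_script_args("CVE-2022-22965.uri") or "/"
  local evil_uri = uri .. S4S_CHECKER_URI

  -- Send the prepared header table; previously it was built and then a different
  -- table was passed to http.get, so the User-Agent never reached the wire.
  local options = { header = {
    ["User-Agent"] = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
    ["Content-Type"] = "application/x-www-form-urlencoded",
  } }
  local response = http.get(host, port, evil_uri, options)
  -- … unchanged: status/body checks (use vulns.STATE.LIKELY_VULN instead of EXPLOIT) …
```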