Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965

Overview

Spring4Shell-POC (CVE-2022-22965)

Spring4Shell

Docker Build Docker App Build Stars Docker Run

Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + A vulnerable Tomcat server with a vulnerable spring4shell application.

Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.

The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.

Details about this vulnerability

POC Usage

The usage is simple! You can either run the docker image, or just run the python script!

Please see vulnerable-tomcat for inscructions on setting up your own spring4shell vulnerable application here!

Requirements

Python

pip install -r requirements.txt
poc.py --help

image

Docker

## Dockerhub
docker pull bobtheshoplifter/spring4shell-poc:latest
docker run bobtheshoplifter/spring4shell-poc:latest --url https://example.io/
## Github docker repository
docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main
docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url https://example.io/

image

Vulnerable Tomcat server

I have now made a docker image for this, which includes a vulnerable spring + tomcat application.

The application should be enough to test this vulnerability.

Please see (vulnerable-tomcat/README.md)

Mitigations

!!(The following mitigations are only theoretical as nothing has been confirmed)!!

JDK Version under 9

Cyberkendra informed that JDK versions lower than JDK 9

You can easily check this by running

java -version

That will display something similar to this

openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing)

If your JDK version is under 8, you might be safe, but nothing is confirmed yet

The following article will be updated

Check if you are using the spring framework

Do a global search after "spring-beans-.jar" and "spring.jar"

find . -name spring-beans*.jar
Issues
  • Added threading

    Added threading

    Hello Bob:

    I've added stream=True to the requests.get() I've added threading. I've added Not Vulnerable to the output.

    Let me know if you have any questions.

    Thanks for the script.

    opened by ruped24 7
  • Cannot reproduce

    Cannot reproduce

    Hi,

    Regarding the following step to reproduce:

    the files update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT

    Couple of remarks:

    • On Windows, the zips are recognized as viruses, hence I deleted them right out of the bat.
    • The zips are password protected?!

    Without this mysterious tomcatwar.jsp it appears the PoC does not work. At least, I failed to reproduce it.

    help wanted 
    opened by dagnelies 2
Releases(0.0.1)
  • 0.0.1(Apr 4, 2022)

    What's Changed

    • Add SpringCloud URL to Details by @grogsaxle in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/2
    • Add info on how to test PoC by @esell in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/4
    • Fixed a typo on the main function argument descriptor by @FelixCoutinho in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/7
    • Added threading by @ruped24 in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/8

    New Contributors

    • @grogsaxle made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/2
    • @esell made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/4
    • @FelixCoutinho made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/7
    • @ruped24 made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/8

    Full Changelog: https://github.com/BobTheShoplifter/Spring4Shell-POC/commits/0.0.1

    Source code(tar.gz)
    Source code(zip)
Owner
Daniel Christensen
I do cool security stuff i guess 💻
Daniel Christensen
A Safer PoC for CVE-2022-22965 (Spring4Shell)

Safer_PoC_CVE-2022-22965 A Safer PoC for CVE-2022-22965 (Spring4Shell) Functionality Creates a file called CVE_2022-22965_exploited.txt in the tomcat

Colin Cowie 45 May 14, 2022
Spring4Shell - Spring Core RCE - CVE-2022-22965

Spring Core RCE - CVE-2022-22965 After Spring Cloud, on March 29, another heavyweight vulnerability of Spring broke out on the Internet: Spring Core R

Malte Gejr 102 Jul 1, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 40 Jun 30, 2022
CVE-2022-22965 - CVE-2010-1622 redux

CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la

Duarte Duarte 20 Apr 12, 2022
Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

CVE-2022-21907 - Double Free in http.sys driver Summary An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request he

Podalirius 66 Jun 28, 2022
Spring-0day/CVE-2022-22965

CVE-2022-22965 Spring Framework/CVE-2022-22965 Vulnerability ID: CVE-2022-22965/CNVD-2022-23942/QVD-2022-1691 Reproduce the vulnerability docker pull

iak 4 Apr 5, 2022
CVE-2022-22965 : about spring core rce

CVE-2022-22965: Spring-Core-Rce EXP 特性: 漏洞探测(不写入 webshell,简单字符串输出) 自定义写入 webshell 文件名称及路径 不会追加写入到同一文件中,每次检测写入到不同名称 webshell 文件 支持写入 冰蝎 webshell 代理支持,可

东方有鱼名为咸 50 Jun 6, 2022
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 121 Jun 20, 2022
Proof of Concept Exploit for vCenter CVE-2021-21972

CVE-2021-21972 Proof of Concept Exploit for vCenter CVE-2021-21972

Horizon 3 AI Inc 191 Jun 19, 2022
Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Axel Souchet 200 Jun 15, 2022
Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

Horizon 3 AI Inc 223 Jun 16, 2022
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus < 11306 Based on: https://xz.aliyun.com/t/106

Horizon 3 AI Inc 25 Feb 23, 2022
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 7 Jan 22, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 17 Mar 23, 2022
Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Cod

Axel Souchet 813 Jul 8, 2022
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

koz 1.4k Jul 3, 2022
Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

Kr0ff 4 Jul 1, 2022
This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

null 23 Jul 9, 2022