Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965

Last update: Jan 2, 2023

Overview

Spring4Shell-POC (CVE-2022-22965)

Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + A vulnerable Tomcat server with a vulnerable spring4shell application.

Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.

The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.

Details about this vulnerability

POC Usage

The usage is simple! You can either run the docker image, or just run the python script!

Please see vulnerable-tomcat for inscructions on setting up your own spring4shell vulnerable application here!

Requirements

Python3 or Docker

Python

pip install -r requirements.txt
poc.py --help

Docker

## Dockerhub
docker pull bobtheshoplifter/spring4shell-poc:latest
docker run bobtheshoplifter/spring4shell-poc:latest --url https://example.io/
## Github docker repository
docker pull ghcr.io/bobtheshoplifter/spring4shell-poc:main
docker run ghcr.io/bobtheshoplifter/spring4shell-poc:main --url https://example.io/

Vulnerable Tomcat server

I have now made a docker image for this, which includes a vulnerable spring + tomcat application.

The application should be enough to test this vulnerability.

Please see (vulnerable-tomcat/README.md)

Mitigations

!!(The following mitigations are only theoretical as nothing has been confirmed)!!

JDK Version under 9

Cyberkendra informed that JDK versions lower than JDK 9

You can easily check this by running

java -version

That will display something similar to this

openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing)

If your JDK version is under 8, you might be safe, but nothing is confirmed yet

The following article will be updated

Check if you are using the spring framework

Do a global search after "spring-beans-.jar" and "spring.jar"

find . -name spring-beans*.jar

You might also like...

Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

231 Nov 12, 2022

IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

1 Nov 25, 2021

Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus 11306 Based on: https://xz.aliyun.com/t/106

25 Nov 9, 2022

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

12 Nov 18, 2022

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

20 Nov 11, 2022

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Cod

820 Dec 18, 2022

A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

1.5k Jan 4, 2023

Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

3 Jul 23, 2022

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

26 Dec 26, 2022

Comments

Added threading

Hello Bob:

I've added stream=True to the requests.get() I've added threading. I've added Not Vulnerable to the output.

Let me know if you have any questions.

Thanks for the script.

opened by ruped24 7
Cannot reproduce
Hi,

Regarding the following step to reproduce:

the files update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT

Couple of remarks:

On Windows, the zips are recognized as viruses, hence I deleted them right out of the bat.

The zips are password protected?!

Without this mysterious tomcatwar.jsp it appears the PoC does not work. At least, I failed to reproduce it.
help wanted
opened by dagnelies 2

Releases(0.0.1)

0.0.1(Apr 4, 2022)
What's Changed

Add SpringCloud URL to Details by @grogsaxle in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/2

Add info on how to test PoC by @esell in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/4

Fixed a typo on the main function argument descriptor by @FelixCoutinho in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/7

Added threading by @ruped24 in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/8

New Contributors

@grogsaxle made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/2

@esell made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/4

@FelixCoutinho made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/7

@ruped24 made their first contribution in https://github.com/BobTheShoplifter/Spring4Shell-POC/pull/8

Full Changelog: https://github.com/BobTheShoplifter/Spring4Shell-POC/commits/0.0.1
Source code(tar.gz)
Source code(zip)