
CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Associated Vulnerability

Title: Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)

Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Description

CVE-2024-36401: GeoServer property expression injection RCE, as a woodpecker-framework plugin
Readme
# CVE-2024-36401-WoodpeckerPlugin

## Introduction
> Batch detection and exploitation of CVE-2024-36401, with support for custom in-memory webshell injection
1. Supports batch detection
2. URL addresses are already filtered on the backend (just feed it URLs)
3. Supports generating and injecting a custom in-memory webshell (the default memshell injection already adds the injector class name `java.lang.test`, intended to bypass the `defineAnonymousClass` restriction on JDK 11)

![img.png](assets/img1.png)

## Installation

Download the source and run
```bash
mvn package
```
Place the jar from `target` into the `plugin` folder of [woodpecker-framework](https://github.com/woodpecker-framework/).
If you do not want to compile it yourself, download CVE-2024-36401-WoodpeckerPlugin-x.x-SNAPSHOT-all.jar from the attachments and put it into the `plugin` folder of woodpecker-framework.


## PoC detection
![img.png](assets/img2.png)

## Exploit

After PoC detection finishes, right-click and send to Exploit.

![img.png](assets/img3.png)

Set `command`=`xx`, where `xx` is the arbitrary command to execute.

When `ismemshelldopen`=`false`, the command is executed; when it is `true`, the command is not executed.

![img_3.png](assets/img6.png)

## In-memory webshell injection
1. The default injected memshell is a Behinder (冰蝎) `Listener` memshell
2. Custom memshell injection is supported

Custom memshell injection: generate the memshell with [java-memshell-generator](https://github.com/pen4uin/java-memshell-generator); note that `Jetty` must be selected as the middleware.

![img_2.png](assets/img5.png)

Or use the `JMG Shell Helper` plugin.

![img_5.png](assets/img8.png)

Then replace the `xx` in the `memshelldata=xx` parameter with the generated payload.

![img_4.png](assets/img7.png)

## Disclaimer

> For learning and research purposes only; the author bears no responsibility for any consequences arising from the use of this project.

## References

https://yzddmr6.com/posts/geoserver-memoryshell/

https://blog.csdn.net/qq_45305211/article/details/139717906

https://github.com/kN6jq/WoodpeckerPluginManager

## License
+ MIT
File Snapshot

```text
[4.0K] /data/pocs/6831db2d385c58c85c3a397b749424ba5f4fa3f7
├── [1.0K] assembly.xml
├── [4.0K] assets
│   ├── [148K] img1.png
│   ├── [179K] img2.png
│   ├── [195K] img3.png
│   ├── [117K] img4.png
│   ├── [171K] img5.png
│   ├── [ 88K] img6.png
│   ├── [116K] img7.png
│   └── [154K] img8.png
├── [3.4K] pom.xml
├── [1.7K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] me
                └── [4.0K] gv7
                    └── [4.0K] woodpecker
                        └── [4.0K] plugin
                            ├── [4.0K] exploits
                            │   └── [ 43K] Exploit.java
                            ├── [4.0K] pocs
                            │   └── [8.5K] Poc.java
                            ├── [4.0K] utils
                            │   └── [1.5K] Utils.java
                            ├── [1.3K] VulPluginInfo.java
                            └── [ 746] WoodpeckerPluginManager.java

11 directories, 16 files
```