Demonstrable Proof of Concept Exploit for Spring4Shell Vulnerability (CVE-2022-22965)# Spring4Shell - PoC
# CVE - 2022 - 22965
## Versions affected :
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older versions
- Java JDK 9
- Apache Tomcat versions below 10..0.20, 9.0.62, and 8.5.78
- Applications that are packaged as a traditional WAR with spring-webmvc or spring-webflux dependency and deployed on a standalone Servlet container alone are affected
## Description
- The issue can be elevated by classLoader manipulation
- Improper data binding that is used to populate an object from request parameters (Request Mapping annotation) causes this vulnerability
- Attackers can load arbitrary classes and can inject arbitrary code that can be executed by the application
- A similar vulnerability ([CVE-2010-1622](https://nvd.nist.gov/vuln/detail/CVE-2010-1622)) had been disclosed earlier and patches have been applied to restrict ```class.classLoader``` and ```class.protectionDomain```
- But JDK9 introduced a new method ```class.getMethod()```, which bypasses that restriction by using ```class.module.classLoader``` to access any child property of class object
## Impact
- Successful exploitation of this vulnerability can lead to arbitrary code execution on the vulnerable machine.
## Test Application
- [gokul-ramesh/Spring4Shell-POC](https://github.com/gokul-ramesh/Spring4Shell-POC) (forked from [lunasec-io/Spring4Shell-POC](https://github.com/lunasec-io/Spring4Shell-POC) )
- Clone the repository and build the application
```
docker build . -t spring4shell-poc-app
```
Else get the docker image from [gokul2/spring4shell-poc]
```
docker pull gokul2/spring4shell-poc-app
```
- Bring up the application
```
docker run -p 8080:8080 spring4shell-poc-app
```
- The application will be available at [localhost:8080](http://localhost:8080) now.
- Run the exploit.py file
[4.0K] /data/pocs/c0020d8cd1065cd00d69a2f8ab405206fcbf934b
├── [ 711] exploit.py
└── [1.8K] README.md
0 directories, 2 files