Spring4Shell

Installs a pneuma agent on the remote server by exploiting the remote code execution vulnerability (CVE-2022-22965) in Spring Framework. You can use the following command to start up a vulnerable docker instance: "docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29"

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Exploit remote Spring server
Task webshell to trigger Pneuma download
Task webshell to set payload permissions
Task webshell with agent callback

User-Set Custom Variables

  • target: http://127.0.0.1:8082
  • webshell_directory: http://127.0.0.1:8082