Related vulnerability
Title: Oracle Java SE, Java SE Embedded and JRockit input validation error vulnerability (CVE-2017-3241)
Description: Oracle Java SE and the related products are made by the US company Oracle. Oracle Java SE is used to develop and deploy Java applications for desktops, servers, embedded devices and real-time environments. Oracle Java SE Embedded is a Java platform for portable applications on embedded systems. Oracle JRockit is a Java virtual machine built into Oracle Fusion Middleware. The RMI subcomponent of the Java SE, Java SE Embedded and JRockit components of Oracle Java SE contains a security vulnerability. An attacker can exploit this vulnerability to control
Description
POC for Java RMI deserialization vulnerability
Introduction
# CVE-2017-3241-POC
POC for Java RMI deserialization vulnerability
You probably need to use JDK 8 to run this POC.
Just pay attention to the Message class on both the client and server side. They are different, and the difference is the key to understanding this vulnerability.
The fix Oracle published is to have developers configure a deserialization white/black list in the Java security policy. I would say, how many developers would know that list exists until they got hacked?
I thought about writing a testing program, but I am lazy.. if you understand my code, you can easily write your own. I suggest you use Java instrumentation or reflection.
Remote code execution is possible if certain classes exist in the target classpath:
http://seclist.us/proof-of-concept-exploit-showing-how-to-do-bytecode-injection-through-untrusted-deserialization.html
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
http://www.freebuf.com/vuls/126499.html
This program is for educational and test purposes ONLY. Do not use it without permission. Do not use it for malicious purposes. The usual disclaimer applies, especially the fact that I am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not my responsibility.
File snapshot
[4.0K] /data/pocs/11831fc8a22b1f3ff8653a5c2be69c54c133a3dd
├── [1.6K] README.md
└── [ 18K] SourceCode.zip
0 directories, 2 files
Notes
1. It is recommended to access the POC through its original source first.
2. The local POC snapshot is available to subscribers; when the original source is no longer available or cannot be reached, the local mirror is provided as part of the subscription benefits.
3. Continuously crawling, verifying and maintaining this POC archive takes considerable effort, so local snapshots are included in the paid subscription. Your subscription is what keeps this resource going; sincere thanks.