CVE-2021-25641 PoC — Apache Dubbo 代码问题漏洞

Source

https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept

Associated Vulnerability

Title:Apache Dubbo 代码问题漏洞 (CVE-2021-25641)
Description:Apache Dubbo是美国阿帕奇（Apache）基金会的一款基于Java的轻量级RPC（远程过程调用）框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo 2.7.8和2.6.9之前版本存在代码问题漏洞，该漏洞源于攻击者利用该漏洞可以通过篡改字节前序标志(也就是不遵循服务器的指令)来选择提供者将使用哪个序列化id。

Description

Apache/Alibaba Dubbo <= 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions <= 2.7.6 With Different Gadgets

Readme

# The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept
Apache/Alibaba Dubbo &lt;= 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions &lt;= 2.7.6 With Different Gadgets

Covered in-depth in the article "The 0xDABB of Doom", published on the Checkmarx blog
https://www.checkmarx.com/blog/technical-blog/the-0xdabb-of-doom-cve-2021-25641/

File Snapshot


 [4.0K]  /data/pocs/1839da48af8c41cbe0d366552089dab7f6c77a38
├── [4.0K]  DubboProtocolExploit
│   ├── [2.1K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           └── [4.0K]  java
│               ├── [4.0K]  DubboProtocolExploit
│               │   ├── [6.5K]  Main.java
│               │   └── [9.3K]  Utils.java
│               └── [4.0K]  org
│                   └── [4.0K]  apache
│                       └── [4.0K]  dubbo
│                           └── [4.0K]  demo
│                               └── [ 108]  DemoService.java
└── [ 379]  README.md

9 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!