
POC details: cd0c4abdd9da6eddb2cd8e3f369f5581ba36ec35

Source
Related vulnerability
Title: IBM WebSphere Application Server security vulnerability (CVE-2020-4464)
Description: IBM WebSphere Application Server (WAS) is an application server product from the US company IBM. It is a platform for Java EE and web-service applications and the foundation of the IBM WebSphere software platform. IBM WebSphere Application Server contains a security vulnerability that an attacker can exploit to execute code.
Description
CVE-2020-4464 / CVE-2020-4450
Introduction
WSIF Gadget for WebSphere (CVE-2020-4464 / CVE-2020-4450)
=========================================================

This is based on the excellent blog posts of ZDI (original report by [@\_tint0](https://twitter.com/_tint0)):

* https://www.thezdi.com/blog/2020/7/20/abusing-java-remote-protocols-in-ibm-websphere
* https://www.zerodayinitiative.com/blog/2020/9/29/exploiting-other-remote-protocols-in-ibm-websphere

... and the work of some fine Chinese hackers (I couldn't determine the true source for the code, feel free to open an Issue if you think you deserve credit):

* https://paper.seebug.org/1315/
* https://vlambda.com/wz_7iyDatDUdvs.html
* https://cert.360.cn/report/detail?id=3d016bdef66b8e29936f8cb364f265c8


My additions (not much, really):
* Dependencies + build script
* Publicly accessible RMI service
* Little code cleanup

[FoxGlove's code](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/) is pulled in as a submodule; you can use the WebSphere request file to trigger CVE-2020-4464.

You should copy the `plugins` and `runtimes` directories from WebSphere to the `lib` directory, then run `ant` to compile!

To run (Java 11):

```
java -cp .:runtimes/com.ibm.ws.orb_9.0.jar:runtimes/com.ibm.ws.admin.client_9.0.jar:plugins/com.ibm.ws.managedobject.jar:plugins/com.ibm.ws.runtime.jar:plugins/com.ibm.ws.batch.runtime.jar:plugins/javax.j2ee.ejb.jar:runtimes/com.ibm.jaxws.thinclient_9.0.jar --add-modules jdk.naming.rmi --add-exports='jdk.naming.rmi/com.sun.jndi.rmi.registry=ALL-UNNAMED' Test
```

```
java -cp .:plugins/com.ibm.ws.runtime.jar:runtimes/com.ibm.ws.admin.client_9.0.jar RMIServer
```
File snapshot

```
[4.0K] /data/pocs/cd0c4abdd9da6eddb2cd8e3f369f5581ba36ec35
├── [1.4K] build.xml
├── [4.0K] JavaUnserializeExploits
├── [4.0K] lib
│   ├── [4.0K] plugins
│   │   └── [   0] _COPY_FROM_WEBSPHERE_
│   └── [4.0K] runtimes
│       └── [   0] _COPY_FROM_WEBSPHERE_
├── [1.7K] README.md
├── [4.0K] resource
│   └── [1.7K] poc.wsdl
└── [4.0K] src
    ├── [1.3K] RMIServer.java
    └── [2.7K] Test.java

6 directories, 7 files
```