Skip to content

Uvemode/CVE-2020-2555

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Forked from Y4er

I added some changes so the code can be built into a simple .jar with simple arguments (host, port, command, http/s), to build please replace coherence.jar with the version according to your target.

The .jar present in Releases is built for 12.1.3, as is easy to guess.

Usage:

java -jar 12_1_3.jar -H [Host] -P [Port] -C [Command] -https [optional]

The command is executed with "/bin/bash -c". If another command is needed this can be changed at CVE_2020_2555.java line 87.

CVE-2020-2555

Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE

com.supeream.CVE_2020_2555

/*
 * author:Y4er.com
 *
 * gadget:
 *      BadAttributeValueExpException.readObject()
 *          com.tangosol.util.filter.LimitFilter.toString()
 *              com.tangosol.util.extractor.ChainedExtractor.extract()
 *                  com.tangosol.util.extractor.ReflectionExtractor.extract()
 *                      Method.invoke()
 *                      ...
 *                      Runtime.getRuntime.exec()
 */

Require

This only works in JDK 8u76 and WITHOUT a security manager, because of BadAttributeValueExpException in here: https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70 And Please replace coherence.jar with your weblogic version, if not, you will get serialVersionUID inconsistent error.

Only test on Centos jdk8u202 Weblogic 12.2.1.4.

Reference

  1. https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
  2. https://www.youtube.com/watch?v=VzmZTYbm4Zw
  3. https://github.com/5up3rc/weblogic_cmd/

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages