Add Weblogic deserialize AsyncResponseService module #11780
Co-Authored-By: acamro <acamro@users.noreply.github.com>
A few things to update or change. Thanks for the submission!
…ed exception handling, minimizing XML strings
@acamro: Thanks again for the quick turnaround! I compared your I went ahead and wrote docs, added a I've tested this against Ubuntu and Win10 on WebLogic v10.3.6, as well as against a seemingly non-vulnerable WebLogic 12c (12.2.1.2). Throwing this against the latter doesn't seem to cause any adverse effects. Getting ready to land this PR. 👍
Sanity testing failed because of a VM / infrastructure failure, not because of anything in the module:
Release Notes
Great work!!
Agreed :) Thanks, all.
I was working on a bug for Oracle Application Testing Suite and I noticed this also works against its WebLogic service, except this is on port 8088 by default. Just wanted to share for whoever is attacking Oracle services:
Don't forget to sleep!
register_options(
  [
    Opt::RPORT(7001),
    OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
It looks like I neglected to review this entire PR yet approved it. @wchen-r7 noticed that these options appear wrong. URIPATH does not appear to be used anywhere, being an HttpServer option, and WSPATH should be TARGETURI.
A question has also been raised regarding the validity of the CVE reference. #11835
Ah. So I'm actually in the middle of reviewing the vulnerability; I can update the module (for the CVE and the datastore options) later. Thank you guys.
Yes, please.
wvu-r7 approved these changes 20 days ago
When I approved the changes, I was approving only the metadata I reviewed. Apologies for the misunderstanding.
Oh, sorry, it's my fault; I was a little bit confused with this. This is not intentional, of course.
At this moment, I'm starting to test and solve the problem with the payload...
In a couple of hours, I'll give updates on the matter.
@acamro To be honest, I'm not so confident about the CVE update to CVE-2017-10271. There are other CVE-2019-2725 PoCs that look very similar to yours. Exactly what's the difference between these two? Do you know?
I'm verifying, and it could be the payload used to exploit: WebLogic and Java have some blacklisted types that mitigate some payloads. In this case, I shouldn't have used a ProcessBuilder datatype; the real problem was simply a lack of testing (patched versions).
Hello again,
I've been very busy lately, however, here you have another juicy contribution.
By the way, thank you so much for the acknowledgment in the articles (y)...
Please, add this exploit module for CVE-2019-2725, CNVD-C 2019-48814, Oracle Weblogic Deserialization Vulnerability in the WLS AsyncResponseService web service component.
It was tested on Windows 7 x64 and Ubuntu 14.04.4 x64 with Oracle Weblogic Server v10.3.6 and v12.1.3.
More info:
[1] https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93
[2] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
[3] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Please feel free to fix or add things!!!
TODO
Fix the Unix payload to make it more generic
Add more payloads
More tests on Linux
Tests on Solaris
Documentation
DEMO
Verification
msfconsole
use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
sessions -i 1