CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.
Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments. It is downloadable from Oracle once registered for an account. For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`). For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
1. Install the application using the binaries above, with both a WebLogic server and an admin server.
2. When prompted, name the project `base_domain`.
3. When prompted, use a development environment instead of a production environment.
4. When prompted, keep the default port of TCP/7001.
5. When prompted, provide a username and password, and make a note of them.
6. Upon completion of the installer, find and execute the admin server. On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`. On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
7. You may be prompted for the username and password you generated during the install process.
8. Wait for the output: `<Server state changed to RUNNING.>`
**TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
