The script exploit-CVE-2017-3248-bobsecq.py exploits CVE-2017-3248 (https://www.tenable.com/security/research/tra-2017-07). It is the first script/POC for exploiting the "Oracle WebLogic RMI Registry UnicastRef Object Java Deserialization Remote Code Execution" vulnerability, because Tenable (which discovered this vulnerability) has not published an exploit/POC.
This script can be used for:
- checking if a weblogic server is vulnerable
- exploiting the RCE
This script needs the latest version of Ysoserial (https://github.com/frohoff/ysoserial).
Versions affected by this vulnerability (according to Oracle):
- 10.3.6.0
- 12.1.3.0
- 12.2.1.0
- 12.2.1.1
This exploit has been tested on WebLogic Server 12.1.2.0 (with and without SSL).
```
$ python exploit-CVE-2017-3248-bobsecq.py -h
usage: exploit-CVE-2017-3248-bobsecq.py [-h] -t TARGET -p PORT
                                         [--jip ATTACKERIP]
                                         [--jport ATTACKERPORT]
                                         [--cmd CMDTOEXECUTE] [--check] [--ssl]
                                         --ysopath YSOPATH
                                         [--payloadType PAYLOADTYPE]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET             target IP
  -p PORT               target port
  --jip ATTACKERIP      Local JRMP listener ip
  --jport ATTACKERPORT  Local JRMP listener port (default: 3412)
  --cmd CMDTOEXECUTE    Command to execute on the target
  --check               Check if vulnerable
  --ssl                 Enable ssl connection
  --ysopath YSOPATH     Ysoserial path
  --payloadType PAYLOADTYPE
                        Payload to use in JRMP listener (default:
                        CommonsCollections5)
```
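The `--jip` / `--jport` options above show that this exploit chain depends on the WebLogic server opening an outbound connection to a JRMP listener run by the attacker (port 3412 by default). A WebLogic host normally has no reason to initiate TCP connections to arbitrary external addresses, so egress monitoring is a practical detection opportunity independent of patching. The following is an added example, not part of the original repository: it parses constructed firewall-style log lines and flags outbound TCP connections from a constructed inventory of WebLogic hosts that leave the internal address space, annotating any that also hit the PoC's default listener port. The log format, host inventory and internal networks are all assumptions made for the example.

```python
"""Flag outbound connections from WebLogic hosts that look like JRMP callbacks.

Added example (not from the exploit repository). The log format, the host
inventory and the internal address ranges are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed inventory: hosts that run WebLogic.
WEBLOGIC_HOSTS = {"10.0.1.20", "10.0.1.21"}
# Constructed: address space treated as internal; anything else is egress.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Default --jport of the PoC described above. The port is attacker-chosen,
# so this is only a secondary annotation, never the sole trigger.
DEFAULT_JRMP_PORT = 3412

# Constructed log line format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def assess(rec):
    """Return the list of reasons a parsed record is suspicious (empty if not)."""
    reasons = []
    # Only outbound TCP from a known WebLogic host is in scope.
    if rec["src"] not in WEBLOGIC_HOSTS or rec["proto"] != "TCP":
        return reasons
    if not is_internal(rec["dst"]):
        reasons.append("outbound TCP from WebLogic host to external address")
    if rec["dport"] == DEFAULT_JRMP_PORT:
        reasons.append("destination port matches default JRMP listener port "
                       "of the CVE-2017-3248 PoC")
    return reasons


def scan(lines):
    """Parse and assess every line; denied attempts are reported too."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    rec["dport"], reasons))
    return findings


# Constructed sample log: one benign DB connection, one external callback on
# the default port, one external callback on another port, one connection from
# a non-WebLogic host, and one internal connection to the default port.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z TCP 10.0.1.20:50512 -> 10.0.2.5:1521 ALLOW
2017-03-01T10:00:02Z TCP 10.0.1.20:50513 -> 203.0.113.7:3412 ALLOW
2017-03-01T10:00:03Z TCP 10.0.1.21:50514 -> 198.51.100.9:8443 ALLOW
2017-03-01T10:00:04Z TCP 10.0.5.8:40000 -> 203.0.113.7:3412 ALLOW
2017-03-01T10:00:05Z TCP 10.0.1.20:50515 -> 10.0.9.9:3412 DENY
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}: " + "; ".join(f.reasons))
```

The primary signal is egress from the application tier, which the attacker cannot avoid with this exploit chain; the port match only raises priority. Run against the sample it reports three connections: the two external callbacks and the internal connection to port 3412, while the database connection and the non-WebLogic source are ignored.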