WLT3Serial

Native Java-based deserialization exploit for WebLogic T3 (and T3S) listeners (as outlined HERE). Requires third-party dependencies ysoserial and wlthint3client.

Advantages/Disadvantages compared to JavaUnserializeExploits weblogic.py and loubia

Advantages:

Disadvantages:

Building

Requires Oracle Java 7 or 8. It has not been tested with any other Java vendor (such as OpenJDK or IBM JRE), so no support is promised for those. It can likely be built with Java 9 or 10, but again without any promise of support.

WLT3Serial is built via the Gradle build automation system. Gradle 4 should be used for building, although other versions have been partially tested (see Development section).

Third-Party Dependencies:

Procedure:

  1. Clone the WLT3Serial repository. git clone https://github.com/Bort-Millipede/WLT3Serial.git
  2. Open a terminal and navigate to the cloned repository.
  3. Execute the following command to create the preliminary build directory: gradle clean prepare
  4. Place downloaded wlthint3client.jar file in the build/libs/ directory.
  5. (OPTIONAL) If using a preferred version of ysoserial (v0.0.5 or higher), place the ysoserial.jar file in the build/libs/ directory.
  6. To build the WLT3Serial jar file (located at build/libs/WLT3Serial-[VERSION].jar), execute the following command: gradle build -x test

Usage

Requires Oracle Java 7 or 8. It has not been tested with any other Java vendor (such as OpenJDK or IBM JRE), so no support is promised for those. It can likely be run with Java 9 or 10, but again without any promise of support.

If using the Property (default), Bind or WLBind exploitation methods, WLT3Serial should be executed as follows (note the value of the java '-cp' parameter):

If using the CustomClass exploitation method, WLT3Serial should be executed as follows (note the value of the java '-cp' parameter):

Below is the printout of the built-in help menu:

Usage: WLT3Serial [OPTIONS] REMOTE_HOST REMOTE_PORT PAYLOAD_TYPE PAYLOAD_CMD

Options:
    --help              print usage (you're lookin at it)

    --verbose           Verbose output (full thrown exception output; Disabled by default)

    --method=EXPLOIT_METHOD     Exploit Method for delivering generated ysoserial payload
        Exploit Methods:
            Property    Send ysoserial payload as connection environment property value (Default; via javax.naming.Context.lookup(), variation of ysoserial.exploit.RMIRegistryExploit)
            Bind        Send ysoserial payload as object to bind to name (via javax.naming.Context.bind(), similar to ysoserial.exploit.RMIRegistryExploit)
            WLBind      Send ysoserial payload as WebLogic RMI object to bind to name (via weblogic.rmi.Naming.bind(), similar to ysoserial.exploit.RMIRegistryExploit)
            CustomClass Send ysoserial payload during T3/T3S connection initialization (via custom weblogic.rjvm.ClassTableEntry class, similar to JavaUnserializeExploits weblogic.py)

    --t3s[=PROTOCOL]        Use T3S (transport-encrypted) connection (Disabled by default)
        Protocols:
            TLSv1.2
            TLSv1.1
            TLSv1 (Default)
            SSLv3
            SSLv2 (SSLv2Hello handshake only, then fallback to SSLv3 for communication: this is an Oracle Java limitation, not a WLT3Serial limitation)

Available Payload Types (WebLogic is usually vulnerable to "CommonsCollectionsX" and "JRMPClientX" types):
    (available payloads listed here)

Exploit Method Notes

The Property, Bind, and WLBind methods are so similar that if a target system cannot be exploited using one of them, it likely cannot be exploited using any of them. The CustomClass method is completely different from the other three.

Advantages/Disadvantages of Property/Bind/WLBind Methods:

T3S Connection Notes

It is recommended that the user first scans the target service with sslscan or the nmap ssl-enum-ciphers script to find out which protocols it supports. This way, the user can fine-tune the --t3s option when executing WLT3Serial.
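The following script is an added example and is not part of WLT3Serial. It shows the server-side counterpart of the advice above: parsing the output of the nmap ssl-enum-ciphers script (the sample output embedded below is constructed, not captured from a real host) to list the protocol versions a T3S listener actually negotiates and to flag legacy ones (SSLv2, SSLv3, TLSv1, TLSv1.1) that a hardened listener should not offer. Note that nmap prints "TLSv1.0" where Java's SSLContext, and therefore the --t3s option, uses the name "TLSv1"; the script normalizes to the Java names. Function and constant names are this example's own.

```python
"""Flag legacy SSL/TLS protocol versions in nmap ssl-enum-ciphers output.

Added example (not WLT3Serial code). SAMPLE_NMAP_OUTPUT is a constructed
excerpt in the format the ssl-enum-ciphers NSE script prints.
"""
import re

# Constructed sample: what "nmap -p 7002 --script ssl-enum-ciphers HOST" might print
# for a listener that still offers SSLv3 and TLSv1.0 alongside TLSv1.2.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
7002/tcp open  unknown
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Protocol header lines in the script block look like "|   TLSv1.2: "
# (pipe, exactly three spaces, version, colon). Cipher and option lines are
# indented deeper and therefore do not match.
PROTOCOL_LINE = re.compile(r"^\|\s{3}(SSLv2|SSLv3|TLSv1\.[0-3]|TLSv1):\s*$")

# Versions a hardened listener should not negotiate.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1", "TLSv1.1"}

# nmap prints "TLSv1.0"; Java's SSLContext (and the --t3s option) calls it "TLSv1".
JAVA_PROTOCOL_NAMES = {"TLSv1.0": "TLSv1"}


def parse_protocols(nmap_output):
    """Return the protocol versions found in the scan output, in output order."""
    found = []
    for line in nmap_output.splitlines():
        match = PROTOCOL_LINE.match(line)
        if match:
            found.append(match.group(1))
    return found


def to_java_names(protocols):
    """Normalize nmap protocol names to the names Java (and --t3s) uses."""
    return [JAVA_PROTOCOL_NAMES.get(p, p) for p in protocols]


def hardening_report(nmap_output):
    """Summarize which versions are enabled and which of them are legacy."""
    protocols = parse_protocols(nmap_output)
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    return {
        "enabled": to_java_names(protocols),
        "legacy": to_java_names(legacy),
        "hardened": not legacy,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hardening_report(SAMPLE_NMAP_OUTPUT), indent=2))
```

Run it against real output by piping the nmap scan of your own listener into the script (for example by replacing SAMPLE_NMAP_OUTPUT with sys.stdin.read()); any entry under "legacy" is a protocol version that should be disabled on the WebLogic SSL listener rather than relied upon.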

Development

In an attempt to improve upon the JavaUnserializeExploits weblogic.py and loubia exploits, WLT3Serial was developed in Java using the following resources for connecting to WebLogic T3/T3S services:

Emphasis was placed on handling T3 connections natively in Java, as well as proper error handling to provide helpful command output for the user.

WLT3Serial was developed using the following software versions:

Live testing during development was conducted against the following versions of WebLogic Server:

Disclaimer

The developers provide the software for free without warranty, and assume no responsibility for any damage caused to systems by using the software. It is the responsibility of the user to abide by all local, state and federal laws while using the software.

Copyright

(C) 2017, 2018 Jeffrey Cap (Bort_Millipede)