WLT3Serial is an Native Java-based deserialization exploit for WebLogic T3 (and T3S) listeners (as outlined HERE). Requires third-party dependencies ysoserial and wlthint3client.
Advantages/Disadvantages compared to JavaUnserializeExploits weblogic.py https://github.com/breenmachine/JavaUnserializeExploits/blob/master/weblogic.py and loubia https://github.com/metalnas/loubia
+ Handles T3/T3S communication natively with Java instead of using packet captures with Python, and therefore should work against all WebLogic server versions.
+ Generates object payloads directly through ysoserial during every execution, and therefore supports the latest ysoserial version for payload generation.
+ Parses (and displays if requested) all thrown Exceptions during execution, and clearly states the overall result of execution based off these Exceptions. This includes notifying the user if exploitation appears to be successful, or if the target WebLogic server appears to be patched against exploitation.
+ Offers several different methods for payload delivery (although all are similar, and chances are all work against an unpatched WebLogic server and all do not work against a patched WebLogic server).
– Depends on a .jar file (wlthint3client.jar) that cannot be distributed by me (due to Oracle Licensing terms) and can only be downloaded with an Oracle username/password. Because of this, I can only distribute a “thin” release jar that still requires the user to obtain the required wlthint3client.jar file from Oracle.
– For T3S connections, SSLv2 and SSLv3 communication is not supported.
– SSL/TLS certificate validation is enabled by default in Java, so T3S connections require the use of InstallCert in order to connect and run properly. (NOTE: Fix in progress, to be incorporated in next release).
+ Java 8 or above
+ Grdale https://gradle.org/
+ ysoserial https://github.com/frohoff/ysoserial
+ wlthint3client – For handling T3/T3S connections natively, must be supplied by the user (due to Oracle Licensing terms); Can be downloaded (requires Oracle username/password) as part of wls1036_dev.zip (located in /wlserver/server/lib/wlthint3client.jar).
Building and Use:
git clone git clone https://github.com/Bort-Millipede/WLT3Serial && cd WLT3Serial
gradle clean prepare
downloaded wlthint3client.jar file in the build/libs/ directory
download here https://github.com/Bort-Millipede/WLT3Serial/releases/download/0.1/WLT3Serial-0.1.jar
place the ysoserial.jar file in the build/libs/ directory
java -jar WLT3Serial-full-[VERSION].jar [OPTIONS] REMOTE_HOST REMOTE_PORT PAYLOAD_TYPE PAYLOAD_CMD