Oracle WebLogic Server Core Unspecified Vulnerability via T3/IIOP
CVE-2024-21182 is an unspecified vulnerability in the Core component of Oracle WebLogic Server affecting supported versions 12.2.1.4.0 and 14.1.1.0.0. Oracle describes it as easily exploitable by an unauthenticated attacker with network access to the target over the T3 or IIOP protocols. Public details do not identify the exact vulnerable function or root cause, but successful exploitation can compromise the WebLogic instance and expose data accessible through the server. Oracle patched the vulnerability in the July 2024 Critical Patch Update, and CISA has since added it to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a self-contained lab exploit for Oracle WebLogic Server CVE-2024-21182, described as an unauthenticated T3/IIOP JNDI injection leading to a server-side LDAP lookup and, under the provided lab conditions, remote code execution. The repo is not tied to a common exploit framework; it contains custom Java, Python, Bash, and Docker components.

Structure and purpose:
- poc/CVE_2024_21182.java is the main exploit client. It connects to a WebLogic T3 endpoint, constructs a malicious weblogic.application.naming.MessageDestinationReference, reflectively inserts it into an AggregatableOpaqueReference, binds it into JNDI, and triggers lookup() so the server performs an attacker-controlled LDAP lookup.
- exploit/ldap_server.py is the attacker infrastructure. It implements a minimal LDAP server that answers searches with a javaNamingReference containing javaClassName=Exploit, javaFactory=Exploit, and javaCodeBase pointing to an HTTP server. The same script also starts an HTTP server to host the compiled class file.
- exploit/Exploit.java is the payload class. Its static initializer executes /bin/sh -c 'id ...; uname -a ...' and writes output to /tmp/RCE_PROOF_CVE_2024_21182 on the victim.
- exploit/build.sh recompiles Exploit.java to Java 8 bytecode for compatibility with the lab's older JDK.
- docker-compose.yml provisions a vulnerable WebLogic container and an attacker container exposing the LDAP/HTTP services.
- validate.sh automates end-to-end reproduction: waits for WebLogic readiness, copies and compiles the PoC inside the container against the live WebLogic classpath, runs the exploit against 127.0.0.1:7001 with ldap://attacker:1389/Evil, and checks for the proof file.

Main exploit capability: the exploit provides unauthenticated, network-triggered JNDI injection over T3, causing the target WebLogic server to initiate outbound LDAP and HTTP connections to attacker-controlled infrastructure. In the included lab, this results in arbitrary command execution via remote Java class loading. On newer JDKs or patched systems, the same technique may degrade to SSRF/outbound lookup without RCE.

Notable targeting details: the README states Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 are the CVE-listed affected versions, while the lab uses vulhub/weblogic:12.2.1.3-2018 to reproduce the vulnerable class behavior. The exploit specifically abuses the WebLogic classes AggregatableOpaqueReference and MessageDestinationReference to bypass prior protections associated with CVE-2023-21839.

Overall, this is a real operational lab exploit with a working payload and attacker infrastructure, not merely a detector or README-only proof of concept.
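The exploit summaries above share one network signature a defender can hunt for: an inbound T3 connection to the WebLogic listen port followed within seconds by an outbound LDAP connection from the same server to an address outside the internal range. The following Python heuristic is an added example (not code from the page or from any of the repositories described) that applies that correlation to constructed flow records; the port sets, the 10/8 internal range, and the 30-second window are assumptions to tune per environment.

```python
"""Heuristic detector for the JNDI-callback pattern: inbound T3 to WebLogic,
then outbound LDAP from WebLogic to an external host within a short window."""
from datetime import datetime, timedelta

AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}  # versions named in the advisory
WEBLOGIC_PORTS = {7001, 7002}   # assumption: default T3/T3S listen ports (7001 appears in the lab)
LDAP_PORTS = {389, 636, 1389}   # assumption: standard LDAP/LDAPS plus the lab's 1389
WINDOW = timedelta(seconds=30)  # assumption: lookup follows the bind almost immediately

# Constructed flow records (not from the page): ts src sport dst dport direction
SAMPLE_FLOWS = """\
2024-07-20T10:00:01 203.0.113.9 51234 10.0.0.5 7001 in
2024-07-20T10:00:02 10.0.0.5 40011 203.0.113.9 1389 out
2024-07-20T10:00:03 10.0.0.5 40012 203.0.113.9 8000 out
2024-07-20T10:05:00 10.0.0.7 53000 10.0.0.5 7001 in
2024-07-20T10:05:01 10.0.0.5 40020 10.0.0.20 389 out
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, direction = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "dir": direction})
    return flows


def is_internal(ip):
    """Assumption: 10.0.0.0/8 is the organisation's internal range."""
    return ip.startswith("10.")


def find_jndi_callbacks(flows, weblogic_host):
    """Return (t3_client, ldap_target, ts) for every inbound T3 connection that is
    followed within WINDOW by an outbound LDAP connection from the WebLogic host
    to a non-internal address. Internal LDAP (e.g. a directory server) is ignored."""
    hits = []
    for f in flows:
        if f["dir"] != "in" or f["dst"] != weblogic_host or f["dport"] not in WEBLOGIC_PORTS:
            continue
        for g in flows:
            if (g["dir"] == "out" and g["src"] == weblogic_host and g["dport"] in LDAP_PORTS
                    and not is_internal(g["dst"]) and f["ts"] <= g["ts"] <= f["ts"] + WINDOW):
                hits.append((f["src"], g["dst"], g["ts"].isoformat()))
    return hits


def needs_patch(version):
    """True when the reported WebLogic version is one the advisory lists as affected."""
    return version in AFFECTED_VERSIONS
```

Legitimate T3 clients that happen to coincide with a legitimate external LDAP lookup will produce false positives, so treat a hit as a triage lead and confirm against WebLogic's own logs and the JDK's outbound class-loading behaviour.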
This repository contains a single Java proof-of-concept exploit (CVE_2024_21182.java) targeting Oracle WebLogic Server's JNDI implementation, specifically for CVE-2024-21182. The exploit demonstrates how an attacker can use the T3 protocol to connect to a vulnerable WebLogic server and bind a malicious AggregatableOpaqueReference object containing a MessageDestinationReference that points to an attacker-controlled LDAP server. This could potentially be used to trigger remote code execution or further attacks via JNDI injection. The code is a standalone PoC and does not include a full exploit chain or payload delivery, but it clearly demonstrates the vulnerability mechanism. The README is minimal and only states the vulnerability context. The main fingerprintable endpoints are the T3 and LDAP URLs, which are hardcoded as placeholders in the code.
This repository contains a single Java proof-of-concept exploit for CVE-2024-21182, a JNDI injection vulnerability in Oracle WebLogic Server. The main file, CVE_2024_21182.java, demonstrates how an attacker can use the T3 protocol to connect to a vulnerable WebLogic instance and bind a malicious MessageDestinationReference object that references an attacker-controlled LDAP server. The exploit leverages internal WebLogic classes and Java reflection to craft the payload. The README.md provides a brief description and states that the exploit is for educational purposes. The code is a functional PoC and does not include a full malicious payload, but it shows the core technique for exploiting the vulnerability. The main network endpoints involved are the target WebLogic server (T3 protocol) and an LDAP server under the attacker's control.
Recent activity
56 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remotely exploitable Oracle WebLogic Server vulnerability affecting versions 12.2.1.4.0 and 14.1.1.0.0 that allows unauthenticated attackers to gain remote access via exposed T3 and IIOP protocols, potentially leading to access to all data reachable through the server.
A critical Oracle WebLogic Server vulnerability that allows unauthenticated remote attackers with network access to compromise the server with low complexity, potentially leading to unauthorized access to critical data or complete control over accessible data.
A high-severity Oracle WebLogic Server vulnerability that allows an unauthenticated network attacker to compromise susceptible servers via T3/IIOP, potentially resulting in unauthorized access to critical data or complete access to accessible WebLogic data.
An easily exploitable Oracle WebLogic Server vulnerability that allows an unauthenticated remote attacker over T3 or IIOP to gain unauthorized access to sensitive information on affected servers.