Some Metasploit and Oracle Notes – Part 2

So more Oracle and Metasploit stuff tonight. As CG pointed out on the last post, most of this has been covered in his series of posts at the carnal0wnage blog (and lots more besides); this is just me working through the process for my own benefit and hopefully pointing out some of the potential things to think about as I go along…
OK, so where I left off last time we’d found our database, enumerated the SIDs and guessed a handily set default username/password (the infamous SCOTT/TIGER). So at this point we’ve got an account which can access the database, but now we need some more privileges…

4. Escalate privileges to get DBA level access
To do this we’re going to use the Metasploit droptable_trigger module, which works slightly differently from some exploit modules in Metasploit: executing the code generates a file that you can then run against the database to elevate your privileges.

Setting this up is very simple

use auxiliary/admin/oracle/droptable_trigger 

Handily the default SQL command that gets run by this exploit is “grant DBA to SCOTT”, which is exactly what we’re looking for.
Once we’ve run this module a .sql file is generated in the data/exploit directory. Probably the easiest way of running this is to use sqlplus, like so

sqlplus SCOTT/TIGER@[your_target_IP_here]/[your_target_SID_here] < msf.sql 

Assuming all goes well with the attack (from my experimentation with 10GR2 this one works fine) you can query the user_role_privs view in Oracle to confirm

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
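
The defender-side counterpart to the check above, as an added example that is not part of the original post: run as a DBA, it lists every account that holds the DBA role directly or through nested roles, then checks the SCOTT demo account. The SYS/SYSTEM allow-list is an assumption; replace it with your site's own.

```sql
-- Added example, not from the original post. Run as a DBA in sqlplus.
-- ASSUMPTION: SYS and SYSTEM are the only accounts expected to hold DBA;
-- replace the allow-list with your site's own.

-- 1. Accounts holding DBA directly or through a chain of nested roles.
--    user_role_privs only covers the current user, so the role hierarchy
--    is walked from the DBA role down to every grantee in the database.
SELECT u.username, u.account_status, u.created
FROM   dba_users u
WHERE  u.username NOT IN ('SYS', 'SYSTEM')
AND    u.username IN (
         SELECT grantee
         FROM   dba_role_privs
         START  WITH granted_role = 'DBA'
         CONNECT BY PRIOR grantee = granted_role)
ORDER  BY u.username;

-- 2. Is the SCOTT demo account present, and in what state?
--    A status of OPEN means it accepts logins with its current password.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username = 'SCOTT';

-- 3. Remediation if the queries above flag SCOTT.
REVOKE DBA FROM scott;   -- raises ORA-01951 if the role was not granted
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
```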

It’s worth noting that some of these Oracle modules (there’s 9 in the current Metasploit svn versions) have required privilege levels (dbms_cdc_publish, for example, in a vanilla 10GR2 setup needs EXECUTE_CATALOG_ROLE to run, which only SYS and users with the DBA role have…), so it’s worth trying out several to fit different scenarios…
So here we are with DBA, which to be honest for a lot of attackers is all that’s needed. The data in the database is likely to be the “crown jewels” which the attacker’s looking for, but hey, we can go further with the wonders of Metasploit and execute code on the underlying operating system…

5. Leverage Oracle’s functionality to get access to the underlying operating system
So at the moment I don’t see a Metasploit option for doing this in *nix (there’s a win32 command execution module on mc’s page), however that’s not a serious problem as it turns out the nice guys at Oracle provide ways to do this easily.

A quick google around revealed this paper from Oracle on command execution from a database user, and from my running of it, it works fine (although it requires creation of new database objects, so it’s best suited to an environment that can be rolled back easily…).
So there you go, from nothing to OS access in 5 easy steps, courtesy of Metasploit…

2 thoughts on “Some Metasploit and Oracle Notes – Part 2”

  1. The link under ‘this paper’ points to mc’s page.

  2. Whoops, thanks for that, I’ve updated the link to point in the right direction now.
