They're going to be doing a talk on attacking Oracle from the Metasploit project. All right, thanks. Let's get started. Thanks for either staying up late or waking up early. So this is me, Chris Gates, part of the Metasploit project, pen tester by day, blogger, Twitter, all the other stuff. If you want to know more, ask me or bust out your Maltego license. Thanks. Mario Ceballos. I'm kind of known as MC within the framework. I'm sorry, now? OK, again, my name is Mario Ceballos, known as MC from within the framework. I do a lot of vulnerability research and exploit development. Some of that stuff ends up in the framework; a lot of it doesn't. My primary focus is on auxiliary modules and code execution vulnerabilities, and for my day job I do pen testing.

So, a quick disclaimer: this is not our employers'. Everyone has to do that one. And then the other disclaimer is, with the exception of some SQL injection that Mario found, most of this stuff is not new. It's been around for quite a while. But it's been really hard to put all these random SQL files and Perl scripts and everything together to put a whole attack together. So one of the things I was going for when we did this was to put a process in place for pen testing Oracle. And Mario's going to talk a bit about some of the other things he did and why he built this stuff. But that was the big thing: we didn't invent or discover it. We just tried to streamline the process and make it easier for all of us who are doing pen testing.

So why we focus on Oracle? Lots of pen tests. I've seen lots of potential Oracle clients. From my experience, and everyone's experience is going to differ, people were either falling into "I have a DBA and his own personal hell is making sure he's doing this Oracle stuff," or they don't. And I'd say, "Oh, you've got Oracle on your network. Who's in charge of the meddling account?" And they'd be like, "What's a meddling account?"
So with the Oracle business model of allowing free downloads but no updates without paying, we started seeing lots of default installs out on the network. And privilege escalation is easy and data theft is easy, but it's Metasploit; we want shells. So why we did this: there's not a lot of, actually I don't know of any, support in any of the for-pay frameworks that will go after SQL injection vulnerabilities in Oracle. SAINT will do some of the memory corruption stuff that's in the default packages. Maybe Core does, but I haven't seen it. And some of the other open source tools that do that are Inguma, I'm not sure it's still being worked on, Orasploit, which is not public, and then some commercial tools that focus more on doing VAs against Oracle and less on exploitation.

All right, so... OK, now, right, cool. So some of the current Metasploit support we have is more on, again, the memory corruption vulnerabilities. This stuff is kind of supported by myself and a few other developers. We've got coverage for things like Oracle Secure Backup, the WebLogic overflow, a couple of TNS listener process overflows in different pieces. We also have some auxiliary modules that we stuck in there at first using a file format mixin to take advantage of some of the SQL injection flaws that we're going to be talking about. Those are kind of obsolete now; we removed those Tuesday and rewrote them to use a new mixin we're going to get into. And a really cool NTLM stealer, which doesn't really inject anything but tells the Oracle instance to pretty much mount an SMB share on our side, and then we relay that hash and log back into the Oracle instance with the credentials we received from the DBMS. I'm sorry. All right, so cool. So, new Metasploit support. I think sometime last year I wrote a TNS mixin to support a couple of TNS overflows that I was writing.
Doing all that work up front pretty much helped me out to do a lot of other things that weren't really exploit related. And again, that mixin, which pretty much just creates a dynamic TNS packet, is used for our SID enumeration tool, our brute force enumeration tool, our... what else we got there? What happened is that we ended up getting a full-blown tnscmd.pl port into the framework. But the big thing about this talk here is the introduction of our Oracle mixin, which pretty much is what allows us to do all the magic we're gonna show you here in a second. A couple of dependencies: we're wrapped around the Oracle Instant Client for the direct database access. We're using a really lightweight API for the database execution of our SQL statements, and we're using the OCI8 Ruby driver. It's kind of broke with the newer versions of Ruby 1.9, so... It doesn't work on Windows yet either, so... Right, yeah, so anybody can get that stuff. I mean, I usually develop under Linux or OS X. I don't touch Windows; I might attack it. And Chris has a link here to the install.

So with the mixin, I created a couple of methods that are really simple to use, straightforward: connect, disconnect. Those two methods are used for our brute force module that looks for default known accounts, given a correct SID. The exec method does just that: it takes a statement, makes sure that it's correct, sends it off to the remote service, and if things are correct, it spits back a pretty nice format of what you just sent off. This is just a quick example of the output of ours. So what we've done is essentially made a really simple SQL client from within the framework to talk to the database. So yeah, you can do some administrative tasks that we've gotten from Carlos Perez and I think Rory, if you're in the room. But it's kind of used for more of the evil stuff that we're doing.
So from an attack methodology point of view, we need four things to connect to an Oracle database. We need to know what IP it's on, obviously, what port it's listening on, if it's on the default 1521, the service identifier, which is the unique name for the Oracle database, and a username and password. So that makes sense, right?

So first thing, locate Oracle systems. So we've got Nmap, information disclosure, so maybe as you're doing some other pen testing, some web app work, you'll see that there are some Oracle errors coming back, or you'll just kind of stumble across it. Or Google, you know, so if you're doing an organization you may see if they have any kind of public presence via Google. Starting with, I know with 4.9, Nmap will now return the TNS listener version, which is actually really handy. Up until that, it was really hard; you would just get an open Oracle port, which wouldn't really tell you too much about what version it was, what state that thing was in. So the new Nmap is actually really handy for that. And you can also look for other common Oracle ports. So 1158 is your Enterprise Manager console, your 5560 is your SQL*Plus web portal. Plenty of Google dorks if you wanna locate Oracle systems. The Red Database Security guy wrote some really good white papers on using those. Sometimes they come pre-owned. I don't know if you can see that one, but I found that one doing some Google dorks. Logged in with scott/tiger and he was already DBA. So someone got to that one before I did. It happens actually quite a bit, not that I would ever encourage you to go look for open Oracle boxes. But if you do, you'll probably find quite a lot of them are already owned.

So determining versions, obviously key. We need to know what version things are, so we know what exploits and SQL injection things to tailor toward it. So what we do here, oh, you know what? I'm on Mario's slide. Okay.
So what we do here is we send a TNS version packet with the TNS mixin and it just parses out the results. And I haven't come across any issues with this ever not working for me, so that's pretty handy. Oracle needs to know, the Instant Client needs to know the version it's talking to so it can do its handshake and make sure that it's allowed to talk. Mario's also at some point gonna be pushing out some code that will query dbsnmp, which will do some information leakage, which will help us see installed paths for Oracle. And I think we also pushed out the tnscmd one, right? A port of tnscmd.pl, it's now tnscmd.rb, which will allow you to basically send whatever commands or information you want to via TNS, which is pretty handy. There's a video I'll be pushing out later where you can set log files to whatever and do the old-school Oracle 9 hacking with that. I think that's it. Oh, we have also, all these scanner modules also have the report mixin built in. So if you wanna use the database stuff, you can actually output that stuff to a database. You wanna talk about that? Well, the big piece of that is because eventually we're gonna go to the db_autopwn stuff, so it makes things really easy to own massive stuff. So, yeah, we get the data, we save it, and we get it ready for some mass exploitation.

All right, cool, so determining the SID. This is the crucial thing. You can usually come across a username or password, either through social engineering or finding it on someone's desk or whatever. What's sometimes hard to find is that SID. It's critical. If you don't know the SID, you could know everything else. It could be a vulnerable Oracle box. If you can't connect to it, you can't do anything with it. So we've got a few modules that we built that actually help with that process. The first one is, so with 9.2.0.8 and below, if you just send a status packet at it, it will actually give you the answer back.
It will say, hey, my SID's ACMS, my service name is ACMS, and I've got all this other stuff running. After that, you'll get a "listener protected." The little code at the bottom there is showing that it was against an Oracle 10 box, and it's not gonna give you anything. So if it won't give it to us directly, we've got a few other methods that we can use to go after it. First thing we do is we can brute force for default SIDs. So we take the SID list from Red Database Security. Feel free to add to it. Mine's growing every day. It just rips through and asks the Oracle instance, oh, are you ORACLE? Are you DBMS? Are you ORACLE9? Whatever. If it's right, it will give you a different error message back, and we parse that out for you. Or we can query other components that actually contain the Oracle SID. The Enterprise Manager will show it to you. There are a couple of Java servlets that will actually have the SID in the HTML. And what we've done is write some auxiliary modules that will actually run through the class C, check and see if they're there, and then log those for you. So in this case at the bottom, we can see that the servlet spy is running, and we run the module and it found that the SID was ORACLE. And so this is kind of what, so if the Enterprise Manager console is running, this is what you'll see if you just browse to the webpage. But if you're auditing a big network or you're trying to automate some of these things, you don't want to browse to every page and then write down the answer. So we've got an OAS SID module down there at the bottom that will actually go through and parse out that HTML and give you the answer. You want to talk about some of the other modules? I just want to kind of emphasize that we are logging everything. We're using another mixin called the report mixin and log everything to a local MySQL database or SQLite database.
So as you're going through the network scanning and looking for potential targets, everything's saved. We don't want to waste any data; we don't want to re-scan it if we don't have to, and unfortunately, we don't want to get caught either.

All right, next step, username and password. So like I said, if you can't come across it by any other means, or you've had your scope restricted enough that you're going to have to do something that in the real world will get you caught, we have a login brute script that will actually throw all the default Oracle usernames and passwords at the database. And if it finds one that's right, it will actually log that for you. Again, using the report mixin, so as we progress with db_autopwn, all that stuff should automatically do stuff for you. And I should have updated the slide, but in the actual output from the db_notes, we also save the SID that we used. So again, we don't have to go back and re-scan it. That's actually really important.

All right, so privilege escalation via SQL injection. If anyone's unaware, there is a ton of default Oracle packages with SQL injection. Most of it is executable by PUBLIC, which means if I can get any username and password, I can call that SQL injection. I'm not gonna give a SQL injection 101 class, but the regular SQLi means you need to have the CREATE PROCEDURE privilege. And if you don't have that, there's a cursor SQL injection that works in 9 and 10 and requires a little bit less privileges. Yeah, yeah. And I'll put out some more notes on that later. So go ahead. All right, so I guess we're gonna step through a really generic module that we wrote. What we're highlighting here, okay, well everything in black is just metadata, the module's information. You can see the name of it. We kind of picked this: SYS.LT.FINDRICSET is the actual vulnerable package and procedure that we're gonna be exploiting in a short demo here.
We kind of chose this because a lot of other talks used the same injection method; we just put our own little twist to it. The red is our actual, I hate to say the word, but our payload, which is what we want our injection to perform, and by default we grant the DBA privilege to the user that we've used to log in and potentially exploit. Right? What's handy about that is, it doesn't always have to be grant DBA to Scott. So if you just need to change your permission on a table or a file or something, you can actually just use your SQL injection to do that versus granting DBA, because a lot of things, as Mario's gonna talk about, a grant DBA across the wire or in memory might flag on some things. And it's fun just to grant DBA to your buddies too when you don't need it.

So now this part, the nice thing about using the framework is that we get a lot of access to other APIs to do some obfuscation of variable names, function names, and the name-equals is just doing that. We randomize the function name in what we declared as a function. The AUTHID CURRENT_USER is pretty much just "run this as whoever invoked it." PRAGMA AUTONOMOUS_TRANSACTION. Again, this is just a cookie cutter CREATE OR REPLACE FUNCTION. The PRAGMA AUTONOMOUS_TRANSACTION is pretty much a pragma that does, if I remember right, it's been so long since I've done this stuff, man, a fork and join of the main process to the sub-process. It's been a long time since I wrote one of these, so I'm sorry. Then we just jump into our actual... we begin, EXECUTE IMMEDIATE our foo, and then return something. Fortunately, we're returning a zero because we want to return a number on top, but we're hackers, we don't really care about the error, we don't return shit, and then we end it. And then the actual call to the vulnerable package. Again, this is SYS.LT.FINDRICSET, which I think the LT has to do with the Workspace Manager.
The FINDRICSET procedure deals with versioning of a table name, and the injection happens in the first argument, which is the table name. The next thing we do is we actually throw our injection, we call it by calling our function, and then we go back and we try to be somewhat clean and remove any residue that we left. So we drop our function. And it's really simple. I mean, the SQL is maybe all together eight lines of code after all the hard work has been done up front. So all you really gotta do when you're auditing these things is just focus on the vulnerability, and then you can own a lot of stuff. Anything else on that one? Yeah, the big thing for that is, as you wanna port over the public SQL injection, that package is really the only thing that you need to change. Everything else is gonna stay the same, and you just need to change the package. So instead of having to worry about all the pro code, all the stuff that's handling all the disconnects, you just need to worry about the actual injection you're trying to exploit. So hopefully that's pretty easy for everyone as they, you know, fuzz all the things and look at the Oracle CPUs. That's all you have to change, one line of code. Oh, it's huge.

All right, so everyone's probably seen this if you're familiar with the framework. And these are also the four things I talked about that we needed to connect. Set our remote host, so set our IP, the port, our user and password, and the SID. And then lastly, we have that payload, our SQL injection variable of whatever we wanna run. So in this case, we're gonna grant DBA to Scott. Yeah? And so this is kind of what it looks like when you're running it. So again, we set our SQL. It runs, it creates the first function, which is gonna be some random function name, performs the actual injection, and then removes the function so we clean up.
Some of that stuff will still be in the transaction logs, but we're not leaving anything hanging for someone to find later. Hopefully not. And so we can kind of see, did it work? It did. You know, now after the injection, Scott is now DBA, yay. We can start on with the other fun.

Well, which works, but you know, I'm a little more paranoid than most when I'm hacking. So, you know, in the previous slides, it was really easy to take some code that was public, make it work, and it did cool stuff, but when you do that, you kind of let everything down and you get caught. The screenshot is pretty much a screenshot of the BASE interface. That's our attack. Actually what signature flagged, what function, what package or procedure was called, and what it did. That's not fun. That's not fun. So yeah, you get caught real fast doing, you know, pretty much hacking naked. So I kind of saw that, and I put in a couple of examples in the framework to do just bypassing Snort. They have some static signatures for this particular bug. Really easy: on the Metasploit side, we just base64 encode our entire function and then our call to the vulnerable package or procedure, and then on the DBMS side, we use some UTL tricks to actually decode it. And if you read from right to left, we take the, you know, DOS, which could be the package or the function name, whatever. We read that back through the base64 decode, the decode library that the database has. We throw that back in the string, then we go ahead and execute that. That works fine for almost any signature-based IDS that's looking for these types of attacks. It's a little overkill. Anybody who does real SQL can see that I'm not that good at it. I just don't want to get caught, so. Yeah, that works on 10 and 11, not on 9. Oh, how to fix that.
Well, I mean, we can add that evasion, but if anybody's familiar with the Sentrigo Hedgehog suite, it's like a database HIPS, and they have an Oracle agent that's really cool. It caught the exploit because it decodes everything from memory. So, over the net we came clean, but the HIPS just flagged us and gave up all of our access, and, you know, now their response team is like, what the hell happened? Now we know who it is, when they did it, how they did it, and then what they did. Hang on this one. Again, I'm not picking on Hedgehog, I just, you know, that's what they claim they do, and they do that fairly well. But we can beat that stuff sometimes.

This slide's probably the hardest slide for me to put in here because it's probably the most important. It just kind of brings back the essence of what the framework is about really. So on the main slide, you see there are these three things. It's good for the pen tester, it's good for the researcher, and it's good for people who write signatures. Up to this point, you know, it's good for the pen tester, and the forthcoming slides are good for the pen tester, but this one slide is really why I wrote the stuff, which was to actually find other vulnerabilities or extend other vulnerabilities and fuzz, and yeah, so what it did is it gave me a really quick way of doing this stuff. So again, it's Hedgehog again, we're attacking Hedgehog, and I think in '06 there was a CVE that came out for the DBMS_METADATA package having SQL injection vulnerabilities. Then I think maybe a month, two months later, I'm not sure how long, but there was this PoC script that actually exploited one of the functions in the package.
So when I actually wrote that initial exploit, when we were just porting stuff over to make sure people had coverage for certain things, I ran this exploit against the Hedgehog and, you know, it saw it flawlessly, but Hedgehog says that they're able to catch 0day and things like that. Well, even though it's not so much 0day, it's that there are other vulnerabilities within the same package that they're not covering. So I probably spent, using the new mixin, about an hour's worth of scrubbing the actual contents of the package itself, with a quick little fuzzer, and came up with like three other injects for the same package that bypassed the HIPS. Yeah, and again, I'm not picking on them, but just don't trust your vendor to cover your butt when, you know, I'm using old stuff and not even doing any evasion, not doing any encoding, anything. Just coming through the network hacking naked and it still didn't see me, although it did catch the grant DBA, but the response team is like, what the hell caused the grant DBA? Which was some old injection flaw that they should have had covered. Yeah, so nothing against Pete Finnigan or Alex Kornbrust because they're all sharp cats; they do real DBA stuff.

So this is kind of a list of the initial push that we put out and the respective CVEs. That's by far not all the stuff we have. We just wanted to do an initial push, let the community take a look at how we were doing this, how we were pushing out the SQL injection.
What's in there is a good breadth of regular SQL injection, cursor SQL injection, and some of those modules are using Mario's, I'll call it IDS evasion, but it's not totally IDS evasion, but it should give everyone in the community that wants to start porting the rest of that SQL injection the ability to take a look at those modules, change the one line of code that they need to change, and push those back out to us, and we'll push them back out into the framework for everyone to use. Oh, also that's a good point: it covers both 9s, both 10s, and 11, so you should have something to play with for whatever you've got in your lab.

So let's talk about some post-exploitation stuff. I think this one's mine. So we could argue whether the data is more important. I think in most cases, the data actually is more important to us, so if we're DBA on the box, we now have access to pretty much any table or any data that we want, and if you're getting tasked to do a good pen test, this is where you need to be, because you want to show them "I got access to this data." But using the sql.rb thing, we can basically run commands, we can check access, we can make sure things are working right. So data's nice, but this is Metasploit, everyone loves shells, so I love shells, I love breaking into stuff, so there are several published methods that have been around a while for actually running OS commands on the database once you've got DBA access. So you can do it via Java, you can make some Java packages and classes, extproc backdoors, run OS commands via DBMS_SCHEDULER, or, I mean, you can really roll your own; you can run any PL/SQL or Java you want. And now with the post-exploitation modules we're pushing out, you can see that it's really easy just to write your own post-exploitation stuff. Use the prepare_exec method in the API to run whatever you want. So it's pretty powerful.
So the first one we'll talk about is Win32 exec. This is actually in the framework now. What you need to do is grant JAVASYSPRIVS to whatever user you're running as. From there we can run the Win32 exec module to just run OS commands, and that's via Java. So net user add, you can TFTP your trojan over, do FTP batch scripts, and I've also got a video out on the net of doing a net user add of Metasploit, and then if we're on the LAN we can do a PsExec to a Meterpreter shell, which is pretty handy. Yeah, so that's kind of what it looks like. We set the command to whatever OS command we want to run, so we're adding a user DBA and the password. It creates the class, creates the procedure, runs the command, and it cleans up. It's not in the screenshot, but it also deletes the Java classes that we create there too. Anything to add on there? Yeah, I guess the stuff to take away from this is that it's cool that we got the data, and if you're doing a pen test, the data's probably the important thing to show, but if you want to escalate to the network a little more, it's probably better to break out of the Oracle sandbox and get to the operating system, and again, this is just one way of doing it.

So some examples, some things you can do. You can echo over your FTP batch script via UTL_FILE, and then you can use DBMS_SCHEDULER to run some things, and I did a video of this. It's on the Vimeo site, and the URL for that will be at the end. Just showing you some examples of some things you can do, because Oracle's awesome and it installs Perl with every install. On any kind of *nix environment, you can actually just use the same UTL_FILE and echo over a Perl shell and then execute that. So that's something handy if you're on any kind of Unix environment. Good? Do you want to say something? Yeah, I did have a *nix variant of the Win32 exec stuff. It's not too clean because everything has to be at the absolute path of what you want to execute.
It does work, and you can use some server-side scripting or decoding like uuencode, uudecode, to do a lot of nasty stuff too. So again, I'm a little paranoid when I hack, so. Evil.

All right, so some other things we can do: extproc backdoors via directory traversal. So if you find yourself on an old Oracle box, you can actually use this method to just directory traverse out into either Windows land for msvcrt.dll or a libc if you're on any kind of Linux or Unix environment. And it'll actually just allow you to invoke system commands that way. We'll be pushing that module out next week once I make sure that it's cleaned up and working. That's kind of what it looks like. You set the path to wherever your Oracle bin directory is, which you can use your sql.rb module to actually find out for you. It's just one quick kind of lookup. It just navigates out and calls it and lets you run your commands. Again, we're just using the net user add. Pretty simple, but the sky's the limit on whatever OS commands you want to execute. Anything. Just showing that it worked: I added a Metasploit user. I also added him to the admin group, no big deal.

Alex from Digital Security Research Group, who's actually put out a lot of SQL injection code, sent us an extproc backdoor. But in this case, instead of directory traversing out, you can actually just copy the binary into your Oracle bin directory. So when Oracle patched the old vulnerability, it didn't really fix this one. This works on all the newer Oracle: so late 10gs and Oracle 11 and 11.6 and 11.7. So it works pretty well. And we'll be pushing that out as well. All right, so the guys from Argeniss back in 2005 pushed out some code that would actually allow you to grab a binary from a remote web server and pull that back down onto the OS. And then we can use the Win32 exec module to actually execute that binary. We'll be showing you a demo of that in a second. Again, DBMS_SCHEDULER backdoors.
Alex sent that in. We'll be adding that to the SVN very soon. And he's not talking about this NTLM one. Oh, yeah, I kind of alluded to this earlier. But this Oracle NTLM stealer is the shit. I mean, all you really need is a user that has CONNECT and RESOURCE privileges. And you just force it using CTXSYS.CONTEXT. Man, it's awesome because you don't really have to inject anything. You just need a valid account. And again, you don't go back to the database. You go straight to the operating system using pass-the-hash type of stuff. Yeah, Alex rocks. That's actually a really good attack. By default, Oracle will run as SYSTEM. But a lot of people recommend to actually make it be an admin running as a different domain account. So this is a good example. Obviously, SYSTEM doesn't have any domain creds. So your SMB relay is not going to work. There's no way to log into that. But if it's running as an admin, you can now do the half-LM and SMB relay type stuff. And he wrote actually a whole white paper on why you would do that. So I highly recommend you go read it because it's really good. And it's really, really slick. Never even thought of that and the way he did it. Yeah. Yeah, go ahead. Yeah, yeah. The instance is running as a domain user or a domain account. Yeah, that's when it works. By default, it'll go by SYSTEM. And you have to go and change that so it'll run as an administrator user or something like that. So yeah, it only works then, of course. But yeah. That's that special case when they've actually done some hardening and it's not running as SYSTEM. So some of those other tricks aren't going to work for you. Mario says no. So I'm going to listen to him. No, no, no. Oh, will it? Yeah, it will. I'm sorry, yes, it will. There you go.

All right, so one of the other modules that Mario pushed out is a simple CGI scanner.
So it'll help you look for some of those vulnerable servlets and things that we were looking for earlier when we were trying to identify our SIDs. Just a little extra bonus. I mean, that's about it, right? Yeah, nothing special. OK, so I guess before we get into Chris's demo, the way ahead, again, goes back to the research piece of what the framework is about. The reason why I wrote this stuff was that the same packages are vulnerable to overflows. It's no secret that there are a lot of them out there. There are hundreds of packages that are executable by PUBLIC. But under Windows, the point being is that, yeah, we have exploits for them. Eventually we'll push them out. I've got them scattered about. They're not really clean. So yeah, overflows are where it's at. I'll add a little more to that, because what's handy about this is if you've looked at any of the PoCs for a lot of the memory corruption bugs that get pushed out, they're kind of confusing to look at. And it's hard to reimplement that. So what's really cool about the mixin and the stuff that Mario wrote is you don't have to worry about the setup, the connect, or any other stuff. The mixin is doing that for you; all you really have to worry about now is the actual string that's doing the overflow. And that's kind of what this slide is supposed to be showing you, that all the back-end stuff is now handled for you by Metasploit. You don't need to worry about all that. So you just need to focus on doing the vulnerability and exploit dev stuff.

All right, so I have a demo. I'm a little gun shy, so I recorded it. Sorry. All right, so the first thing we're going to do is run the TNS listener version module, which is going to give you the version of the TNS listener, which is usually the same as the DB version, but not always. The next thing we're going to do is try to do the SID enum. Because it's a 10 box, it's going to fail.
But I just wanted to show what it looks like when you try to run it. So we got a "listener protected," which we knew was going to happen because it was Oracle 10. Next thing we're going to try to do is brute-force the SID. I added in a sleep variable. So if you're doing this across the LAN, .1 is probably good. If you've got to go across a WAN, if you're going to go in after someone remote, you may need to lengthen that out to help with false positives. Now we're doing the account brute-forcing. What's handy about this is it runs pretty fast, and we actually just left the output so you could see that something was going on, because sometimes it could take a long time over the net. And it writes all that out to a log file and your database thing, so you can actually query that later to make sure that it's there. So you see we found two accounts. These are the two default accounts for Oracle 10: DBSNMP and Scott/Tiger. We'll go after Scott, because he's going to have the Connect and Resource privileges. So this is the sql.rb module. This allows us to check our work, make sure that all the things that we found, the SID and the account, are actually working. And it just allows you to run simple queries. And then this is what Carlos is extending to do some of the admin checks. So we just fill in our gaps: the SID we found, the username and password. We're going to check his privileges and see what kind of permissions he has. So he's got Connect and Resource. So the next thing we need is to escalate him to DBA so we can do some fun things. So we're just going to use the LT.FINDRICSET cursor method. I did my best to put where I got most of this stuff, so if I missed something, just send me an email and I'll be happy to add it for you guys. Again, so we're just sending our SQL to grant DBA to Scott, filling in all the gaps. And that's it. Pretty quick: creates the method, creates the function, executes it, and then deletes itself.
Go back and check again, and now he's DBA. To use all the Win32 exec and Win32 upload stuff, we need to have the JAVASYSPRIV role added, so we just do that real quick on the command line. So that's there. So the next thing we're going to do is the Win32 upload, because I already had a demo showing doing it across SMB. You don't always have SMB access, so let's try to do it remotely. So we're going to grab a Meterpreter binary from my web server and write it to the C drive on the Oracle instance. I'm just showing that it's not there. You'll have to trust me. It wasn't. This is the remote box. It's actually going to catch the callback on the web server. So we'll just use exploit/multi/handler to catch the callback. All right, so we're listening. We're ready to run it on the other end. All right, so it's creating the Java source file, creating the Java procedure, actually downloading the binary from the web server and putting it on the remote box, and then cleaning up. So we delete all that stuff. And you can see it's there. Again, you'll have to trust me. I could have just put it there, but it works. Then we're going to use the Win32 exec module to actually execute it on the OS. What? No. You can talk to HD. I mean, he has that whole post and all those tricks on how to make a Meterpreter shell not flag on AV. And so we called it math.itc, and so we're just running it. And then you can see it's running it and cleaning it up. And then on the remote side, we got the shell. That's it. Yeah, so what we've done is, we just created an extension of the framework to do other stuff, just to help the pen tester and the researcher, and hopefully the security community, as far as the defensive side, to see some of this stuff that could happen, and it probably will happen.
