If you don't know neither the enemy nor yourself, you will sucumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself you need not fear the result of a hundred battles.
The art of war (Sun Tzu)
Oracle DLL injection,TDE, Remote Job Scheduling

Introduction

We gave a presentation at Derbycon 2.0 in 2012 which details the following topics:

  • How to get the password from the memory of the oracle clients that are using the OCI driver (ocioralog).
  • How to use the tnspoison attack and pytnsproxy together to really hijack an Oracle connection (tnspoison, pytnsproxy).
  • How to use oradebug in creative ways, for example how to load a meterpreter payload into the Oracle process memory (oradebug).
  • How to hook the password encryption/decryption function in the Oracle server and collect the users' password (oralog).
  • How to hijack an MSSQL connection (tdsproxy).

Below you can download PoC codes and our slides.

All of the codes should be considered as a proof of concept code and use them at your own risk.

Links:

Presentation

tnspoison metasploit module (the attack was discovered by Joxean Koret all credit goes to him)

pytnsproxy that supports tnspoison

oradebug metasploit modules

tdsproxy for hijacking MSSQL connections

ocioralog meterpreter extension

oralog meterpreter extension


Authors:

Ferenc Spala

László Tóth

Disclaimer
The views, opinions and thoughts in this homepage are the views, opinions and thoughts of the writer of this homepage and do not represent the views, opinions or thoughts of any past or current employer of the writer or any other third person. The content is provided 'as is' without warranty of any kind. Use at your own responsibility.  Laszlo may be contacted on donctl@gmail.com.