A small Java program that attempts to exploit CVE-2012-3137 on vulnerable Oracle 11 servers. By exploiting this vulnerability, you can run offline brute force attacks until you discover a given user’s password, without any apparent audit trail.
A good writeup on the vulnerability, including ways to protect yourself from it, are available here.
An alternative to this tool is an mmap script located here.
If you don’t want to use a tool, you can do what these tools do manually by:
- Obtaining SQL*Plus as part of an Instant Client package from Oracle.
- Starting a packet capture tool such as Wireshark.
- Using SQL*Plus to login as the user you want to attack, with a fake password.
- Using your packet capture tool, find the packet sent by the server with “AUTH_SESSKEY” and “AUTH_VFR_DATA” in the payload, both followed by a long hex string.
Once you use this tool or another method, the next step is to begin brute force attacks against the information you’ve collected.
- A proof of concept brute forcer is available here.
- John the Ripper’s bleeding jumbo branch has a o5logon plugin format.
This project was designed with the following in mind:
- OpenJDK 6, usually easily installed with your OS package manager
- An older ojdbc6.jar, such as the one included with the basic Instant Client 11.2.0.1 from Oracle
If you are using a Java implementation besides OpenJDK 6, some of the reflection code in the MitMSocket package may need a few tweaks to work. For example, the default socket implementation may not be called “PlainSocketImpl”.
As discussed in the writeup linked to above, a new protocol was introduced in later versions of both Instant Client and Oracle servers that inhibits the damage potential of this vulnerability. That said, both clients and servers support older protocols, and by default will allow them.