Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2012-3137 PoC — Oracle Database 隐形密码破解漏洞

Source
https://github.com/hantwister/o5logon-fetch
Associated Vulnerability
Title:Oracle Database 隐形密码破解漏洞 (CVE-2012-3137)
Description:Oracle Database是美国甲骨文(Oracle)公司的一套关系数据库管理系统。该数据库管理系统提供数据管理、分布式处理等功能。 Oracle Database 11g 1和2版本中的身份认证协议中存在漏洞。远程攻击者可利用该漏洞获取任意用户的会话密钥和SALT。导致泄漏密码哈希,使得其更容易遭到暴力破解密码猜测攻击(注:Oracle SALT=Oracle Service Architecture Leveraging Tuxedo,是一种用来构建网络引用服务的服务组件)。
Description
Attempts to exploit CVE-2012-3137 on vulnerable Oracle servers
Readme
o5logon-fetch
=============

A small Java program that attempts to exploit CVE-2012-3137 on vulnerable Oracle 11 servers. By exploiting this vulnerability, you can run offline brute force attacks until you discover a given user’s password, without any apparent audit trail.

### Vulnerability Details

A good writeup on the vulnerability, including ways to protect yourself from it, are available [here](http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-database-11g-stealth-password-cracking-vulnerability-in-logon-protocol-cve-2012-3137/).

### Alternative Tools

An alternative to this tool is an mmap script located [here](http://nmap.org/nsedoc/scripts/oracle-brute-stealth.html).

If you don’t want to use a tool, you can do what these tools do manually by:

* Obtaining SQL*Plus as part of an Instant Client package from [Oracle](http://www.oracle.com/technetwork/indexes/downloads/index.html).
* Starting a packet capture tool such as [Wireshark](https://www.wireshark.org/).
* Using SQL*Plus to login as the user you want to attack, with a fake password.
* Using your packet capture tool, find the packet sent by the server with “AUTH_SESSKEY” and “AUTH_VFR_DATA” in the payload, both followed by a long hex string.

### Complimentary Tools

Once you use this tool or another method, the next step is to begin brute force attacks against the information you’ve collected.

* A proof of concept brute forcer is available [here](http://www.exploit-db.com/exploits/22069/).
* [John the Ripper’s bleeding jumbo branch](https://github.com/magnumripper/JohnTheRipper/tree/bleeding-jumbo) has a o5logon plugin format.

### Requirements

This project was designed with the following in mind:

* OpenJDK 6, usually easily installed with your OS package manager
* An older ojdbc6.jar, such as the one included with the basic Instant Client 11.2.0.1 from [Oracle](http://www.oracle.com/technetwork/indexes/downloads/index.html)

#### Different JVMs

If you are using a Java implementation besides OpenJDK 6, some of the reflection code in the MitMSocket package may need a few tweaks to work. For example, the default socket implementation may not be called “PlainSocketImpl”.

#### Instant Client version

As discussed in the writeup linked to above, a new protocol was introduced in later versions of both Instant Client and Oracle servers that inhibits the damage potential of this vulnerability. That said, both clients and servers support older protocols, and by default will allow them.
File Snapshot

 [4.0K]  /data/pocs/70780e53e3b50f3b28f7e2ed73d8cf62601dfb8c
├── [ 34K]  LICENSE
├── [4.0K]  MitMSocket
│   ├── [ 786]  MitMAction.java
│   ├── [3.7K]  MitMInputStream.java
│   ├── [2.5K]  MitMOutputStream.java
│   ├── [1.7K]  MitMSocketImplFactory.java
│   ├── [1015]  MitMSocketImplFactoryListener.java
│   └── [5.2K]  MitMSocketImpl.java
├── [5.2K]  OracleFakeLogon.java
└── [2.5K]  README.md

1 directory, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.