Happy scripting!

An interesting comment is that they where actually able to evade Snort detection by base64 encoding the attack.

Currently there are 9 privilege escalation exploits included in Metasploit, but they are a basis for further development.

The demonstration contained the following steps:

• TNSLIST -> Version enumeration of TNS Listener
• SIDENUM -> Enumeration of the SIDs, this failed because it was an Oracle version 10 box
• Burt force SID – Obtained the SID this way
• Account brute fore – To get an account
• Escalate to DBA – Get DBA privileges
• Add JAVASYS privilege
• Upload exploit
• Run it via WINEXEC
• Get a Shell prompt.

All in all a good overview of what stuff is available to the Oracle pentester in the Metasploit Framework.

[char[]]”DEFGJKLMNOPQRTUVWXY” | ?{!(gdr $_ -ea ‘SilentlyContinue’)} | select -f 1

The character array containing only valid driveletters (in this example A, B, C, H, I, S and Z are not to be used)  is piped to the where-object cmdlet which uses Get-PSDrive to filter out the non-used drive letters. These are then passed to the Select-Object cmdlet which only displays the 1st match.

Beware: the line above returns only the bare driveletter – no colon is appended.

#!/bin/bash
# obj-oriented.sh: Object-oriented programming in a shell script.
# Script by Stephane Chazelas.

person.new()        # Looks almost like a class declaration in C++.
{
  local obj_name=$1 name=$2 firstname=$3 birthdate=$4

  eval "$obj_name.set_name() {
          eval \"$obj_name.get_name() {
                   echo \$1
                 }\"
        }"

  eval "$obj_name.set_firstname() {
          eval \"$obj_name.get_firstname() {
                   echo \$1
                 }\"
        }"

  eval "$obj_name.set_birthdate() {
          eval \"$obj_name.get_birthdate() {
            echo \$1
          }\"
          eval \"$obj_name.show_birthdate() {
            echo \$(date -d \"1/1/1970 0:0:\$1 GMT\")
          }\"
          eval \"$obj_name.get_age() {
            echo \$(( (\$(date +%s) - \$1) / 3600 / 24 / 365 ))
          }\"
        }"

  $obj_name.set_name $name
  $obj_name.set_firstname $firstname
  $obj_name.set_birthdate $birthdate
}

echo

person.new self Bozeman Bozo 101272413
# Create an instance of "person.new" (actually passing args to the function).

self.get_firstname       #   Bozo
self.get_name            #   Bozeman
self.get_age             #   28
self.get_birthdate       #   101272413
self.show_birthdate      #   Sat Mar 17 20:13:33 MST 1973

echo

# typeset -f
# to see the created functions (careful, it scrolls off the page).

exit 0

The .Net System.Version assembly offers a CompareTo method which can do the trick, as shown in the figure below.

The CompareTo method will return 1, 0 or -1  depending whether the compare to version  is higher, equal or lower.

Thanks to Shay Levi (see the comment) I now know a better/faster method for comparing version numbers (thaks Shay). PowerShell has its own [vesion] type. This removes the need of loading the assembly and using New-Object. It still allows for using the CompareTo method and direct compare via -ge, -gt, etc.

The CompareTo method will distinguish between the 3 possibilities (>, < or =), but direct comparison might be sufficient in a script.

For example: scripts manipulating files will often use the Get-ChildItem cmdlet in combination with the -recurse parameter, but not allways the subfolder files are required. Instead off having multiple Get-ChildItem commandlines (each with their own set of parameters) a single line might be possible.

The following examples use the Get-ChildItem cmdlet to show what I mean.

The command in figure below will display all *.tmp files in the current folder and its subfolders.

By extending -recurse with :$false recursive lookup will be turned off.

On the otherhand, replacing $false with $true will turn recursive lookup on again.

So using a boolean variable we can turn recursive lookup on or off from within the script (-recurse:$RecurseOnOff). And of course this method also works for other parameters.

And it does get stranger….. in some occasions you can also reverse the default action of a parameter. Hence the following figure.

The 1st command will show all files with exception of the *.tmp files. By appending :$false to -exclude, we turn -exclude into -include as demonstrated by the 2nd command.

This form of parameter manipulation offers a scala of possibilities. Using script parameters to control cmdlet behaviour can both decrease script size and complexity.

Have fun experimenting with this little trick