Oracle getting anyone’s password

I just published a blog post on how to get the oracle database link password if for some reason we have forgotten it.Brian Fitzgerald respond to me with :

Indeed this is a very good point ! And here is how we can do that using GDB :

Based on my previous work using pintools i have identified the function “r0_aes_cbc_loop_dec_x86_intel” used for decrypting the password and the offset of interest inside it.

DEMO :

Test ENV : oracle 12.1.0.2.6/OEL6/UEK4

Attach to the listener using GDB and after setting some parameter on it try to connect from another session (in this case user : hatem / password :  hatemmahmoud)

capture-10

The password in raw format is at the last line :

0x68, 0x61, 0x74, 0x65, 0x6d, 0x6d, 0x61, 0x68, 0x6d, 0x6f, 0x75, 0x64


select  utl_raw.cast_to_varchar2 ('686174656d6d61686d6f7564') from dual;
UTL_RAW.CAST_TO_VARCHAR2('686174656D6D61686D6F7564')
--------------------------------------------------------------------------------
hatemmahmoud
1 row selected.

This is only a very quick demo for demonstration purpose and far from being exhaustive  ,more elaborated work can be done !

That’s it 😀

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s