Oracle exploitation in Metasploit

Using any of Metasploit's modules for the Oracle service can be a nightmare!


The reason is that Metasploit uses the Ruby OCI8 module, and to use it successfully you need to install two main components: oracle-instantclient and ruby-oci8.

Basically at the time I was testing, these were the required files:

4: Ruby-oci8-2.0.3.tar.gz

Installing Oracle Instant Client

The first step is to extract the contents and create a symbolic link:

sudo chmod 777 /opt
mkdir /opt/oracle/
cd /opt/oracle/
unzip /opt/oracle/
unzip /opt/oracle/
unzip /opt/oracle/
cd /opt/oracle/instantclient_10_2
ln -s

Then we will add environment variables; it is suggested to add them to /root/.bashrc so you will not need to add them after every reboot.

export PATH=$PATH:/opt/oracle/instantclient_10_2
export SQLPATH=/opt/oracle/instantclient_10_2
export TNS_ADMIN=/opt/oracle/instantclient_10_2
export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
export ORACLE_HOME=/opt/oracle/instantclient_10_2

And finally testing:



Install ruby-oci8

Installing the OCI8 library for Ruby to use Instant Client through sqlplus

Requirement: Ruby

tar xvzf ruby-oci8-2.0.3.tar.gz
cd /opt/oracle/ruby-oci8-2.0.3/
export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/
make                # build the extension against Instant Client first
sudo make install

And at the end testing:

ruby -r oci8 -e 'OCI8.new("scott", "tiger", nil).exec("select * from emp") { |r| puts r.join(",") }'


By now you should be able to use the Oracle client, Ruby's OCI8 and finally the Metasploit Oracle exploits.

Below are some common errors, each followed by a solution.

*** /usr/local/lib/site_ruby/1.9.2/oci8.rb:23:in `require': no such file to load -- oci8lib_191

gedit /usr/local/lib/site_ruby/1.9.2/oci8.rb &

Change line 23 to: require 'i486-linux/oci8lib_192'

*** Warning: NLS_LANG is not set. fallback to US-ASCII.


*** /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:443:in `load_missing_constant'

gem install ruby-oci8

*** require 'oci8' LoadError: no such file to load -- oci8lib_191 from /usr/local/lib/site_ruby/1.9.2/oci8.rb:40:

gedit /opt/metasploit/scripts/ &

Add "/opt/metasploit/ruby/lib/ruby/site_ruby/1.9.2/i686-linux:/usr/local/lib/site_ruby/1.9.2/" to RUBYLIB.

P.S. You should be able to see environment variables (appendix 1) and files (appendix 2)
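
A preflight check for the setup above, added here as an example and not part of the original post: it confirms that each exported variable includes the Instant Client directory and lists any compiled oci8lib_* files under the site_ruby roots named in the error fixes. The function names are hypothetical; the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# in_list DIR LIST: succeed if DIR is one entry of the colon-separated LIST.
in_list() {
    case ":$2:" in
        *":${1%/}:"*|*":${1%/}/:"*) return 0 ;;
    esac
    return 1
}

# check_oracle_env DIR: print one line per problem; return 1 if any were found.
check_oracle_env() {
    ic_dir=${1%/}
    bad=0
    if [ ! -d "$ic_dir" ]; then
        echo "missing directory: $ic_dir"; bad=1
    fi
    # Every variable the post exports must include the Instant Client directory.
    for var in PATH SQLPATH TNS_ADMIN LD_LIBRARY_PATH ORACLE_HOME; do
        eval "val=\${$var:-}"   # var only ever comes from the fixed list above
        if ! in_list "$ic_dir" "$val"; then
            echo "$var does not include $ic_dir"; bad=1
        fi
    done
    return "$bad"
}

# find_oci8lib ROOT...: list compiled oci8lib_* extensions under the given
# site_ruby roots, showing which directory to require from or add to RUBYLIB.
find_oci8lib() {
    for root in "$@"; do
        if [ -d "$root" ]; then
            find "$root" -type f -name 'oci8lib_*' 2>/dev/null
        fi
    done
}

# Stand-alone run: report problems for the post's paths without aborting.
check_oracle_env "${1:-/opt/oracle/instantclient_10_2}" || true
find_oci8lib /usr/local/lib/site_ruby /opt/metasploit/ruby/lib/ruby/site_ruby || true
```

An empty report from the first check plus at least one oci8lib_* path from the second means the `require` line and RUBYLIB can be pointed at a file that actually exists.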
