metasploit-framework/modules/auxiliary/scanner/oracle/sid_enum.rb

82 lines
2.1 KiB
Ruby
Raw Normal View History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::TNS
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle SID Enumeration.',
'Description' => %q{
This module simply queries the TNS listner for the Oracle SID.
With Oracle 9.2.0.8 and above the listener will be protected and
the SID will have to be bruteforced or guessed.
},
'Author' => [ 'CG', 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'DisclosureDate' => 'Jan 7 2009'))
register_options([Opt::RPORT(1521),], self.class)
deregister_options('RHOST')
end
def run_host(ip)
begin
connect
pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")
sock.put(pkt)
sleep(0.5)
data = sock.get_once
if ( data and data =~ /ERROR_STACK/ )
print_error("TNS listener protected for #{ip}...")
else
if(not data)
print_error("#{ip} Connection but no data")
else
sid = data.scan(/INSTANCE_NAME=([^\)]+)/)
sid.uniq.each do |s|
report_auth_info(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle_instance_name",
:data => "#{s}"
)
print_status("Identified SID for #{ip}: #{s}")
end
service_name = data.scan(/SERVICE_NAME=([^\)]+)/)
service_name.uniq.each do |s|
report_auth_info(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle_service_name",
:data => "#{s}"
)
print_status("Identified SERVICE_NAME for #{ip}: #{s}")
end
end
end
disconnect
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
end
end