in with the new, out with the old. added some more enum aux modules.

git-svn-id: file:///home/svn/framework3/trunk@6517 4d416f70-5f16-0410-b530-b9f4589650da

modules/auxiliary/admin/oracle/oracle_sid.rb

@@ -1,71 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
-	include Msf::Exploit::Remote::TNS
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Oracle SID Enumeration.',
-			'Description'    => %q{
-				This module simply queries the TNS listner for the Oracle SID. With 10g Release 2 and above the listener will be protected and the SID will have to be bruteforced or guessed.
-			},
-			'Author'         => ['CG'],
-			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
-			'DisclosureDate' => 'Jan 7 2009'))
-
-                        register_options( 
-                                [
-                                        Opt::RPORT(1521),
-                                ], self.class)
-
-	end
-
-	def run
-
-		connect_data = "(CONNECT_DATA=(COMMAND=STATUS))"
-		pkt = tns_packet(connect_data)
-
-		begin
-			connect
-		rescue => e
-			print_error("#{e}")
-			return false
-		end
-
-		sock.put(pkt)
-
-		sleep(1)
-
-		data = sock.get_once
-		disconnect
-
-		if ( data =~ /ERROR_STACK/ )
-			print_error("TNS listener protected for #{rhost}...")
-
-		else
-
-		#sid = data.scan(/INSTANCE_NAME=(\w+)/)
-		sid = data.scan(/INSTANCE_NAME=([^\)]+)/)
-			sid.uniq.each do |s|
-				print_status("Identified SID for #{rhost}: #{s}")
-			end
-
-		end 
-
-		#service_name = data.scan(/SERVICE_NAME=(\w+)/)
-		service_name = data.scan(/SERVICE_NAME=([^\)]+)/)
-			service_name.each do |s|
-				print_status("Identified SERVICE_NAME for #{rhost}: #{s}")
-			
-			end
-		end
-end

modules/auxiliary/scanner/oracle/emc_sid.rb

@@ -0,0 +1,58 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Report	
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'Oracle Enterprise Manager Control SID Discovery',
+			'Description' => %q{
+					This module makes a request to the Oracle  Enterprise Manager Control Console
+					 in an attempt to discover the SID.
+			},
+			'Version'     => '$Revision:$',
+			'References'  =>
+				[
+					[ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
+				],
+			'Author'      => [ 'MC' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options([Opt::RPORT(1158),], self.class)
+	end
+
+	def run_host(ip)
+		begin
+			res = send_request_raw({
+				'uri'     => '/em/console/logon/logon',
+				'method'  => 'GET',
+			}, 5)
+		
+				if (res.code == 200)
+				sid = res.body.scan(/Login to Database:(\w+)/)
+					report_note(
+							:host	=> ip,
+							:proto	=> 'tcp',
+							:type	=> 'SERVICE_NAME',
+							:data	=> "#{sid}"
+					)
+					print_status("Discovered SID: '#{sid}' for host #{ip}")
+				else
+					print_error("Unable to retrieve SID for #{ip}...")
+				end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+		end		
+	end
+end

modules/auxiliary/scanner/oracle/spy_sid.rb

@@ -0,0 +1,60 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Report	
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'Oracle Application Server Spy Servlet SID Enumeration.',
+			'Description' => %q{
+					This module makes a request to the Oracle Application Server
+					 in an attempt to discover the SID.
+			},
+			'Version'     => '$Revision:$',
+			'References'  =>
+				[
+					[ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
+				],
+			'Author'      => [ 'MC' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options([Opt::RPORT(1158),], self.class)
+	end
+
+	def run_host(ip)
+		begin
+			res = send_request_raw({
+				'uri'     => '/servlet/Spy?format=raw&loginfo=true',
+				'method'  => 'GET',
+				'version' => '1.1',
+			}, 5)
+		
+			if ( res.body =~ /SERVICE_NAME=/ )
+				sleep(2)
+				sid = res.body.scan(/SERVICE_NAME=([^\)]+)/)
+					report_note(
+							:host	=> ip,
+							:proto	=> 'tcp',
+							:type	=> 'SERVICE_NAME',
+							:data	=> "#{sid.uniq}"
+					)
+				print_status("Discovered SID: '#{sid.uniq}' for host #{ip}")
+			else
+				print_error("Unable to retrieve SID for #{ip}...")
+			end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+end

modules/auxiliary/scanner/oracle/xdb_sid.rb

@@ -0,0 +1,71 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Report	
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'Oracle XML DB SID Discovery',
+			'Description' => %q{
+					This module simply makes a authenticated request to retrieve
+					the sid from the Oracle XML DB httpd server.
+			},
+			'Version'     => '$Revision:$',
+			'References'  =>
+				[
+					[ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
+				],
+			'Author'      => [ 'MC' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options(
+				[
+					Opt::RPORT(8080),
+					OptString.new('DBUSER', [ false, 'The db user to authenticate with.',  'scott']),
+					OptString.new('DBPASS', [ false, 'The db pass to authenticate with.',  'tiger']),
+				], self.class)
+	end
+
+	def run_host(ip)
+		begin
+
+			user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
+	
+			res = send_request_raw({
+				'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',
+				'version' => '1.0',
+				'method'  => 'GET',
+				'headers' =>
+				{
+					'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
+				}
+			}, 5)
+
+				if (res.code == 200)
+					sid = res.body.scan(/<GLOBAL_NAME>(\w+)/)
+						report_note(
+							:host	=> ip,
+							:proto	=> 'tcp',
+							:type	=> 'SERVICE_NAME',
+							:data	=> "#{sid}"
+						)	
+					print_status("Discovered SID: '#{sid}' for host #{ip}")
+				else
+					print_error("Unable to retrieve SID for #{ip}...")
+				end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+end