Add new module to test TNS poison

msf auxiliary(tnspoison_checker) > show options Module options (auxiliary/scanner/oracle/tnspoison_checker1): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 172.16.2.100, 172.16.2.24, 172.16.2.101 yes The target address range or CIDR identifier RPORT 1521 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(tnspoison_checker) > exploit [+] 172.16.2.100:1521 is vulnerable [*] Scanned 1 of 3 hosts (033% complete) [-] 172.16.2.24:1521 is not vulnerable [*] Scanned 2 of 3 hosts (066% complete) [-] 172.16.2.101:1521 unable to connect to the server [*] Scanned 3 of 3 hosts (100% complete) [*] Auxiliary module execution completed
2014-11-11 17:29:27 +03:00 · 2014-11-11 17:29:27 +03:00 · c0285067c9
parent 621b9523b1
commit c0285067c9
1 changed files with 16 additions and 23 deletions
--- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
+++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
@ -13,14 +13,17 @@ class Metasploit3 < Msf::Auxiliary

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'Oracle TNS Poison vulnerability',
+      'Name'           => 'Oracle TNS Listener Checker',
      'Description'    => %q{
-        This module simply checks the server for vulnerabilities like TNS Poison.
+        This module checks the server for vulnerabilities like TNS Poison.
+        Module sends to server a packet with command to register new TNS Listener and check response.
      },
-      'Author'         => ['ir0njaw (Kelesis Nikita)'],
-      'Company'        => ['Digital Security - http://dsec.ru'],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => 'Oct 12 2014'))
+      'Author'         => ['ir0njaw (Nikita Kelesis) <nikita.elkey@gmail.com>'], # of Digital Security [http://dsec.ru]
+      'References'     =>
+        [
+          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ],
+        ],
+      'License'        => MSF_LICENSE))

    register_options(
      [
@ -33,23 +36,13 @@ class Metasploit3 < Msf::Auxiliary
  def run_host(ip)
    begin
      connect
-
-      pkt = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
-      sock.put(pkt)
-      a= sock.read(100)
-      	
-      flag = a.include? "(ERROR_STACK=(ERROR="
-	     if (flag==true) then print_error ip+" is not vulnerable"
-	     else	print_good ip+" is vulnerable"
-	     end
-
-     	rescue ::Rex::ConnectionError, ::Errno::EPIPE
-      print_error("#{ip} unable to connect to the server")
-        
-	
-    rescue ::Rex::ConnectionError
-    rescue ::Errno::EPIPE
-	
+      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
+      sock.put(send_packet)
+      packet = sock.read(100)
+      find_packet = packet.include? "(ERROR_STACK=(ERROR="
+      find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
+      rescue ::Rex::ConnectionError, ::Errno::EPIPE
+      print_error("#{ip}:#{rport} unable to connect to the server")
    end
  end
 end