1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::TNS
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Oracle TNS Listener Command Issuer',
14
        'Description' => %q{
15
          This module allows for the sending of arbitrary TNS commands in order
16
          to gather information.
17
          Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd
18
        },
19
        'Author' => ['MC'],
20
        'License' => MSF_LICENSE,
21
        'DisclosureDate' => '2009-02-01',
22
        'Notes' => {
23
          'Stability' => [CRASH_SAFE],
24
          'SideEffects' => [IOC_IN_LOGS],
25
          'Reliability' => []
26
        }
27
      )
28
    )
29

30
    register_options(
31
      [
32
        Opt::RPORT(1521),
33
        OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']),
34
      ]
35
    )
36
  end
37

38
  def run
39
    begin
40
      connect
41

42
      command = datastore['CMD']
43

44
      pkt = tns_packet(command)
45

46
      print_status("Sending '#{command}' to #{rhost}:#{rport}")
47
      sock.put(pkt)
48
      print_status("writing #{pkt.length} bytes.")
49

50
      select(nil, nil, nil, 0.5)
51

52
      print_status('reading')
53
      res = sock.get_once(-1, 5) || ''
54
      res = res.tr("[\200-\377]", "[\000-\177]")
55
      res = res.tr("[\000-\027\]", '.')
56
      res = res.tr("\177", '.')
57
      print_status(res)
58

59
      disconnect
60
    end
61
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
62
    print_error e.message
63
  rescue ::Timeout::Error, ::Errno::EPIPE, Errno::ECONNRESET => e
64
    print_error e.message
65
  end
66
end
67

68