GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/oracle/sid_enum.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
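class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TNS
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Values pulled out of the listener's STATUS reply. Each value runs up to
  # the closing parenthesis of its TNS key/value pair.
  INSTANCE_NAME_RE = /INSTANCE_NAME=([^\)]+)/
  SERVICE_NAME_RE = /SERVICE_NAME=([^\)]+)/

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle TNS Listener SID Enumeration',
      'Description' => %q{
        This module simply queries the TNS listener for the Oracle SID.
        With Oracle 9.2.0.8 and above the listener will be protected and
        the SID will have to be bruteforced or guessed.
      },
      'Author' => [ 'CG', 'MC' ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2009-01-07'
    ))

    register_options(
      [
        Opt::RPORT(1521)
      ])
  end

  # Scanner entry point, called once per target host.
  #
  # Sends a single TNS STATUS request, reads one reply and either reports
  # the listener as protected (ERROR_STACK in the reply), reports an empty
  # reply, or records every INSTANCE_NAME / SERVICE_NAME found as notes.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  # @return [void]
  def run_host(ip)
    connect

    pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")
    sock.put(pkt)

    # Give the listener a moment to answer before the single read below;
    # the original module used the same half-second wait.
    select(nil, nil, nil, 0.5)

    data = sock.get_once

    if data.nil?
      print_error("#{ip} Connection but no data")
    elsif data.match?(/ERROR_STACK/)
      print_error("TNS listener protected for #{ip}...")
    else
      report_names(ip, data)
    end
  rescue ::Rex::ConnectionError, ::Errno::EPIPE => e
    # Connection-level failures are expected during a scan; surface them
    # only in verbose mode instead of swallowing them silently.
    vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
  ensure
    # Close the socket on every path, including the exception paths above
    # (the original only disconnected after a successful exchange).
    # disconnect tolerates the case where connect never produced a socket.
    disconnect
  end

  private

  # Records each distinct INSTANCE_NAME and SERVICE_NAME found in +data+
  # as a note against ip:rport and prints it.
  #
  # @param ip [String] target address
  # @param data [String] raw listener reply
  # @return [void]
  def report_names(ip, data)
    extract(data, INSTANCE_NAME_RE).each do |sid|
      report_note(
        host: ip,
        port: rport,
        type: 'oracle_sid',
        data: "PORT=#{rport}, SID=#{sid}",
        update: :unique_data
      )
      print_good("Identified SID for #{ip}:#{rport} #{sid}")
    end

    extract(data, SERVICE_NAME_RE).each do |name|
      report_note(
        host: ip,
        port: rport,
        type: 'oracle_service_name',
        data: "PORT=#{rport}, SERVICE_NAME=#{name}",
        update: :unique_data
      )
      print_status("Identified SERVICE_NAME for #{ip}:#{rport} #{name}")
    end
  end

  # Unique capture-group values of +pattern+ in +data+, in order of first
  # appearance.
  #
  # String#scan returns one-element arrays when the pattern has a single
  # group, so the result is flattened first; without this the interpolated
  # note and console line read SID=["ORCL"] instead of SID=ORCL.
  #
  # @param data [String] raw listener reply
  # @param pattern [Regexp] pattern with exactly one capture group
  # @return [Array<String>]
  def extract(data, pattern)
    data.scan(pattern).flatten.uniq
  end
end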