Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Auxiliary::Scanner

9
  include Msf::Exploit::Remote::TNS

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Oracle TNS Listener Checker',

16
        'Description' => %q{

17
          This module checks the server for vulnerabilities like TNS Poison.

18
          Module sends a server a packet with command to register new TNS Listener and checks

19
          for a response indicating an error. If the registration is errored, the target is not

20
          vulnerable. Otherwise, the target is vulnerable to malicious registrations.

21
        },

22
        'Author' => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]

23
        'References' => [

24
          [ 'CVE', '2012-1675'],

25
          [ 'URL', 'https://seclists.org/fulldisclosure/2012/Apr/204' ],

26
        ],

27
        'DisclosureDate' => '2012-04-18',

28
        'License' => MSF_LICENSE,

29
        'Notes' => {

30
          'Reliability' => UNKNOWN_RELIABILITY,

31
          'Stability' => UNKNOWN_STABILITY,

32
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

33
        }

34
      )

35
    )

36


37
    register_options(

38
      [

39
        Opt::RPORT(1521)

40
      ]

41
    )

42
  end

43


44
  def run_host(ip)

45
    begin

46
      connect

47
      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")

48
      sock.put(send_packet)

49
      packet = sock.read(100)

50
      if packet

51
        hex_packet = Rex::Text.to_hex(packet, ':')

52
        split_hex = hex_packet.split(':')

53
        find_packet = /\(ERROR_STACK=\(ERROR=/ === packet

54
        if find_packet == true # TNS Packet returned ERROR

55
          print_error("#{ip}:#{rport} is not vulnerable")

56
        elsif split_hex[5] == '02' # TNS Packet Type: ACCEPT

57
          print_good("#{ip}:#{rport} is vulnerable")

58
        elsif split_hex[5] == '04' # TNS Packet Type: REFUSE

59
          print_error("#{ip}:#{rport} is not vulnerable")

60
        else # All other TNS packet types or non-TNS packet type response cannot guarantee vulnerability

61
          print_error("#{ip}:#{rport} might not be vulnerable")

62
        end

63
      else

64
        print_error("#{ip}:#{rport} is not vulnerable")

65
      end

66
      # TODO: Module should report_vuln if this finding is solid.

67
    rescue ::Rex::ConnectionError, ::Errno::EPIPE

68
      print_error("#{ip}:#{rport} unable to connect to the server")

69
    end

70
  end

71
end

72


73