## https://sploitus.com/exploit?id=PACKETSTORM:180936
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::TNS
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle TNS Listener SID Enumeration',
'Description' => %q{
This module simply queries the TNS listener for the Oracle SID.
With Oracle 9.2.0.8 and above the listener will be protected and
the SID will have to be bruteforced or guessed.
},
'Author' => [ 'CG', 'MC' ],
'License' => MSF_LICENSE,
'DisclosureDate' => '2009-01-07'
))
register_options(
[
Opt::RPORT(1521)
])
end
def run_host(ip)
begin
connect
pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")
sock.put(pkt)
select(nil,nil,nil,0.5)
data = sock.get_once
if ( data and data =~ /ERROR_STACK/ )
print_error("TNS listener protected for #{ip}...")
else
if(not data)
print_error("#{ip} Connection but no data")
else
sid = data.scan(/INSTANCE_NAME=([^\)]+)/)
sid.uniq.each do |s|
report_note(
:host => ip,
:port => rport,
:type => "oracle_sid",
:data => "PORT=#{rport}, SID=#{s}",
:update => :unique_data
)
print_good("Identified SID for #{ip}:#{rport} #{s}")
end
service_name = data.scan(/SERVICE_NAME=([^\)]+)/)
service_name.uniq.each do |s|
report_note(
:host => ip,
:port => rport,
:type => "oracle_service_name",
:data => "PORT=#{rport}, SERVICE_NAME=#{s}",
:update => :unique_data
)
print_status("Identified SERVICE_NAME for #{ip}:#{rport} #{s}")
end
end
end
disconnect
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
end
end