drgreen/coolbins
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity
coolbins/system/usr/share/nmap/nselib/tns.lua

1799 lines
63 KiB
Lua
Raw Permalink Blame History

---
-- TNS Library supporting a very limited subset of Oracle operations
--
-- Summary
-- -------
-- The library currently provides functionality to connect and authenticate
-- to the Oracle database server. Some preliminary query support has been
-- added, which only works against a few specific versions. The library has
-- been tested against and known to work with Oracle 10g and 11g. Please check
-- the matrix below for tested versions that are known to work.
--
-- Due to the lack of documentation the library is based mostly on guesswork
-- with a lot of unknowns. Bug reports are therefore both welcome and
-- important in order to further improve this library. In addition, knowing
-- that the library works against versions not in the test matrix is valuable
-- as well.
--
-- Overview
-- --------
-- The library contains the following classes:
--
-- o Packet.*
-- - The Packet classes contain specific packets and function to serialize
-- them to strings that can be sent over the wire. Each class may also
-- contain a function to parse the servers response.
--
-- o Comm
-- - Implements a number of functions to handle communication
--
-- o Crypt
-- - Implements encryption algorithms and functions to support
-- authentication with Oracle 10G and Oracle 11G.
--
-- o Helper
-- - A helper class that provides easy access to the rest of the library
--
--
-- Example
-- -------
-- The following sample code illustrates how scripts can use the Helper class
-- to interface the library:
--
-- <code>
-- tnshelper = tns.Helper:new(host, port)
-- status, err = tnshelper:Connect()
-- status, res = tnshelper:Login("sys", "change_on_install")
-- status, err = tnshelper:Close()
-- </code>
--
-- Additional information
-- ----------------------
-- The implementation is based on the following documentation and through
-- analysis of packet dumps:
--
-- o Oracle 10g TNS AES-128 authentication details (Massimiliano Montoro)
-- x http://www.oxid.it/downloads/oracle_tns_aes128_check.txt
-- o Oracle 11g TNS AES-192 authentication details (Massimiliano Montoro)
-- x http://www.oxid.it/downloads/oracle_tns_aes192_check.txt
-- o Initial analysis of Oracle native authentication version 11g
-- (László Tóth)
-- x http://www.soonerorlater.hu/index.khtml?article_id=512
-- o Oracle native authentication version 9i and 10g (László Tóth)
-- x http://www.soonerorlater.hu/index.khtml?article_id=511
--
-- This implementation is tested and known to work against Oracle 10g and 11g
-- on both Linux and Windows. For details regarding what versions where tested
-- please consult the matrix below.
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- @author Patrik Karlsson <patrik@cqure.net>
--
-- @args tns.sid specifies the Oracle instance to connect to
--
-- Version 0.71
-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 07/21/2010 - v0.2 - made minor changes to support 11gR2 on Windows
-- Revised 07/23/2010 - v0.3 - corrected incorrect example code in docs
-- - removed ssl require
-- Revised 02/08/2011 - v0.4 - added basic query support <patrik@cqure.net>
-- Revised 17/08/2011 - v0.5 - fixed bug that would prevent connections from
-- working on 64-bit oracle.
-- Revised 20/08/2011 - v0.6 - fixed a few bugs in connection and query code
-- - changed so that connections against untested
-- databases versions will fail
-- - added some more documentation and fixed some
-- indentation bugs
-- <patrik@cqure.net>
-- Revised 26/08/2011 - v0.7 - applied patch from Chris Woodbury
-- <patrik@cqure.net>
-- Revised 28/08/2011 - v0.71- fixed a bug that would prevent the library from
-- authenticating against Oracle 10.2.0.1.0 XE
-- <patrik@cqure.net>
--
-- The following versions have been tested and are known to work:
-- +--------+---------------+---------+-------+-------------------------------+
-- | OS | DB Version | Edition | Arch | Functionality |
-- +--------+---------------+---------+-------+-------------------------------|
-- | Win | 10.2.0.1.0 | EE | 32bit | Authentication |
-- | Win | 10.2.0.1.0 | XE | 32bit | Authentication, Queries |
-- | Linux | 10.2.0.1.0 | EE | 32bit | Authentication |
-- | Win | 11.1.0.6.0 | EE | 32bit | Authentication, Queries |
-- | Win | 11.1.0.6.0 | EE | 64bit | Authentication |
-- | Win | 11.2.0.1.0 | EE | 64bit | Authentication |
-- | Win | 11.2.0.2.0 | EE | 64bit | Authentication |
-- | Linux | 11.2.0.1.0 | EE | 64bit | Authentication |
-- | Win | 11.2.0.2.0 | XE | 32bit | Authentication, Queries |
-- | Win | 11.2.0.2.0 | EE | 64bit | Authentication, Queries |
-- +--------+---------------+---------+-------+-------------------------------+
--
local bits = require "bits"
local math = require "math"
local match = require "match"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local openssl = stdnse.silent_require "openssl"
_ENV = stdnse.module("tns", stdnse.seeall)
-- Oracle version constants
ORACLE_VERSION_10G = 313
ORACLE_VERSION_11G = 314
-- Data type to number conversions
DataTypes = {
NUMBER = 2,
DATE = 12,
}
-- A class containing some basic authentication options
AuthOptions =
{
-- Creates a new AuthOptions instance
-- @return o new instance of AuthOptions
new = function( self )
local o = {
auth_term = "pts/" .. math.random(255),
auth_prog = ("sqlplus@nmap_%d (TNS V1-V3)"):format(math.random(32768)),
auth_machine = "nmap_target",
auth_pid = "" .. math.random(32768),
auth_sid = "nmap_" .. math.random(32768)
}
setmetatable(o, self)
self.__index = self
return o
end,
}
-- Decodes different datatypes from the byte arrays or strings read from the
-- tns data packets
DataTypeDecoders = {
-- Decodes a number
[DataTypes.NUMBER] = function(val)
if ( #val == 0 ) then return "" end
if ( #val == 1 and val == '\128' ) then return 0 end
local bytes = {string.byte(val, 1, #val)}
local positive = ( (bytes[1] & 0x80) ~= 0 )
local function convert_bytes(bytes, positive)
local ret_bytes = {}
local len = #bytes
if ( positive ) then
ret_bytes[1] = (bytes[1] & 0x7F) - 65
for i=2, len do ret_bytes[i] = bytes[i] - 1 end
else
ret_bytes[1] = ((bytes[1] ~ 0xFF) & 0x7F) - 65
for i=2, len do ret_bytes[i] = 101 - bytes[i] end
end
return ret_bytes
end
bytes = convert_bytes(bytes, positive)
local k = ( #bytes - 1 > bytes[1] +1 ) and ( bytes[1] + 1 ) or #bytes - 1
local l = 0
for m=1, k do l = l * 100 + bytes[m+1] end
for m=bytes[1]-#bytes - 1, 0, -1 do l = l * 100 end
return (positive and l or -l)
end,
-- Decodes a date
[DataTypes.DATE] = function(val)
local bytes = {}
if (#val == 0) then
return ""
elseif( #val ~= 7 ) then
return "ERROR: Failed to decode date"
end
local bytes = {string.byte(val, 1, 7)}
return ("%d-%02d-%02d"):format( (bytes[1] - 100 ) * 100 + bytes[2] - 100, bytes[3], bytes[4] )
end,
}
-- Packet class table
--
-- Each Packet type SHOULD implement:
-- o tns_type - A variable indicating the TNS Type of the Packet
-- o toString - A function that serializes the object to string
--
-- Each Packet MAY also optionally implement:
-- o parseResponse
-- x An optional function that parses the servers response
-- x The function should return status and an undefined second return value
--
Packet = {}
-- Contains the TNS header and basic functions for decoding and reading the
-- TNS packet.
Packet.TNS = {
checksum = 0,
hdr_checksum = 0,
length = 0,
reserved = 0,
Type =
{
CONNECT = 1,
ACCEPT = 2,
REFUSE = 4,
DATA = 6,
RESEND = 11,
MARKER = 12,
},
new = function( self, typ )
local o = {
type = typ
}
setmetatable(o, self)
self.__index = self
return o
end,
--- Read a TNS packet of the socket
--
-- @return true on success, false on failure
-- @return err string containing error message on failure
recv = function( self )
local status, data = self.socket:receive_buf( match.numbytes(2), true )
if ( not(status) ) then
return status, data
end
self.length = string.unpack(">I2", data )
status, data = self.socket:receive_buf( match.numbytes(6), true )
if ( not(status) ) then
return status, data
end
self.checksum, self.type, self.reserved, self.hdr_checksum = string.unpack(">I2BBI2", data)
status, data = self.socket:receive_buf( match.numbytes(self.length - 8), true )
if ( status ) then
self.data = data
end
return true
end,
parse = function(data)
local tns = Packet.TNS:new()
local pos
tns.length, tns.checksum, tns.type, tns.reserved, tns.hdr_checksum, pos = string.unpack(">I2I2BBI2", data)
tns.data, pos = string.unpack("c" .. ( tns.length - 8 ), data, pos)
return tns
end,
--- Converts the TNS packet to string suitable to be sent over the socket
--
-- @return string containing the TNS packet
__tostring = function( self )
local data = string.pack(">I2I2BBI2", self.length, self.checksum, self.type, self.reserved, self.hdr_checksum) .. self.data
return data
end,
}
-- Initiates the connection to the listener
Packet.Connect = {
CONN_STR = [[
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d))
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=%s)(CID=
(PROGRAM=sqlplus)(HOST=%s)(USER=nmap))))]],
version = 314,
version_comp = 300,
svc_options = 0x0c41,
sess_dus = 8192,
max_trans_dus = 32767,
nt_proto_char = 0x7f08,
line_turnaround = 0,
value_of_1_in_hw = 0x0100,
conn_data_len = 0,
conn_data_offset = 58,
conn_data_max_recv = 512,
conn_data_flags_0 = 0x41,
conn_data_flags_1 = 0x41,
trace_cross_1 = 0,
trace_cross_2 = 0,
trace_unique_conn = 0,
tns_type = Packet.TNS.Type.CONNECT,
-- Creates a new Connect instance
-- @param rhost string containing host or ip
-- @param rport string containing the port number
-- @param dbinstance string containing the instance name
-- @return o containing new Connect instance
new = function( self, rhost, rport, dbinstance )
local o = {
rhost = rhost,
rport = rport,
conn_data = Packet.Connect.CONN_STR:format( rhost, rport, dbinstance, rhost ),
dbinstance = dbinstance:upper()
}
setmetatable(o, self)
self.__index = self
return o
end,
setCmd = function( self, cmd )
local tmp = [[
(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=%s)(USER=nmap))(COMMAND=%s)(ARGUMENTS=64)(SERVICE=%s:%d)(VERSION=185599488)))
]]
self.conn_data = tmp:format( self.rhost, cmd, self.rhost, self.rport )
end,
--- Parses the server response from the CONNECT
--
-- @param tns Packet.TNS containing the TNS packet received from the
-- server
-- @return true on success, false on failure
-- @return version number containing the version supported by the
-- server or an error message on failure
parseResponse = function( self, tns )
if ( tns.type ~= Packet.TNS.Type.ACCEPT ) then
if ( tns.data:match("ERR=12514") ) then
return false, ("TNS: The listener could not resolve \"%s\""):format(self.dbinstance)
end
return false, tns.data:match("%(ERR=(%d*)%)")
end
local version = string.unpack(">I2", tns.data )
return true, version
end,
--- Converts the CONNECT packet to string
--
-- @return string containing the packet
__tostring = function( self )
self.conn_data_len = #self.conn_data
return string.pack(">I2I2I2I2I2I2I2I2I2I2I4 BBI4 I4 I8I8", self.version, self.version_comp, self.svc_options,
self.sess_dus, self.max_trans_dus, self.nt_proto_char,
self.line_turnaround, self.value_of_1_in_hw, self.conn_data_len,
self.conn_data_offset, self.conn_data_max_recv, self.conn_data_flags_0,
self.conn_data_flags_1, self.trace_cross_1, self.trace_cross_2,
self.trace_unique_conn, 0) .. self.conn_data
end,
}
-- A TNS data packet, one of the most common packets
Packet.Data = {
flag = 0,
-- Createas a new Data instance
-- @return o new instance of Data
new = function( self, data )
local o = {
TNS = Packet.TNS:new( Packet.TNS.Type.DATA ),
data = data
}
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
local data = string.pack( ">I2", self.flag ) .. self.data
self.TNS.length = #data + 8
return tostring(self.TNS) .. data
end,
}
-- Packet received by the server to indicate errors or end of
-- communication.
Packet.Attention = {
tns_type = Packet.TNS.Type.MARKER,
-- Creates a new instance of the Attention packet
-- @return o new instance of Attention
new = function( self, typ, data )
local o = { data = data, att_type = typ }
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the MARKER packet to string
--
-- @return string containing the packet
__tostring = function( self )
return string.pack( ">B", self.att_type ) .. self.data
end,
}
-- Packet initializing challenge response authentication
Packet.PreAuth = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
param_order = {
{ ["AUTH_TERMINAL"] = "auth_term" },
{ ["AUTH_PROGRAM_NM"] = "auth_prog" },
{ ["AUTH_MACHINE"] = "auth_machine" },
{ ["AUTH_PID"] = "auth_pid" },
{ ["AUTH_SID"] = "auth_sid" }
},
--- Creates a new PreAuth packet
--
-- @param user string containing the user name
-- @return a new instance of Packet.PreAuth
new = function(self, user, options, ver)
local o = { auth_user = user, auth_options = options, version = ver }
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
local packet_type = 0x0376
local UNKNOWN_MAP = {
["Linuxi386/Linux-2.0.34-8.1.0"] = stdnse.fromhex("0238be0808") .. string.char(#self.auth_user) .. stdnse.fromhex("00000001000000a851bfbf05000000504ebfbf7853bfbf"),
["IBMPC/WIN_NT-8.1.0"] = stdnse.fromhex("0238be0808") .. string.char(#self.auth_user) .. stdnse.fromhex("00000001000000a851bfbf05000000504ebfbf7853bfbf"),
["IBMPC/WIN_NT64-9.1.0"] = stdnse.fromhex("0201040000000100000001050000000101"),
["x86_64/Linux 2.4.xx"] = stdnse.fromhex("0201040000000100000001050000000101"),
}
local unknown = UNKNOWN_MAP[self.version] or ""
local data = {
string.pack(">I2I2", self.flags, packet_type),
unknown,
string.pack("s1", self.auth_user),
}
for _, v in ipairs( Packet.PreAuth.param_order ) do
for k, v2 in pairs(v) do
data[#data+1] = Marshaller.marshalKvp( k, self.auth_options[v2] )
end
end
return table.concat(data)
end,
--- Parses the PreAuth packet response and extracts data needed to
-- perform authentication
--
-- @param tns Packet.TNS containing the TNS packet received from the server
-- @return table containing the keys and values returned by the server
parseResponse = function( self, tns )
local kvps = {}
local kvp_count = string.unpack( "B", tns.data, 4 )
local pos = 6
for kvp_itr=1, kvp_count do
local key, val, kvp_flags
pos, key, val, kvp_flags = Marshaller.unmarshalKvp( tns.data, pos )
-- we don't actually do anything with the flags currently, but they're there
kvps[key] = val
end
return true, kvps
end,
}
-- Packet containing authentication data
Packet.Auth = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
param_order = {
{ ['key'] = "AUTH_RTT", ['def'] = "25456" },
{ ['key'] = "AUTH_CLNT_MEM", ['def'] = "4096" },
{ ['key'] = "AUTH_TERMINAL", ['var'] = "auth_term" },
{ ['key'] = "AUTH_PROGRAM_NM", ['var'] = "auth_prog" },
{ ['key'] = "AUTH_MACHINE", ['var'] = "auth_machine" },
{ ['key'] = "AUTH_PID", ['var'] = "auth_pid" },
{ ['key'] = "AUTH_SID", ['var'] = "auth_sid" },
{ ['key'] = "AUTH_ACL", ['def'] = "4400" },
{ ['key'] = "AUTH_ALTER_SESSION", ['def'] = "ALTER SESSION SET TIME_ZONE='+02:00'\0" },
{ ['key'] = "AUTH_LOGICAL_SESSION_ID", ['def'] = stdnse.tohex(openssl.rand_pseudo_bytes(16)) },
{ ['key'] = "AUTH_FAILOVER_ID", ['def'] = "" },
},
--- Creates a new Auth packet
--
-- @param auth_sesskey the encrypted session key
-- @param auth_pass the encrypted user password
-- @return a new instance of Packet.Auth
new = function(self, user, options, auth_sesskey, auth_pass, ver)
local o = {
auth_sesskey = auth_sesskey,
auth_pass = auth_pass,
auth_options = options,
user = user,
version = ver
}
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
local UNKNOWN_MAP = {
["Linuxi386/Linux-2.0.34-8.1.0"] = stdnse.fromhex("0338be0808") .. string.char(#self.user) .. stdnse.fromhex("00000001010000cc7dbfbf0d000000747abfbf608abfbf"),
["IBMPC/WIN_NT-8.1.0"] = stdnse.fromhex("0338be0808") .. string.char(#self.user) .. stdnse.fromhex("00000001010000cc7dbfbf0d000000747abfbf608abfbf"),
["IBMPC/WIN_NT64-9.1.0"] = stdnse.fromhex("03010400000001010000010d0000000101"),
["x86_64/Linux 2.4.xx"] = stdnse.fromhex("03010400000001010000010d0000000101")
}
local sess_id = stdnse.tohex(openssl.rand_pseudo_bytes(16))
local unknown = UNKNOWN_MAP[self.version] or ""
local data = {
string.pack(">I2I2", self.flags, 0x0373),
unknown,
string.pack("s1", self.user),
Marshaller.marshalKvp( "AUTH_SESSKEY", self.auth_sesskey, 1 ),
Marshaller.marshalKvp( "AUTH_PASSWORD", self.auth_pass ),
}
for k, v in ipairs( self.param_order ) do
if ( v['def'] ) then
data[#data+1] = Marshaller.marshalKvp( v['key'], v['def'] )
elseif ( self.auth_options[ v['var'] ] ) then
data[#data+1] = Marshaller.marshalKvp( v['key'], self.auth_options[ v['var'] ] )
elseif ( self[ v['var'] ] ) then
data[#data+1] = Marshaller.marshalKvp( v['key'], self[ v['var'] ] )
end
end
return table.concat(data)
end,
-- Parses the response of an Auth packet
--
-- @param tns Packet.TNS containing the TNS packet received from the server
-- @return table containing the key pair values from the Auth packet
parseResponse = function( self, tns )
local kvps = {}
local kvp_count = string.unpack( "B", tns.data, 4 )
local pos = 6
for kvp_itr=1, kvp_count do
local key, val, kvp_flags
pos, key, val, kvp_flags = Marshaller.unmarshalKvp( tns.data, pos )
-- we don't actually do anything with the flags currently, but they're there
kvps[key] = val
end
return true, kvps
end,
}
Packet.SNS = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
-- Creates a new SNS instance
--
-- @return o new instance of the SNS packet
new = function(self)
local o = {}
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
return string.pack(">I2", self.flags) .. stdnse.fromhex(
[[
deadbeef00920b1006000004000004000300000000000400050b10060000080
001000015cb353abecb00120001deadbeef0003000000040004000100010002
0001000300000000000400050b10060000020003e0e100020006fcff0002000
200000000000400050b100600000c0001001106100c0f0a0b08020103000300
0200000000000400050b10060000030001000301
]] )
end,
}
-- Packet containing protocol negotiation
Packet.ProtoNeg = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
new = function(self)
local o = {}
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
return string.pack(">I2", self.flags) .. stdnse.fromhex("0106050403020100")
.. "Linuxi386/Linux-2.0.34-8.1.0\0"
end,
--- Parses and verifies the server response
--
-- @param tns Packet.TNS containing the response from the server
parseResponse = function( self, tns )
local flags, neg, ver, srv = string.unpack(">I2BBxz", tns.data)
if ( neg ~= 1 ) then
return false, "Error protocol negotiation failed"
end
if ( ver ~= 6 ) then
return false, ("Error protocol version (%d) not supported"):format(ver)
end
return true, srv
end
}
Packet.Unknown1 = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
--- Creates a new Packet.Unknown1
--
-- @param version containing the version of the packet to send
-- @return new instance of Packet.Unknown1
new = function(self, os)
local o = { os = os }
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
if ( self.os:match("IBMPC/WIN_NT[64]*[-]%d%.%d%.%d") ) then
return string.pack(">I2", self.flags) .. stdnse.fromhex([[
02b200b2004225060101010d010105010101010101017fff0309030301007f0
11fff010301013f01010500010702010000180001800000003c3c3c80000000
d007000100010001000000020002000a00000008000800010000000c000c000
a00000017001700010000001800180001000000190019001800190001000000
1a001a0019001a00010000001b001b000a001b00010000001c001c0016001c0
0010000001d001d0017001d00010000001e001e0017001e00010000001f001f
0019001f0001000000200020000a00200001000000210021000a00210001000
0000a000a00010000000b000b00010000002800280001000000290029000100
000075007500010000007800780001000001220122000100000123012300010
12300010000012401240001000001250125000100000126012600010000012a
012a00010000012b012b00010000012c012c00010000012d012d00010000012
e012e00010000012f012f000100000130013000010000013101310001000001
320132000100000133013300010000013401340001000001350135000100000
136013600010000013701370001000001380138000100000139013900010000
013b013b00010000013c013c00010000013d013d00010000013e013e0001000
0013f013f000100000140014000010000014101410001000001420142000100
000143014300010000014701470001000001480148000100000149014900010
000014b014b00010000014d014d00010000014e014e00010000014f014f0001
000001500150000100000151015100010000015201520001000001530153000
100000154015400010000015501550001000001560156000100000157015700
0101570001000001580158000100000159015900010000015a015a000100000
15c015c00010000015d015d0001000001620162000100000163016300010000
0167016700010000016b016b00010000017c017c0001014200010000017d017
d00010000017e017e00010000017f017f000100000180018000010000018101
810001000001820182000100000183018300010000018401840001000001850
18500010000018601860001000001870187000100000189018900010000018a
018a00010000018b018b00010000018c018c00010000018d018d00010000018
e018e00010000018f018f000100000190019000010000019101910001000001
940194000101250001000001950195000100000196019600010000019701970
0010000019d019d00010000019e019e00010000019f019f0001000001a001a0
0001000001a101a10001000001a201a20001000001a301a30001000001a401a
40001000001a501a50001000001a601a60001000001a701a70001000001a801
a80001000001a901a90001000001aa01aa0001000001ab01ab0001000001ad0
1ad0001000001ae01ae0001000001af01af0001000001b001b00001000001b1
01b10001000001c101c10001000001c201c2000101250001000001c601c6000
1000001c701c70001000001c801c80001000001c901c90001000001ca01ca00
01019f0001000001cb01cb000101a00001000001cc01cc000101a2000100000
1cd01cd000101a30001000001ce01ce000101b10001000001cf01cf00010122
0001000001d201d20001000001d301d3000101ab0001000001d401d40001000
001d501d50001000001d601d60001000001d701d70001000001d801d8000100
0001d901d90001000001da01da0001000001db01db0001000001dc01dc00010
00001dd01dd0001000001de01de0001000001df01df0001000001e001e00001
000001e101e10001000001e201e20001000001e301e30001016b0001000001e
401e40001000001e501e50001000001e601e60001000001ea01ea0001000001
eb01eb0001000001ec01ec0001000001ed01ed0001000001ee01ee000100000
1ef01ef0001000001f001f00001000001f201f20001000001f301f300010000
01f401f40001000001f501f50001000001f601f60001000001fd01fd0001000
001fe01fe000100000201020100010000020202020001000002040204000100
000205020500010000020602060001000002070207000100000208020800010
0000209020900010000020a020a00010000020b020b00010000020c020c0001
0000020d020d00010000020e020e00010000020f020f0001000002100210000
100000211021100010000021202120001000002130213000100000214021400
010000021502150001000002160216000100000217021700010000021802180
00100000219021900010000021a021a00010000021b021b00010000021c021c
00010000021d021d00010000021e021e00010000021f021f000100000220022
000010000022102210001000002220222000100000223022300010000022402
240001000002250225000100000226022600010000022702270001000002280
228000100000229022900010000022a022a00010000022b022b00010000022c
022c00010000022d022d00010000022e022e00010000022f022f00010000023
102310001000002320232000100000233023300010000023402340001000002
3702370001000002380238000100000239023900010000023a023a000100000
23b023b00010000023c023c00010000023d023d00010000023e023e00010000
023f023f0001000002400240000100000241024100010000024202420001000
002430243000100000244024400010000
]])
elseif ( "x86_64/Linux 2.4.xx" == self.os ) then
return string.pack(">I2", self.flags) .. stdnse.fromhex([[
02b200b2004221060101010d01010401010101010101ffff0308030001003f0
1073f010101010301050201000018800000003c3c3c80000000d00700010001
0001000000020002000a00000008000800010000000c000c000a00000017001
7000100000018001800010000001900190018001900010000001a001a001900
1a00010000001b001b000a001b00010000001c001c0016001c00010000001d0
01d0017001d00010000001e001e0017001e00010000001f001f0019001f0001
000000200020000a00200001000000210021000a002100010000000a000a000
10000000b000b00010000002800280001000000290029000100000075007500
010000007800780001000001220122000100000123012300010123000100000
12401240001000001250125000100000126012600010000012a012a00010000
012b012b00010000012c012c00010000012d012d00010000012e012e0001000
0012f012f000100000130013000010000013101310001000001320132000100
000133013300010000013401340001000001350135000100000136013600010
000013701370001000001380138000100000139013900010000013b013b0001
0000013c013c00010000013d013d00010000013e013e00010000013f013f000
100000140014000010000014101410001000001420142000100000143014300
010000014701470001000001480148000100000149014900010000014b014b0
0010000014d014d00010000014e014e00010000014f014f0001000001500150
000100000151015100010000015201520001000001530153000100000154015
400010000015501550001000001560156000100000157015700010157000100
0001580158000100000159015900010000015a015a00010000015c015c00010
000015d015d0001000001620162000100000163016300010000016701670001
0000016b016b00010000017c017c0001014200010000017d017d00010000017
e017e00010000017f017f000100000180018000010000018101810001000001
820182000100000183018300010000018401840001000001850185000100000
18601860001000001870187000100000189018900010000018a018a00010000
018b018b00010000018c018c00010000018d018d00010000018e018e0001000
0018f018f000100000190019000010000019101910001000001940194000101
2500010000019501950001000001960196000100000197019700010000019d0
19d00010000019e019e00010000019f019f0001000001a001a00001000001a1
01a10001000001a201a20001000001a301a30001000001a401a40001000001a
501a50001000001a601a60001000001a701a70001000001a801a80001000001
a901a90001000001aa01aa0001000001ab01ab0001000001ad01ad000100000
1ae01ae0001000001af01af0001000001b001b00001000001b101b100010000
01c101c10001000001c201c2000101250001000001c601c60001000001c701c
70001000001c801c80001000001c901c90001000001ca01ca0001019f000100
0001cb01cb000101a00001000001cc01cc000101a20001000001cd01cd00010
1a30001000001ce01ce000101b10001000001cf01cf000101220001000001d2
01d20001000001d301d3000101ab0001000001d401d40001000001d501d5000
1000001d601d60001000001d701d70001000001d801d80001000001d901d900
01000001da01da0001000001db01db0001000001dc01dc0001000001dd01dd0
001000001de01de0001000001df01df0001000001e001e00001000001e101e1
0001000001e201e20001000001e301e30001016b0001000001e401e40001000
001e501e50001000001e601e60001000001ea01ea0001000001eb01eb000100
0001ec01ec0001000001ed01ed0001000001ee01ee0001000001ef01ef00010
00001f001f00001000001f201f20001000001f301f30001000001f401f40001
000001f501f50001000001f601f60001000001fd01fd0001000001fe01fe000
100000201020100010000020202020001000002040204000100000205020500
010000020602060001000002070207000100000208020800010000020902090
0010000020a020a00010000020b020b00010000020c020c00010000020d020d
00010000020e020e00010000020f020f0001000002100210000100000211021
100010000021202120001000002130213000100000214021400010000021502
150001000002160216000100000217021700010000021802180001000002190
21900010000021a021a00010000021b021b0001000000030002000a00000004
0002000a0000000500010001000000060002000a000000070002000a0000000
9000100010000000d0000000e0000000f001700010000001000000011000000
12000000130000001400000015000000160000002700780001015d000101260
0010000003a003a0001000000440002000a00000045000000460000004a006d
00010000004c0000005b0002000a0000005e000100010000005f00170001000
000600060000100000061006000010000006400640001000000650065000100
0000660066000100000068000000690000006a006a00010000006c006d00010
000006d006d00010000006e006f00010000006f006f00010000007000700001
000000710071000100000072007200010000007300730001000000740066000
100000076000000770000007900790001
]])
else
return string.pack(">I2", self.flags) .. stdnse.fromhex( [[
02b200b2004225060101010d010105010101010101017fff0309030301007f011
fff010301013f01010500010702010000180001800000003c3c3c80000000d007
]])
end
end,
}
--- This packet is only used by Oracle10 and older
Packet.Unknown2 = {
tns_type = Packet.TNS.Type.DATA,
flags = 0,
new = function(self, os)
local o = { os = os }
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
if ( "x86_64/Linux 2.4.xx" == self.os ) then
return string.pack(">I2", self.flags) .. stdnse.fromhex([[
0000007a007a00010000007b007b00010000008800000092009200010000009
300930001000000980002000a000000990002000a0000009a0002000a000000
9b000100010000009c000c000a000000ac0002000a000000b200b2000100000
0b300b30001000000b400b40001000000b500b50001000000b600b600010000
00b700b70001000000b8000c000a000000b900b20001000000ba00b30001000
000bb00b40001000000bc00b50001000000bd00b60001000000be00b7000100
0000bf000000c0000000c300700001000000c400710001000000c5007200010
00000d000d00001000000d1000000e700e70001000000e800e70001000000e9
00e90001000000f1006d0001000002030203000100000000]]
)
else
return string.pack(">I2", self.flags) .. stdnse.fromhex([[
024502450001000002460246000100000247024700010000024802480001000
0024902490001000000030002000a000000040002000a000000050001000100
0000060002000a000000070002000a00000009000100010000000d0000000e0
000000f00170001000000100000001100000012000000130000001400000015
000000160000002700780001015d0001012600010000003a003a00010000004
40002000a00000045000000460000004a006d00010000004c0000005b000200
0a0000005e000100010000005f0017000100000060006000010000006100600
001000000640064000100000065006500010000006600660001000000680000
00690000006a006a00010000006c006d00010000006d006d00010000006e006
f00010000006f006f0001000000700070000100000071007100010000007200
720001000000730073000100000074006600010000007600000077000000790
07900010000007a007a00010000007b007b0001000000880000009200920001
0000009300930001000000980002000a000000990002000a0000009a0002000
a0000009b000100010000009c000c000a000000ac0002000a000000b200b200
01000000b300b30001000000b400b40001000000b500b50001000000b600b60
001000000b700b70001000000b8000c000a000000b900b20001000000ba00b3
0001000000bb00b40001000000bc00b50001000000bd00b60001000000be00b
70001000000bf000000c0000000c300700001000000c400710001000000c500
720001000000d000d00001000000d1000000e700e70001000000e800e700010
00000e900e90001000000f1006d0001000002030203000100000000
]])
end
end,
}
-- Signals that we're about to close the connection
Packet.EOF = {
tns_type = Packet.TNS.Type.DATA,
flags = 0x0040,
new = function(self)
local o = {}
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
return string.pack(">I2", self.flags )
end
}
Packet.PostLogin = {
tns_type = Packet.TNS.Type.DATA,
flags = 0x0000,
-- Creates a new PostLogin instance
--
-- @param sessid number containing session id
-- @return o a new instance of PostLogin
new = function(self, sessid)
local o = { sessid = sessid }
setmetatable(o, self)
self.__index = self
return o
end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
local unknown1 = "116b04"
local unknown2 = "0000002200000001000000033b05fefffffff4010000fefffffffeffffff"
return string.pack(">I2", self.flags) .. stdnse.fromhex(unknown1) .. string.char(self.sessid) .. stdnse.fromhex(unknown2)
end
}
-- Class responsible for sending queries to the server and handling the first
-- row returned by the server. This class is 100% based on packet captures and
-- guesswork.
Packet.Query = {
tns_type = Packet.TNS.Type.DATA,
flags = 0x0000,
--- Creates a new instance of Query
-- @param query string containing the SQL query
-- @return instance of Query
new = function(self, query)
local o = { query = query, counter = 0 }
setmetatable(o, self)
self.__index = self
return o
end,
--- Gets the current counter value
-- @return counter number containing the current counter value
getCounter = function(self) return self.counter end,
--- Sets the current counter value
-- This function is called from sendTNSPacket
-- @param counter number containing the counter value to set
setCounter = function(self, counter) self.counter = counter end,
--- Converts the DATA packet to string
--
-- @return string containing the packet
__tostring = function( self )
local unknown1 = "035e"
local unknown2 = "6180000000000000feffffff"
local unknown3 = "000000feffffff0d000000fefffffffeffffff000000000100000000000000000000000000000000000000feffffff00000000fefffffffeffffff54d25d020000000000000000fefffffffeffffff0000000000000000000000000000000000000000"
local unknown4 = "01000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000"
return string.pack(">I2", self.flags)
.. stdnse.fromhex(unknown1)
.. string.char(self.counter)
.. stdnse.fromhex(unknown2)
.. string.char(#self.query)
.. stdnse.fromhex(unknown3)
.. string.pack("s1", self.query)
.. stdnse.fromhex(unknown4)
end,
--- Parses the Query response from the server
-- @param tns response as received from the <code>Comm.recvTNSPacket</code>
-- function.
-- @return result table containing:
-- <code>columns</code> - a column indexed table with the column names
-- <code>types</code> - a column indexed table with the data types
-- <code>rows</code> - a table containing a row table for each row
-- the row table is a column indexed table of
-- column values.
parseResponse = function( self, tns )
local data = tns.data
local result = {}
local columns = string.unpack("B", tns.data, 35)
local pos = 40
for i=1, columns do
local sql_type
sql_type, pos = string.unpack("B", data, pos)
pos = pos + 34
local name
name, pos = string.unpack("s1", tns.data, pos)
result.columns = result.columns or {}
result.types = result.types or {}
table.insert(result.columns, name)
table.insert(result.types, sql_type)
pos = pos + 10
end
pos = pos + 55
result.rows = {}
local row = {}
for i=1, columns do
local val
val, pos = string.unpack("s1", tns.data, pos)
-- if we're at the first row and first column and the len is 0
-- assume we got an empty resultset
if ( #val == 0 and #result.rows == 0 and i == 1 ) then
return true, { data = result, moredata = false }
end
local sql_type = result.types[i]
if ( DataTypeDecoders[sql_type] ) then
val = DataTypeDecoders[sql_type](val)
end
table.insert(row, val)
end
table.insert(result.rows, row)
local moredata = true
-- check if we've got any more data?
if ( #data > pos + 97 ) then
local len, err
err, pos = string.unpack(">s2", data, pos + 97)
if ( err:match("^ORA%-01403") ) then
moredata = false
end
end
return true, { data = result, moredata = moredata }
end,
}
-- Class responsible for acknowledging a query response from the server
-- and handles the next several rows returned by the server. This class
-- is mostly based on packet captures and guesswork.
Packet.QueryResponseAck = {
tns_type = Packet.TNS.Type.DATA,
flags = 0x0000,
--- Creates a new QueryResponseAck instance
-- @param result table containing the results as received from the
-- <code>Query.parseResponse</code> function.
-- @return instance new instance of QueryResponseAck
new = function(self, result)
local o = { result = result }
setmetatable(o, self)
self.__index = self
return o
end,
--- Gets the current counter value
-- @return counter number containing the current counter value
getCounter = function(self) return self.counter end,
--- Sets the current counter value
-- This function is called from sendTNSPacket
-- @param counter number containing the counter value to set
setCounter = function(self, counter) self.counter = counter end,
--- Serializes the packet into a string suitable to be sent to the DB
-- server.
-- @return str string containing the serialized packet
__tostring = function(self)
return string.pack(">I2BBB", self.flags, 3, 5, self.counter) .. stdnse.fromhex("030000000f000000")
end,
--
-- This is how I (Patrik Karlsson) think this is supposed to work
-- At this point we have the 2nd row (the query response has the first)
-- Every row looks like this, where the leading mask marker (0x15) and mask
-- is optional.
-- | (mask mark)| (bytes) | sor | byte | len * bytes | ... next_column |
-- | 0x15 | [mask] | 0x07 | [len]| [column_val]| ... next_column |
-- The mask is used in order to achieve "compression" and is essentially
-- at a bit mask that decides what columns should be fetched from the
-- preceding row. The mask is provided in reverse order and a set bit
-- indicates that data is provided while an unset bit indicates that the
-- column data should be fetched from the previous row.
--
-- Once a value is fetched the sql data type is verified against the
-- DataTypeDecoder table. If there's a function registered for the fetched
-- data it is run through a decoder, that decodes the *real* value from
-- the encoded data.
--
parseResponse = function( self, tns )
local data = tns.data
local len, pos = string.unpack("B", data, 21)
local mask = ""
-- calculate the initial mask
if ( len > 0 ) then
while( len > 0) do
local mask_part
mask_part, pos = string.unpack("B", data, pos)
mask_part = stdnse.tobinary(bits.reverse(mask_part))
assert(#mask_part <= 8)
mask_part = ("0"):rep(8-#mask_part)..mask_part
mask = mask .. mask_part
len = len - 1
end
pos = pos + 4
else
pos = pos +3
end
while(true) do
local row = {}
local result = self.result
local cols = #result.columns
-- check for start of data marker
local marker
marker, pos = string.unpack("B", data, pos)
if ( marker == 0x15 ) then
mask = ""
-- not sure what this 2-byte value is
pos = pos + 2
-- calculate the bitmask for the columns that do contain
-- data.
len = cols
while( len > 0 ) do
local mask_part
mask_part, pos = string.unpack("B", data, pos)
mask_part = stdnse.tobinary(bits.reverse(mask_part))
assert(#mask_part <= 8)
mask_part = ("0"):rep(8-#mask_part)..mask_part
mask = mask .. mask_part
len = len - 8
end
marker, pos = string.unpack("B", data, pos)
end
if ( marker ~= 0x07 ) then
stdnse.debug2("Encountered unknown marker: %d", marker)
break
end
local val
local rows = self.result.rows
for col=1, cols do
if ( #mask > 0 and mask:sub(col, col) == '0' ) then
val = rows[#rows][col]
else
val, pos = string.unpack("s1", data, pos)
local sql_type = result.types[col]
if ( DataTypeDecoders[sql_type] ) then
val = DataTypeDecoders[sql_type](val)
end
end
table.insert(row, val)
end
-- add row to result
table.insert(rows, row)
end
return true, tns.data
end,
}
Marshaller = {
--- Marshals a TNS key-value pair data structure
--
-- @param key The key
-- @param value The value
-- @param flags The flags
-- @return A binary packed string representing the KVP structure
marshalKvp = function( key, value, flags )
return Marshaller.marshalKvpComponent( key ) ..
Marshaller.marshalKvpComponent( value ) ..
string.pack( "<I4", ( flags or 0 ) )
end,
--- Parses a TNS key-value pair data structure.
--
-- @param data Packed string to parse
-- @param pos Position in the string at which the KVP begins
-- @return table containing the last position read, the key, the value, and the KVP flags
unmarshalKvp = function( data, pos )
local key, value, flags
pos, key = Marshaller.unmarshalKvpComponent( data, pos )
pos, value = Marshaller.unmarshalKvpComponent( data, pos )
flags, pos = string.unpack("<I4", data, pos )
return pos, key, value, flags
end,
--- Marshals a key or value element from a TNS key-value pair data structure
--
-- @param value The key or value
-- @return A binary packed string representing the element
marshalKvpComponent = function( value )
value = value or ""
local sb4len = string.pack("<I4", #value)
if #value == 0 then return sb4len end
local result = {sb4len}
-- 64 bytes is the maximum before Oracle starts chunking strings
local MAX_CHUNK_LENGTH = 64
if #value > MAX_CHUNK_LENGTH then
-- First, write the multiple-chunk indicator
table.insert(result, "\xFE")
-- Loop through the string value, chunk by chunk
local pos = 1
repeat
local nextpos = pos + MAX_CHUNK_LENGTH
table.insert(result, string.pack("s1", value:sub(pos, nextpos - 1)))
pos = nextpos
until pos > #value
-- Finish with an empty chunk
table.insert(result, "\0")
else
table.insert(result, string.pack("s1", value))
end
return table.concat(result)
end,
--- Parses a key or value element from a TNS key-value pair data structure.
--
-- @param data Packed string to parse
-- @param pos Position in the string at which the element begins
-- @return table containing the last position read and the value parsed
unmarshalKvpComponent = function( data, pos )
-- read the 32-bit total length of the value
local value_len
value_len, pos = string.unpack("<I4", data, pos)
if value_len == 0 then return pos, "" end
-- Look at the first byte after the total length. If the value is
-- broken up into multiple chunks, this will be indicated by this
-- byte being 0xFE. Otherwise this is the length of the only chunk.
local chunked = string.unpack("B", data, pos) == 0xFE
if chunked then
pos = pos + 1
end
-- Loop through the chunks until we read the whole value
local chunks = {}
repeat
local chunk
chunk, pos = string.unpack("s1", data, pos)
table.insert(chunks, chunk)
until #chunk == 0 or not chunked -- last chunk is zero-length
return pos, table.concat(chunks)
end,
}
-- The TNS communication class uses the TNSSocket to transmit data
Comm = {
--- Creates a new instance of the Comm class
--
-- @param socket containing a TNSSocket
-- @return new instance of Comm
new = function(self, socket)
local o = {
socket = socket,
data_counter = 06
}
setmetatable(o, self)
self.__index = self
return o
end,
--- Attemts to send a TNS packet over the socket
--
-- @param pkt containing an instance of a Packet.*
-- @return Status (true or false).
-- @return Error code (if status is false).
sendTNSPacket = function( self, pkt )
local tns = Packet.TNS:new( pkt.tns_type )
if ( pkt.setCounter ) then
pkt:setCounter(self.data_counter)
self.data_counter = self.data_counter + 1
end
tns.data = tostring(pkt)
tns.length = #tns.data + 8
-- buffer incase of RESEND
self.pkt = pkt
return self.socket:send( tostring(tns) )
end,
--- Handles communication when a MARKER packet is received and retrieves
-- the following error message
--
-- @return false always to indicate that an error occurred
-- @return msg containing the error message
handleMarker = function( self )
local status, tns = self:recvTNSPacket()
if ( not(status) or tns.type ~= Packet.TNS.Type.MARKER ) then
return false, "ERROR: failed to handle marker sent by server"
end
-- send our marker
status = self:sendTNSPacket( Packet.Attention:new( 1, "\x00\x02") )
if ( not(status) ) then
return false, "ERROR: failed to send marker to server"
end
status, tns = self:recvTNSPacket()
if ( not(status) or tns.type ~= Packet.TNS.Type.DATA ) then
return false, "ERROR: expecting DATA packet"
end
-- check if byte 12 is set or not, this should help us distinguish the offset
-- to the error message in Oracle 10g and 11g
local b1 = string.unpack("B", tns.data, 10)
local pos = (b1 == 1) and 99 or 69
-- fetch the oracle error and return it
local msg = string.unpack("s1", tns.data, pos )
return false, msg
end,
--- Receives a TNS packet and handles TNS-resends
--
-- @return status true on success, false on failure
-- @return tns Packet.TNS containing the received packet or err on failure
recvTNSPacket = function( self )
local tns
local retries = 5
repeat
local function recv()
local status, header = self.socket:receive_buf( match.numbytes(8), true )
if ( not(status) ) then return status, header end
local length = string.unpack(">I2", header )
local status, data = self.socket:receive_buf( match.numbytes(length - 8), true )
if ( not(status) ) then
return false, data
else
return status, Packet.TNS.parse(header .. data)
end
end
local status
status, tns = recv()
if ( not(status) ) then
if ( retries == 0 ) then
return false, "ERROR: recvTNSPacket failed to receive TNS headers"
end
retries = retries - 1
elseif ( tns.type == Packet.TNS.Type.RESEND ) then
self:sendTNSPacket( self.pkt )
end
until ( status and tns.type ~= Packet.TNS.Type.RESEND )
return true, tns
end,
--- Sends a TNS packet and receives (and handles) the response
--
-- @param pkt containing the Packet.* to send to the server
-- @return status true on success, false on failure
-- @return the parsed response as return from the respective parseResponse
-- function or error message if status was false
exchTNSPacket = function( self, pkt )
local status = self:sendTNSPacket( pkt )
local tns, response
if ( not(status) ) then
return false, "sendTNSPacket failed"
end
status, tns = self:recvTNSPacket()
if ( not(status) ) then
return false, tns
end
--- handle TNS MARKERS
if ( tns.type == Packet.TNS.Type.MARKER ) then
return self:handleMarker()
end
if ( pkt.parseResponse ) then
status, response = pkt:parseResponse( tns )
end
return status, response
end
}
--- Class that handles all Oracle encryption
Crypt = {
-- Test function, not currently in use
Decrypt11g = function(self, c_sesskey, s_sesskey, auth_password, pass, salt )
local sha1 = openssl.sha1(pass .. salt) .. "\0\0\0\0"
local auth_sesskey = s_sesskey
local auth_sesskey_c = c_sesskey
local server_sesskey = openssl.decrypt( "aes-192-cbc", sha1, nil, auth_sesskey )
local client_sesskey = openssl.decrypt( "aes-192-cbc", sha1, nil, auth_sesskey_c )
local combined_sesskey = {}
for i=17, 40 do
combined_sesskey[#combined_sesskey+1] = string.char( string.byte(server_sesskey, i) ~ string.byte(client_sesskey,i) )
end
combined_sesskey = table.concat(combined_sesskey)
combined_sesskey = ( openssl.md5( combined_sesskey:sub(1,16) ) .. openssl.md5( combined_sesskey:sub(17) ) ):sub(1, 24)
local p = openssl.decrypt( "aes-192-cbc", combined_sesskey, nil, auth_password, false )
return p:sub(17)
end,
--- Creates an Oracle 10G password hash
--
-- @param username containing the Oracle user name
-- @param password containing the Oracle user password
-- @return hash containing the Oracle hash
HashPassword10g = function( self, username, password )
local uspw = (username .. password):upper():gsub(".", "\0%1")
local key = stdnse.fromhex("0123456789abcdef")
-- do padding
uspw = uspw .. string.rep('\0', (8 - (#uspw % 8)) % 8)
local iv2 = openssl.encrypt( "DES-CBC", key, nil, uspw, false ):sub(-8)
local enc = openssl.encrypt( "DES-CBC", iv2, nil, uspw, false ):sub(-8)
return enc
end,
-- Test function, not currently in use
Decrypt10g = function(self, user, pass, srv_sesskey_enc )
local pwhash = self:HashPassword10g( user, pass ) .. "\0\0\0\0\0\0\0\0"
local cli_sesskey_enc = stdnse.fromhex("7B244D7A1DB5ABE553FB9B7325110024911FCBE95EF99E7965A754BC41CF31C0")
local srv_sesskey = openssl.decrypt( "AES-128-CBC", pwhash, nil, srv_sesskey_enc )
local cli_sesskey = openssl.decrypt( "AES-128-CBC", pwhash, nil, cli_sesskey_enc )
local auth_pass = stdnse.fromhex("4C5E28E66B6382117F9D41B08957A3B9E363B42760C33B44CA5D53EA90204ABE")
local pass
local combined_sesskey = {}
for i=17, 32 do
combined_sesskey[#combined_sesskey+1] = string.char( string.byte(srv_sesskey, i) ~ string.byte(cli_sesskey, i) )
end
combined_sesskey = openssl.md5( table.concat(combined_sesskey) )
pass = openssl.decrypt( "AES-128-CBC", combined_sesskey, nil, auth_pass ):sub(17)
print( stdnse.tohex( srv_sesskey ))
print( stdnse.tohex( cli_sesskey ))
print( stdnse.tohex( combined_sesskey ))
print( "pass=" .. pass )
end,
--- Performs the relevant encryption needed for the Oracle 10g response
--
-- @param user containing the Oracle user name
-- @param pass containing the Oracle user password
-- @param srv_sesskey_enc containing the encrypted server session key as
-- received from the PreAuth packet
-- @return cli_sesskey_enc the encrypted client session key
-- @return auth_pass the encrypted Oracle password
Encrypt10g = function( self, user, pass, srv_sesskey_enc )
local pwhash = self:HashPassword10g( user, pass ) .. "\0\0\0\0\0\0\0\0"
-- We're currently using a static client session key, this should
-- probably be changed to a random value in the future
local cli_sesskey = stdnse.fromhex("FAF5034314546426F329B1DAB1CDC5B8FF94349E0875623160350B0E13A0DA36")
local srv_sesskey = openssl.decrypt( "AES-128-CBC", pwhash, nil, srv_sesskey_enc )
local cli_sesskey_enc = openssl.encrypt( "AES-128-CBC", pwhash, nil, cli_sesskey )
-- This value should really be random, not this static cruft
local rnd = stdnse.fromhex("4C31AFE05F3B012C0AE9AB0CDFF0C508")
local auth_pass
local combined_sesskey = {}
for i=17, 32 do
combined_sesskey[#combined_sesskey+1] = string.char( string.byte(srv_sesskey, i) ~ string.byte(cli_sesskey, i) )
end
combined_sesskey = openssl.md5( table.concat(combined_sesskey) )
auth_pass = openssl.encrypt("AES-128-CBC", combined_sesskey, nil, rnd .. pass, true )
auth_pass = stdnse.tohex(auth_pass)
cli_sesskey_enc = stdnse.tohex(cli_sesskey_enc)
return cli_sesskey_enc, auth_pass
end,
--- Performs the relevant encryption needed for the Oracle 11g response
--
-- @param pass containing the Oracle user password
-- @param srv_sesskey_enc containing the encrypted server session key as
-- received from the PreAuth packet
-- @param auth_vrfy_data containing the password salt as received from the
-- PreAuth packet
-- @return cli_sesskey_enc the encrypted client session key
-- @return auth_pass the encrypted Oracle password
Encrypt11g = function( self, pass, srv_sesskey_enc, auth_vrfy_data )
-- This value should really be random, not this static cruft
local rnd = openssl.rand_pseudo_bytes(16)
local cli_sesskey = openssl.rand_pseudo_bytes(40) .. stdnse.fromhex("0808080808080808")
local pw_hash = openssl.sha1(pass .. auth_vrfy_data) .. "\0\0\0\0"
local srv_sesskey = openssl.decrypt( "aes-192-cbc", pw_hash, nil, srv_sesskey_enc )
local auth_password
local cli_sesskey_enc
local data = ""
local combined_sesskey = {}
for i=17, 40 do
combined_sesskey[#combined_sesskey+1] = string.char( string.byte(srv_sesskey, i) ~ string.byte(cli_sesskey, i) )
end
combined_sesskey = table.concat(combined_sesskey)
combined_sesskey = ( openssl.md5( combined_sesskey:sub(1,16) ) .. openssl.md5( combined_sesskey:sub(17) ) ):sub(1, 24)
cli_sesskey_enc = openssl.encrypt( "aes-192-cbc", pw_hash, nil, cli_sesskey )
cli_sesskey_enc = stdnse.tohex(cli_sesskey_enc)
auth_password = openssl.encrypt( "aes-192-cbc", combined_sesskey, nil, rnd .. pass, true )
auth_password = stdnse.tohex(auth_password)
return cli_sesskey_enc, auth_password
end,
}
Helper = {
--- Creates a new Helper instance
--
-- @param host table containing the host table as received by action
-- @param port table containing the port table as received by action
-- @param instance string containing the instance name
-- @return o new instance of Helper
new = function(self, host, port, instance, socket )
local o = {
host = host,
port = port,
socket = socket or nmap.new_socket(),
dbinstance = instance or stdnse.get_script_args('tns.sid') or "orcl"
}
o.socket:set_timeout(30000)
setmetatable(o, self)
self.__index = self
return o
end,
--- Connects and performs protocol negotiation with the Oracle server
--
-- @return true on success, false on failure
-- @return err containing error message when status is false
Connect = function( self )
local SUPPORTED_VERSIONS = {
"IBMPC/WIN_NT64-9.1.0",
"IBMPC/WIN_NT-8.1.0",
"Linuxi386/Linux-2.0.34-8.1.0",
"x86_64/Linux 2.4.xx"
}
local status, data = self.socket:connect( self.host.ip, self.port.number, "tcp" )
local conn, packet, tns
if( not(status) ) then return status, data end
self.comm = Comm:new( self.socket )
status, self.version = self.comm:exchTNSPacket( Packet.Connect:new( self.host.ip, self.port.number, self.dbinstance ) )
if ( not(status) ) then return false, self.version end
if ( self.version ~= ORACLE_VERSION_11G and self.version ~= ORACLE_VERSION_10G ) then
return false, ("Unsupported Oracle Version (%d)"):format(self.version)
end
status = self.comm:exchTNSPacket( Packet.SNS:new( self.version ) )
if ( not(status) ) then return false, "ERROR: Helper.Connect failed" end
status, self.os = self.comm:exchTNSPacket( Packet.ProtoNeg:new( self.version ) )
if ( not(status) ) then
return false, data
end
-- used for testing unsupported versions
self.os = stdnse.get_script_args("tns.forceos") or self.os
status = false
for _, ver in pairs(SUPPORTED_VERSIONS) do
if ( self.os == ver ) then
status = true
break
end
end
if ( not(status) ) then
stdnse.debug2("ERROR: Version %s is not yet supported", self.os)
return false, ("ERROR: Connect to version %s is not yet supported"):format(self.os)
end
if ( self.os:match("IBMPC/WIN_NT") ) then
status = self.comm:sendTNSPacket( Packet.Unknown1:new( self.os ) )
if ( not(status) ) then
return false, "ERROR: Helper.Connect failed"
end
status, data = self.comm:sendTNSPacket( Packet.Unknown2:new( self.os ) )
if ( not(status) ) then return false, data end
status, data = self.comm:recvTNSPacket( Packet.Unknown2:new( ) )
if ( not(status) ) then return false, data end
-- Oracle 10g under Windows needs this additional read, there's
-- probably a better way to detect this by analysing the packets
-- further.
if ( self.version == ORACLE_VERSION_10G ) then
status, data = self.comm:recvTNSPacket( Packet.Unknown2:new( ) )
if ( not(status) ) then return false, data end
end
elseif ( "x86_64/Linux 2.4.xx" == self.os ) then
status = self.comm:sendTNSPacket( Packet.Unknown1:new( self.os ) )
if ( not(status) ) then
return false, "ERROR: Helper.Connect failed"
end
status = self.comm:sendTNSPacket( Packet.Unknown2:new( self.os ) )
if ( not(status) ) then
return false, "ERROR: Helper.Connect failed"
end
status, data = self.comm:recvTNSPacket( Packet.Unknown2:new( ) )
if ( not(status) ) then
return false, data
end
else
status = self.comm:exchTNSPacket( Packet.Unknown1:new( self.os ) )
if ( not(status) ) then
return false, "ERROR: Helper.Connect failed"
end
end
return true
end,
--- Sends a command to the TNS lsnr
-- It currently accepts and tries to send all commands received
--
-- @param cmd string containing the command to send to the server
-- @return data string containing the result received from the server
lsnrCtl = function( self, cmd )
local status, data = self.socket:connect( self.host.ip, self.port.number, "tcp" )
local conn, packet, tns, pkt
if( not(status) ) then
return status, data
end
self.comm = Comm:new( self.socket )
pkt = Packet.Connect:new( self.host.ip, self.port.number, self.dbinstance )
pkt:setCmd(cmd)
if ( not(self.comm:exchTNSPacket( pkt )) ) then
return false, self.version
end
data = {}
repeat
status, tns = self.comm:recvTNSPacket()
if ( not(status) ) then
self:Close()
return status, tns
end
local flags = string.unpack(">I2", tns.data )
data[#data+1] = tns.data:sub(3)
until ( flags ~= 0 )
self:Close()
return true, table.concat(data)
end,
--- Authenticates to the database
--
-- @param user containing the Oracle user name
-- @param pass containing the Oracle user password
-- @return true on success, false on failure
-- @return err containing error message when status is false
Login = function( self, user, password )
local data, packet, status, tns, parser
local sesskey_enc, auth_pass, auth
local auth_options = AuthOptions:new()
status, auth = self.comm:exchTNSPacket( Packet.PreAuth:new( user, auth_options, self.os ) )
if ( not(status) ) then
return false, auth
end
-- Check what version of the DB to authenticate against AND verify whether
-- case sensitive login is enabled or not. In case-sensitive mode the salt
-- is longer, so we check the length of auth["AUTH_VFR_DATA"]
if ( self.version == ORACLE_VERSION_11G and #auth["AUTH_VFR_DATA"] > 2 ) then
sesskey_enc, auth_pass = Crypt:Encrypt11g( password, stdnse.fromhex(auth["AUTH_SESSKEY"]), stdnse.fromhex(auth["AUTH_VFR_DATA"]) )
else
sesskey_enc, auth_pass = Crypt:Encrypt10g( user, password, stdnse.fromhex(auth["AUTH_SESSKEY"]) )
end
status, data = self.comm:exchTNSPacket( Packet.Auth:new( user, auth_options, sesskey_enc, auth_pass, self.os ) )
if ( not(status) ) then return false, data end
self.auth_session = data["AUTH_SESSION_ID"]
return true
end,
--- Steal auth data from database
-- @param user containing the Oracle user name
-- @param pass containing the Oracle user password
-- @return true on success, false on failure
-- @return err containing error message when status is false
StealthLogin = function( self, user, password )
local data, packet, status, tns, parser
local sesskey_enc, auth_pass, auth
local auth_options = AuthOptions:new()
status, auth = self.comm:exchTNSPacket( Packet.PreAuth:new( user, auth_options, self.os ) )
if ( not(status) ) then
return false, auth
elseif ( auth["AUTH_SESSKEY"] ) then
return true, auth
else
return false
end
end,
--- Queries the database
--
-- @param query string containing the SQL query
-- @return true on success, false on failure
-- @return result table containing fields
-- <code>rows</code>
-- <code>columns</code>
-- @return err containing error message when status is false
Query = function(self, query)
local SUPPORTED_VERSIONS = {
"IBMPC/WIN_NT-8.1.0",
}
local status = false
for _, ver in pairs(SUPPORTED_VERSIONS) do
if ( self.os == ver ) then
status = true
break
end
end
if ( not(status) ) then
stdnse.debug2("ERROR: Version %s is not yet supported", self.os)
return false, ("ERROR: Querying version %s is not yet supported"):format(self.os)
end
if ( not(query) ) then return false, "No query was supplied by user" end
local data
status, data = self.comm:exchTNSPacket( Packet.PostLogin:new(self.auth_session) )
if ( not(status) ) then
return false, "ERROR: Postlogin packet failed"
end
local status, result = self.comm:exchTNSPacket( Packet.Query:new(query) )
if ( not(status) ) then return false, result end
if ( not(result.moredata) ) then return true, result.data end
result = result.data
repeat
status, data = self.comm:exchTNSPacket( Packet.QueryResponseAck:new(result) )
until(not(status) or data:match(".*ORA%-01403: no data found\n$"))
return true, result
end,
--- Ends the Oracle communication
Close = function( self )
-- We should probably stick some slick sqlplus termination stuff in here
local status = self.comm:sendTNSPacket( Packet.EOF:new( ) )
self.socket:close()
end,
}
return _ENV;
Reference in New Issue View Git Blame Copy Permalink