Set up BackTrack 5 (BT5) as the attacker and a Windows Server 2003 machine as the target. The target runs Oracle Database 10.2.0.1.0, whose TNS listener service has the vulnerability numbered CVE-2009-1979.

BT5: IP 10.10.10.128
Win2003: IP 10.10.10.130

The walkthrough follows.

I found some introductions to this vulnerability online, and Metasploit has a module that exploits it. First, search for the module: [screenshot missing]. Go to the module's directory and read its source; in the target list you can see that the overflow uses a pop/pop/ret (P/P/R) handler and that different versions need different values of the return-address variable ret.

Enter Metasploit, select the exploit module and a payload, and configure the parameters: [configuration screenshot missing]. Run the exploit command. No shell came back, so I suspected a problem with the system version; I ran it many more times and it still returned nothing.

My first suspicion was that the return address was wrong, so on the target I attached OllyDbg to the ORACLE.EXE process. From the module source, ret is 0x011b0528 and should correspond to a P/P/R sequence. Locating that address in the target showed nothing wrong, so that was not the fault.

With no other idea I went back to the book and followed its approach. Reading the module source again, these lines gave a clue: [screenshot missing]. The packet uses AUTH_SESSKEY as a field name, which means the Oracle program must use that identifier. Back in OllyDbg, list all text strings and search for auth_sesskey; there are three hits, and following each one shows they all call the same function. Screenshot: [missing]. Tracing into that function leads here: [screenshot missing]. Set a breakpoint at 60fd99ac, press F9 to let the program run, then launch the exploit command from BT5 again. The program breaks at the breakpoint.

Press Ctrl+F9 to return to 01010ebd, where call_02610928 is called; from the book I know this is _intel_fast_memcpy. Stepping in with F7, the call's parameters are visible on the stack:

Address    Value      Comment
0673d040   0673da96   destination address
0673d044   04AB99A4   source address
0673d048   000001a7   copy length

Next look at the SEH chain:

Address    Value      Comment
0673dc40   0673de64   pointer to next SEH record
0673dc44   0261348C   SEH handler

Copying 0x1a7 bytes to destination address 0673da96 ends at 0x0673dc3d, which does not reach the start of the SEH record at 0x0673dc40. So the truth is that the original overflow string is simply not long enough!

In the memory view, locate the string at source address 04ab99a4 and find the return address 0x011b0528 identified at the beginning; it sits at 0x04ab9b42. Now compute the offsets:

Return address relative to the source address: 0x04ab9b42 - 0x04ab99a4 = 0x19e
SEH handler relative to the destination address: 0x0673dc44 - 0x0673da96 = 0x1ae

Therefore 0x10 more filler bytes are needed. Locate the code in the module that builds the overflow string: [screenshot missing]. Modify it to: [screenshot missing]. Every string that must be lengthened to reach the overwrite gets +0x10. This also shifts the stack offset of the payload and of the jump instruction, so the jmp distance must be changed as well: because of the jmp 0x10 plus the 0x10 added in front, the total increase is +0x20. This is stated only briefly; readers who do not follow it can search Baidu for the principle of SEH-overwrite attacks. I will not go into detail, as it is too cumbersome and I do not understand it very well myself.

Restart the Oracle service and test again from BT5 with the rexploit command. Result: success.
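As an added defensive illustration that is not part of the original walkthrough or of the Metasploit module: a small checker that flags AUTH_SESSKEY fields far longer than a normal session key, the condition the overflow above depends on. The field encoding used here is a constructed, simplified layout (name, NUL, 2-byte length, value), not the real TNS wire format, and the 0x100-byte threshold is an assumption.

```python
import struct

# Constructed, simplified encoding for this example only: each authentication
# field is an ASCII name, a NUL byte, a 2-byte big-endian value length, then
# the value bytes. Real Oracle TNS packets encode these fields differently; a
# capture tool would have to decode the genuine format before this check.

# Assumption: a session key longer than this is suspect. The crash case above
# copied 0x1a7 bytes, far more than a normal key.
SESSKEY_MAX_LEN = 0x100


def parse_auth_fields(payload: bytes):
    """Decode (name, value) pairs from the constructed layout."""
    fields = []
    pos = 0
    while pos < len(payload):
        end = payload.find(b"\x00", pos)
        if end < 0 or end + 3 > len(payload):
            raise ValueError("truncated field header")
        name = payload[pos:end].decode("ascii")
        (length,) = struct.unpack(">H", payload[end + 1:end + 3])
        value = payload[end + 3:end + 3 + length]
        if len(value) != length:
            raise ValueError("truncated field value")
        fields.append((name, value))
        pos = end + 3 + length
    return fields


def oversized_sesskey_fields(payload: bytes, limit: int = SESSKEY_MAX_LEN):
    """Return (name, length) for every AUTH_SESSKEY field longer than limit."""
    return [(name, len(value)) for name, value in parse_auth_fields(payload)
            if name.upper() == "AUTH_SESSKEY" and len(value) > limit]


def encode_field(name: str, value: bytes) -> bytes:
    """Build one field in the constructed layout (used to make sample data)."""
    return name.encode("ascii") + b"\x00" + struct.pack(">H", len(value)) + value


# Constructed samples: a benign login and one carrying a 0x1a7-byte key.
BENIGN = encode_field("AUTH_TERMINAL", b"pts/0") + encode_field("AUTH_SESSKEY", b"A" * 32)
SUSPECT = encode_field("AUTH_TERMINAL", b"pts/0") + encode_field("AUTH_SESSKEY", b"A" * 0x1a7)

if __name__ == "__main__":
    print("benign:", oversized_sesskey_fields(BENIGN))    # []
    print("suspect:", oversized_sesskey_fields(SUSPECT))  # [('AUTH_SESSKEY', 423)]
```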
Source: Metasploit Penetration Testing Devil Training Camp, target machine walkthrough, Chapter 5 practical case: Oracle database.