Metasploit mailing list archives

Re: [enhancement+question] Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow

From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Wed, 11 Jan 2012 16:48:51 -0600

On Wed, Jan 11, 2012 at 08:55:29AM +0100, Lukas Kuzmiak wrote:

> After reviewing the exploit I discovered there's a hardcoded SID, ORCL;
> however, this may not exist on every Oracle system, so here's a tiny patch
> to turn it into an option.
> Can someone merge it, please (if considered useful)?

Thanks again for your patch. Much of that exploit is hardcoded.

> However, even after disabling DEP, the exploit never finishes as it's supposed
> to - after the call to kpoauth, oracle.exe just ends up crashing like:
>
> Access violation when reading [644B566A]

> I haven't yet managed to look into this, but I'm going to - keeping this
> bug in mind: http://dev.metasploit.com/redmine/issues/812

I'm guessing this is due to slight version mismatch with what the
exploit was developed against. If you can create a target for your
version we'd be happy to add it to the exploit.

> I wanted to ask if there's some more generic way to bypass DEP in
> Metasploit already, or if there's a recommended approach. I'd like to try
> implementing it in the module once I dig into it while debugging the
> issue mentioned above.

As far as I know, there still is not any generic DEP implementation
within the framework. It's sort of an odd cat to skin. That is, it
doesn't necessarily fit well in any specific place within the framework's
design... Hopefully before too long something will happen and we'll
get something in =)

-- 
Joshua J. Drake
