24-Jul-2009: CVE-2009-1970 PoC (CPUjul2009)
source link: https://yurichev.com/blog/26/
This PoC works with at least these Listeners:
11.1.0.6.0 win32
10.2.0.4 win32
10.1.0.5 win32
It crashes the Listener and requires a relatively fast network. On the other hand, heavy load on the server makes it work much more reliably.
Basically, all it does is send these two TNS commands to the host in an endless loop:
(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2))
(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2)(HANDOFF=OFF))
Probably it is not a matter of the service_register command parameters themselves, but the two parameter sets should be slightly different.
Use the hostname or IP address of the victim host as the command-line argument and run it.
If I'm correct (I may not be), this problem is related to the nsdisc() function in the network layer. The Listener closes the connection using this function. It frees some memory, but the same memory chunk is used again for the next connection.
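As a defender-side addition (not part of the original post or its PoC), the following Python parses CONNECT_DATA strings like the two quoted above and flags a source that floods service_register commands, which is what a listener-side capture of this PoC would look like. The sample events, source IPs, timestamps and the threshold are constructed for the example; only the two CONNECT_DATA strings come from the post.

```python
import collections

# Constructed sample traffic: (timestamp, source IP, CONNECT_DATA string).
# The two CONNECT_DATA strings are the ones quoted in the post; the IPs,
# timestamps and the benign connect request are made up for this example.
REG_A = "(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2))"
REG_B = "(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2)(HANDOFF=OFF))"
SAMPLE_EVENTS = [(0.01 * i, "10.0.0.99", REG_A if i % 2 == 0 else REG_B) for i in range(40)]
SAMPLE_EVENTS.append((0.5, "10.0.0.5", "(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)))"))

def parse_tns(text):
    """Parse a TNS keyword/value string such as (A=(B=1)(C=2)) into nested dicts."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        eq = text.index("=", pos)
        key, pos = text[pos:eq], eq + 1
        if text[pos] == "(":                       # value is a nested list of pairs
            value = {}
            while text[pos] == "(":
                k, v = node()
                value[k] = v
        else:                                      # scalar value runs up to ')'
            end = text.index(")", pos)
            value, pos = text[pos:end], end
        pos += 1                                   # consume the closing ')'
        return key, value
    key, value = node()
    return {key: value}

def is_service_register(connect_data):
    """True if the CONNECT_DATA carries a service_register command."""
    cd = parse_tns(connect_data).get("CONNECT_DATA", {})
    return isinstance(cd, dict) and cd.get("COMMAND") == "service_register"

def flag_registration_floods(events, window=1.0, threshold=10):
    """Return {src: peak count} for sources sending more than `threshold`
    service_register commands inside any `window`-second interval."""
    recent = collections.defaultdict(collections.deque)
    peaks = {}
    for ts, src, cd in sorted(events):
        if not is_service_register(cd):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```

A single legitimate instance registers rarely, so a high-rate stream of service_register commands from one source, or one whose ADDRESS HOST is not a known database host, is worth alerting on.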
Download source code + win32 executable.