Multithreaded Padding Oracle Attack on Oracle OAM (CVE-2018-2879)
OAMBuster

Authors

Red Timmy (Marco Ortisi, Stefan Broeder, Ahmad Mahfouz)

Description

This multithreaded exploit was developed to greatly increase the speed of the attack compared to the single-threaded version. For more information about the technical details of the attack, see this blog post by SEC Consult:

https://sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

Screenshot of OAMBuster

The first two stages will quickly verify whether the website is vulnerable to the attack. Stage 3 will launch the multithreaded Padding Oracle attack.
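Seen from the server side, stage 3 leaves a recognisable trace. The sketch below is an added example, not part of OAMBuster or of this README: it flags a source that sends many ciphertexts sharing one final block while the preceding bytes change and almost every request fails, which is the general CBC padding oracle request pattern. The record layout, the 16-byte block size, the thresholds and the function names are assumptions.

```python
import base64
from collections import defaultdict

BLOCK = 16              # assumption: cipher block size in bytes
MIN_VARIANTS = 64       # assumption: distinct probes sharing one final block
MIN_ERROR_RATIO = 0.9   # assumption: share of those requests that failed

def detect_padding_oracle_probing(records, block=BLOCK,
                                  min_variants=MIN_VARIANTS,
                                  min_error_ratio=MIN_ERROR_RATIO):
    """records: iterable of (source, base64_ciphertext, is_error) tuples.
    Returns sorted (source, final_block_hex, variants, error_ratio) findings."""
    groups = defaultdict(lambda: {"variants": set(), "errors": 0, "total": 0})
    for source, b64_value, is_error in records:
        try:
            raw = base64.b64decode(b64_value, validate=True)
        except ValueError:          # not valid base64: nothing to group on
            continue
        if len(raw) < 2 * block or len(raw) % block:
            continue                # need at least two whole blocks
        group = groups[(source, raw[-block:])]
        group["variants"].add(raw[:-block])
        group["total"] += 1
        group["errors"] += bool(is_error)
    findings = []
    for (source, final_block), group in groups.items():
        ratio = group["errors"] / group["total"]
        if len(group["variants"]) >= min_variants and ratio >= min_error_ratio:
            findings.append((source, final_block.hex(),
                             len(group["variants"]), round(ratio, 3)))
    return sorted(findings)

def build_sample():
    """Constructed log records (not real traffic): one noisy source, 20 normal ones."""
    records = []
    fixed_final = bytes(range(16))
    for guess in range(256):        # same final block, preceding block varies
        blob = bytes(15) + bytes([guess]) + fixed_final
        records.append(("203.0.113.7", base64.b64encode(blob).decode(), guess != 0x41))
    for i in range(20):             # unrelated users, unrelated ciphertexts
        blob = bytes([i + 1]) * 32
        records.append((f"198.51.100.{i}", base64.b64encode(blob).decode(), False))
    return records

if __name__ == "__main__":
    for finding in detect_padding_oracle_probing(build_sample()):
        print(finding)
```

Because the tool is multithreaded, the same grouping over a short time window would also show an unusually high request rate from the flagged source.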

More information

Please adjust the valid_padding() function to catch the error that is returned from a padding failure in your environment.

For more information about the exploit and our trainings on advanced Java attacks, see RedTimmy.com
