How can I call a SQL Server stored procedure from Oracle and retrieve a scalar return value?

I’m developing a PL/SQL solution in Oracle Database Enterprise Edition 12.1.0.2. I’m calling stored procedures in Microsoft SQL Server 2014.

I am using DG4ODBC with the DBMS_HS_PASSTHROUGH package to call those stored procedures.

For stored procedures that return a tabular result set, I am able to use PARSE, FETCH_ROW, and GET_VALUE to retrieve the values. (My solution uses hard parsing, but it works for the volume we’re expecting. I’m open to tips if you know how I can use binds, but that’s not my question.)

DECLARE    sql_server_cursor_     BINARY_INTEGER;    sql_server_statement_  VARCHAR2(32767);    fetched_value_col1_    whatever_type_from_col1;    fetched_value_col2_    whatever_type_from_col2; BEGIN    sql_server_statement_ := 'EXEC "myDatabase"."dbo"."myProcedure" @p_one = N''' || sanitize__(my_argument_) || ''';';    sql_server_cursor_ := dbms_hs_passthrough.open_cursor@sql_server_link_;    dbms_hs_passthrough.parse@sql_server_link_(sql_server_cursor_, sql_server_statement_);    WHILE dbms_hs_passthrough.fetch_row@sql_server_link_(sql_server_cursor_) > 0    LOOP       dbms_hs_passthrough.get_value@sql_server_link_(sql_server_cursor_,  1, fetched_value_col1_);       dbms_hs_passthrough.get_value@sql_server_link_(sql_server_cursor_,  2, fetched_value_col2_);       dbms_output.put_line('fetched_value_col1_  ' || fetched_value_col1_);       dbms_output.put_line('fetched_value_col2_  ' || fetched_value_col2_);    END LOOP;    dbms_hs_passthrough.close_cursor@sql_server_link_(sql_server_cursor_); END; / 

I have a stored procedure in SQL Server that returns a scalar integer.

DECLARE @return_value int; EXEC @return_value = "myDatabase"."dbo"."myProcedure" @p_one = N'HelloWorld', @p_two = 42; SELECT @return_value; 

From Oracle, how would I call this procedure and retrieve that scalar value?

Problem with return 2 libc in 64 bit arch

Good day guys I want to perform return to libc in 64 bit architecture using execve. I found a gadget with /bin/sh in it (the /bin/sh offset is 18a143):

   cbcd8:       00 00     cbcda:       4c 89 ea                mov    rdx,r13    cbcdd:       4c 89 e6                mov    rsi,r12    cbce0:       48 8d 3d 5c e4 0b 00    lea    rdi,[rip+0xbe45c]        # 18a143 <_libc_intl_domainname@@GLIBC_2.2.5+0x17e>    cbce7:       e8 94 f9 ff ff          call   cb680 <execve@@GLIBC_2.2.5> --    cbd92:       48 85 c0                test   rax,rax 

now I fill the return address (RIP) with (address of libc + 0xcbce0) with this payload:

r $  (python -c 'print "A"*120 + {libc+-xcbce0}') 

. Here are the registers:

RAX: 0xffffffffffffffff  RBX: 0x0  RCX: 0xffffffffffffff80  RDX: 0x0  RSI: 0x555555555060 (<_start>:  xor    ebp,ebp) RDI: 0x7ffff7f79143 --> 0x68732f6e69622f ('/bin/sh') RBP: 0x4141414141414141 ('AAAAAAAA') RSP: 0x0  RIP: 0x7ffff7ebacef (<maybe_script_execute+175>:        mov    rax,QWORD PTR [rbp-0x28]) R8 : 0xffffffff  R9 : 0x8a  R10: 0x7fffffffdfb0 ('A' <repeats 120 times>, "443777") R11: 0x202  R12: 0x555555555060 (<_start>:  xor    ebp,ebp) R13: 0x0  R14: 0x0  R15: 0x0 

and here are tho codes around execve:

 0x7ffff7ebace0 <maybe_script_execute+160>:   lea    rdi,[rip+0xbe45c]        # 0x7ffff7f79143    0x7ffff7ebace7 <maybe_script_execute+167>:   call   0x7ffff7eba680 <execve>    0x7ffff7ebacec <maybe_script_execute+172>:   mov    rsp,rbx  0x7ffff7ebacef <maybe_script_execute+175>:   mov    rax,QWORD PTR [rbp-0x28]    0x7ffff7ebacf3 <maybe_script_execute+179>:   sub    rax,QWORD PTR fs:0x28    0x7ffff7ebacfc <maybe_script_execute+188>:   jne    0x7ffff7ebad4b <maybe_script_execute+267>    0x7ffff7ebacfe <maybe_script_execute+190>:   lea    rsp,[rbp-0x18]    0x7ffff7ebad02 <maybe_script_execute+194>:   pop    rbx 

but it not works and gives Bus Error.Thanks for help.

How does the cache / memory know where to return results of read requests to?

The pipeline of a modern processor has many stages that may issue read requests to main memory, e.g. in fetching the next command or loading some memory location into a register. How is the result of a read request returned to the right pipeline stage, given that there are more than one possible recipients? Since most CPUs access main memory via a cache hierarchy, the question becomes: how does the L1 cache know which part of the pipeline to return a result to?

I imagine that access to the L1 cache is queued, but each access presumably needs a ‘return address’. How is this typically handled?

wc_get_products() not return the images details

When I try to fetch products using the official REST API, returned product contains the a property named images which is an array and contains the URL to image of product. But when I fetch using this method, it fetches other details but not the image.

    $  productsQuery= wc_get_products(array(         'limit' => 10,         'status' => 'publish',     ));     $  products = array();     foreach ($  productsQuery as $  product) {         $  products[] = $  product->get_data();     }     return new WP_REST_Response($  products, 200); 

how can I make this to return the images property as well.

How to make a handaxe return to my hand after being thrown?

I’m playing D&D 5e and my character is a dwarf fighter. He has two throwable handaxes, and I thought it would be really cool if they could come back to me just after throwing them on someone (like Thor do with Mjolnir). That could be either a boomerang-ish move or some magic (enchantment).

Is there a way to make this possible?

I’m just starting the game as a 1st level character and planning for the future.

What happens when a banished creature would return to an extradimensional space that no longer exists?

Consider the following scenarios.

1. Banished from a portable hole, portable hole is destroyed.

A portable hole is described as a ten foot deep, six foot diameter extradimensional space. Suppose I jump into my portable hole after spreading it out on the ground, and I am followed by an enemy. Once we are both inside my portable hole, I cast banishment:

If the target is native to a different plane of existence than the one you’re on, the target is banished with a faint popping noise, returning to its home plane. If the spell ends before 1 minute has passed, the target reappears in the space it left or in the nearest unoccupied space if that space is occupied. Otherwise, the target doesn’t return.

My enemy is banished to its home plane. Next, I climb out of my hole, get a safe distance away, and toss in my bag of holding:

Placing a bag of holding inside an extradimensional space created by a handy haversack, portable hole, or similar item instantly destroys both items and opens a gate to the Astral Plane.

The portable hole is destroyed, and finally I break my concentration on banishment before the full minute has passed.

2. Banished from a rope trick right before the spell ends.

Rope trick says:

an invisible entrance opens to an extradimensional space that lasts until the spell ends. […] Anything inside the extradimensional space drops out when the spell ends.

So I cast rope trick while I’m being chased, and my pursuer pursues me into my little rope trick room, where I am patiently holding banishment. I banish my pursuer, climb out of my rope trick room, and and cast dispel magic on the rope:

Choose one creature, object, or magical effect within range. Any spell of 3rd level or lower on the target ends.

Again, no space to return to as I break my concentration on banishment before the one minute is up.


What happens to the banished creature when banishment ends? Banishment is very specific that the creature returns to the space it left from. Both the actual extradimensional space and the 5 foot square space the creature previously occupied is gone, as well as all nearest unoccupied spaces. What happens?

Overwrite return address in C

It’s about a CTF Challenge. I’m trying to execute a buffer overflow attack on a C program. The code is :

#include<stdio.h> #include<string.h> #include<stdlib.h>  #include <sys/types.h> #include <unistd.h> #include <stdint.h>  int enable_flag() {    printf("yay\n");    fflush(stdout);    setreuid(geteuid(), getuid());    system("chmod 644 flag.txt");    return 0; }  void overflow (void* inbuf, int inbuflen) {    char buf[4];    memcpy(buf, inbuf, inbuflen); }  int main (int argc, char** argv) {    char filebuf[100];    FILE* file = fopen(argv[1], "r");    int bytes = fread(filebuf, sizeof(char), 100, file);    printf("bytes read: %d\n", bytes);    fflush(stdout);    fclose(file);    overflow(filebuf, bytes);    return 0; } 

After running gdb I got :

(gdb) disas main      Dump of assembler code for function main:        0x000000000040123e <+0>: push   %rbp        0x000000000040123f <+1>: mov    %rsp,%rbp        0x0000000000401242 <+4>: add    $  0xffffffffffffff80,%rsp        0x0000000000401246 <+8>: mov    %edi,-0x74(%rbp)        0x0000000000401249 <+11>:    mov    %rsi,-0x80(%rbp)        0x000000000040124d <+15>:    mov    -0x80(%rbp),%rax        0x0000000000401251 <+19>:    add    $  0x8,%rax        0x0000000000401255 <+23>:    mov    (%rax),%rax        0x0000000000401258 <+26>:    lea    0xdbc(%rip),%rsi        # 0x40201b        0x000000000040125f <+33>:    mov    %rax,%rdi        0x0000000000401262 <+36>:    callq  0x4010d0 <fopen@plt>        0x0000000000401267 <+41>:    mov    %rax,-0x8(%rbp)        0x000000000040126b <+45>:    mov    -0x8(%rbp),%rdx        0x000000000040126f <+49>:    lea    -0x70(%rbp),%rax        0x0000000000401273 <+53>:    mov    %rdx,%rcx        0x0000000000401276 <+56>:    mov    $  0x64,%edx        0x000000000040127b <+61>:    mov    $  0x1,%esi        0x0000000000401280 <+66>:    mov    %rax,%rdi        0x0000000000401283 <+69>:    callq  0x401040 <fread@plt>        0x0000000000401288 <+74>:    mov    %eax,-0xc(%rbp)        0x000000000040128b <+77>:    mov    -0xc(%rbp),%eax        0x000000000040128e <+80>:    mov    %eax,%esi        0x0000000000401290 <+82>:    lea    0xd86(%rip),%rdi        # 0x40201d        0x0000000000401297 <+89>:    mov    $  0x0,%eax        0x000000000040129c <+94>:    callq  0x401080 <printf@plt>        0x00000000004012a1 <+99>:    mov    0x2dd8(%rip),%rax        # 0x404080     <stdout@@GLIBC_2.2.5>        0x00000000004012a8 <+106>:   mov    %rax,%rdi        0x00000000004012ab <+109>:   callq  0x4010b0 <fflush@plt>        0x00000000004012b0 <+114>:   mov    -0x8(%rbp),%rax        0x00000000004012b4 <+118>:   mov    %rax,%rdi        0x00000000004012b7 <+121>:   callq  0x401050 <fclose@plt>        0x00000000004012bc <+126>:   mov    -0xc(%rbp),%edx        0x00000000004012bf <+129>:   lea    -0x70(%rbp),%rax        0x00000000004012c3 <+133>:   mov    %edx,%esi        0x00000000004012c5 <+135>:   mov    %rax,%rdi        0x00000000004012c8 <+138>:   callq  0x401213 <overflow>        0x00000000004012cd <+143>:   mov    $  0x0,%eax        0x00000000004012d2 <+148>:   leaveq         0x00000000004012d3 <+149>:   retq        End of assembler dump.(gdb) disas main 

disas overflow gives :

(gdb) disas overflow Dump of assembler code for function overflow:    0x0000000000401213 <+0>: push   %rbp    0x0000000000401214 <+1>: mov    %rsp,%rbp    0x0000000000401217 <+4>: sub    $  0x20,%rsp    0x000000000040121b <+8>: mov    %rdi,-0x18(%rbp)    0x000000000040121f <+12>:    mov    %esi,-0x1c(%rbp)    0x0000000000401222 <+15>:    mov    -0x1c(%rbp),%eax    0x0000000000401225 <+18>:    movslq %eax,%rdx    0x0000000000401228 <+21>:    mov    -0x18(%rbp),%rcx    0x000000000040122c <+25>:    lea    -0x4(%rbp),%rax    0x0000000000401230 <+29>:    mov    %rcx,%rsi    0x0000000000401233 <+32>:    mov    %rax,%rdi    0x0000000000401236 <+35>:    callq  0x4010a0 <memcpy@plt>    0x000000000040123b <+40>:    nop    0x000000000040123c <+41>:    leaveq     0x000000000040123d <+42>:    retq    End of assembler dump. 

and disas enable_flag gives :

Dump of assembler code for function enable_flag:    0x00000000004011c2 <+0>: push   %rbp    0x00000000004011c3 <+1>: mov    %rsp,%rbp    0x00000000004011c6 <+4>: push   %rbx    0x00000000004011c7 <+5>: sub    $  0x8,%rsp    0x00000000004011cb <+9>: lea    0xe32(%rip),%rdi        # 0x402004    0x00000000004011d2 <+16>:    callq  0x401030 <puts@plt>    0x00000000004011d7 <+21>:    mov    0x2ea2(%rip),%rax        # 0x404080 <stdout@@GLIBC_2.2.5>    0x00000000004011de <+28>:    mov    %rax,%rdi    0x00000000004011e1 <+31>:    callq  0x4010b0 <fflush@plt>    0x00000000004011e6 <+36>:    callq  0x401060 <getuid@plt>    0x00000000004011eb <+41>:    mov    %eax,%ebx    0x00000000004011ed <+43>:    callq  0x401090 <geteuid@plt>    0x00000000004011f2 <+48>:    mov    %ebx,%esi    0x00000000004011f4 <+50>:    mov    %eax,%edi    0x00000000004011f6 <+52>:    callq  0x4010c0 <setreuid@plt>    0x00000000004011fb <+57>:    lea    0xe06(%rip),%rdi        # 0x402008    0x0000000000401202 <+64>:    callq  0x401070 <system@plt>    0x0000000000401207 <+69>:    mov    $  0x0,%eax    0x000000000040120c <+74>:    add    $  0x8,%rsp    0x0000000000401210 <+78>:    pop    %rbx    0x0000000000401211 <+79>:    pop    %rbp    0x0000000000401212 <+80>:    retq    End of assembler dump. 

I followed this tutorial Introduction to return oriented programming but I’m getting always segmentation fault

I have tried this:

./rop.o "$  (python3 -c 'print ("A"*0x4 + "BBBB" + "\xc2\x11\x40")')"