This PoC works with at least these Listeners:
11.1.0.6.0 win32
10.2.0.4 win32
10.1.0.5 win32
It makes Listener crashing and require relatively fast network. On other side, server's heavy load may be very helpful environment for this.
Basically, all what it do, is just sending these two TNS commands to host, in eternal loop:
(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2))
and
(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2)(HANDOFF=OFF))
Probably, it is not a matter of service_register command parameters, but parameters set should be slightly different.
Use hostname or IP-address of victim host as argument in command-line and run.
If I'm correct (I may not) this problem is related to nsdisc() function in network layer. Listener closes connection using this function. It frees some memory, but the same chunk of memory is used again for next connection.
Download source code + win32 executable.
→ [list of blog posts] Please drop me email about bug(s) and/or suggestion(s): my emails.