/* Dreatica-FXP crew
 *
 * ----------------------------------------
 * Target : ESRI ArcSDE 9.0 - 9.2sp1
 * Site : http://www.esri.com
 * Found by : iDefense, http://labs.idefense.com/intelligence/vulnerabilities/
 * ----------------------------------------
 * Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow exploit
 * Exploit date : 26.06.2007
 * Exploit writer : Heretic2 (heretic2x@gmail.com)
 * OS : Windows ALL
 * Crew : Dreatica-FXP
 * ----------------------------------------
 * Info : Trivially exploitable stack overflow vulnerability: if we send more than 516 bytes to
 * the server, we can overwrite EIP. After EIP gets overwritten we can see that ESP
 * points to the bytes of the buffer immediately following EIP, so we simply write the shellcode at byte 520.
 * The server accepts any kind of buffer, even one containing 0x00 bytes, so have fun!
 * To use the universal RETs you need to find the ArcSDE version (this is not a trivial job :P)
 *
 * It seems that earlier versions are also vulnerable. To protect the server against this
 * vulnerability you need to install ArcSDE 9.2sp2.
 * ----------------------------------------
 * Compiling :
 * To compile this exploit you need:
 * 1. Windows C/C++ compiler
 * 2. WinSock 2
 * ----------------------------------------
 * Thanks to :
 * 1. iDefense ( http://labs.idefense.com/intelligence/vulnerabilities/ )
 * 2. The Metasploit project ( http://metasploit.com )
 * 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
 * 4. anghell at Dreatica-FXP ( )
 * 5. Dreatica-FXP crew ( http://www.dreatica.cl )
 * ---