GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
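class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Bytes skipped at the front of the op_service_info reply before the
  # version strings are read (the original parse was unpack('x28Z*Z*')).
  # A reply shorter than this cannot be parsed and is treated as a failure.
  INFO_REPLY_HEADER_LENGTH = 28

  # Every SPB entry stores its value length in a single byte.
  SPB_MAX_VALUE_LENGTH = 255

  # Size of the reply buffer requested from the server. Longer version or
  # implementation strings are presumably cut off by the server — TODO confirm.
  RESPONSE_BUFFER_LENGTH = 64

  def initialize
    super(
      'Name' => 'Borland InterBase Services Manager Information',
      'Description' => %q{
        This module retrieves version of the services manager, version
        and implementation of the InterBase server from InterBase
        Services Manager. It authenticates to service_mgr with USERNAME
        and PASSWORD, which default to the InterBase factory credentials
        SYSDBA/masterkey. The password is transmitted in plaintext inside
        the service parameter block.
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(3050),
        # Previously hard-coded; the defaults keep the original behaviour.
        OptString.new('USERNAME', [true, 'Services Manager user name', 'SYSDBA']),
        OptString.new('PASSWORD', [false, 'Services Manager password', 'masterkey'])
      ],
      self.class
    )
  end

  # Build the service parameter block (SPB) sent with isc_service_attach.
  #
  # Layout: isc_spb_version, isc_spb_current_version, then one
  # <tag><len><value> entry each for the user name and the password. The
  # length field is one byte, so +user+ and +pass+ must each fit in
  # SPB_MAX_VALUE_LENGTH bytes (enforced by #run_host). The password is
  # embedded as plaintext.
  #
  # @param user [String] services manager user name (defaults to USERNAME)
  # @param pass [String] services manager password (defaults to PASSWORD)
  # @return [String] raw SPB bytes
  def spb_create(user = datastore['USERNAME'].to_s, pass = datastore['PASSWORD'].to_s)
    # The SPB user/password tags alias the DPB tag values 28 and 29.
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_spb_user_name = isc_dpb_user_name
    isc_spb_password = isc_dpb_password

    isc_spb_current_version = 2
    isc_spb_version = isc_spb_current_version

    spb = ''
    spb << [isc_spb_version, isc_spb_current_version].pack('CC')
    # Byte lengths (not character counts) go on the wire.
    spb << [isc_spb_user_name, user.bytesize].pack('CC') << user
    spb << [isc_spb_password, pass.bytesize].pack('CC') << pass
    spb
  end

  # Build the receive-item list for isc_service_query: the info tags whose
  # values the server is asked to return.
  #
  # @return [String] one byte per requested tag
  def recv_spb_create
    items = [
      54, # isc_info_svc_version        - version of the services manager
      55, # isc_info_svc_server_version - version of the InterBase server
      56  # isc_info_svc_implementation - implementation of the InterBase server
    ]
    items.pack('C*')
  end

  # Number of NUL bytes needed to align +length+ bytes to a 4-byte boundary.
  #
  # The previous default argument was '' which raised NoMethodError on
  # #remainder; an Integer default is used instead.
  #
  # @param length [Integer] payload length in bytes, non-negative
  # @return [Integer] padding in the range 0..3
  def buf_padding(length = 0)
    (4 - (length % 4)) % 4
  end

  # Build the op_service_attach packet that opens a handle on service_mgr.
  # The service name and the SPB are each NUL-padded to a 4-byte boundary.
  #
  # @param spb [String] service parameter block from #spb_create
  # @return [String] raw packet bytes
  def service_attach_packet(spb)
    svc_name = 'service_mgr'
    op_service_attach = 82

    buf = ''
    buf << [op_service_attach].pack('N')    # operation/packet type
    buf << [0].pack('N')                    # id
    buf << [svc_name.bytesize].pack('N')    # service name length
    buf << svc_name
    buf << "\x00" * buf_padding(svc_name.bytesize)
    buf << [spb.bytesize].pack('N')         # SPB length
    buf << spb
    buf << "\x00" * buf_padding(spb.bytesize)
    buf
  end

  # Build the op_service_info packet that requests the items listed by
  # #recv_spb_create and a RESPONSE_BUFFER_LENGTH-byte reply buffer.
  # The two zero words following the id were unexplained in the original
  # module and are kept as-is.
  #
  # @return [String] raw packet bytes
  def service_info_packet
    op_service_info = 84
    recv_spb = recv_spb_create

    buf = ''
    buf << [op_service_info, 0, 0, 0].pack('N4')   # operation, id, ?, ?
    buf << [recv_spb.bytesize].pack('N')           # receive buffer length
    buf << recv_spb
    buf << "\x00" * buf_padding(recv_spb.bytesize)
    buf << [RESPONSE_BUFFER_LENGTH].pack('N')      # response buffer length
    buf
  end

  # Attach to service_mgr with the configured credentials, query the
  # version items and report them as notes.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  def run_host(ip)
    #
    # Using the InterBase Services Manager
    # http://dn.codegear.com/article/27002
    #
    user = datastore['USERNAME'].to_s
    pass = datastore['PASSWORD'].to_s

    # SPB entries carry a one-byte length; refuse values that cannot be
    # encoded instead of sending a truncated length on the wire.
    if user.bytesize > SPB_MAX_VALUE_LENGTH || pass.bytesize > SPB_MAX_VALUE_LENGTH
      print_error("USERNAME and PASSWORD must each be at most #{SPB_MAX_VALUE_LENGTH} bytes")
      return
    end

    begin
      print_status("Trying #{ip}")

      connect

      # isc_service_attach
      sock.put(service_attach_packet(spb_create(user, pass)))
      attach_response = sock.get_once || ''
      vprint_status("#{ip}:#{rport} - No reply to service attach") if attach_response.empty?

      # isc_service_query
      sock.put(service_info_packet)
      response = sock.get_once || ''

      # The original parse raised ArgumentError ('x outside of string') on
      # a short reply, which is what an error response or a non-InterBase
      # listener produces; bail out cleanly instead.
      if response.bytesize < INFO_REPLY_HEADER_LENGTH
        vprint_error("#{ip}:#{rport} - Reply too short (#{response.bytesize} bytes); the attach may have been refused (wrong credentials?)")
        return
      end

      server_version, implementation = response.unpack("x#{INFO_REPLY_HEADER_LENGTH}Z*Z*")

      # The original parse dropped the last two bytes of the first string and
      # the last byte of the second (presumably trailing tag/length bytes
      # picked up by Z*); preserved as-is — TODO confirm against the protocol.
      info_svc_server_version = server_version.chop.chop
      info_svc_implementation = implementation.chop

      if info_svc_server_version.empty? && info_svc_implementation.empty?
        vprint_error("#{ip}:#{rport} - Reply did not contain version information")
        return
      end

      print("IP Address: #{ip}\n")
      # print("Version of the services manager: #{info_svc_version}\n")
      print("Version of the InterBase server: #{info_svc_server_version}\n")
      print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")

      report_version_note(ip, 'Version of the InterBase server', info_svc_server_version)
      report_version_note(ip, 'Implementation of the InterBase server', info_svc_implementation)
    rescue ::Rex::ConnectionError => e
      vprint_error("#{ip}:#{rport} - Connection failed: #{e.message}")
    rescue ::Errno::EPIPE, ::Errno::ECONNRESET, ::EOFError
      vprint_error("#{ip}:#{rport} - Connection closed by peer")
    ensure
      # The original left the socket open on every path.
      disconnect
    end
  end

  # Record one "<label>: <value>" note for +ip+ on the 'ib' service.
  #
  # @param ip [String] target address
  # @param label [String] note type and prefix of the note data
  # @param value [String] value retrieved from the server
  def report_version_note(ip, label, value)
    report_note(
      :host => ip,
      :sname => 'ib',
      :proto => 'tcp',
      :port => rport,
      :type => label,
      :data => "#{label}: #{value}"
    )
  end
end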