GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
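class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Service parameter block (SPB) tags. The SPB user-name and password tags
  # reuse the DPB values isc_dpb_user_name (28) and isc_dpb_password (29);
  # the version tag is isc_spb_current_version (2).
  ISC_SPB_VERSION = 2
  ISC_SPB_USER_NAME = 28
  ISC_SPB_PASSWORD = 29

  # Service information items requested with isc_service_query.
  ISC_INFO_SVC_VERSION = 54         # version of the services manager
  ISC_INFO_SVC_SERVER_VERSION = 55  # version of the InterBase server
  ISC_INFO_SVC_IMPLEMENTATION = 56  # implementation of the InterBase server

  # Wire protocol operation codes.
  OP_SERVICE_ATTACH = 82
  OP_SERVICE_INFO = 84

  # Name of the services manager pseudo-service that is attached to.
  SERVICE_NAME = 'service_mgr'.freeze

  # Response buffer size requested from the server.
  RESPONSE_BUFFER_LENGTH = 64

  # Bytes skipped at the start of the isc_service_query response before the
  # version strings begin (matches the original 'x28' unpack template).
  RESPONSE_HEADER_LENGTH = 28

  # Each SPB value is preceded by a one-byte length field, so a credential
  # longer than this cannot be encoded.
  MAX_SPB_VALUE_LENGTH = 255

  def initialize
    super(
      'Name' => 'Borland InterBase Services Manager Information',
      'Description' => %q{
        This module retrieves version of the services manager, version
        and implementation of the InterBase server from InterBase
        Services Manager.
      },
      'Author' => [
        'Ramon de C Valle',
        'Adriano Lima <adriano[at]risesecurity.org>',
      ],
      'License' => MSF_LICENSE
    )

    # The defaults are the credentials the original module hard-coded;
    # exposing them as options lets the scanner be used against servers
    # whose SYSDBA password has been changed.
    register_options(
      [
        Opt::RPORT(3050),
        OptString.new('USERNAME', [true, 'User name for the services manager', 'SYSDBA']),
        OptString.new('PASSWORD', [true, 'Password for the services manager', 'masterkey'])
      ]
    )
  end

  # Build the service parameter block (SPB) sent with isc_service_attach.
  #
  # Layout: version tag, version, then a (tag, one-byte length, bytes) triple
  # for the user name and another for the password.
  #
  # @param user [String] user name (defaults to the USERNAME option)
  # @param pass [String] password (defaults to the PASSWORD option)
  # @return [String] binary SPB
  # @raise [ArgumentError] if a credential exceeds MAX_SPB_VALUE_LENGTH bytes
  def spb_create(user = datastore['USERNAME'], pass = datastore['PASSWORD'])
    user = user.to_s
    pass = pass.to_s
    [user, pass].each do |value|
      next if value.bytesize <= MAX_SPB_VALUE_LENGTH

      raise ArgumentError, "SPB value must be at most #{MAX_SPB_VALUE_LENGTH} bytes"
    end

    spb = [ISC_SPB_VERSION, ISC_SPB_VERSION].pack('CC')
    spb << spb_item(ISC_SPB_USER_NAME, user)
    spb << spb_item(ISC_SPB_PASSWORD, pass)
    spb
  end

  # Build the list of information items requested with isc_service_query.
  #
  # @return [String] one tag byte per item: services manager version,
  #   server version, server implementation
  def recv_spb_create
    [ISC_INFO_SVC_VERSION, ISC_INFO_SVC_SERVER_VERSION, ISC_INFO_SVC_IMPLEMENTATION].pack('C*')
  end

  # Number of NUL bytes needed to round +length+ up to a multiple of 4; the
  # wire protocol pads variable-length fields to 32-bit boundaries.
  #
  # @param length [Integer] byte length of the field being padded
  #   (the original default of '' was a String, which has no remainder method)
  # @return [Integer] padding length, 0..3
  def buf_padding(length = 0)
    remainder = length % 4
    remainder.zero? ? 0 : 4 - remainder
  end

  # Query one host's InterBase services manager and report the server
  # version and implementation strings.
  #
  # Protocol reference: "Using the InterBase Services Manager",
  # http://dn.codegear.com/article/27002
  #
  # @param ip [String] host being scanned
  def run_host(ip)
    print_status("Trying #{ip}")

    connect

    # isc_service_attach: the reply carries nothing this module uses, but it
    # is consumed so the query reply is read from a clean stream.
    sock.put(service_attach_request)
    sock.get_once

    # isc_service_query for the three information items.
    sock.put(service_query_request)
    response = sock.get_once || ''

    parsed = parse_query_response(response)
    if parsed.nil?
      print_error("#{ip}:#{rport} - Response too short to contain version information")
      return
    end
    info_svc_server_version, info_svc_implementation = parsed

    print("IP Address: #{ip}\n")
    print("Version of the InterBase server: #{info_svc_server_version}\n")
    print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")

    report_note(
      host: ip,
      sname: 'ib',
      proto: 'tcp',
      port: rport,
      type: 'Version of the InterBase server',
      data: "Version of the InterBase server: #{info_svc_server_version}"
    )

    report_note(
      host: ip,
      sname: 'ib',
      proto: 'tcp',
      port: rport,
      type: 'Implementation of the InterBase server',
      data: "Implementation of the InterBase server: #{info_svc_implementation}"
    )
  rescue ::Rex::ConnectionError, ::Errno::EPIPE, ::EOFError => e
    # Unreachable or closed service; best effort per host, reported only in
    # verbose mode so the scan continues quietly.
    vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
  ensure
    disconnect
  end

  private

  # Encode one SPB item as tag, one-byte length, value bytes.
  def spb_item(tag, value)
    [tag, value.bytesize].pack('CC') + value.b
  end

  # Encode a variable-length field as a 32-bit big-endian length, the bytes
  # themselves and NUL padding to the next 4-byte boundary.
  def padded_field(bytes)
    [bytes.bytesize].pack('N') + bytes.b + ("\x00" * buf_padding(bytes.bytesize))
  end

  # isc_service_attach packet: operation, id, padded service name, padded SPB.
  def service_attach_request
    buf = [OP_SERVICE_ATTACH, 0].pack('NN')
    buf << padded_field(SERVICE_NAME)
    buf << padded_field(spb_create)
    buf
  end

  # isc_service_query packet: operation, id, two words the original left
  # unidentified (always zero), the padded item list and the response buffer
  # size.
  def service_query_request
    buf = [OP_SERVICE_INFO, 0, 0, 0].pack('N4')
    buf << padded_field(recv_spb_create)
    buf << [RESPONSE_BUFFER_LENGTH].pack('N')
    buf
  end

  # Extract the server version and implementation strings from an
  # isc_service_query response.
  #
  # The first RESPONSE_HEADER_LENGTH bytes are skipped and two NUL-terminated
  # strings are read. The original parser dropped two trailing bytes from the
  # version and one from the implementation -- presumably the next item's tag
  # and length bytes picked up by the Z* read; verify against the protocol --
  # and that trimming is kept.
  #
  # @param response [String] raw bytes received from the server
  # @return [Array(String, String), nil] [server_version, implementation], or
  #   nil when the response is shorter than the header (unpack would raise)
  def parse_query_response(response)
    return nil if response.bytesize < RESPONSE_HEADER_LENGTH

    server_version, implementation = response.unpack("x#{RESPONSE_HEADER_LENGTH}Z*Z*")
    return nil if server_version.nil? || implementation.nil?

    [server_version.chop.chop, implementation.chop]
  end
end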