CoCalc -- ib_service_mgr

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb
¹⁹⁶¹² views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8

9
  # Scanner mixin should be near last
10
  include Msf::Auxiliary::Scanner
11
  include Msf::Auxiliary::Report
12

13
  def initialize
14
    super(
15
      'Name'	=> 'Borland InterBase Services Manager Information',
16
      'Description'	=> %q{
17
        This module retrieves version of the services manager, version
18
        and implementation of the InterBase server from InterBase
19
        Services Manager.
20
      },
21
      'Author' => [
22
        'Ramon de C Valle',
23
        'Adriano Lima <adriano[at]risesecurity.org>',
24
      ],
25
      'License'	=> MSF_LICENSE
26
    )
27

28
    register_options(
29
      [
30
        Opt::RPORT(3050)
31
      ],
32
      self.class
33
    )
34
  end
35

36
  # Create service parameter block
37
  def spb_create
38
    isc_dpb_user_name = 28
39
    isc_dpb_password = 29
40

41
    isc_spb_user_name = isc_dpb_user_name
42
    isc_spb_password = isc_dpb_password
43

44
    isc_spb_current_version = 2
45
    isc_spb_version = isc_spb_current_version
46

47
    user = 'SYSDBA'
48
    pass = 'masterkey'
49

50
    spb = ''
51

52
    spb << [isc_spb_version].pack('c')
53
    spb << [isc_spb_current_version].pack('c')
54

55
    spb << [isc_spb_user_name].pack('c')
56
    spb << [user.length].pack('c')
57
    spb << user
58

59
    spb << [isc_spb_password].pack('c')
60
    spb << [pass.length].pack('c')
61
    spb << pass
62

63
    spb
64
  end
65

66
  # Create receive buffer
67
  def recv_spb_create
68
    # Retrieves the version of the services manager
69
    isc_info_svc_version = 54
70

71
    # Retrieves the version of the InterBase server
72
    isc_info_svc_server_version = 55
73

74
    # Retrieves the implementation of the InterBase server
75
    isc_info_svc_implementation = 56
76

77
    recv_spb = ''
78

79
    recv_spb << [isc_info_svc_version].pack('c')
80
    recv_spb << [isc_info_svc_server_version].pack('c')
81
    recv_spb << [isc_info_svc_implementation].pack('c')
82

83
    recv_spb
84
  end
85

86
  # Calculate buffer padding
87
  def buf_padding(length = '')
88
    remainder = length.remainder(4)
89
    padding = 0
90

91
    if remainder > 0
92
      padding = (4 - remainder)
93
    end
94

95
    padding
96
  end
97

98
  def run_host(ip)
99
    #
100
    # Using the InterBase Services Manager
101
    # http://dn.codegear.com/article/27002
102
    #
103

104
    begin
105
      print_status("Trying #{ip}")
106

107
      connect
108

109
      # isc_service_attach
110

111
      # Service name
112
      svc_name = 'service_mgr'
113

114
      # Service attach
115
      op_service_attach = 82
116

117
      buf = ''
118

119
      # Operation/packet type
120
      buf << [op_service_attach].pack('N')
121

122
      # Id
123
      buf << [0].pack('N')
124

125
      # Length
126
      buf << [svc_name.length].pack('N')
127

128
      # Service name
129
      buf << svc_name
130

131
      # Padding
132
      buf << "\x00" * buf_padding(svc_name.length)
133

134
      # Create service parameter block
135
      spb = spb_create
136

137
      # Service parameter block length
138
      buf << [spb.length].pack('N')
139

140
      # Service parameter block
141
      buf << spb
142

143
      # Padding
144
      buf << "\x00" * buf_padding(spb.length)
145

146
      sock.put(buf)
147

148
      response = sock.get_once || ''
149

150
      # print(Rex::Text.to_hex_dump(response))
151

152
      # isc_service_query
153

154
      # Response buffer length
155
      response_buffer_length = 64
156

157
      # Service info
158
      op_service_info = 84
159

160
      buf = ''
161

162
      # Operation/packet type
163
      buf << [op_service_info].pack('N')
164

165
      # Id
166
      buf << [0].pack('N')
167

168
      # ?
169
      buf << [0].pack('N')
170

171
      # ?
172
      buf << [0].pack('N')
173

174
      # Create receive buffer
175
      recv_spb = recv_spb_create
176

177
      # Receive buffer length
178
      buf << [recv_spb.length].pack('N')
179

180
      # Receive buffer
181
      buf << recv_spb
182

183
      # Padding
184
      buf << "\x00" * buf_padding(recv_spb.length)
185

186
      # Response buffer length
187
      buf << [response_buffer_length].pack('N')
188

189
      sock.put(buf)
190

191
      response = sock.get_once || ''
192

193
      res = response.unpack('x28Z*Z*')
194

195
      info_svc_server_version = res[0].chop.chop
196
      info_svc_implementation = res[1].chop
197

198
      print("IP Address: #{ip}\n")
199
      # print("Version of the services manager: #{info_svc_version}\n")
200
      print("Version of the InterBase server: #{info_svc_server_version}\n")
201
      print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")
202

203
      # print(Rex::Text.to_hex_dump(response))
204

205
      # Add Report
206
      report_note(
207
        :host	=> ip,
208
        :sname	=> 'ib',
209
        :proto	=> 'tcp',
210
        :port	=> rport,
211
        :type	=> 'Version of the InterBase server',
212
        :data	=> "Version of the InterBase server: #{info_svc_server_version}"
213
      )
214

215
      # Add Report
216
      report_note(
217
        :host	=> ip,
218
        :sname	=> 'ib',
219
        :proto	=> 'tcp',
220
        :port	=> rport,
221
        :type	=> 'Implementation of the InterBase server',
222
        :data	=> "Implementation of the InterBase server: #{info_svc_implementation}"
223
      )
224
    rescue ::Rex::ConnectionError
225
    rescue ::Errno::EPIPE
226
    end
227
  end
228
end
229

230
Product

Resources

Company
