Path: blob/master/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb
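##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner that attaches to the InterBase Services Manager over TCP and
# reports the server version and implementation strings it returns.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name' => 'Borland InterBase Services Manager Information',
      'Description' => %q{
        This module retrieves version of the services manager, version
        and implementation of the InterBase server from InterBase
        Services Manager.
      },
      'Author' => [
        'Ramon de C Valle',
        'Adriano Lima <adriano[at]risesecurity.org>',
      ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Build the service parameter block (SPB) sent with the attach request.
  #
  # Layout: two version bytes, then two tag/length/value items holding the
  # user name and the password. Each length is packed as a single byte.
  #
  # The credentials are hard-coded to SYSDBA/masterkey, the default InterBase
  # administrator account. A host that returns version data to this module
  # has most likely never had that password changed, which is the finding
  # worth remediating (rotate the SYSDBA password, restrict access to the
  # service port).
  #
  # @return [String] the packed service parameter block
  def spb_create
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_spb_user_name = isc_dpb_user_name
    isc_spb_password = isc_dpb_password

    isc_spb_current_version = 2
    isc_spb_version = isc_spb_current_version

    user = 'SYSDBA'
    pass = 'masterkey'

    # pack returns a fresh mutable string, so nothing here mutates a literal.
    spb = [isc_spb_version, isc_spb_current_version].pack('c2')
    spb << [isc_spb_user_name, user.bytesize].pack('c2') << user
    spb << [isc_spb_password, pass.bytesize].pack('c2') << pass

    spb
  end

  # Build the list of info items requested by the service query.
  #
  # @return [String] three one-byte item codes
  def recv_spb_create
    # Retrieves the version of the services manager
    isc_info_svc_version = 54

    # Retrieves the version of the InterBase server
    isc_info_svc_server_version = 55

    # Retrieves the implementation of the InterBase server
    isc_info_svc_implementation = 56

    [
      isc_info_svc_version,
      isc_info_svc_server_version,
      isc_info_svc_implementation
    ].pack('c3')
  end

  # Calculate buffer padding.
  #
  # The default used to be '' (a String), which raised NoMethodError on
  # #remainder whenever the method was called without an argument.
  #
  # @param length [Integer] length of the field that was just written
  # @return [Integer] number of NUL bytes needed to reach a multiple of 4
  def buf_padding(length = 0)
    remainder = length.remainder(4)
    remainder > 0 ? 4 - remainder : 0
  end

  # Query a single host and record what the Services Manager reports.
  #
  # Sends a service attach followed by a service info query, prints the
  # server version and implementation, and stores both as notes.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    #
    # Using the InterBase Services Manager
    # http://dn.codegear.com/article/27002
    #
    print_status("Trying #{ip}")

    connect

    # isc_service_attach

    # Service name
    svc_name = 'service_mgr'

    # Service attach
    op_service_attach = 82

    # Operation/packet type, id, service name length
    buf = [op_service_attach, 0, svc_name.bytesize].pack('N3')

    # Service name, padded to a 4-byte boundary
    buf << svc_name
    buf << "\x00" * buf_padding(svc_name.bytesize)

    # Service parameter block: length, data, padding
    spb = spb_create
    buf << [spb.bytesize].pack('N')
    buf << spb
    buf << "\x00" * buf_padding(spb.bytesize)

    sock.put(buf)

    # The attach reply is read and discarded; its status is not inspected.
    sock.get_once

    # isc_service_query

    # Response buffer length
    response_buffer_length = 64

    # Service info
    op_service_info = 84

    # Operation/packet type, id, then two fields the original left
    # undocumented ("?"); all but the first are sent as zero.
    buf = [op_service_info, 0, 0, 0].pack('N4')

    # Receive buffer: length, requested items, padding
    recv_spb = recv_spb_create
    buf << [recv_spb.bytesize].pack('N')
    buf << recv_spb
    buf << "\x00" * buf_padding(recv_spb.bytesize)

    # Response buffer length
    buf << [response_buffer_length].pack('N')

    sock.put(buf)

    response = sock.get_once || ''

    # print(Rex::Text.to_hex_dump(response))

    # The 'x28' directive below raises ArgumentError on a reply shorter than
    # 28 bytes (no reply, or some other service listening on the port), so
    # stop here instead of letting that escape the rescue clauses.
    if response.bytesize < 28
      print_error("#{ip}:#{rport} - Short or empty reply to the service info query (#{response.bytesize} bytes)")
      return
    end

    # Skip the first 28 bytes, then read two NUL-terminated strings. The
    # trailing bytes removed with chop are presumably item framing -- TODO
    # confirm against the protocol. The services manager version (item 54)
    # is requested but never decoded.
    res = response.unpack('x28Z*Z*')

    info_svc_server_version = res[0].chop.chop
    info_svc_implementation = res[1].chop

    # NOTE(review): both strings come from the remote host and are printed
    # and stored without filtering non-printable bytes.
    print("IP Address: #{ip}\n")
    # print("Version of the services manager: #{info_svc_version}\n")
    print("Version of the InterBase server: #{info_svc_server_version}\n")
    print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")

    # Add Report
    report_note(
      host: ip,
      sname: 'ib',
      proto: 'tcp',
      port: rport,
      type: 'Version of the InterBase server',
      data: "Version of the InterBase server: #{info_svc_server_version}"
    )

    # Add Report
    report_note(
      host: ip,
      sname: 'ib',
      proto: 'tcp',
      port: rport,
      type: 'Implementation of the InterBase server',
      data: "Implementation of the InterBase server: #{info_svc_implementation}"
    )
  rescue ::Rex::ConnectionError, ::Errno::EPIPE => e
    # Unreachable hosts are expected during a scan; only mention them when
    # verbose output is enabled.
    vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
  ensure
    # Close the socket on every path so a large scan does not leak sockets.
    disconnect
  end
end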