metasploit-framework/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
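class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Clumplet tags for the service parameter block (SPB). InterBase reuses the
  # DPB tag values for the user-name / password items inside an SPB.
  ISC_DPB_USER_NAME       = 28
  ISC_DPB_PASSWORD        = 29
  ISC_SPB_USER_NAME       = ISC_DPB_USER_NAME
  ISC_SPB_PASSWORD        = ISC_DPB_PASSWORD
  ISC_SPB_CURRENT_VERSION = 2
  ISC_SPB_VERSION         = ISC_SPB_CURRENT_VERSION

  # Information items requested through isc_service_query
  ISC_INFO_SVC_VERSION        = 54 # version of the services manager
  ISC_INFO_SVC_SERVER_VERSION = 55 # version of the InterBase server
  ISC_INFO_SVC_IMPLEMENTATION = 56 # implementation of the InterBase server

  # Wire-protocol operation codes used by this module
  OP_SERVICE_ATTACH = 82
  OP_SERVICE_INFO   = 84

  # Each SPB clumplet stores its value length in a single byte.
  SPB_MAX_CLUMPLET_LEN = 255

  # Number of bytes of response framing skipped before the two
  # NUL-terminated strings are read (empirical, see run_host).
  SVC_INFO_STRING_OFFSET = 28

  def initialize
    super(
      'Name'        => 'Borland InterBase Services Manager Information',
      'Description' => %q{
        This module retrieves version of the services manager, version
        and implementation of the InterBase server from InterBase
        Services Manager. It attaches to service_mgr with the supplied
        credentials (by default the well-known SYSDBA / masterkey pair);
        the password is sent as plaintext bytes inside the service
        parameter block.
      },
      'Author'      =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(3050),
        # The original hard-coded SYSDBA/masterkey; keep them as defaults so
        # existing usage is unchanged, but let the operator override them.
        OptString.new('USERNAME', [true, 'InterBase user used to attach to service_mgr', 'SYSDBA']),
        OptString.new('PASSWORD', [true, 'Password for the InterBase user', 'masterkey'])
      ],
      self.class
    )
  end

  # Build the service parameter block (SPB) sent with op_service_attach.
  #
  # @param user [String] InterBase user name; defaults to datastore['USERNAME']
  # @param pass [String] password for +user+; defaults to datastore['PASSWORD']
  # @return [String] binary SPB: two version bytes followed by a user-name
  #   clumplet and a password clumplet (tag, 1-byte length, raw value)
  # @raise [ArgumentError] if either value is longer than 255 bytes; the
  #   1-byte length field cannot encode it and pack('c') would wrap silently
  def spb_create(user = datastore['USERNAME'], pass = datastore['PASSWORD'])
    user = user.to_s
    pass = pass.to_s

    [user, pass].each do |value|
      if value.bytesize > SPB_MAX_CLUMPLET_LEN
        raise ArgumentError, "SPB clumplet value longer than #{SPB_MAX_CLUMPLET_LEN} bytes"
      end
    end

    spb = ''
    spb << [ISC_SPB_VERSION, ISC_SPB_CURRENT_VERSION].pack('cc')
    spb << spb_clumplet(ISC_SPB_USER_NAME, user)
    spb << spb_clumplet(ISC_SPB_PASSWORD, pass)
    spb
  end

  # Encode a single SPB clumplet: tag byte, 1-byte length, value bytes.
  #
  # @param tag [Integer] isc_spb_* tag
  # @param value [String] value; its byte length (not char length) is encoded
  # @return [String] binary clumplet
  def spb_clumplet(tag, value)
    # force binary so concatenating onto the packed header cannot raise an
    # encoding compatibility error for non-ASCII input
    [tag, value.bytesize].pack('cc') + value.dup.force_encoding('BINARY')
  end

  # Build the "receive" item list for op_service_info: the info tags the
  # service manager is asked to answer.
  #
  # @return [String] three tag bytes
  def recv_spb_create
    [
      ISC_INFO_SVC_VERSION,
      ISC_INFO_SVC_SERVER_VERSION,
      ISC_INFO_SVC_IMPLEMENTATION
    ].pack('c*')
  end

  # Number of NUL bytes needed to pad +length+ bytes up to a 4-byte boundary.
  #
  # @param length [Integer] unpadded length (the original default of '' was a
  #   bug: String has no #remainder)
  # @return [Integer] 0..3
  def buf_padding(length = 0)
    remainder = length.remainder(4)
    remainder > 0 ? 4 - remainder : 0
  end

  # Build the op_service_attach request.
  #
  # @param svc_name [String] service name, e.g. 'service_mgr'
  # @param spb [String] service parameter block from #spb_create
  # @return [String] request bytes: opcode, object id, length-prefixed and
  #   padded service name, length-prefixed and padded SPB
  def service_attach_packet(svc_name, spb)
    buf = ''
    buf << [OP_SERVICE_ATTACH, 0].pack('NN') # operation, object id
    buf << [svc_name.length].pack('N') << svc_name
    buf << "\x00" * buf_padding(svc_name.length)
    buf << [spb.length].pack('N') << spb
    buf << "\x00" * buf_padding(spb.length)
    buf
  end

  # Build the op_service_info request.
  #
  # @param recv_spb [String] info item list from #recv_spb_create
  # @param response_buffer_length [Integer] size of the answer buffer the
  #   server is asked to fill
  # @return [String] request bytes
  def service_info_packet(recv_spb, response_buffer_length)
    buf = ''
    # operation, object id, then two fields the original left as 0 without
    # identifying them; kept as-is
    buf << [OP_SERVICE_INFO, 0, 0, 0].pack('NNNN')
    buf << [recv_spb.length].pack('N') << recv_spb
    buf << "\x00" * buf_padding(recv_spb.length)
    buf << [response_buffer_length].pack('N')
    buf
  end

  # Scan a single host: attach to service_mgr, query the three info items,
  # print and record the server version and implementation strings.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  def run_host(ip)
    #
    # Using the InterBase Services Manager
    # http://dn.codegear.com/article/27002
    #
    begin
      print_status("Trying #{ip}")
      connect

      # isc_service_attach with the configured credentials
      sock.put(service_attach_packet('service_mgr', spb_create))
      attach_response = sock.get_once || ''
      # vprint_status(Rex::Text.to_hex_dump(attach_response))

      # The original never looked at this reply. We cannot decode an error
      # response here, but an empty one means the peer gave us nothing to go
      # on and the follow-up query would only parse garbage.
      if attach_response.empty?
        print_error("#{ip}:#{rport} - No response to op_service_attach")
        return
      end

      # isc_service_query; the 64-byte answer buffer is what the original used
      sock.put(service_info_packet(recv_spb_create, 64))
      response = sock.get_once || ''
      # vprint_status(Rex::Text.to_hex_dump(response))

      # The original skipped 28 bytes and read two NUL-terminated strings,
      # then chopped trailing bytes; that offset came from observing traffic,
      # not from protocol constants, so treat it as empirical. Without this
      # guard a short or error reply (e.g. rejected login) raised ArgumentError
      # from unpack or NoMethodError on nil and aborted the scan of this host.
      if response.bytesize <= SVC_INFO_STRING_OFFSET
        print_error("#{ip}:#{rport} - Short or unexpected response (#{response.bytesize} bytes); error reply or rejected login?")
        vprint_status(Rex::Text.to_hex_dump(response)) unless response.empty?
        return
      end

      server_version, implementation = response.unpack("x#{SVC_INFO_STRING_OFFSET}Z*Z*")
      info_svc_server_version = server_version.to_s.chop.chop
      info_svc_implementation = implementation.to_s.chop

      print_good("#{ip}:#{rport} - Version of the InterBase server: #{info_svc_server_version}")
      print_good("#{ip}:#{rport} - Implementation of the InterBase server: #{info_svc_implementation}")

      report_service(
        :host  => ip,
        :port  => rport,
        :proto => 'tcp',
        :name  => 'ib',
        :info  => "#{info_svc_server_version} (#{info_svc_implementation})"
      )

      report_note(
        :host  => ip,
        :sname => 'ib',
        :proto => 'tcp',
        :port  => rport,
        :type  => 'Version of the InterBase server',
        :data  => "Version of the InterBase server: #{info_svc_server_version}"
      )

      report_note(
        :host  => ip,
        :sname => 'ib',
        :proto => 'tcp',
        :port  => rport,
        :type  => 'Implementation of the InterBase server',
        :data  => "Implementation of the InterBase server: #{info_svc_implementation}"
      )

    rescue ::Rex::ConnectionError => e
      vprint_error("#{ip}:#{rport} - Connection failed: #{e.message}")
    rescue ::Errno::EPIPE => e
      vprint_error("#{ip}:#{rport} - Connection closed by peer: #{e.message}")
    ensure
      # The original never closed the socket, leaking one per scanned host.
      disconnect
    end
  end
end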