Lucene search
K

Borland InterBase Services Manager Information

🗓️ 04 Oct 2007 03:03:13Reported by Ramon de C Valle <[email protected]>, Adriano Lima <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

This module retrieves version of the services manager, version and implementation of the InterBase server from InterBase Services Manager

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'		=> 'Borland InterBase Services Manager Information',
      'Description'	=> %q{
        This module retrieves version of the services manager, version
        and implementation of the InterBase server from InterBase
        Services Manager.
      },
      'Author'	=>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'License'	=> MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )

  end

  # Create service parameter block
  def spb_create
    isc_dpb_user_name = 28
    isc_dpb_password = 29

    isc_spb_user_name = isc_dpb_user_name
    isc_spb_password = isc_dpb_password

    isc_spb_current_version = 2
    isc_spb_version = isc_spb_current_version

    user = 'SYSDBA'
    pass = 'masterkey'

    spb = ''

    spb << [isc_spb_version].pack('c')
    spb << [isc_spb_current_version].pack('c')

    spb << [isc_spb_user_name].pack('c')
    spb << [user.length].pack('c')
    spb << user

    spb << [isc_spb_password].pack('c')
    spb << [pass.length].pack('c')
    spb << pass

    spb
  end

  # Create receive buffer
  def recv_spb_create
    # Retrieves the version of the services manager
    isc_info_svc_version = 54

    # Retrieves the version of the InterBase server
    isc_info_svc_server_version = 55

    # Retrieves the implementation of the InterBase server
    isc_info_svc_implementation = 56

    recv_spb = ''

    recv_spb << [isc_info_svc_version].pack('c')
    recv_spb << [isc_info_svc_server_version].pack('c')
    recv_spb << [isc_info_svc_implementation].pack('c')

    recv_spb
  end

  # Calculate buffer padding
  def buf_padding(length = '')
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    padding
  end

  def run_host(ip)

    #
    # Using the InterBase Services Manager
    # http://dn.codegear.com/article/27002
    #

    begin

      print_status("Trying #{ip}")

      connect

      # isc_service_attach

      # Service name
      svc_name = 'service_mgr'

      # Service attach
      op_service_attach = 82

      buf = ''

      # Operation/packet type
      buf << [op_service_attach].pack('N')

      # Id
      buf << [0].pack('N')

      # Length
      buf << [svc_name.length].pack('N')

      # Service name
      buf << svc_name

      # Padding
      buf << "\x00" * buf_padding(svc_name.length)

      # Create service parameter block
      spb = spb_create

      # Service parameter block length
      buf << [spb.length].pack('N')

      # Service parameter block
      buf << spb

      # Padding
      buf << "\x00" * buf_padding(spb.length)

      sock.put(buf)

      response = sock.get_once || ''

      # print(Rex::Text.to_hex_dump(response))


      # isc_service_query

      # Response buffer length
      response_buffer_length = 64

      # Service info
      op_service_info = 84

      buf = ''

      # Operation/packet type
      buf << [op_service_info].pack('N')

      # Id
      buf << [0].pack('N')

      # ?
      buf << [0].pack('N')

      # ?
      buf << [0].pack('N')

      # Create receive buffer
      recv_spb = recv_spb_create

      # Receive buffer length
      buf << [recv_spb.length].pack('N')

      # Receive buffer
      buf << recv_spb

      # Padding
      buf << "\x00" * buf_padding(recv_spb.length)

      # Response buffer length
      buf << [response_buffer_length].pack('N')

      sock.put(buf)

      response = sock.get_once || ''

      res = response.unpack('x28Z*Z*')

      info_svc_server_version = res[0].chop.chop
      info_svc_implementation = res[1].chop

      print("IP Address: #{ip}\n")
      # print("Version of the services manager: #{info_svc_version}\n")
      print("Version of the InterBase server: #{info_svc_server_version}\n")
      print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")

      #print(Rex::Text.to_hex_dump(response))

      # Add Report
      report_note(
        :host	=> ip,
        :sname	=> 'ib',
        :proto	=> 'tcp',
        :port	=> rport,
        :type	=> 'Version of the InterBase server',
        :data	=> "Version of the InterBase server: #{info_svc_server_version}"
      )

      # Add Report
      report_note(
        :host	=> ip,
        :sname	=> 'ib',
        :proto	=> 'tcp',
        :port	=> rport,
        :type	=> 'Implementation of the InterBase server',
        :data	=> "Implementation of the InterBase server: #{info_svc_implementation}"
      )

    rescue ::Rex::ConnectionError
    rescue ::Errno::EPIPE

    end

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 Jul 2017 13:26Current
0.6Low risk
Vulners AI Score0.6
21