[SeeRM #8803] Avoid false positives when checking fb_cnct_group

[jvazquez-r7]

Verification

• Install Firebird-2.5.2.26540_0_Win32
• Run the check from the module without this pull request, it should report the service as vulnerable

msf > use exploit/windows/misc/fb_cnct_group
msf exploit(fb_cnct_group) > show options

Module options (exploit/windows/misc/fb_cnct_group):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3050             yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows FB 2.5.2.26539


msf exploit(fb_cnct_group) > set rhost 172.16.158.157
rhost => 172.16.158.157
msf exploit(fb_cnct_group) > check
[+] 172.16.158.157:3050 - The target is vulnerable.

• Try to exploit it with the Debug target, no crash, the service continues running

msf exploit(fb_cnct_group) > set target 4
target => 4
msf exploit(fb_cnct_group) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.157:3050 - Sending Connection Request For C:\qQjFtirEcKHvQ.fdb
[*] Exploit completed, but no session was created.
msf exploit(fb_cnct_group) > check
[+] 172.16.158.157:3050 - The target is vulnerable.

• Try to check with this pull request change applied, the service shouldn't be reported as vulnerable but detected:

msf exploit(fb_cnct_group) > check
[*] 172.16.158.157:3050 - The target service is running, but could not be validated.

[zeroSteiner]

I think this would still benefit from checking that version is one of the two values to help fingerprint that the service is Firebird. From my testing 0xffff800b is for the 2.1.x versions, while 0xffff800c is for the 2.5.x versions.

So maybe something similar to the following would work:

    opcode = data.unpack("N*")[0]
    version = data.unpack("N*")[1]
    if opcode == 3 # Accept
      if [ 0xffff800b, 0xffff800c ].include?(version)
        return Exploit::CheckCode::Detected
      end
    end

[jvazquez-r7]

@zeroSteiner, 2.1.x and 2.5.x are the only branches are affected? If it's the case then your patch have sense. If older versions are also vulnerable I think the proposed:

    if opcode == 3 # Accept
        return Exploit::CheckCode::Detected
    end

is good enough. Don't you think? Or maybe:

    if opcode == 3 && version <= 0xffff800c
        return Exploit::CheckCode::Detected
    end

The only last one has sense if older versions are also vulnerable and the version condition is good enough. I don't know how firefird encodes versions really :S Just trying to solve the false positives (shame... :$)

Let me know your opinion! Thanks for reviewing!

[zeroSteiner]

I took a look at version 1.0.3 and its vulnerable as well and responds with 0x0000000a as it's version. I think your original changes are going to be the best option.

Sorry for the confusion.

With keeping your original changes, setting version in version = data.unpack("N*")[1] on L95 is no longer necessary.

[jvazquez-r7]

@zeroSteiner right L95 wasn't needed anymore, deleted!

thanks for review!!

[zeroSteiner]

Thanks @jvazquez-r7 I'll land this once travis approves.

[jvazquez-r7]

@zeroSteiner since there is a RM ticket remind to add [FixRM #3379] to the commit message when merging this branch. Thanks!

[jvazquez-r7]

Thanks @zeroSteiner !