CVE-2020-8010 & CVE-2020-8012 #13875
Conversation
This looks neat, thanks! As much as I enjoy the endless range syntax from Ruby 2.6, we still have to support Ruby 2.5 for now, so these have to be converted to the more traditional [i..-1] syntax.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
not a fan of how rubocop spaces it 🤮, but it is what it is 😂

```ruby
alignment = rand_text_alphanumeric(7)          # Adjustment for the initial chain
rop_chain = generate_rsp_chain                 # Stage1: Stack alignment
rop_chain += rand_text_alphanumeric(631)       # Adjust for second stage
rop_chain += generate_rop_chain                # Stage2: GetModuleHandleA, GetProcAddressStub, VirtualProtectStub
rop_chain += rand_text_alphanumeric((3500 -    # ROP chain MUST be 3500 bytes, or exploitation WILL fail
```
Comments regarding Ruby 2.5 support have been addressed
So for testing this, I'm not sure where to get this "Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)". I checked the link to CA UIM in your docs but: 1) it doesn't look like there's any reference to a Can you confirm if that's correct and provide some clarification on if and how I can access the installer for testing this?
Software is not available as per #13866 (comment)
Thanks! I missed that PR for context. In that case, as was stated, we'll definitely need a PCap for demo purposes sent over to msfdev@metasploit.com (feel free to CC me directly at smcintyre@metasploit.com). I'll keep my eye out for it and once I've had a chance to review it, I can see about landing this PR.
@bcoles unfortunately you are correct, you cannot get this software without contacting CA or Broadcom. I'm actually unaware of the exact download link as this software was just handed to me to begin research on. You can find more research on this protocol here: https://github.com/wetw0rk/CA-UIM-Nimbus-Research Went ahead and shot you an email @smcintyre-r7, lemme know if you guys need anything else. Wish I could get you a copy but unfortunately cannot.
After reviewing the PCap that was sent to the Metasploit developers mailing list, everything appears to be in order. I made a few minor changes to the docs per suggestions from Thank you for this contribution @wetw0rk! 🎉 It's not every day I see a ROP chain for 64-bit Windows, so that's pretty cool.
Release Notes: New module
w00tw00t thanks man 🔥 🎊
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller. The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list probe. Technically speaking, the target host must also be vulnerable to CVE-2020-8010 in order to reach the directory_list probe.
Verification Steps
1. msfconsole
2. use exploit/windows/nimsoft/nimcontroller_bof
3. set RHOSTS <ip>
4. exploit
From #13866.